This document is a templated draft, pending counsel review.
The text below is generic SaaS baseline language intended to communicate intent while the formal version is being finalised with our counsel. Do not rely on it for compliance, procurement, audit or any legally binding decision. For the current binding version applicable to your engagement, contact privacy@observone.com.
Effective: 2026-05-11
Version: v0.1 (draft)
Jurisdiction: [PLACEHOLDER: Delaware, USA]
1. Introduction & scope
This privacy notice explains how ObservOne, Inc. ("ObservOne", "we", "our") collects, uses and shares personal data when you interact with our platform, marketing websites and related services (collectively, the "Service").
This notice applies to:
Visitors to our marketing site
Operators using the Service under a customer agreement
Sub-tenant users (for example, colocation tenants) granted access by a customer
It does not apply to personal data that customers process about their own end-users using the Service — that data is governed by the customer's own privacy notice. We act as a processor for such data; the customer is the controller.
Legal entity: [PLACEHOLDER: ObservOne, Inc., a Delaware corporation, registered office at ___].
2. Categories of personal data
Depending on how you interact with us, we may collect the following categories:
Identifiers — name, work email, work phone, job role
Business contact information — company, job title, work address
Operational metadata — login timestamps, IP address, user-agent, navigation events within the Service
Communications — support tickets, emails, chat messages
Account & billing data — where applicable to your subscription tier
We do not collect:
Sensitive special categories under GDPR Art. 9 (race, religion, biometric, health, etc.)
Payment card numbers directly — those flow to our payment sub-processor (see § 5)
3. Sources of personal data
We collect personal data:
Directly from you — when you register, contact us, fill in a form or otherwise interact with us
Automatically — through cookies, server logs and telemetry as you use the Service
From third parties — your employer's SSO provider, business contact data providers, partners with whom you have an existing relationship
4. Purposes & legal basis
We process personal data for the following purposes, on the following bases under GDPR Article 6 (and equivalent state-law bases in the United States):
To provide the Service — Art. 6(1)(b), contract performance
To secure the Service — Art. 6(1)(f), legitimate interests in protecting our systems and our customers
To improve the Service — Art. 6(1)(f), legitimate interests in product improvement
To respond to your requests — Art. 6(1)(b), pre-contractual measures
To comply with legal obligations — Art. 6(1)(c)
To send service communications — Art. 6(1)(b), necessary for the Service
To send marketing communications — Art. 6(1)(a), consent; you may withdraw consent at any time without affecting the lawfulness of prior processing
5. Sharing & sub-processors
We may share personal data with:
Our sub-processors (cloud hosting, email delivery, analytics, support tooling) — see our sub-processors page for the current list, updated when our roster changes
Professional advisors (counsel, auditors, accountants) under confidentiality obligations
Affiliates and successors in business as part of a corporate transaction
Authorities when legally required, subject to careful legal review
We do not sell personal data and we do not use personal data for cross-context behavioural advertising (CCPA/CPRA terms).
6. International transfers
We are headquartered in [PLACEHOLDER: jurisdiction]. We may transfer personal data internationally, including from the EEA, UK and Switzerland to the United States, under the following safeguards:
EU Standard Contractual Clauses (2021/914)
UK International Data Transfer Addendum
Region pinning for customer tenant data, on request
Transfer Impact Assessments on file for each material destination
7. Retention
We retain personal data only as long as necessary for the purposes described in § 4, then we delete or anonymise it. Typical retention windows:
Operator account data — lifetime of the contract plus 12 months
Operational logs — 13 months
Communications (support, sales) — 36 months
Backups — rolling 35-day window
Longer retention may apply where required by law, by ongoing contractual obligations or where data has been irreversibly anonymised.
8. Your rights
Subject to local law, you may have the right to:
Access the personal data we hold about you
Correct inaccuracies
Erase your personal data, subject to retention obligations
Restrict or object to processing
Receive your data in a portable format
Withdraw consent (where consent is the basis)
Lodge a complaint with your supervisory authority
To exercise these rights, email privacy@observone.com. We respond within 30 days under GDPR and within 45 days under CCPA. We may need to verify your identity before fulfilling the request.
9. Cookies & analytics
We use first-party cookies and similar technologies for:
Analytics — with consent in jurisdictions that require it
You can control cookies via your browser. We do not use third-party advertising cookies on our marketing site.
10. Security
We maintain technical and organisational measures appropriate to the risk. See the security page for our program detail. No system is perfect; in the event of a security incident affecting personal data, we will notify affected parties consistent with applicable law.
11. Children's data
The Service is intended for business use. We do not knowingly collect personal data from children under 16. If you believe a child has provided personal data to us, contact privacy@observone.com and we will delete it.
12. Changes to this notice
We will update this notice when our practices change. Material changes will be announced via our changelog and, where required, by email to account administrators. The "Effective" date above tracks updates.