• Features
  • How it works
  • Pricing
  • Blog
EN ES PT
Log in Start free
  • Features
  • How it works
  • Pricing
  • Blog
Log in Start free
EN ES PT
Home / Legal / Privacy Policy

Contents

Privacy Policy

Legal Document

Last updated: May 22, 2026

This Privacy Policy applies globally. Jurisdiction-specific annexes for the European Union / Spain, Mexico, Colombia, Brazil, and the United States are included at the end of this document.

1. Identity of the Data Controller

The controller responsible for processing your personal data under this policy is:

  • Company Name: Ohana Technologies Inc.
  • Registered Address: Delaware, United States
  • Contact Email: privacy@ohanapp.co
  • Website: ohanapp.co

2. Information We Collect

We collect three categories of information through our platform:

Information You Provide Voluntarily

When creating an account or managing your subscription, we collect: full name, work email address, company name, job title, encrypted password, billing address, and tax identification number (NIT/RUT/RFC/Tax ID, as applicable to your jurisdiction).

Data Uploaded in Service Use

Any personal data or business information that the Customer or authorized users upload, enter, or store on the platform for technical processing (such as employee profiles, survey responses, recognition messages, or performance data).

Automatically Collected Data

We automatically collect technical data when you interact with the platform, including: IP address, browser type and version, operating system, referring URLs, pages visited within our platform, cookie identifiers, session timestamps, and technical activity logs.

3. Purposes of Data Processing

We process your data for the following legitimate purposes:

  • Providing, operating, maintaining, and optimizing the platform software.
  • Managing billing, subscription renewals, and processing financial transactions.
  • Providing technical support and customer service.
  • Ensuring the security and integrity of the system, preventing fraud and cyberattacks.
  • Sending operational communications, security updates, and product notifications.
  • Sending commercial communications and newsletters (subject to your prior consent, which you may withdraw at any time).
  • Complying with applicable legal obligations in the jurisdictions where we operate.

4. Sub-processors (Third-Party Service Providers)

To deliver a best-in-class service, we rely on carefully selected third-party technology providers that act as "Data Processors" (Sub-processors). These sub-processors are only permitted to process your data in accordance with our specific instructions and under strict Data Processing Agreements (DPAs).

Provider (Sub-processor) Service Provided Data Location
Amazon Web Services (AWS) Cloud hosting & infrastructure USA (N. Virginia), EU (Frankfurt)
Microsoft Azure Cloud infrastructure & services USA (East US), EU (West Europe)
Google Cloud Platform (GCP) Cloud infrastructure & ML services USA (Iowa), EU (Belgium)
DigitalOcean Cloud hosting & infrastructure USA (New York), EU (Amsterdam)
Stripe Inc. Payment gateway & secure billing USA (Protected by DPA)
Paddle.com Market Ltd. Subscription management & billing United Kingdom / EU (Protected by DPA)
PayPal Inc. Payment processing USA (Protected by DPA)

5. Information Security Measures

We implement enterprise-grade technical and organizational security measures to protect your data against unauthorized access, alteration, disclosure, or destruction. Our security practices include:

  • Encryption in transit: TLS 1.2+ for all data transmitted between your browser and our servers.
  • Encryption at rest: AES-256 encryption for all stored data.
  • Access controls: Strict Role-Based Access Control (RBAC) for all internal technical staff.
  • Network security: Web Application Firewalls (WAF) and Intrusion Detection Systems (IDS).
  • Monitoring: 24/7 security monitoring and incident response procedures.
  • Data backups: Regular automated backups with geographic redundancy.

6. Data Retention

We retain personal data for as long as necessary to fulfill the purposes described in this policy, including for the duration of the contractual relationship. After account termination, data is retained in a blocked state for the legally required retention periods in each applicable jurisdiction (typically 5–7 years for financial and tax records) and then securely deleted.

7. User Rights

Regardless of your geographic location, we guarantee all users the following rights with respect to their personal data:

  • Right of Access: Obtain confirmation of whether we hold data about you and a copy of that data.
  • Right of Rectification: Correct any inaccurate or incomplete personal data.
  • Right of Erasure: Request the permanent deletion of your personal data ("right to be forgotten"), where no legal retention obligation prevents us from doing so.
  • Right to Object: Object to processing for marketing purposes or other legitimate interests.
  • Right to Data Portability: Receive your data in a structured, machine-readable format.
  • Right to Withdraw Consent: Withdraw consent for any processing based on consent, at any time.

To exercise any of these rights, send a request to privacy@ohanapp.co with the subject line "Privacy Rights – [Your Name]". We will process your request within a maximum of 30 calendar days at no cost to you.

8. Cookies and Tracking Technologies

We use cookies and similar tracking technologies to operate and improve the platform. Strictly necessary cookies are essential for the platform to function. Analytics and preference cookies are only activated with your explicit consent. You can manage your cookie preferences at any time through our cookie settings panel.

9. Changes to This Policy

We may update this Privacy Policy from time to time. If we make material changes, we will notify you by email or prominent in-app notice at least fifteen (15) calendar days before the changes take effect. The most current version of this policy is always available at ohanapp.co/legal/privacy.

Annex A: European Union & Spain (GDPR / LOPDGDD)

This annex applies exclusively to individuals located within the European Union and regulates strict compliance with the General Data Protection Regulation (GDPR – 2016/679) and Spain's Organic Law on Data Protection (LOPDGDD).

  • Legal Basis: We process your data only when we have an applicable legal basis under Article 6 GDPR: (i) performance of a contract (registration and service delivery), (ii) explicit consent (marketing communications and non-essential cookies), or (iii) legitimate interests (cybersecurity, fraud prevention).
  • International Transfers: Where data is transferred outside the EEA, we ensure appropriate safeguards are in place, including Standard Contractual Clauses (SCCs) approved by the European Commission.
  • Data Retention: Data is retained for the duration of the contractual relationship and thereafter in a blocked state for the statutory limitation periods under Spanish law.
  • Supervisory Authority: You have the right to lodge a complaint with the Agencia Española de Protección de Datos (AEPD) at www.aepd.es if you believe your data has not been processed in accordance with applicable regulations.

Annex B: Mexico (LFPDPPP)

In accordance with the Federal Law on Protection of Personal Data Held by Private Parties (Ley Federal de Protección de Datos Personales en Posesión de los Particulares – LFPDPPP), we establish the following:

  • Privacy Notice: This document serves as our Comprehensive Privacy Notice (Aviso de Privacidad Integral) as required by Mexican law.
  • Primary and Secondary Purposes: The purposes described in Section 3 of this policy constitute primary purposes (necessary for service delivery). Sending newsletters or external promotions is a secondary purpose, which may be declined at registration or at any subsequent time.
  • ARCO Rights: Users in Mexico have the right to exercise Access, Rectification, Cancellation, and Opposition (ARCO) rights. ARCO requests must include the information required by law and be directed in writing to privacy@ohanapp.co.
  • Regulatory Authority: The supervisory authority in Mexico is the Instituto Nacional de Transparencia, Acceso a la Información y Protección de Datos Personales (INAI).

Annex C: Colombia (Ley 1581 – Habeas Data)

This annex governs the collection and processing of data for Colombian citizens, in accordance with Ley 1581 de 2012 and Decreto 1377 de 2013 of the Republic of Colombia.

  • Prior and Express Authorization: Consent for data processing is requested in a prior, express, free, and informed manner upon registration. The technical registration in our databases serves as valid proof of such authorization.
  • Response Timelines: Data inquiries (consultas) will be resolved within a maximum of ten (10) business days and claims (reclamos) within fifteen (15) business days, extendable in accordance with applicable law.
  • Regulatory Authority: The Superintendencia de Industria y Comercio (SIC), through its data protection division, is the competent supervisory authority to which users may submit complaints after exhausting the direct internal support channel.

Annex D: Brazil (LGPD)

In accordance with the Lei Geral de Proteção de Dados Pessoais (LGPD – Federal Law No. 13,709/2018), we declare that we process the personal data of data subjects located in Brazilian territory under valid legal bases.

  • Data Protection Officer (Encarregado / DPO): For any inquiries related to data processing under the LGPD, you may contact our privacy officer at privacy@ohanapp.co.
  • Data Subject Rights: Brazilian users enjoy all rights set out in Article 18 of the LGPD, including: confirmation of existence of processing, access, correction, anonymization or blocking of unnecessary data, portability, deletion of data processed with consent, and revocation of consent at any time.
  • Regulatory Authority: The Autoridade Nacional de Proteção de Dados (ANPD) is the competent supervisory authority for matters arising under the LGPD.

Annex E: United States (CCPA / CPRA)

This annex applies exclusively to residents of the United States, particularly California residents under the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA), and residents of Virginia, Colorado, and Connecticut under their respective state privacy laws.

  • No Sale of Personal Data: We formally declare that we do not sell or share the personal information of our users with third parties for commercial purposes, cross-context behavioral advertising, or any monetary or other valuable consideration.
  • Categories of Information Collected: We collect personal identifiers (name, email, IP address), commercial information (billing and subscription records), and internet activity information (platform usage logs).
  • Right to Non-Discrimination: We will not discriminate against any user for exercising their privacy rights under applicable state law, including by denying service, charging different prices, or providing a different level of service quality.
  • Shine the Light: California residents may request information about personal data disclosed to third parties for direct marketing purposes. We do not disclose personal information to third parties for such purposes.

Contact for Privacy Matters

For all privacy-related inquiries, data subject rights requests, or to reach our Data Protection Officer:

  • Email: privacy@ohanapp.co
  • Subject line format: "Privacy Rights – [Your Name] – [Country]"
  • Response time: Maximum 30 calendar days (shorter timelines apply in Colombia — see Annex C)

Where people thrive.

Product
Features Pricing Start free
Resources
Blog Comparisons Contact
Compare
vs Culture Ampvs Latticevs 15Fivevs Bonuslyvs Leapsome
Legal
Privacy Policy Terms of Service GDPR
© 2026 Ohana. All rights reserved.
EN ES PT