Privacy Policy

Effective date: 2026-05-22 · Last updated: 2026-05-22

This Privacy Policy explains how Owlogs (SAS) (“Owlogs”, “we”, “us”) collects and uses personal data when you visit our website, sign up for an account, manage a Workspace or otherwise interact with the Owlogs service (the “Service”). It is written to comply with the EU General Data Protection Regulation (Regulation 2016/679, “GDPR”) and the French “Loi Informatique et Libertés”.

Two distinct roles. When we collect personal data about you (as a visitor, prospect, account holder or billing contact), we act as controller. When you, as a Customer, use the Service to ingest logs and telemetry from your applications that happen to contain personal data, we act as a processor on your behalf, under the terms of our Data Processing Addendum. This Privacy Policy only covers our processing as a controller.

Who is the data controller

The data controller for personal data processed under this policy is:

Owlogs (SAS) France Privacy contact: privacy@owlogs.io

What personal data we collect

We collect personal data in the following categories:

Account & profile data

When you create an account or are invited to a Workspace, we collect your name, email address, profile picture (if you upload one or import it from a social login), password (stored hashed), preferred language and time-zone, and any two-factor or passkey credentials you set up.

Workspace & billing data

For paid Workspaces we collect the billing contact name, email, company name, billing address, country, VAT number where applicable, and payment-method metadata returned by our payment processor (last four digits, brand and expiry of the card, or the IBAN’s last four digits for SEPA mandates). We do not store full card or bank-account numbers on our servers — those are handled directly by Stripe.

Authentication & session data

When you sign in, we record the time of the login, the IP address used, the browser user-agent and high-level device information. Sessions are stored on our infrastructure and are tied to a server-side cookie. We also keep an audit trail of administrative actions performed within your Workspaces (member invitations, role changes, API key creation, etc.).

Communications & support

If you contact our support team, send us an email, fill in a contact form or chat with us, we keep the content of the exchange, your email address and any technical metadata needed to follow up on the conversation.

Marketing & attribution data

When you land on our marketing pages, we may capture limited attribution information (UTM parameters, referring domain, landing page) so that we can understand which channels brought you to us. We do not use this information to build advertising profiles and we do not sell it.

Service usage & logs

We log technical events about the Service itself (API calls, errors, performance metrics, abusive-traffic patterns) for the purposes of operating, securing and improving the platform. Where these logs reference an account or a Workspace, the corresponding IP address and user identifier may be considered personal data.

Purposes & legal bases

Each category of data is processed for one or more specific purposes, on the legal basis indicated below:

Providing the Service — performance of a contract (GDPR art. 6(1)(b)). Account creation, authentication, Workspace administration, billing, transactional emails and support.
Keeping the Service secure — legitimate interests (GDPR art. 6(1)(f)). Detecting and preventing abuse, fraud, brute-force attacks and unauthorised access; logging administrative actions for audit purposes. Our legitimate interest is the protection of the Service, of our customers and of ourselves.
Improving the Service — legitimate interests (GDPR art. 6(1)(f)). Aggregated analytics of how users navigate the marketing site and the application, performance measurement, A/B testing of marketing pages. Our legitimate interest is to understand how the Service is used so that we can make it better.
Marketing — consent or legitimate interests, depending on jurisdiction and channel. Sending newsletters, product updates and event invitations to addresses for which we have a lawful basis. You can unsubscribe at any time using the link at the bottom of each marketing email.
Complying with legal obligations — GDPR art. 6(1)(c). Issuing and retaining invoices, responding to lawful requests from public authorities, fulfilling accounting and tax obligations.

Retention

We retain personal data only for as long as it is necessary for the purposes set out above:

Account data: for the duration of the account, plus a short cool-down period (typically 30 days) after deletion to allow recovery from accidental closure.
Workspace audit logs: for the duration of the Workspace, plus the legally-required retention period for evidentiary purposes.
Billing records: for the duration required by French and European accounting and tax law — typically 10 years.
Authentication logs: for up to 12 months after the event, in line with CNIL guidance.
Support exchanges: for up to 3 years after the last contact.
Marketing data and consent records: for up to 3 years after the last interaction or until you withdraw consent, whichever comes first.

After these periods, personal data is either deleted or anonymised. Anonymised data may be retained for statistical purposes and can no longer be traced back to you.

Recipients & sub-processors

We share personal data only with the parties that need it to deliver the Service or that we are legally required to share it with. The main categories of recipient are:

employees and contractors of Owlogs bound by confidentiality obligations and granted access on a strict need-to-know basis;
infrastructure providers that host the Service (see our Imprint for the list of hosting providers and our Sub-processors page for the full list);
service providers acting as our processors for narrow purposes (payment processing, email delivery, customer support tooling, AI-assisted features when enabled);
public authorities, courts and law-enforcement bodies, where we are legally compelled to disclose information;
a successor entity in the context of a merger, acquisition or sale of all or part of the company, subject to equivalent protection of your data.

We never sell personal data and we do not share it for the purpose of third-party advertising or profiling.

International transfers

Our primary infrastructure is hosted within the European Union. Some of our sub-processors (in particular for email delivery and AI-assisted features) may process personal data outside the European Economic Area, in countries that do not benefit from a European Commission adequacy decision. In those cases, we rely on appropriate safeguards, primarily the Standard Contractual Clauses adopted by the European Commission (Decision 2021/914) and, where relevant, supplementary technical measures such as encryption in transit and at rest.

You can request a copy of these safeguards by writing to privacy@owlogs.io.

Security

We apply technical and organisational measures designed to protect personal data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure or access. These include encryption of data in transit and at rest, network segmentation, principle-of-least-privilege access controls with audit logging, regular backups, multi-factor authentication for administrative access, secure software development practices, vulnerability monitoring, and incident-response procedures.

Despite our efforts, no security measure is perfect. If we become aware of a personal-data breach that is likely to result in a risk to your rights and freedoms, we will notify the competent supervisory authority within 72 hours, and we will notify you when required by law and feasible to do so.

Your rights

Under European data-protection law you have the following rights with respect to your personal data:

Right of access — obtain confirmation that we process your data and a copy of it.
Right of rectification — have inaccurate or incomplete data corrected.
Right of erasure (“right to be forgotten”) — have your data deleted in the cases listed in GDPR art. 17.
Right to restriction of processing — in the cases listed in GDPR art. 18.
Right to data portability — receive the personal data you have provided to us in a structured, commonly-used machine-readable format and transmit it to another controller.
Right to object — object, on grounds relating to your particular situation, to processing based on our legitimate interests; you may also object at any time to direct-marketing processing.
Right to withdraw consent — where processing is based on consent, withdraw that consent at any time, without affecting the lawfulness of processing based on consent before its withdrawal.
Post-mortem instructions — under article 85 of the French “Loi Informatique et Libertés”, you may give general or specific instructions about the fate of your personal data after death.
Right to lodge a complaint — with a data-protection supervisory authority, in particular the French CNIL (Commission Nationale de l’Informatique et des Libertés, 3 place de Fontenoy, TSA 80715, 75334 Paris CEDEX 07, www.cnil.fr).

How to exercise your rights

To exercise any of these rights, write to privacy@owlogs.io from the email address associated with your account or provide enough information to allow us to verify your identity. We will respond within one month of receiving your request, with a possible extension of two months for complex requests, in which case we will inform you within the first month.

Exercising your rights is free of charge, unless your request is manifestly unfounded or excessive, in which case we may charge a reasonable fee or refuse to act on the request.

Cookies & trackers

Detailed information about the cookies and similar trackers used on our website, including the consent mechanism and how to withdraw your choice, is provided in our Cookie Policy.

Children

The Service is intended for use by professionals and is not directed at children. We do not knowingly collect personal data from anyone under the age of 16. If you believe that we have collected such data, please contact privacy@owlogs.io so we can remove it.

Automated decision-making

We do not subject you to decisions based solely on automated processing, including profiling, that produce legal effects concerning you or similarly significantly affect you, except where such processing is necessary for entering into or performing a contract with us, is authorised by applicable law, or is based on your explicit consent. Should we introduce such processing in the future, we will update this policy and inform affected individuals of the logic involved, the significance and the envisaged consequences.

Changes to this policy

We may update this Privacy Policy from time to time. When we make a material change, we will notify you in advance through the Service or by email and will update the “Effective date” at the top of this page. Continued use of the Service after a change becomes effective constitutes acknowledgement of the updated policy.

Contact & complaints

For any question about this Privacy Policy or about how we handle personal data, write to privacy@owlogs.io. You also have the right to lodge a complaint with a competent supervisory authority — in France, the CNIL.

Owlogs (SAS) France Privacy: privacy@owlogs.io Legal: legal@owlogs.io

Other legal documents: Terms of Use Privacy Policy Cookies DPA Sub-processors Imprint