Privacy Policy
Last updated: May 8, 2026
Oka is the institutional knowledge layer for AI-assisted software development. We take privacy seriously because the data we hold (reasoning events, learnings, code-related context) is the data that makes you and your team effective. This policy explains what we collect, why we collect it, who we share it with, and the rights you have over it.
1. Who we are
Oka is operated by CompanyWorks, LLC (doing business as The Company Works), a Delaware limited liability company registered in the United States. References to "we", "us", or "Oka" in this policy refer to CompanyWorks, LLC as the data controller for personal data processed through oka.so and its subdomains (id.oka.so, app.oka.so, api.oka.so, reason.oka.so, hi.oka.so).
For any privacy-related question, contact us at privacy@oka.so.
2. What we collect
2.1 Account data
- Email address, the primary identifier for your account.
- Authentication data, provided by your sign-in method. We support Google sign-in (via OAuth) and passkeys (WebAuthn). When you use Google, we receive your name, email, email-verified flag, profile picture, and a unique Google user identifier. We never see your Google password.
- Session tokens, short-lived access tokens and longer-lived refresh tokens stored in cookies on the .oka.so domain. The refresh token is stored as HttpOnly so JavaScript cannot read it.
2.2 Product data, your reasoning graph
The core of Oka is a knowledge graph built from observations made by your AI coding agents. Depending on the tools you use, this includes:
- Reasoning events: short text snippets describing decisions, explorations, deviations, and completions captured by MCP tools during agent sessions.
- Code-related context: file paths, repository names, commit hashes, and tags you (or your agents) attach to events.
- Distilled learnings: summaries, confidence scores, evidence counts and relationships derived by our consolidation engine.
- Vector embeddings of the above, used to power semantic search.
Reasoning data is scoped to your account or organisation and is never shared across tenants.
2.3 Operational data
- Server logs: request method, path, status code, user-agent, IP address, latency, and request identifiers. Retained for up to 30 days for security and reliability.
- Usage telemetry: counts of events ingested, consolidation runs executed, tokens consumed by language models, and approximate cost. Used for billing, capacity planning, and abuse prevention.
- Error reports: stack traces and metadata when something goes wrong, with personal data redacted where possible.
2.4 What we do not collect
- We do not collect or sell behavioural advertising data.
- We do not run third-party trackers or analytics pixels on authenticated pages.
- We do not access source code from your repositories unless you (or an agent acting on your behalf) explicitly send it to us through the API.
3. Why we use it (legal bases)
Under the GDPR, we rely on the following legal bases:
- Contract (Art. 6(1)(b)), to provide the service you signed up for, including authentication, storing your reasoning data, and running consolidation.
- Legitimate interests (Art. 6(1)(f)), for security monitoring, fraud and abuse prevention, and improving the product. These uses are limited and balanced against your rights.
- Legal obligation (Art. 6(1)(c)), when we must retain or disclose data to comply with applicable law.
- Consent (Art. 6(1)(a)), for any processing not covered above. You can withdraw consent at any time.
4. AI processing
Oka uses large language models to consolidate raw reasoning events into structured learnings. When a consolidation run executes, the relevant events from your tenant are sent to a language model provider for distillation and returned to our database.
- Provider: OpenRouter (proxying to model vendors such as Minimax). We may add or change providers over time and will update this list.
- Data sent: your reasoning events plus a small amount of metadata required for prompting.
- Training: we do not consent to your data being used by providers to train their models. We use API endpoints and contracts that explicitly exclude training where available.
5. Sub-processors
We rely on the following sub-processors to deliver the service. Each is bound by appropriate data processing terms.
- Supabase, managed authentication (EU region).
- Neon, Postgres database hosting (EU region).
- Cloudflare, DNS, edge hosting, Pages, Workers, Durable Objects (global).
- Fly.io, application runtime (EU region: lhr, cdg).
- Google Cloud, auxiliary infrastructure (Terraform state, OAuth identity).
- OpenRouter and the underlying model vendors, language-model inference for consolidation and embedding.
- Resend, transactional email.
6. International transfers
Where data is transferred outside the European Economic Area (for example, when calling US-based language model APIs), we rely on Standard Contractual Clauses approved by the European Commission and equivalent safeguards. We minimise the scope of data sent in each transfer.
7. Retention
- Account data: kept for as long as your account is active and for a short grace period after deletion to allow recovery.
- Reasoning data: kept indefinitely while your account is active because that is the product's value proposition. You can delete individual learnings, repositories, or your entire tenant at any time.
- Server logs: rolling 30-day retention.
- Backups: encrypted and overwritten on a rolling basis (typically within 30 days).
8. Your rights
If you are in the EEA, the UK, or a jurisdiction with similar rights, you have the right to:
- access the personal data we hold about you;
- correct inaccurate data;
- delete your data ("right to be forgotten");
- restrict or object to certain processing;
- port your data in a structured, machine-readable format;
- lodge a complaint with your local data protection authority. For users in the EEA, you can find your authority via the European Data Protection Board (edpb.europa.eu). For users in the United States, see the FTC at ftc.gov.
Most of these are available self-service through your account settings. For anything else, email privacy@oka.so and we will respond within 30 days.
9. Security
We use TLS for all network traffic, scope access tokens narrowly, isolate tenants at the database row level, store secrets in managed secret stores, and run least-privilege service accounts. No system is perfectly secure, but we treat security as part of the product and not an afterthought.
10. Cookies
We use a small number of strictly necessary cookies for authentication (__session, __refresh) and UI preferences (e.g. theme). We do not use advertising or third-party tracking cookies.
11. Children
Oka is not directed to children under 16. If you believe a child has provided us with personal data, contact us and we will delete it.
12. Changes to this policy
We may update this policy from time to time. Material changes will be announced via email or an in-product notice at least 30 days before they take effect. The "Last updated" date at the top of this page always reflects the current version.
13. Contact
CompanyWorks, LLC
1111B S Governors Ave STE 23971
Dover, DE 19904, United States
privacy@oka.so