Log in
Sign Up Free

Privacy policy

How Owlie collects, uses, discloses, and safeguards personal data.

Last updated: February 13, 2026

This Privacy Policy describes how Owlie, LLC (“Owlie,” “Company,” “we,” “us,” or “our”) collects, uses, discloses, and safeguards personal data in connection with our websites and identity and access management software-as-a-service offerings (the “Services”). This Policy is intended to comply with applicable privacy laws, including:

  • GDPR and UK GDPR
  • Swiss DPA
  • CCPA/CPRA
  • Other U.S. state privacy laws

This Privacy Policy works together with the Master Subscription Agreement (Terms of Service), Data Processing Addendum (“DPA”), Acceptable Use Policy, and Security Addendum.

1. Scope and Roles

This Privacy Policy applies to:

  • Visitors to our websites (“Website Users”)
  • Users who access the Services (“End Users”)
  • Representatives of customers, vendors, or partners (“Business Contacts”)

Owlie acts in different roles depending on the context:

Owlie as Processor (Service Provider)

We process Customer Content (identity data, access data, logs, directory sync data) strictly on behalf of customers and according to the Agreement and DPA.

Owlie as Controller

We process data as a controller for our own business operations, such as:

  • Account administration
  • Billing and subscription management
  • Security and platform monitoring
  • Website analytics
  • Marketing communications

2. Information We Collect

2.1 Information Provided Directly

We may collect personal data that you or our customers provide, including:

  • Contact details (name, email, phone, job role, company)
  • Account registration information
  • Authentication and login elements (usernames, keys, MFA factors—never plaintext passwords)
  • Configuration, policy, and workflow settings within the Services
  • Communications with support or customer success teams

2.2 Information Collected Automatically

When you access our websites or Services, we may automatically collect:

  • IP addresses and geolocation approximations
  • Device identifiers, browser type, operating system
  • Access logs and authentication events
  • API usage and performance telemetry
  • System activity metadata

2.3 Customer Content

Customers may upload or sync:

  • Employee or contractor identity data
  • Role assignments and access permissions
  • HR or directory data fields
  • Identity lifecycle events and logs

We process Customer Content only in accordance with the Agreement and DPA.

2.4 Cookies and Tracking Technologies

We may use:

  • Essential operational cookies
  • Analytics tools (e.g., pseudonymized usage metrics)
  • Error monitoring and performance telemetry

We do not use tracking for cross-site advertising.

3. How We Use Personal Data

We use data for the following purposes:

Service Delivery

  • Authentication and access control
  • Provisioning, deprovisioning, and identity lifecycle management
  • Generating security logs and audit trails

Security & Fraud Prevention

  • Detecting unauthorized access
  • Monitoring system performance and anomalies
  • Protecting against phishing, credential abuse, and fraud

Service Improvement

  • Telemetry to optimize platform stability
  • To provide customer support and technical assistance
  • To improve and develop our Services
  • Enhancing product features and user experience
  • AI/ML features to assist with automation and insights (not trained on Customer Content)

Administrative Purposes

  • Contract and billing management
  • Customer communications
  • Compliance and legal obligations

Owlie does not sell personal data and does not use Customer Content for targeted advertising.

Where applicable, Owlie processes personal data under the following legal bases:

  • Performance of a contract
  • Legitimate interests (security, fraud prevention, service improvement)
  • Compliance with legal obligations
  • Consent for optional marketing or analytics tools

5. Data Sharing and Disclosure

We may share data with:

Service Providers & Subprocessors

Cloud hosting, monitoring, analytics, messaging, support, and identity infrastructure providers. All subprocessors are bound by contractual confidentiality and data protection obligations.

Affiliates

Where necessary for operations or support.

Legal Requirements

Courts, regulators, or government authorities when required.

Business Transactions

In connection with mergers, acquisitions, or restructuring events with appropriate safeguards.

All service providers are bound by contractual obligations to protect personal data and use it only for authorized purposes.

We do not sell or share personal data for behavioral advertising.

6. Data Security

We implement appropriate technical and organizational measures designed to protect personal data, including:

  • Encryption in transit and at rest
  • Role-based access controls and MFA enforcement
  • Segregated environments
  • Vulnerability management and penetration testing
  • Logging and monitoring of privileged access

Details are provided in the Security Addendum.

7. Data Retention

We retain personal data for the duration of the applicable customer relationship and thereafter for legitimate business purposes, including service operation, account reactivation, security logging, auditability, dispute resolution, and legal compliance.

Customer Content is retained and deleted in accordance with the applicable agreement and Data Processing Addendum (DPA). Data is not automatically deleted upon contract termination.

8. International Data Transfers

Personal data may be transferred to and processed in countries other than your country of residence. Where data is transferred internationally, we use:

  • Standard Contractual Clauses
  • UK Addendum or IDTA
  • Other approved transfer mechanisms

We implement supplementary safeguards where required.

9. Your Privacy Rights

Depending on jurisdiction, you may have rights to:

  • Access your data
  • Correct inaccurate data
  • Delete data
  • Restrict or object to processing
  • Port your data
  • Opt out of “sharing” or targeted advertising
  • Appeal decisions in certain cases

Requests may require identity verification and customer authorization.

10. Children’s Privacy

The Services are not directed to children under 13 (or other age as required by law), and we do not knowingly collect personal data from children. Use by minors is prohibited.

11. Changes to This Privacy Policy

We may update this Policy from time to time.

Material changes will be communicated through the Services or via other appropriate means.

12. Contact Us

If you have questions about this Privacy Policy or our privacy practices, please contact:

Owlie, LLC Attn: Privacy Officer Email: legal@owlie.com