Privacy Policy

Effective Date: October 24, 2025 · Controller: Oak Security GmbH, Leopoldstr. 31, 80802 Munich, Germany · Email: info@oaksecurity.io · DPO: Not appointed.

Oak Security GmbH (“Oak Security,” “we,” “us,” or “our”) respects your privacy and is committed to protecting your personal data. This Privacy Notice explains how we collect, use, disclose, and safeguard personal data when you use our website, contact us, request a quote, or schedule a meeting via our website. This Privacy Notice applies globally to all users, and we comply with the EU General Data Protection Regulation (GDPR), the UK GDPR, the California Consumer Privacy Act (CCPA/CPRA), and other applicable privacy laws.

Personal Data We Collect

When you voluntarily submit information via our contact form or meeting scheduling tool, we may collect:

  • First and last name
  • Email address
  • Project name, URL, and related project details
  • Message or description of your inquiry
  • Company or entity name and signer (if requesting an NDA)
  • Meeting date, time, and notes you provide (if scheduling a meeting)

We do not intentionally collect sensitive personal data. Providing personal data is voluntary, but necessary to respond to your inquiry.

How We Collect Personal Data

  • Directly from you when you complete the contact form, email us, or schedule a meeting.
  • Automatically through the technical systems used to host and transmit your request (Cloudflare, Resend, and Google Workspace).

We do not use any third-party analytics or marketing tracking tools unless you consent to them. If you accept analytics cookies in our consent banner, we use Microsoft Clarity to understand how visitors use the site (see "Cookies and Tracking Technologies" below). If you decline, or take no action, no analytics or tracking runs.

Purposes of Processing and Legal Basis

  • To respond to your inquiry, provide a quote, and communicate about your project — legal basis: Art. 6(1)(b) GDPR (pre-contract/contract) or your consent under Art. 6(1)(a).
  • To schedule and conduct a meeting at your request, and to prepare and execute a Non-Disclosure Agreement (NDA), if requested — legal basis: Art. 6(1)(b) GDPR.
  • To maintain business records, improve support quality, and defend legal claims — legal basis: Art. 6(1)(f) GDPR (legitimate interests). A balancing test is available on request.
  • To comply with legal obligations (e.g., tax, commercial retention) — legal basis: Art. 6(1)(c) GDPR.
  • To measure and improve how the website is used through Microsoft Clarity — legal basis: your consent under Art. 6(1)(a) GDPR. We only set these cookies and run this analytics after you accept them, and you can withdraw consent at any time.

Where processing is based on consent, you may withdraw that consent at any time without affecting the lawfulness of prior processing.

Data Sharing and Processors

We do not sell personal data. We share personal data only as needed with:

  • Cloudflare, Inc. (website hosting/platform): hosts the site and processes form submissions.
  • Resend, Inc. (transactional email): transmits contact form submissions to us by email.
  • Microsoft Corporation (Microsoft Clarity): provides usage analytics and session insights, only if you have given consent. Clarity processes interaction data such as page views, clicks, scrolling, and a pseudonymized device identifier.
  • Google LLC (Google Workspace/Calendar): receives contact emails and processes meeting scheduling data.
  • Professional advisers (e.g., legal counsel), courts, regulators, or authorities where necessary to establish, exercise, or defend legal claims or comply with law.

All processors act on our documented instructions under a data processing agreement and implement appropriate security.

International Data Transfers

Personal data may be processed outside the EEA/UK by our providers (e.g., Cloudflare, Resend, Microsoft, Google). Transfers are safeguarded by the European Commission Standard Contractual Clauses and, where applicable, participation in the EU-US Data Privacy Framework and additional technical and organizational measures. Cloudflare may host certain website content through globally distributed infrastructure.

Data Retention

  • For the duration of active communication and up to twelve (12) months thereafter.
  • If a contractual relationship is established, data may be retained longer in accordance with statutory retention obligations.
  • Emails and communication records may be retained to establish, exercise, or defend legal claims.

You may request earlier deletion unless retention is legally required.

Security Measures

We apply appropriate technical and organizational security measures to protect your personal data, including encrypted transmission (TLS), restricted internal access, and secure hosting.

Your Rights (EU/UK)

You have the right to access, rectify, and erase your personal data, to restrict or object to its processing (including processing based on legitimate interests), to data portability, and to withdraw consent where applicable. Contact: info@oaksecurity.io. You also have the right to lodge a complaint with a supervisory authority.

  • EU (Germany): Bayerisches Landesamt für Datenschutzaufsicht (BayLDA), Promenade 27, 91522 Ansbach, Germany.
  • UK: Information Commissioner's Office (ICO), ico.org.uk.

Your Rights (California Residents)

  • Notice at Collection — categories we collect: identifiers (name, email), commercial information (project details you submit), internet/technical information limited to essential operation (strictly necessary cookies), professional or employment-related information you include (e.g., company).
  • Sources: directly from you; our service providers (Cloudflare/Resend/Google) for transmission and hosting.
  • Purposes: to respond to your request, schedule meetings, perform record-keeping and compliance.
  • Retention: identifiers and project/scheduling data for active communication plus 12 months, or longer if required by law or contract.
  • Sale/Sharing: we do not sell or share personal information as defined by CPRA, and we do not use or disclose sensitive personal information.
  • Rights: access, deletion, correction, to know, and to non-discrimination. Submit requests to info@oaksecurity.io.
  • Verification/Authorized Agents: we will verify your request (e.g., by matching email identity) and accept authorized-agent requests with proof of authorization.
  • Minors: we do not knowingly sell or share data of consumers under 16.

Cookies and Tracking Technologies

Our site uses strictly necessary technical cookies required for secure operation. These are essential, set without consent, and not used to track behavior.

We also offer optional analytics through Microsoft Clarity. These cookies (for example _clck and _clsk) and the associated session analytics are set only after you accept them in our consent banner. They help us see which pages are used, where people get stuck, and how to improve the site. We do not use advertising or marketing cookies of any kind.

You can change your choice at any time using the "Cookie preferences" link in the footer. Declining, or taking no action, means Clarity never loads. For more on how Microsoft processes this data, see the Microsoft Privacy Statement.

Meeting Scheduling via Google Calendar

If you choose to schedule a meeting, your name, email, meeting time, and any notes will be processed by Google Calendar in accordance with Google's Privacy Policy. Oak Security only receives the information necessary to conduct the meeting.

Children's Data

Our services are not directed to children, and we do not knowingly collect personal data from children.

Required or Optional Data

Providing contact and project details is optional but necessary for us to respond, provide a quote, or schedule a meeting. If you do not provide it, we may be unable to process your request.

No Automated Decision-Making

We do not use automated decision-making or profiling.

Right to Lodge a Complaint

You have the right to lodge a complaint with a supervisory authority. Our competent authority is: Bayerisches Landesamt für Datenschutzaufsicht (BayLDA), Promenade 27, 91522 Ansbach, Germany.

Contact Information

Leopoldstr. 31, 80802 Munich, Germany · Email: info@oaksecurity.io

Changes to This Privacy Notice

We may update this Privacy Notice from time to time. The effective date at the top will be updated accordingly. Continued use of our website after any changes indicates your acceptance of the updated terms.
