Privacy Policy

Last updated: March 2026

1. Data Controller

OCENOX LTD
82 The Circle, Manly
Whangaparāoa, 0930, New Zealand
Email: webmaster@ocenox.com

ONOXIA is a SaaS product of OCENOX LTD. This privacy policy explains how we process personal data on the platform onoxia.nz and through the ONOXIA chat widget.

2. Applicable Data Protection Law

For visitors and customers from the EU/EEA, the provisions of the General Data Protection Regulation (GDPR) apply. For all others, the provisions of the New Zealand Privacy Act 2020 apply.

3. Cookies

ONOXIA uses no tracking, advertising, or analytics cookies. There is no Google Analytics and no cookie consent banner, as no consent-required cookies are set.

The chat widget (embedded on customer websites) sets no cookies. It exclusively uses sessionStorage in the visitor's browser to temporarily store the current chat session (session ID and message history). sessionStorage is scoped to the individual browser tab: the data is not transmitted to our or any other servers, is not accessible to other tabs or websites, and is automatically deleted when the tab is closed. Unlike cookies, sessionStorage data is not sent with HTTP requests.

The dashboard (onoxia.nz/app) sets the following technically necessary cookies for logged-in customers:

| Cookie | Purpose | Duration | Type |
|---|---|---|---|
| onoxia_session | Session management for login | Session (2 hrs) | Strictly necessary |
| XSRF-TOKEN | CSRF protection against form attacks | Session (2 hrs) | Strictly necessary |

These cookies are permitted without consent under Art. 6(1)(f) GDPR, as they are strictly necessary for the operation of the service.

The language preference on the landing page is stored using localStorage. This data does not leave the browser and is not transmitted to our servers.

4. Data Collected When Using the Website

4.1 Server Log Files

When visiting our website, the web server automatically stores information in server log files:

  • Anonymised IP address (hashed, non-reversible)
  • Date and time of the request
  • Requested URL
  • Referrer URL
  • Browser and operating system used

IP anonymisation: IP addresses are anonymised using cryptographic hashing before storage. Reversal to the original IP address is not possible.

Legal basis: Art. 6(1)(f) GDPR (legitimate interest in the security and operation of the website).

4.2 Contact via Email

If you contact us by email, your details will be stored for the purpose of processing the enquiry and in case of follow-up questions. Legal basis: Art. 6(1)(b) GDPR (pre-contractual measures) or Art. 6(1)(f) GDPR (legitimate interest).

5. Data Collected During Registration (SaaS Platform)

When registering as a customer on onoxia.nz, we collect:

  • Company name and contact person
  • Email address
  • Billing address
  • Payment information (processed by Stripe and/or Xero, not stored on our servers)

Legal basis: Art. 6(1)(b) GDPR (performance of a contract).

5.1 Payment Processing

Depending on your region and currency, we use different payment service providers:

  • Stripe (Stripe, Inc., USA) — Credit card, Apple Pay, Google Pay for EUR and NZD customers. Credit card data is processed exclusively by Stripe and is never stored on our servers.
  • GoCardless (GoCardless Ltd, London, UK) — SEPA Direct Debit for EUR customers.
  • Xero (Xero Limited, New Zealand) — Invoicing for EUR and NZD customers.
  • Paddle (Paddle.com Market Ltd, London, UK) — Payment processing for all other currencies (USD etc.). Paddle acts as Merchant of Record and is the contractual partner for payment processing. Paddle collects and processes payment data in its own right. The Paddle Privacy Policy and Paddle Terms of Use apply additionally. For questions about Paddle payments, please contact Paddle Buyer Support.

6. Data in the Chat Widget

The ONOXIA chat widget is embedded by our customers on their websites. When end users interact with the widget, the following data is processed:

6.1 Data Collected

  • Chat messages: Text messages sent by the end user to the bot
  • Session ID: A randomly generated ID to associate the chat session (no cross-session tracking)
  • IP address: Immediately anonymised via cryptographic hashing; the original IP is not stored
  • Browser information: User agent string for technical compatibility

6.2 Data Not Collected

  • No cookies
  • No fingerprinting
  • No cross-session tracking
  • No location data

6.3 AI Processing

Chat messages are transmitted to AI interfaces for generating responses. Depending on configuration and language pair, the following providers may be used:

  • Mistral AI (Mistral AI SAS, Paris, France) — European AI provider, processing within the EU.
  • OpenRouter (OpenRouter, Inc., USA) — AI model router for models such as Qwen and Gemini. Data may be transferred to the USA; OpenRouter maintains appropriate safeguards pursuant to Art. 46 GDPR (EU Standard Contractual Clauses).

The AI provider is selected automatically based on the configured language and model. The website operator can view the model selection in the dashboard.

Legal basis: Art. 6(1)(f) GDPR (legitimate interest of our customers in automated customer service).

6.4 Data Processing Agreement

OCENOX LTD acts as a data processor on behalf of the customers (website operators) who deploy the ONOXIA widget. The website operators are the data controllers for the processing of end-user data.

7. Server Location and Data Transfers

Our servers are located in Finland (EU). AI processing is primarily carried out by Mistral AI in France (EU).

Data transfers outside the EU/EEA:

  • Stripe (USA) — Billing data for credit card payments. Safeguards pursuant to Art. 46 GDPR (EU Standard Contractual Clauses).
  • OpenRouter (USA) — Chat messages for AI processing, where a non-European model is configured. Safeguards pursuant to Art. 46 GDPR (EU Standard Contractual Clauses).
  • Paddle (UK) — Payment data for non-EUR/NZD customers. The United Kingdom benefits from an EU adequacy decision.
  • GoCardless (UK) — SEPA Direct Debit data. EU adequacy decision.
  • Xero (New Zealand) — Billing data. New Zealand benefits from an EU adequacy decision.
  • Kie.ai (USA) — Avatar image generation. Only text prompts are transmitted; no personal data is involved.

8. Data Retention

| Data Type | Retention Period |
|---|---|
| Chat messages | Configurable per plan (default: 90 days) |
| Session data | Configurable per plan (default: 90 days) |
| Server log files | 14 days |
| Customer account data | Duration of business relationship + statutory retention periods |
| Billing data | 7 years (statutory retention requirement) |

Automatic deletion of expired data is performed daily by our system.

9. Your Rights (GDPR)

As a data subject, you have the following rights:

  • Access (Art. 15 GDPR) — Information about what data we hold about you
  • Rectification (Art. 16 GDPR) — Correction of inaccurate data
  • Erasure (Art. 17 GDPR) — Deletion of your data
  • Restriction (Art. 18 GDPR) — Restriction of processing
  • Data portability (Art. 20 GDPR) — Receive your data in a machine-readable format
  • Objection (Art. 21 GDPR) — Object to processing

To exercise your rights, please contact us at webmaster@ocenox.com.

You also have the right to lodge a complaint with a supervisory authority.

10. Third-Party Services

| Service | Provider | Purpose | Location |
|---|---|---|---|
| Mistral AI | Mistral AI SAS, Paris | AI chatbot responses | France (EU) |
| OpenRouter | OpenRouter, Inc. | AI model routing (Qwen, Gemini etc.) | USA (EU-SCC) |
| Kie.ai | Kie AI, Inc. | Avatar image generation | USA |
| Stripe | Stripe, Inc. | Credit card payments (EUR, NZD) | USA (EU-SCC) |
| GoCardless | GoCardless Ltd | SEPA Direct Debit (EUR) | UK (adequacy decision) |
| Paddle | Paddle.com Market Ltd | Payment processing (Merchant of Record, USD etc.) | UK (adequacy decision) |
| Xero | Xero Limited | Invoicing (EUR, NZD) | New Zealand (adequacy decision) |
| Google Fonts | Google LLC | Font (Montserrat) | CDN (EU-SCC) |

11. Changes

We reserve the right to update this privacy policy to reflect changes in the law or modifications to our service. The current version is always available on this page.

A product of

OCENOX LTD – Software Company Auckland, New Zealand

© 2026 OCENOX LTD. All rights reserved.