Privacy Policy
Last updated: March 2026
This policy explains how Oneway collects, uses, stores, and protects your data. We've written it clearly because we believe you should understand exactly what happens with your information.
Oneway operates as both a data controller (for your account information and our relationship with you) and a data processor (for the customer data you process through the platform — your customers' conversations, contacts, etc.).
1. What data we collect
Account information
When you create an account, we collect your name, email address, and password (stored as a salted hash — we never store plain-text passwords). If you subscribe to a paid plan, your payment information is processed by Stripe and is not stored on our servers.
Customer data you process through Oneway
This is data that belongs to you and your customers. It includes:
- Chat conversations between your customers and your team or AI agent
- Contact records (names, emails, custom fields, tags)
- Email campaign content and recipient data
- Help center articles and knowledge base content
- Feedback submissions and votes
- Form submissions
- Website content indexed by the knowledge crawler
You are the data controller for this information. We process it on your behalf to provide the service.
Usage data
We collect information about how you use Oneway, including pages visited within the app, features used, and general performance metrics. This helps us improve the service. We do not use third-party analytics tools — this data is collected internally.
Technical data
We automatically collect IP addresses, browser type, operating system, and device information when you access the service. This is used for security, fraud prevention, and troubleshooting.
Website crawler data
When you connect your website, we crawl and index publicly available pages you've selected. This content is stored as text chunks with vector embeddings so the AI agent can search it. We only index pages you explicitly include.
2. Why we collect it and our lawful basis
| Purpose | Data | Lawful basis (GDPR) |
|---|---|---|
| Providing the service | Account info, customer data | Contract performance |
| Processing payments | Billing information (via Stripe) | Contract performance |
| Sending transactional emails (password resets, billing receipts, system notifications) | Email address | Contract performance |
| Improving the service | Usage data, technical data | Legitimate interest |
| Security and fraud prevention | IP addresses, technical data | Legitimate interest |
| Customer support | Account info, conversation history | Legitimate interest |
| Optional marketing emails about Oneway | Email address | Consent (opt-in) |
We do not rely on consent for core service delivery. Consent is only used for optional marketing communications, which you can unsubscribe from at any time.
3. Sub-processors
We use the following third-party services to provide Oneway. We only share the minimum data necessary with each.
| Provider | Purpose | Location |
|---|---|---|
| Supabase | Database, authentication, real-time messaging, file storage | EU / US |
| Amazon Web Services (AWS SES) | Email delivery for campaigns and transactional emails | EU / US |
| Anthropic | AI chat agent, article generation, knowledge base intelligence | US |
| Together AI | Vector embeddings for knowledge search | US |
| Vercel | Website hosting and CDN | Global |
| Stripe | Payment processing | US / EU |
We will update this list if we add or change sub-processors and will notify affected customers in advance.
4. Data storage and security
- Your data is stored on Supabase infrastructure with encryption at rest and in transit (TLS 1.2+)
- All database connections use encrypted channels
- Access to production systems is restricted to essential personnel with role-based access controls
- We maintain regular encrypted backups
- Passwords are salted and hashed — never stored in plain text
- No Oneway employee accesses your customer conversation content unless you explicitly grant permission for support purposes
5. Data retention
- Active accounts: your data is retained for as long as your account is active
- Cancelled accounts: you can export your data for 30 days after cancellation. After 30 days, all data is permanently deleted from our systems and backups within a reasonable timeframe
- Technical logs: server logs containing IP addresses are retained for up to 90 days for security purposes, then automatically purged
6. AI and your data
This is important, so we're being explicit:
- We do NOT use your customer data to train our AI models. Your conversations, contacts, articles, and other content are never used to improve the underlying AI models provided by Anthropic or Together AI
- AI features process your data only within the context of your workspace to generate responses for your customers
- No data is shared between Oneway tenants. Your workspace is completely isolated
- When the AI agent answers a customer question, it searches only your knowledge base and your indexed website content — never another customer's data
7. International data transfers
Some of our sub-processors are based in the United States. When personal data is transferred from the UK or EU to the US, we rely on:
- Standard Contractual Clauses (SCCs) as approved by the European Commission
- Any applicable adequacy decisions
- Our sub-processors' own compliance frameworks (Stripe and AWS maintain their own SCCs; Supabase supports EU hosting)
8. Your rights
Under the GDPR (and UK GDPR), you have the following rights regarding your personal data:
- Right of access — request a copy of all personal data we hold about you
- Right of rectification — correct any inaccurate data (you can do this directly in the app for most data)
- Right of erasure — request deletion of your personal data (you can delete your account from settings, or contact us)
- Right to restrict processing — request that we limit how we use your data
- Right to data portability — receive your data in a standard, machine-readable format (data export is available in the app)
- Right to object — object to processing based on our legitimate interest
- Right to withdraw consent — for marketing communications, unsubscribe at any time
We respond to all rights requests within 7 days. The legal maximum under GDPR is 30 days.
You also have the right to lodge a complaint with the Information Commissioner's Office (ICO) in the UK, or the relevant supervisory authority in your EU member state.
9. Cookies
We use essential cookies only — for session authentication and user preferences. We do not use advertising, tracking, or third-party marketing cookies. For full details, see our Cookie Policy.
10. Children
Oneway is not directed at anyone under 16 years of age. We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, please contact us and we will delete it.
11. Changes to this policy
We may update this policy from time to time. For material changes, we will notify you by email at least 30 days before they take effect. The current version will always be available at this URL.