Privacy Policy

Last updated: 11 November 2025

1. Introduction

Out of Band AS (Org.Number: 935632765) ("Out of Band", "we", "our", or "us") operates the Out of Band web and mobile applications (collectively, the "Service").

This Privacy Policy explains how we collect, use, share, and safeguard information in connection with your use of the Service.

By using the Service, you acknowledge that you have read and understood this Privacy Policy. If you do not agree, please discontinue use of the Service.

Depending on the context, Out of Band may act as either a data controller (for our own operations and marketing) or a data processor (when providing the Service to enterprise customers).

2. Information We Collect

2.1 Personal Information

We collect limited personal information that you provide when creating an account or using the Service, such as:

  • Name and contact information
  • Account credentials
  • Profile details (e.g., role, team assignment)

When the Service is used by clients, Out of Band primarily processes system metadata (e.g., event timestamps, user identifiers, connection logs) required for synchronization and communication. We do not permanently store customer content or incident data after synchronization is complete.

2.2 Automatically Collected Information

We automatically collect certain technical information to ensure functionality and security, including:

  • Device and browser information
  • Usage statistics and interaction logs
  • IP address and session timestamps
  • Location (if permitted by device settings)
  • Notification tokens

3. How We Use Information

We use collected information to:

  • Provide, operate, and maintain the Service
  • Enable incident communication and coordination
  • Ensure performance, reliability, and security
  • Improve features and user experience
  • Comply with applicable laws and regulations
  • Communicate with you about your account or service updates

4. Data Sharing and Sub-Processors

We use a limited number of trusted sub-processors who perform technical and operational functions on our behalf. Each is bound by written data processing agreements ensuring compliance with the EU General Data Protection Regulation (GDPR).

Service Provider | Purpose | Data Location | Data Types / Notes
Stream (GetStream) | Communications and secure chat functionality | European Union (Ireland) | Communication content, user identifiers, metadata
Google Cloud Platform | Cloud infrastructure, data processing, and API services | EU | Basic user data, incident data, operational data
Google Firebase Messaging | Push notifications | As per Google's data center locations as notification delivery is a global service | Device tokens, notification content
Google Vertex AI | AI features | EU | Google does not use customer data to train or improve models; no data retention by AI system [1]
HubSpot | Customer relationship management (CRM) | EU | Contact information
Slack | Internal communications | EU | Internal communication
Microsoft Entra ID (Azure AD) | Enterprise identity and access management through our multi-tenant application | EU | User identities
Sentry | Application error tracking and performance monitoring | EU | Error logs
Cloudflare | DDoS protection / Proxy DNS | Global network | IP addresses, DNS queries

Note: We may engage additional service providers as needed to enhance our Service. Any new providers will be subject to the same privacy and security standards outlined in this policy.

5. AI-Powered Features

Out of Band uses Google Cloud's Vertex AI platform (see Section 4: Data Sharing and Sub-Processors for details) to provide AI-assisted incident summarization. This feature helps teams quickly understand incident context by automatically generating concise summaries from incident logs.

How It Works

When an incident summary is requested, relevant incident log data is transmitted to Vertex AI (hosted in the EU region: europe-west4) where Google's Gemini model generates a natural language summary. The summary is returned and stored in your incident record. No training, fine-tuning, or long-term retention of your data occurs within the AI model.

Data Protection

  • We use paid, enterprise-grade Vertex AI services under Google's Gemini API Additional Terms, which prohibit Google from using customer data to train or improve models
  • All processing occurs within Google Cloud's EU infrastructure with encryption in transit and at rest
  • Data is used solely for real-time inference—summaries are generated on-demand and inputs are not retained by the model
  • Model caching features are disabled to ensure zero data retention by the AI system
  • Access is restricted to authorized operations only, with full audit logging

This AI feature is designed to minimize risk while providing valuable incident management capabilities, fully aligned with GDPR and our broader data protection standards.

6. Data Security

We apply appropriate technical and organizational measures to protect information, including:

  • Encryption in transit and at rest
  • Access control and multi-factor authentication
  • Secure hosting within our preferred certified infrastructure
  • Regular vulnerability assessments and monitoring

While advanced safeguards are in place, no system can be made completely secure.

7. Data Retention

Information is retained only as long as necessary to deliver the Service or fulfill contractual and legal obligations.

Transient synchronization data and metadata are automatically deleted or anonymized once no longer required for operational purposes.

8. Your Rights

Depending on your jurisdiction, you may have the right to:

  • Access, correct, or delete your personal information
  • Restrict or object to processing
  • Request data portability
  • Withdraw consent (where applicable)

To exercise your rights, contact us using the details below.

9. International Data Transfers

Where data is transferred outside the European Economic Area (EEA), such transfers are conducted in accordance with GDPR Articles 46–49, including use of the EU Standard Contractual Clauses (SCCs) and other appropriate safeguards.

10. Children's Privacy

Our Service is not directed at children under the age of 13 (or applicable local minimum). We do not knowingly collect data from such individuals.

11. Updates to This Policy

We may update this Privacy Policy periodically. The revised version will be posted on our website with a new "Last updated" date.

12. Legal Basis for Processing (EU Users)

For users within the EU/EEA, processing of personal data is based on one or more of the following:

  • Performance of a contract
  • Compliance with legal obligations
  • Legitimate interests pursued by Out of Band
  • Consent (where applicable)

13. Contact Us

Out of Band AS
Org.Number: 935632765
Norway

For privacy-related inquiries, please contact us through our official support channels within the application or at contact@outofband.app