Oath Innovations Incorporated Website Privacy Policy
Last modified: 7/1/2024
Introduction
At Oath Innovations Incorporated (“Company”, “We”, “Us”, “Our”, etc.), We strive to be clear about what we’re doing with your data, whether that’s how we store it, where we get it from, what we need it for, and more. Privacy is about freedom of identity, and that’s why we want you (“You”, “Your”, etc.) to feel like you are making a clear decision if you consent to our privacy policy.
This privacy policy applies to our data collection practices when you visit or interact with https://oath.to (“Website”) or any of our properties, such as those managed through Apps created by Company, Discord, Facebook, Instagram, LinkedIn, Signal, Slack, Snapchat, Steam, Telegram, TikTok, Twitch, Twitter, WhatsApp, YouTube, PayPal, and Reddit. It covers Oath Innovations Incorporated and its employees’ handling of your data collected under the terms of this policy.
If we receive data from or about you from a different source, then it is not governed by this privacy policy unless we explicitly state otherwise. One example of a different source would be if you walked into our office and left your business card — we’d have information about you, but it wouldn’t be covered by this privacy policy. Another example would be if you had given your business card to your neighbor, and your neighbor gave us your business card because they thought it would be helpful — that also wouldn’t be covered by this privacy policy. This policy also doesn’t apply to any links to other websites. Links to other websites are governed by the privacy policies of those specific websites.
For the purposes of the General Data Protection Regulation (known as the “GDPR”), Oath Innovations Incorporated, located at support@oath.to, is a “Data Controller.” This means that we direct the flow of collected personal information, as opposed to being a “Data Processor,” which is a person or company that does things with and to the information.
What You Can Do to Let Us Know You Accept This Privacy Policy
We do our best to remind you that you are opting-in to specific types of data gathering and use when you are interacting with our site. This includes when we display a button requiring users to accept the Company terms before they can submit information.
Technology isn't perfect though, so those reminders might not always be there. That's why we ask you to please remember as you use the site, that when you provide any information to us, that information will be stored and used by us as described in this policy. Some information that we gather isn't as obvious though, like, for example, when we collect information using cookies. That's why it's important to remember that using our website means that you are opting-in to our use of cookies and other automatic tracking technologies. To learn more about what we collect, how we collect it, and why, keep reading!
Information We Collect About You
We use this section to explain our data collection practices to you. We combine the data we have about you together. For example, we might combine information about how long you were on our website with your username. Any information we combine will be treated as if it is all equally sensitive information, and we only collect information from you that allows us to make the site run smoothly and provide you with our services.
Personally Identifiable Information
Personally identifiable information is information that can identify you as a person — simple, right? Well, personally identifiable information can also be a combination of information that reveals who you are.
For example, if I know your birthday is on July 4, 1976, I can’t necessarily figure out who you are. However, if I know your birthday, where you went to college, whether you’re married or not, and maybe your zip code, then I probably know enough to figure out who you are if I really wanted to. So personally identifiable information can be either something very specific about you, like your full name, or it can be a combination of general details that let me narrow down the possibilities until I figure out that it can only be you.
We treat personally identifiable information with the utmost respect, and our security practices related to your privacy reflect that fact. More information can be found in the security section.
What
We purposefully seek the following personally identifiable information from you in a variety of circumstances: your full name, email address, date of birth, telephone number, Internet Protocol (IP) address, device IDs, and cookies.
When
We may seek personally identifiable information from you using a number of methods, including: registration forms, contact forms, social media integrations, screen recording, webpage heatmaps, cookies, UTM parameters, communication methods, such as chat, email, or phone widgets, from publicly available data, and from data aggregators.
Why
We may use personally identifiable information in the following ways: improving the website or services, delivering the product or service requested by users, and understanding who is using the website or services. Our primary use-cases for this information are to power application features, understand application errors, and improve the product quality and user experience.
We store any personally identifiable information that we’ve collected for an indefinite period of time.
Non-Identifiable Personal Information
Non-identifiable personal information is information that’s technically about you, but cannot be linked directly to you without being combined with personal information. For example, if I know that you use Google Chrome when you visit my site, I will never be able to figure out who you are without combining it with personally identifiable information — even if I know what search terms you typed in, what kind of computer you are using, and how long you use the site for every time you visit, I will not be able to figure out that the user is you without personally identifiable information.
What
We purposefully seek the following non-identifiable personal information from you in a variety of circumstances: country, state, city, zip code, and your partially or fully masked IP addresses.
When
We may request non-identifiable personal information from you in a variety of ways, including: registration forms, contact forms, social media integrations, screen recording, webpage heatmaps, cookies, UTM parameters, communication methods, such as chat, email, or phone widgets, from publicly available data, and from data aggregators.
Why
We may use non-identifiable personal information in the following ways: improving the website or services, delivering the product or service requested by users, and understanding who is using the website or services.
We store any non-identifiable personal information that we’ve collected for indefinite periods of time.
Sensitive Information
Sensitive information is the type of information that you might not necessarily want people to know, or at least, you would want to control who knows the information and how they come across it. An example of sensitive information could be your credit score or your social security number. As you can imagine, sensitive information should only be requested by a company if they really need the information to provide you with services.
We collect some sensitive information from you for various reasons and at various times, including driver’s license, mailing address, passport information, and home address. When we collect sensitive information, it's so we can improve the website or services, deliver the product or service requested by users, and understand who is using the website or services. We collect that information via registration forms, contact forms, social media integrations, screen recording, webpage heatmaps, cookies, UTM parameters, communication methods, such as chat, email, or phone widgets, from publicly available data, and from data aggregators. We retain your sensitive information for as long as is necessary to provide the services.
Biometric Information
Part of our user authentication process includes biometric facial scans to unify user accounts around a singular identity. The purpose of this step is to prevent users from creating accounts with false credentials and to ensure a stable reputation system. Without the biometric facial scans, malicious users would be able to create fresh accounts without any of their reputational history associated with them, thus allowing perpetrators of fraud to continue victimizing other users.
Privacy is our number one concern, and we make sincere efforts to protect the data in our care. Biometric data is encrypted and stored on our own secured servers and is not shared with anyone. In order to strike a balance between providing the service to our users and respecting their privacy wishes, we delete biometric data from our systems one year after users terminate their accounts. We keep such information for the stated length of time to deter bad actors from victimizing members of the Oath community.
About Automated Collection
Automated technologies help us make our website run more smoothly. Through the use of automated means, we are able to see which of our pages are most popular, how users find our website, what causes errors in the website, and a lot of other details which help us make the website the best it can be.
We may use a number of automation technologies, including cookies, flash cookies, web beacons, or others as they become available or necessary.
Cookies
Cookies are small text files that a website sends to your computer to try to make your experience online a smoother one. Cookies often contain very little data, such as a User ID or the last time you logged in to a particular site. When your computer connects to the website, the website might read the cookie to figure out whether you’re a returning customer, whether you’ve seen the most recent privacy policy update, or whether you need to be automatically logged out. As you can probably tell from those examples, cookies serve a variety of necessary functions. However, if you’d prefer, you can disable cookies. You can visit www.allaboutcookies.org for information about deleting and blocking cookies on your browser.
Please note that disabling and deleting cookies might make this website (and others) work improperly.
Flash Cookies
Flash cookies are functionally similar to regular cookies, but they are not subject to the same controls as regular cookies are. While you can follow the directions in the “Cookies” section to block most cookies, flash cookies require a different type of opt out. To learn how you can manage your Flash cookie settings, visit the Flash player settings page on Adobe's website.
Web Beacons
Web Beacons are tiny files that load when a user completes an action like visiting a particular webpage, or opening an email. Because the tiny file is loaded from a server, and the server can see that your computer is trying to open the page or email, the server can deduce that you have visited the page or viewed the email.
“Do Not Track”
“Do Not Track” signals are a brand new feature that some web browsers allow their users to send. The idea behind the “Do Not Track” signals is that all of the websites of various companies will come to an agreement about standardizing a way to not track people who visit their websites. That way, people who turn on “Do Not Track” will always know what parts of their privacy are protected without having to read every single privacy policy.
There is not yet an industry consensus on how to handle “Do Not Track” signals, so our website is not yet set up to handle them. In the future, this section will discuss how the “Do Not Track” signals are honored.
Who Else Sees Your Data
Most websites that collect user data have relationships with other companies or people that result in user data being shared with those companies or people. This section explains how those relationships work, and what our relationships with others look like when it comes to your data.
When we share your data with third parties, we restrict them from using that data other than to help us perform our services or obligations through this website.
Processors Who Help Us Run Our Site
Most businesses need others’ help to run properly (imagine using eBay without PayPal!). When a business hires another business or uses another business’s services, that other business is sometimes called a third party processor, or a subprocessor.
We try to keep this section up-to-date with who our subprocessors are, and what kinds of information they collect.
As of the date that these terms were last updated, we couldn't think of a single subprocessor that our company uses. Sometimes it's hard to recognize where there is a subprocessor, or it's hard to control who might be doing the subprocessing. An example of that is when you connect to a public WiFi hotspot, you might be connecting to the internet through a particular business, but how often do you know who their internet service provider is? That internet service provider is also seeing your data, but it's not so clear!
To the best of our knowledge, we do not currently have any subprocessors, and no subprocessors are seeing your information on our behalf. We will never sell or share your data without your explicit consent or permission. Information is shared on an as-needed basis. In the future, we may use a subprocessor to verify your identity to enhance our security measures. You will be notified if we ever intend to share data or add a subprocessor, and you will have time to determine if you would like to continue with our services or decline acceptance of our updated terms and terminate your account.
Third Parties We Share Information With
Businesses often have complicated relationships with other businesses. Some companies are owned by other companies, they work with companies that are owned by the same company, they engage in partnerships, and find a variety of ways to work together to bring services and products to the public.
We don't share any user information with third parties as of the date at the top of this policy. If we ever change that, we'll let you know and give you the option to approve this before we share your information. Your privacy is extremely important to us, and we will treat your data like we treat our own. We will NEVER share your data with third parties who are known to exploit you.
However, one thing to note - if we ever sell the company, part of the company, or any of the assets of the company, our users' data would probably be shared with the purchasing company or person. You will be given advance notice if we ever intend to sell the company, and you will have time to determine if you would like to continue with our services under the new owner or terminate your account.
We ask your permission before sharing information with third parties, other than anonymized or aggregate data, when we believe it is legally required of us due to court order or similar functions, or in some other specific cases mentioned in this policy.
Third Parties Who Share Information With Us
Some companies get information from third parties for a variety of reasons. One example might be if a website is trying to create a more personalized web browsing experience for their users. If a website knows the kind of content you like, and they’re able to share that information with another website, then that other website can also make sure to only show you content that you like. However, there can be any number of reasons why a website needs information from third parties, like for credit checks, allowing users to login through social media, or other reasons.
We get our information from our App Users, Discord, Facebook, Instagram, LinkedIn, Signal, Slack, Snapchat, Steam, Telegram, TikTok, Twitch, Twitter, WhatsApp, YouTube, PayPal, and Reddit.
Understanding our SMS Policies
This section of our privacy policy explains how we manage and use the information you provide when you sign up or log in via SMS, including your rights and obligations regarding our SMS services.
Consent to Receive SMS Messages
By entering your mobile number and opting in to receive SMS notifications from Us, you consent to receive SMS messages from us. This includes messages for account authentication, notifications, and other relevant service updates. Your consent to receive these messages is not a condition for any purchase. SMS notifications enhance the security of your account by providing an additional layer of protection through One-Time Passwords (OTPs), significantly reducing the risk of unauthorized access.
Message Frequency and Charges
Message frequency may vary based on your interaction with our services. Message and data rates may apply for any messages sent to you from us and to us from you, depending on your mobile service provider. For questions about your text or data plan, please contact your wireless provider. SMS notifications provide real-time updates and important information directly to your mobile device, ensuring you stay informed about any changes or activities related to your account.
Opting Out
You can cancel the SMS service at any time by texting "STOP" to the short code. After sending "STOP," you will receive a confirmation SMS, and you will no longer receive SMS messages from us. If you wish to resume the SMS service, you may sign up again as you did initially. This flexibility ensures that you only receive messages that are relevant and important to you.
Getting Help
If you experience issues with our messaging program, text "HELP" to the short code for assistance, or contact our support team directly at support@oath.to. Carriers are not liable for delayed or undelivered messages. With SMS, you have instant access to support and assistance whenever needed.
Texting Program Expectations
- Sign-Up Confirmation: Upon signing up or logging in via SMS, you will receive a confirmation message acknowledging your consent to receive further SMS notifications. This immediate confirmation helps you stay in control of your account.
- Notifications and OTPs: You will receive SMS messages for account verification, such as OTPs, and other important notifications related to your account activities. This method is faster and more reliable than waiting for email confirmations, especially when you need immediate access.
- User Control: You have control over your SMS subscription and can opt out anytime by following the provided instructions (see Opting Out).
- Data Privacy: Your data privacy is important to us. All collected information through the SMS service will be managed in accordance with our Privacy Policy. For more details, please refer to our Privacy Policy.
By using our SMS services, you agree to these terms and conditions. If you have any questions, please contact us at support@oath.to. We are committed to ensuring your SMS experience is secure and convenient.
Children Under the Age of Majority
Our Website is not intended for anyone under the age of majority in their respective jurisdiction, and in no case is our website to be used by anyone under 18 years of age. No one under the age of majority may provide any information to or on the Website. We do not knowingly collect personal information from those under the age of majority. If you are under the age of majority, do not use or provide any information on this Website or through any of its features, register on the Website, make any purchases through the Website, use any of the interactive or public comment features of this Website, or provide any information about yourself to us, including your name, address, telephone number, email address, or any screen name or user name you may use. If we learn we have collected or received personal information from a person under the age of majority, we will delete that information. If you believe we might have any information from or about a person under the age of majority, please contact us using the contact information at the bottom of this policy.
Security
We make efforts to provide security to our user data. It’s impossible to guarantee that data security will be 100% effective; that’s why you hear about hacks or viruses all the time now. Small companies, large companies, and even governments are sometimes the victims of cyber attacks. However, privacy and - by extension - security are top priorities for us in the provision of our services. This section details how we manage security so you can determine for yourself whether our security practices meet your requirements.
We take steps to protect your data by encrypting data at rest, encrypting data in transit, encrypting data in use, granting each of our technologies only the minimum required access to perform necessary functions, regularly training our employees in security best practices, conducting regular security audits, restricting access to user data to the Company employees or contractors who need access to perform their job duties, taking regular backups of our data, only using tools from providers who we determine to have adequate security practices relevant to market position, contractually obligating our employees to maintain the confidentiality of our users' data, regularly updating all of our systems and services, monitoring website and services activity for anomalous behaviors, and using data storage and service providers who have adequate physical security measures.
These are the encryption standards we use:
- Data in transit: HTTPS/TLS
  - This means when you are communicating with our servers from your computer or phone, your data cannot be read or deciphered by someone in the middle who lacks the necessary keys.
- Data at rest: AES-256 (DynamoDB encryption)
  - This means even if someone stole the hard drive with your data from AWS servers, they would not be able to read your information without the encryption keys.
- Data in use: AES-256-CBC with encryption key only accessible to our deployment systems (no individual employees or others)
  - This means sensitive information like your ID info, address, secret keys, and other encrypted data are not readable in the database. Therefore, even if someone downloads the database (the most common form of data leaks), they will be unable to read it without our encryption key.
  - Our encryption key is stored as an environment deployment variable, meaning that even if you have access to the written code and production database, you can’t read the encrypted data unless you write malicious code into our production environment and run it there (which is extremely unlikely given the multiple checks we do over code and our overview from testing to production environments).
  - Although our engineers and staff have access to the code and database, only two specified deployment engineers have access to the encryption key, and both must work together to access it. These engineers have been thoroughly trained in security and phishing techniques, and have multiple steps of MFA including Oath’s facial recognition that is needed to access the encryption key. Furthermore, they can only access or change the encryption key together.
  - We require all staff to use secure MFA and facial recognition, because protection against data leaks is usually only as strong as its weakest link, and many high-level employees have the unfortunate combination of too much access and too little security on their accounts.
In an ideal world, we’d love to be E2E encrypted like applications such as Telegram or Signal. However, we need to allow our servers to decrypt certain information to facilitate the contextually relevant disclosure and transfer of data for end-users. What this means is that when you're using E2E encryption, you're choosing to trust the other party, like your message recipient, which works great for messaging apps.
However, when you're using any other consumer app (Oath), you're choosing to trust the app over the person on the other end. This means that because you trust us with your information, we can verify your identity, address, and account ownership to others without you sharing that private or sensitive information with the other party.
Additionally, whenever a user requests deletion of their data we delete their data automatically, although a copy may be retained in backups for a temporary period until replaced in keeping with our backup practices.
Your Choices and Rights
This section describes your choices and rights regarding how we handle your data. In order to protect user data from theft or misuse, we may need to request specific information from you to help us confirm your identity and ensure your right to access your personal data (or to exercise any of your other rights).
To exercise your privacy rights and request erasure of your data, you may:
- contact us at: support@oath.to
You won’t have to pay anything to exercise your rights, the only exceptions being if your request is clearly unfounded, repetitive or excessive. In those situations we might also refuse to comply with your request.
We try to respond to all legitimate requests under these rights within one month. Occasionally it could take us longer than a month if your request is particularly complex or you have made a number of requests. In this case, we will notify you and keep you updated as to when we expect to have the request completed.
The rights guaranteed by law (as described below) only generally apply to people and companies who are present in and residents of those jurisdictions. Although access to the rights listed below may not be guaranteed for you by law, we are proud to offer the following options to all of our users.
GDPR
The General Data Protection Regulation is a law passed in the European Union that grants EU internet users a variety of rights regarding their data. Those rights include:
- The right to request access to their data;
- The right to request correction of their data;
- The right to request erasure of their data;
- The right to object to the processing of their data;
- The right to request their data in a machine readable format;
- The right to be free of decisions affecting their rights based solely on automated processes; and
- The right to withdraw their consent to undue data processing.
Legal Bases for Processing
The GDPR also requires that companies list their “Legal Basis” for each type of processing. Depending on the circumstances, our legal bases include:
- User consent
- Necessity for the performance of our obligations to the user
- Necessity for the purposes of our justified legitimate interests.
For more information on how legal bases work, please visit https://gdpr-info.eu/art-6-gdpr/.
California Rights
The rights listed in this section are specific to California residents.
California's "Shine the Light" law allows California users of our website to request certain information regarding our disclosure of personal information to third parties for their direct marketing purposes. We attempt to be transparent about where your data is going. If you would like to request more information or clarification about whether your data is only going to third parties as described in this privacy policy, please contact us using your preferred method in the “Contact Us” section at the end of this policy.
California users are also allowed to opt out of any sales of their personal information that may occur. Users who opt out may opt back in at any time.
California users may request that we delete their personal information, but those requests have some exceptions. One example of an exception would be if you paid for one of our products or services, and then requested that your data be deleted before we could deliver the product or service you paid for.
Processing of Data Outside of the EU
The internet is a complex, interwoven, global structure, so your data may move across the planet. Be aware that this includes areas outside of the European Economic Area. By continuing to use this website, you are telling us that you consent to these transfers, even if the countries your data travels to don’t have the same level of privacy protection as your home country.
Changes to This Privacy Policy
This policy may be updated from time to time. When updates are made, we will let you know via popups, notifications by email or other direct communication, and advance notice of updates to the policy.
The date that the most recent updates went into effect is listed at the beginning of this policy.
Contact Info
If you ever have any questions, concerns, or comments about this policy or about exercising the options made available to you in this privacy policy, please contact us through your preferred method as listed below.