Privacy Policy

Last Updated: 08/05/2026

1. Service Overview

Ocho is a B2B SaaS platform for influencer marketing automation. Users may connect their own external service accounts (Gmail, Instagram, Facebook, etc.) to Ocho. Within the scope of permissions explicitly granted by the user, Ocho automates messaging with influencers, campaign operations, and performance analytics through those connected accounts. Ocho operates user accounts on the user's behalf and never performs actions the user has not authorized.

2. Information We Collect

Account Information

Name, email, phone, company name, job title, job function
Login credentials and payment information

Service Usage Data

All data generated while using our service (search history, uploaded files, CRM data, etc.)
User activity and interaction records
System performance and analytics data

Technical Information

Device info, IP address, cookies

Connected Service Data (User-Delegated Access)

Collected only when a user connects an external account.

Gmail

Send/receive permissions, email body and metadata, labels/thread information

Meta Platform (Instagram, Facebook)

Profile information (account ID, username, profile picture, connected business pages)
Direct message content and metadata (sender/recipient, timestamps, attached media) — limited to DMs influencers send in response to your posts and DMs exchanged in reply threads
Permissions (scopes) requested: instagram_business_basic, instagram_business_manage_messages, pages_messaging, pages_show_list
We use the Meta API solely for Interactive Messaging. We do not auto-publish posts or publish content on your behalf.

3. How We Use Your Information

Service Delivery: Influencer search, CRM, messaging automation, campaign management
Service Improvement: Feature enhancement and quality assurance
Customer Support: Technical support and inquiry responses
Analytics & Research: Marketing trend analysis and industry research

4. Information Sharing

We share information only in the following cases:

Third-party services you authorize (Gmail, Meta, etc.) within the scope required for integration
Service providers for operations (hosting, payments, etc.)
Legal requirements or authority requests

We never sell personal information for marketing purposes, and we never sell or transfer data obtained from Meta to any third party under any circumstances.

5. Data Security and Storage Location

Storage Location: All data is stored exclusively in AWS Seoul region (ap-northeast-2) RDS. We do not replicate or transfer data to any region outside of this.
Credential Protection: Authentication artifacts (access tokens, refresh tokens) issued by connected external services are encrypted and securely stored.
TLS encryption in transit and encryption at rest
Access controls and audit logging to prevent unauthorized access
Regular security monitoring and audits
However, we cannot guarantee 100% complete security

6. Your Rights

Access: Check personal information processing status
Correction/Deletion: Request correction or deletion of incorrect information
Processing Restriction: Request suspension of personal information processing
Data Export: Download your account data
Disconnect: You may disconnect any external service at any time, and you may also revoke permissions directly from the external service (e.g., Meta).

Contact cs@sesaa.me to exercise your rights.

7. Data Retention and Deletion

Retained during active account period; deleted within 30 days after account deletion
When a user disconnects an external account or revokes permissions on the external service, all data collected through that integration is immediately stopped from further processing and deleted within 30 days
We support Meta's Data Deletion Request Callback; deletion requests via Meta are handled automatically. Progress can be verified at /en/docs/data-deletion-status/<code> using the issued confirmation code
User-initiated deletion requests are processed promptly (cs@sesaa.me)
May be retained longer if legally required
Data used for service improvement is anonymized with user consent. Data collected from Meta (messages, profiles, insights, etc.) is never used to train AI/ML models.

8. International Transfers

Your data is stored and processed exclusively in AWS Seoul region (ap-northeast-2). No international transfer occurs.

9. Cookies

We use cookies for website functionality, analytics, and security. You can control them through browser settings.

10. User-Delegated Authorization Model

When you connect an external service account, Ocho stores the issued access token in encrypted form and uses it according to the following principles:

Used only within the scope of campaigns, automations, and messaging tasks the user has explicitly enabled
Invoked only for actions the user has requested (sending/receiving messages, replying to influencers, publishing content, etc.)
The user may revoke permissions at any time, either within Ocho or directly through the external service (Meta, Google, etc.); operations stop immediately upon revocation
When the user disconnects an integration, the stored token is immediately discarded

11. Meta Platform Data — Special Provisions

Ocho complies with Meta Platform Terms and Developer Policies.

Data obtained from Meta is used solely for the marketing, CRM, and messaging automation purposes the user has authorized
We do not use Meta data for ad targeting, data brokerage, credit decisions, insurance decisions, or employment decisions
We do not use Meta data to train AI/ML models
We do not sell or transfer Meta data to third parties
We follow Meta's data retention and deletion requirements

12. Policy Changes

Important changes will be notified 30 days in advance via email. Separate consent may be obtained as required by Korean privacy laws.

13. Contact

Privacy-related inquiries:

Privacy Officer: cs@sesaa.me
Customer Support: cs@sesaa.me
Legal Team: cs@sesaa.me

By using our service, you agree to this Privacy Policy and our Terms of Service.