1. Who controls your data
The data controller is ōku, a digital agency based in Viana do Castelo, Portugal. For anything concerning your data or GDPR requests:
- Email: flow@oku.pt
- Phone: +351 930 625 043
- Address: Viana do Castelo, Portugal (remote · no public address)
We're not yet required to appoint a Data Protection Officer (DPO), but you deal directly with the person who founded the company.
2. What data we collect
a) Contact form
When you fill in the brief, we collect: name, email, phone (optional), project type, desired timing, and the free-text message. We also store your IP and browser user-agent for spam prevention.
b) Cookies and browser identifiers
Two types:
- Necessary (always on): your consent choice is stored in
localStorageasoku-consent. Without it the banner would reappear on every page. - Analytics (opt-in): Google Analytics 4 with Consent Mode v2 and IP anonymisation. Only runs after you click "Accept" or enable the toggle in "Customise". We never use advertising or remarketing.
c) Cookieless analytics (Cloudflare)
Cloudflare Web Analytics records aggregated visits without cookies, identifiers or personal data. Since it's technically impossible to identify you, GDPR doesn't treat it as personal data processing — it's always on, like server logs.
3. Why we process it
- Respond to your brief (legal basis: pre-contractual measures, GDPR art. 6(1)(b)).
- Send a confirmation email to the address you provided (same basis).
- Understand what works on the site via Google Analytics (legal basis: consent, art. 6(1)(a)).
- Prevent abuse and spam with IP and user-agent (legal basis: legitimate interest, art. 6(1)(f)).
We don't profile, score, run automated decisions, do unsolicited marketing, or use your data to train AI models.
4. Where the data runs
The site and submitted briefs are hosted on Hetzner Online GmbH servers in Falkenstein, Germany. Processing happens in the EU, with no transfers to third countries. Hetzner is a processor with a signed DPA under GDPR art. 28.
Google Analytics (Google Ireland Limited) sends aggregated data to Google servers. This is the only case where data may be transferred outside the EEA, under the European Commission's Standard Contractual Clauses (SCCs) and with IP anonymisation. If you don't want this transfer, decline consent in the cookie banner — the site works fine either way.
5. How long we keep data
- Submitted briefs: 24 months after last contact, or immediately on your request.
- Exchanged emails: while the contractual relationship is active + 5 years for tax purposes (legal obligation).
- Consent in localStorage: until you change or clear it, or 12 months automatically.
- Google Analytics: 14 months (GA4 minimum).
- Server logs (IP, user-agent): 30 days.
6. Your rights
At any time you can, free of charge, ask to:
- Access a copy of your data (art. 15)
- Rectify incorrect data (art. 16)
- Erase (right to be forgotten, art. 17)
- Restrict processing (art. 18)
- Port your data to another format (art. 20)
- Object to processing based on legitimate interest (art. 21)
- Withdraw consent at any moment (click "Cookies" in the footer)
We respond within 30 days. If you think we didn't handle your request well, you have the right to lodge a complaint with Portugal's Data Protection Authority (CNPD) or the one in your country of residence.
7. Security
Mandatory HTTPS (HSTS active), A+ security headers, encrypted passwords where applicable, access to data limited to the ōku team. In case of a breach affecting your data, we notify you within 72 hours as required by GDPR art. 33.
8. Detailed cookie and storage list
| Name | Type | Purpose | Duration |
|---|---|---|---|
oku-consent | localStorage · necessary | Store your consent choice | 12 months |
_ga | Cookie · analytics · opt-in | Google Analytics identifier | 2 years |
_ga_XXXXXXXX | Cookie · analytics · opt-in | GA4 session state | 2 years |
9. Terms of use
Content on this site (text, code, visual identity, excluding technology logos) belongs to ōku. You can share links and cite us provided you attribute. You can't copy entire blocks to a competing site.
Services contracted with ōku are governed by a separate signed contract, not by these general terms.
10. Changes to this policy
When we change anything substantive, we update the date at the top and — if it affects consent — increment the version (CONSENT_VERSION) so you can decide again. We never retroactively change legal bases.
Prefer to manage your cookie preferences now?