Legal

Privacy Policy

Last updated: April 13, 2026

1. Information We Collect

When you use Onekof, we collect information you provide directly:

  • Account information: Name, email address, and password when you create an account.
  • Organization data: Organization name, team members, projects, tasks, budgets, and documents you create within the platform.
  • Usage data: Activity logs, feature usage patterns, and session information for analytics and security.
  • Device data: IP address, browser type, and operating system for security and rate limiting.

2. How We Use Your Information

  • To provide, maintain, and improve the Onekof platform.
  • To authenticate your identity and secure your account.
  • To enforce multi-tenant data isolation between organizations.
  • To send transactional emails (password resets, invitations, notifications).
  • To detect and prevent security threats, fraud, and abuse.
  • To comply with legal obligations.

3. Data Sovereignty & Storage

Onekof operates a three-tier hosting architecture designed for data sovereignty:

  • Tier 1 (Government): Data stored exclusively within Ethiopian government-controlled infrastructure.
  • Tier 2 (Private): Data stored on customer-owned or DAPS Analytics-managed servers within Ethiopia.
  • Tier 3 (Global Cloud): Data stored on Vercel (Frankfurt, Germany) and Supabase (EU region), compliant with GDPR.

Your organization's hosting tier determines where your data is stored. Data does not flow between tiers.

4. Data Sharing

We do not sell, rent, or trade your personal information. We may share data only in these circumstances:

  • With your consent or at your direction.
  • With service providers who assist in platform operations (email delivery, error monitoring), bound by data processing agreements.
  • To comply with legal obligations, court orders, or government requests.
  • To protect the rights, safety, and security of Onekof, our users, and the public.

5. Security

We implement industry-standard security measures including:

  • bcrypt password hashing (12 rounds).
  • JWT session tokens with HTTP-only, secure cookies.
  • Progressive account lockout after failed login attempts.
  • Redis-backed rate limiting on all authentication endpoints.
  • Admin audit logging with IP tracking.
  • GPG-encrypted database backups.

6. Your Rights

You have the right to:

  • Access and download your personal data.
  • Correct inaccurate information.
  • Delete your account and associated data.
  • Export your organization's data in standard formats.
  • Object to data processing for marketing purposes.

7. Contact

For privacy-related inquiries, contact us at privacy@onekof.com.

Terms of ServiceCookie Policy