GDPR & Your Rights
This page sets out your rights under the General Data Protection Regulation (GDPR) and the UK GDPR. These rights apply to residents of the European Economic Area (EEA) and the United Kingdom. If you are not based in the EEA or UK, many of these rights may still apply to you under other applicable laws, and we will honour them in good faith.
1. Data Controller
The data controller for ApoClock is:
OIOI Lab
Email: office@oioilab.ai
You may exercise any of your rights below by contacting us at that address.
2. Your Rights Under GDPR
Under the GDPR you have the following rights regarding your personal data:
Right of Access
You have the right to request a copy of all personal data we hold about you, including your account details and workspace data.
Right to Rectification
You have the right to correct inaccurate personal data or complete incomplete data we hold about you.
Right to Erasure
You have the right to request deletion of your personal data ("right to be forgotten") where there is no overriding legal basis for us to retain it.
Right to Restriction
You may request that we restrict processing of your data in certain circumstances — for example, while a dispute about accuracy is being resolved.
Right to Data Portability
You have the right to receive your personal data in a structured, commonly used, machine-readable format and to transmit it to another controller.
Right to Object
You may object to processing of your data where we rely on legitimate interests as our legal basis. We will then need to demonstrate compelling grounds for processing.
Rights Related to Automated Decision-Making
ApoClock does not use automated decision-making or profiling that produces legal or similarly significant effects on you. The Goal Seek engine processes data locally to calculate optimal times — this is a tool feature, not automated profiling.
Right to Withdraw Consent
Where we rely on your consent as a legal basis, you may withdraw it at any time without affecting the lawfulness of processing before withdrawal.
3. Legal Bases for Processing
Under GDPR, we must have a valid legal basis for each processing activity. Our bases are:
| Processing Activity | Legal Basis | Article |
|---|---|---|
| Creating and managing your account | Performance of a contract | Art. 6(1)(b) |
| Syncing workspace data across devices | Performance of a contract | Art. 6(1)(b) |
| Sending authentication emails (magic link) | Performance of a contract | Art. 6(1)(b) |
| Social OAuth sign-in (Discord, Google, etc.) | Consent + contract | Art. 6(1)(a) and (b) |
| Security logging & abuse prevention | Legitimate interests | Art. 6(1)(f) |
| Compliance with legal obligations | Legal obligation | Art. 6(1)(c) |
4. International Data Transfers
ApoClock's database is hosted on AWS RDS. Depending on your region, your data may be stored or processed in the United States or other countries outside the EEA.
Where personal data is transferred outside the EEA, we rely on:
- Standard Contractual Clauses (SCCs) as approved by the European Commission, incorporated into our agreements with AWS
- Adequacy decisions where applicable
You may request a copy of the relevant transfer safeguards by contacting us.
5. Data Breach Notification
In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will:
- Notify the relevant supervisory authority within 72 hours of becoming aware of the breach (where required)
- Notify affected users without undue delay when there is a high risk to their rights and freedoms
6. Right to Lodge a Complaint
If you believe we have not handled your personal data in accordance with applicable law, you have the right to lodge a complaint with your local data protection supervisory authority. For example:
- EU: Your national DPA (e.g. CNIL in France, BfDI in Germany)
- UK: Information Commissioner's Office (ICO) — ico.org.uk
We ask that you contact us first so we can try to resolve the matter directly.
7. Response Timeframes
8. Contact for GDPR Requests
For all GDPR-related requests or questions:
OIOI Lab — Privacy & GDPR
Email: office@oioilab.ai
Please include your account email address and a clear description of your request. We may need to verify your identity before actioning the request.