Privacy Policy

Last updated: 14 May 2026
Effective date: 14 May 2026

This Privacy Policy explains how ooblee Alpine GmbH (the operator of the Oobyte service) handles personal data when you use the Oobyte website at oobyte.ai, the Oobyte mobile applications for iOS and Android, and any related services (collectively, the "Service").

This policy is written to comply with Regulation (EU) 2016/679 (the "GDPR"), the Austrian Data Protection Act (Datenschutzgesetz, "DSG"), and, in respect of users in the United Kingdom, the UK General Data Protection Regulation and the Data Protection Act 2018.

1. Controller and contact

The data controller responsible for the processing of your personal data is:

ooblee Alpine GmbH
Registered office: Am Tabor 36, 1020 Vienna, Austria
UK office: 15 Rathbone Place, London W1T 1HU, United Kingdom
VAT: ATU80851534
Commercial Register (Firmenbuchnummer): [FN]
Commercial Court: Handelsgericht Wien

Privacy contact: privacy@oobyte.ai
General contact: support@oobyte.ai

Our lead supervisory authority under the GDPR one-stop-shop is the Austrian Datenschutzbehörde. We respond to verified data-subject requests within one month of receipt and, where requests are complex or numerous, may extend that period by up to two further months as permitted by Article 12(3) GDPR.

2. Scope

This policy applies to personal data we collect when you create an account, subscribe to a paid plan, complete actions, offers, or surveys, communicate with us, visit our website, or interact with our advertising on third-party sites and apps. It does not cover the practices of the third-party offer, survey, and advertiser providers you choose to engage with through the Service. Those third parties are independent controllers for the data they collect from you, and their own privacy notices apply to that processing.

3. Categories of personal data we process

Account and identity data. Email address, password (stored as a salted cryptographic hash), display name, country of residence, date of birth or age confirmation, profile picture if you upload one.

Identity verification (KYC) data. When you request a withdrawal or where we deem verification necessary to prevent fraud or comply with applicable law, we (or a third-party verification provider acting on our written instructions) process a copy of a government-issued ID, a selfie image, liveness-check data, and the matching results returned by the verification provider.

Subscription and payment data. Subscription tier, start and renewal dates, billing country, payment-method type, and transaction identifiers returned by our payment processor. We do not store full payment-card numbers. Card data is processed directly by our PCI-DSS-compliant payment provider acting as an independent controller for that processing.

Earning and activity data. Actions completed, offers attempted, surveys started or finished, screenouts, time-on-task, tokens earned, coin balance, cash balance, withdrawal history, and similar Service-usage records.

Device and technical data. IP address, mobile advertising identifier (IDFA on iOS, GAID on Android, where you have permitted tracking), device model and identifiers, operating system and version, browser type, language, time zone, app version, network type, mobile carrier, crash logs, and behavioural signals used for fraud and bot detection.

Location data. Approximate location derived from your IP address. We do not collect precise GPS location unless you explicitly grant location permission in the app for a feature that requires it.

Communications data. Messages and attachments you send to support, in-app chat content, dispute submissions, and any screenshots or evidence you provide.

Marketing and engagement data. Email open and click events, in-app notification engagement, campaign attribution data, A/B test variant assignment.

We do not knowingly collect special categories of personal data within the meaning of Article 9 GDPR. Do not provide such data to us through the Service.

4. Sources of personal data

We collect personal data directly from you when you provide it, automatically when you use the Service, and from third parties, including:

  1. our offerwall, survey, and advertising partners, who send postbacks confirming that you completed an action and the corresponding payout;
  2. our payment processor, fraud-prevention provider, and identity-verification provider, which return verification, risk-scoring, and transaction-status data;
  3. analytics, attribution, and SDK partners, which return device and event signals;
  4. third-party login providers, where you choose to connect a social or other account.

5. Purposes and legal bases

We process personal data only where we have a lawful basis under Article 6 GDPR. The table below sets out our processing purposes and the corresponding legal bases.

PurposeLegal basis
Creating and managing your account; providing access to the ServicePerformance of a contract (Art. 6(1)(b))
Tracking and crediting completed Actions; converting tokens; managing balancesPerformance of a contract (Art. 6(1)(b))
Processing subscription payments, renewals, and withdrawalsPerformance of a contract (Art. 6(1)(b))
Verifying your identity and eligibility, including KYC and age checksLegal obligation (Art. 6(1)(c)) and our legitimate interests in preventing fraud (Art. 6(1)(f))
Detecting, investigating, and preventing fraud, abuse, multi-accounting, bot activity, money laundering, and breach of our TermsLegitimate interests in protecting the Service and other users (Art. 6(1)(f)); legal obligation where AML or similar rules apply (Art. 6(1)(c))
Sending essential service notifications (transaction confirmations, security alerts, policy updates)Performance of a contract (Art. 6(1)(b))
Sending marketing communications, including by email and push notificationsConsent (Art. 6(1)(a)), or our legitimate interests in direct marketing of similar services to existing users where this is compatible with applicable law (Art. 6(1)(f))
Personalising the Service, including recommending Actions, offers, and rewardsLegitimate interests in providing a useful product (Art. 6(1)(f))
Analytics, performance measurement, A/B testing, and product improvementLegitimate interests (Art. 6(1)(f)); consent for non-essential cookies and trackers
Tax and accounting record-keepingLegal obligation (Art. 6(1)(c))
Establishing, exercising, or defending legal claimsLegitimate interests (Art. 6(1)(f))
Responding to law-enforcement and regulatory requestsLegal obligation (Art. 6(1)(c)); legitimate interests (Art. 6(1)(f))
Corporate transactions (mergers, acquisitions, financings, reorganisations)Legitimate interests (Art. 6(1)(f))

Where we rely on legitimate interests, we have carried out a balancing test and have concluded that our interests are not overridden by your interests, rights, or freedoms. You can request more information on this balancing exercise by writing to privacy@oobyte.ai.

6. Recipients of personal data

We share personal data only with categories of recipients that need it for the purposes set out above. These include:

  1. offerwall, survey, advertising, and attribution partners that deliver the Actions you complete and that we rely on for validation and reward calculation;
  2. payment service providers and gift-card issuers, for subscription billing and payout processing;
  3. identity-verification and fraud-prevention providers, for KYC, device fingerprinting, IP risk scoring, and anti-bot checks;
  4. cloud-hosting and infrastructure providers running our servers, databases, and storage;
  5. email, push, and in-app messaging providers;
  6. analytics and product-intelligence providers;
  7. customer-support tooling providers;
  8. professional advisors (legal, accounting, audit, tax) under duties of confidentiality;
  9. public authorities and courts, where we are legally required to disclose, or where disclosure is necessary to protect our rights, property, or safety, or that of users or the public;
  10. acquirers, investors, and successors in the context of a merger, acquisition, financing, or reorganisation, subject to confidentiality and continued protection.

Each recipient acts either as a processor on our written instructions or as an independent controller. We do not sell personal data, and we do not use your data for purposes incompatible with those described in this policy.

7. International data transfers

Some of our service providers process personal data outside the European Economic Area, including in the United States and the United Kingdom. Where we transfer personal data to a country that has not received an adequacy decision from the European Commission, we rely on appropriate safeguards under Chapter V GDPR, including the Standard Contractual Clauses adopted by the European Commission, supplementary technical and organisational measures where required following our transfer-impact assessment, and certification under the EU-US Data Privacy Framework where the recipient is certified.

You can request a copy of the safeguards we apply by writing to privacy@oobyte.ai.

8. Retention

We retain personal data only for as long as necessary for the purposes set out above and, after that, for the periods required by law or by our legitimate interests in defending legal claims. Indicative periods:

  1. Account data: for the duration of the contractual relationship and up to 24 months after account closure, after which it is deleted or anonymised.
  2. Earning, payment, and withdrawal records: at least seven years after the relevant transaction, in accordance with the Austrian Federal Fiscal Code (Bundesabgabenordnung, § 132 BAO) and the Austrian Commercial Code (Unternehmensgesetzbuch, § 212 UGB).
  3. KYC records: at least five years from the end of the relationship, in line with applicable AML legislation, unless a longer period is required.
  4. Marketing data: until you withdraw consent, after which it is deleted or anonymised within 30 days.
  5. Support communications: up to 24 months after the issue is resolved.
  6. Server, security, and fraud logs: typically up to 24 months, longer where necessary to investigate an incident or defend a claim.

Inactive accounts may be closed in accordance with our Terms. Backups are deleted on a rolling cycle and may persist for a limited period after corresponding live data has been deleted.

9. Your rights

Subject to the conditions and exceptions in the GDPR, you have the right to:

  1. access the personal data we hold about you, and receive a copy;
  2. rectification of inaccurate or incomplete data;
  3. erasure ("right to be forgotten"), in particular where the data is no longer necessary;
  4. restriction of processing in specific situations;
  5. portability of the data you provided to us, in a structured, commonly used, machine-readable format, where technically feasible;
  6. object to processing based on our legitimate interests, including profiling, and to processing for direct marketing at any time;
  7. withdraw consent at any time, where we rely on consent; withdrawal does not affect the lawfulness of processing before withdrawal;
  8. not to be subject to a decision based solely on automated processing producing legal or similarly significant effects, except as permitted by Article 22 GDPR (see Section 10).

To exercise your rights, write to privacy@oobyte.ai. We may need to verify your identity before responding and may decline manifestly unfounded or excessive requests, or charge a reasonable fee, as permitted by Article 12(5) GDPR.

You have the right to lodge a complaint with a supervisory authority, in particular:

  1. Austrian Datenschutzbehörde (dsb.gv.at), Barichgasse 40-42, 1030 Vienna, Austria, our lead authority;
  2. the data protection authority of your EU country of residence; or
  3. the UK Information Commissioner's Office (ico.org.uk) if you are in the United Kingdom.

10. Automated decision-making and fraud detection

Oobyte uses automated systems to recommend Actions, offers, and rewards we believe are relevant to you, to detect fraud, abuse, bot activity, multi-accounting, identity misrepresentation, and money laundering, and to validate completion of Actions.

For most users, this personalisation and screening does not produce legal or similarly significant effects within the meaning of Article 22 GDPR. However, automated checks may contribute to decisions to hold, reduce, or reverse a reward, refuse or delay a withdrawal, restrict access to specific Actions, or suspend or close an account where fraud or breach is suspected.

Where these decisions are automated and significant, you have the right to obtain human review, to express your point of view, and to contest the decision. To request a review, contact privacy@oobyte.ai with the relevant facts and any supporting evidence. Our review is final.

11. Children

The Service is not directed at children. You must be at least 16 years old to register a free account and at least 18 years old to subscribe to a paid plan, complete monetised Actions, or withdraw funds. We do not knowingly collect personal data from anyone under 16. If you become aware that a child has provided us with personal data, contact privacy@oobyte.ai and we will delete the data and close the account.

12. Cookies, SDKs, and similar technologies

We and our partners use cookies, software development kits (SDKs), pixels, and similar technologies on the website and in the apps for:

  1. strictly necessary purposes (authentication, security, load balancing, fraud prevention); these do not require consent;
  2. analytics, to understand how the Service is used;
  3. advertising and attribution, to measure campaign performance and to show relevant promotions on and off the Service.

We obtain consent for non-strictly-necessary cookies and SDKs through our cookie banner on the website and through the relevant operating-system permission prompts on mobile (App Tracking Transparency on iOS, advertising-ID controls on Android). You can change your preferences at any time through the cookie settings on the website and through your device settings on mobile.

A separate Cookie Policy lists the specific cookies and trackers in use, their purposes, providers, and retention periods.

13. Security

We apply technical and organisational measures designed to protect personal data, including encryption in transit, access controls, role-based permissions, logging, regular reviews of vendor security, and incident-response procedures. No internet-based service is fully secure, and we cannot guarantee absolute security. Where required, we will notify affected users and the relevant supervisory authority of a personal-data breach in accordance with Articles 33 and 34 GDPR.

14. Changes to this policy

We may update this policy from time to time. The "Last updated" date at the top reflects the most recent version. For material changes, we will notify you in advance by email or through an in-app or website notice. Continued use of the Service after the new policy takes effect constitutes acceptance, except where we are required to obtain renewed consent.

15. Contact

ooblee Alpine GmbH
Am Tabor 36, 1020 Vienna, Austria
privacy@oobyte.ai
support@oobyte.ai

To lodge a complaint:
Österreichische Datenschutzbehörde
Barichgasse 40-42, 1030 Vienna, Austria
dsb.gv.at