Privacy Policy
Last Updated: April 20, 2026
This Privacy Policy describes how OKO Labs, Inc., doing business as Product Leader Academy (collectively, “we,” “us,” or “our”), a Florida corporation, collects, uses, and protects your personal information when you use our website, programs, and services (collectively, the “Services”).
1. Information We Collect
1.1 Information You Provide
We collect information you provide directly to us, including:
- Account Information: Name, email address, password, and profile information when you register
- Payment Information: Credit card details, billing address (processed securely via Stripe)
- Profile Information: Professional background, career goals, portfolio submissions
- Communications: Emails, support tickets, and messages sent to us
- Application Information: Scholarship applications, job preferences, and program selections
1.2 Information Collected Automatically
When you use our Services, we automatically collect:
- Usage Data: Pages visited, time spent, features used, click patterns
- Device Information: IP address, browser type, operating system, device identifiers
- Cookies and Similar Technologies: See our Cookie Policy below
- Location Data: General geographic location based on IP address
1.3 Third-Party Information
We may receive information from:
- Authentication providers (Google, LinkedIn) when you sign in via OAuth
- Payment processor (Stripe) regarding transaction status and subscription lifecycle
- Analytics and product-insight providers (Google Analytics 4, Microsoft Clarity, PostHog)
- Advertising measurement partners (Google Ads) for conversion reporting
- Scheduling provider (TidyCal) when you book a live session
2. How We Use Your Information
We use your information for the following purposes:
2.1 Providing Services
- Creating and managing your account
- Processing payments and maintaining purchase history
- Delivering educational content and program materials
- Facilitating community features (discussions, mentorship matching)
- Providing customer support
2.2 Improving Our Services
- Analyzing usage patterns to improve content and features
- Conducting research and analytics
- Testing new features and functionality
- Debugging and troubleshooting technical issues
2.3 Communications
- Sending transactional emails (receipts, account notifications)
- Delivering program updates and announcements
- Sending marketing communications (with your consent)
- Responding to your inquiries and support requests
2.4 Legal and Security
- Complying with legal obligations
- Preventing fraud and abuse
- Enforcing our Terms of Service
- Protecting our rights and property
3. Information Sharing
We do not sell your personal information. We may share information in the following circumstances:
3.1 Sub-processors
We engage the following sub-processors to operate our Services. For each, we disclose the purpose, the legal basis we rely on (under GDPR Article 6 and equivalent frameworks), the data retention period, and the transfer mechanism used for cross-border transfers from the EEA/UK to the United States or other jurisdictions. We do not sell personal information.
| Processor | Purpose | Legal basis | Retention | Transfer mechanism |
|---|---|---|---|---|
| Stripe, Inc. (US) | Payment processing, subscription billing, tax collection | Contract performance (Art. 6(1)(b)) | 7 years (tax and financial-records law) | DPA + Standard Contractual Clauses (SCCs) |
| Vercel, Inc. (US) | Application hosting, CDN, serverless compute, Vercel Blob storage | Contract performance (Art. 6(1)(b)) | Logs: 30 days. Deployments: lifetime of account. | DPA + SCCs |
| Neon, Inc. (US) | Primary PostgreSQL database for account, profile, and content data | Contract performance (Art. 6(1)(b)) | Per Section 5 retention schedule | DPA + SCCs |
| Google LLC — Vertex AI / Gemini (US) | AI Coach inference; embeddings for semantic search. Prompts are not used to train Google models (per Vertex AI terms). | Contract performance (Art. 6(1)(b)) | Inputs/outputs not retained beyond the request. Abuse-monitoring logs: up to 30 days. | DPA + SCCs; EU-US Data Privacy Framework |
| Google LLC — Analytics 4 (US) | Website and product analytics | Consent in EEA/UK (Art. 6(1)(a)); legitimate interests elsewhere (Art. 6(1)(f)) | 14 months (event-level); aggregated reports indefinitely | SCCs; EU-US Data Privacy Framework |
| Google LLC — Google Ads (US) | Conversion measurement, retargeting, and enhanced conversions | Consent (Art. 6(1)(a)) | Enhanced-conversion data: hashed and retained up to 540 days. Ad-click data: up to 30 days. | SCCs; EU-US Data Privacy Framework |
| Microsoft Corporation — Clarity (US) | Session replay and heatmap analytics for UX improvement | Consent in EEA/UK; legitimate interests elsewhere | 13 months | SCCs; EU-US Data Privacy Framework |
| PostHog Inc. (US; EU region available) | Product analytics, conversion-funnel tracking, feature flags | Consent in EEA/UK; legitimate interests elsewhere | 7 years (configurable); can be anonymized sooner on request | DPA + SCCs |
| Resend (Resend.com, Inc., US) | Transactional email delivery (receipts, account notifications, digests) | Contract performance (Art. 6(1)(b)) | Delivery logs: 30 days. Suppression list: indefinite. | DPA + SCCs |
| TidyCal (Sumo Group Inc., US) | Live-session scheduling and booking confirmation | Contract performance (Art. 6(1)(b)) | Retained for the life of the booking record | DPA + SCCs |
| Functional Software, Inc. d/b/a Sentry (US) | Error and performance monitoring for production reliability | Legitimate interests (Art. 6(1)(f)) | 90 days | DPA + SCCs |
| Stack Auth / Better Auth (US) | Authentication, session management, OAuth with Google and LinkedIn | Contract performance (Art. 6(1)(b)) | Active-session tokens; deleted on logout or account deletion | DPA + SCCs |
This list is current as of the Last Updated date above. We will update this Privacy Policy before engaging a new sub-processor for a materially different purpose. Data Processing Agreements (DPAs) with each sub-processor are available on request to privacy@productleaderacademy.com.
3.2 Legal Requirements
We may disclose information if required by:
- Court order, subpoena, or legal process
- Government request or law enforcement inquiry
- Investigation of fraud or security incidents
- Protection of our rights, property, or safety
3.3 Business Transfers
If OKO Labs, Inc. is involved in a merger, acquisition, or sale of assets, your information may be transferred as part of that transaction. We will notify you of any such change.
3.4 With Your Consent
We may share information with third parties when you explicitly authorize us to do so.
4. Data Security
We implement industry-standard security measures to protect your information:
- Encryption in transit (TLS/SSL) and at rest (AES-256)
- Secure authentication with bcrypt password hashing
- Regular security audits and penetration testing
- Access controls and role-based permissions
- PCI-DSS compliant payment processing (via Stripe)
- Row-Level Security (RLS) on database tables
5. Data Retention
We retain your information for the following periods:
- Account Information: Retained while your account is active; deleted within 30 days of account deletion request
- Payment Records: Retained for 7 years per financial regulations
- Usage Data: Retained for 2 years for analytics, then anonymized
- Communications: Retained for 3 years for customer service purposes
6. Your Rights and Choices
Depending on your location, you may have the following rights:
6.1 Access and Portability
You can request a copy of your personal information in a structured, machine-readable format.
6.2 Correction
You can update your account information at any time through your profile settings or by contacting us.
6.3 Deletion
You can request deletion of your account and personal information. Some data may be retained as required by law or for legitimate business purposes.
6.4 Opt-Out
You can opt out of:
- Marketing emails by clicking the unsubscribe link
- Analytics tracking through browser settings or Do Not Track signals
- Certain data processing by contacting us directly
6.5 Cookie Preferences
You can manage cookie preferences through your browser settings. Essential cookies required for site functionality cannot be disabled.
7. Cookies and Tracking
We use cookies and similar technologies for:
- Essential: Authentication, session management, CSRF protection, and site functionality
- Analytics: Understanding how users interact with our Services (Google Analytics 4, Microsoft Clarity, PostHog)
- Advertising: Measuring ad effectiveness and conversion attribution (Google Ads)
- Preferences: Remembering your settings, cookie choices, and UI state
Non-essential cookies (Analytics and Advertising categories) are set only after you grant consent in regions that require it (EEA, UK, and comparable jurisdictions). You can change your choice at any time via the cookie preferences link in the site footer.
8. Children's Privacy
Our Services are not intended for children under 13. We do not knowingly collect information from children under 13. If you believe we have collected information from a child under 13, please contact us immediately.
9. International Data Transfers
OKO Labs, Inc. is based in the United States. If you access our Services from outside the US, your information will be transferred to and processed in the United States. By using our Services, you consent to this transfer.
10. Changes to This Policy
We may update this Privacy Policy periodically. We will notify you of material changes by email or through a notice on our website. Your continued use of the Services after changes constitutes acceptance of the updated Policy.
11. Contact Us
For questions about this Privacy Policy or to exercise your rights:
OKO Labs, Inc.
d/b/a Product Leader Academy
Email: privacy@productleaderacademy.com
Website: https://productleaderacademy.com
12. California Privacy Rights
California residents have additional rights under the California Consumer Privacy Act (CCPA):
- Right to know what personal information is collected
- Right to know if personal information is sold or shared (we do not sell your information)
- Right to request deletion of personal information
- Right to non-discrimination for exercising privacy rights
To exercise these rights, contact us at privacy@productleaderacademy.com.
13. GDPR Compliance (EU/UK Residents)
If you are located in the European Union or United Kingdom:
- We process your data based on consent, contract necessity, or legitimate interests
- You have the right to lodge a complaint with your local data protection authority
- We have appointed a Data Protection Officer reachable at privacy@productleaderacademy.com