Data Processing Overview
Osano processes personal information solely to deliver its services. Each application within the platform processes personal information according to its specific function, ensuring that only the minimum necessary data is used to perform its services and help customers maintain records of processing activities.
This policy adheres to the following principle: Osano does not use any data collected in a third-party context—such as IP addresses or user identifiers—for purposes beyond delivering its services (e.g., consent management, DSAR, Authorized Users, and Data Discovery). This means that Osano does not use or share data for tracking specific users or devices across different services.
Authorized Users
Osano collects personal information from customer-authorized users, including name, work email, password, and phone number. This data is required to verify secure access to customer accounts, facilitate communication, and provide customer support. Information submitted from outside the United States is transferred to the US for processing. This data is deleted when the customer relationship ends or if the customer removes the authorized user from their account.
Consent Management - Cookie Consent and Unified Consent
Cookie Consent
To display a cookie banner on a customer’s website and record visitor preferences, Osano collects the visitor’s IP address and unique device identifier. This information is encrypted in transit and at rest and is de-identified by Osano in AWS (Dublin, Ireland) as part of consent record-keeping. The hashed, de-identified data is then stored in AWS (US). Because the data is hashed and de-identified, Osano does not retain personal information, and only the customer can reverse the hashing to link the data back to an individual. No personal information from the EU or UK is transferred to the US.
Unified Consent
When users record their privacy choices, Osano may collect their email (for verification purposes, though this is optional), as well as a hashed IP address and the user agent (the browser used to submit consents). Unlike Cookie Consent, where all consent recording occurs in the EU (Ireland), Unified Consent records consents in both the EU (Frankfurt) and the US (N. Virginia). Data is not transferred between regions in Unified Consent; all non-US consents remain in the EU.
Data Subject Access Requests (DSAR)
For individuals submitting Data Subject Access Requests (DSAR), Osano processes only the personal information necessary to verify identity, including name, email address, IP address, and unique identifier. Customers may customize DSAR forms to request additional details. This data is used solely for authentication and is processed in the US. All data is encrypted in transit and retained until the request is validated and fulfilled. Afterward, the hashed, de-identified information is stored in AWS (US).
The following data is retained for up to 730 days in line with Osano’s retention policy: requester email, first name, last name, country of residence, state/province/territory, proof of identity, and secure messaging attachments. Any attachments related to the Subject Rights Manager or actions taken on requests are stored indefinitely. For a complete overview of DSAR and Discovery retention policies, refer to the Subject Rights Retention Policy.
Data Discovery
The Data Discovery feature helps customers locate and classify personal information within their integrated services. This enables customers to respond to DSARs and better understand the data they manage. The application searches for pre-identified fields that likely contain personal information, tags those fields, and suggests appropriate classifications.
Osano collects this data when customers enable an integration. The information is encrypted in transit and at rest and is stored in AWS (Dublin, Ireland). A sample of data is pulled to ensure accurate classification.
Depending on the data stored by the customer, the tool may process sensitive personal information to fulfill queries. Osano does not transfer personal information from the EU to the US unless specifically requested by the customer for support.
For a complete overview of DSAR and Discovery retention policies, refer to the Subject Rights Retention Policy.