Who we are (Controller). The O/A Group International Ltd. ("O/A", "we", "us") operates www.theoa.group and acts as the data controller for personal data processed via the Site. Contact: hello@theoa.group.

Scope. This Policy covers personal data we process when you visit our Site, contact us, report misuse, or interact with our public notices and verification channels.

Data we collect.

• Technical/usage data: IP address, device/browser type, pages viewed, timestamps, referring URLs (via server logs and analytics).

• Communications: email metadata and content you send (e.g., verification/rectification requests, legal notices).

• Verification/misuse reports: links, screenshots, and minimal associated identifiers supplied by you.

• Cookie data: subject to your consent and preferences (see Cookie Policy below).

Lawful bases (UK GDPR/EU GDPR; Indonesia PDPL).

• Legitimate interests (Art. 6(1)(f)): site operations, security, fraud prevention, verification of claims, IP protection.

• Contract (Art. 6(1)(b)): where needed to respond to requests you initiate.

• Legal obligation (Art. 6(1)(c)): responding to lawful requests, compliance with court/authority orders.

• Consent (Art. 6(1)(a)): non-essential cookies/analytics and optional communications. Under Indonesia’s PDPL, we rely on consent or other PDPL bases as applicable.

How we use data. Operate and secure the Site; respond to media/legal/privacy requests; verify or remediate misuse of our name/materials; maintain audit logs; comply with legal obligations; improve content. We do not sell personal data.

Sharing. We may share data with vetted service providers (hosting, security, analytics, email), professional advisers (legal/PR), and authorities or courts when required. All processors are bound by appropriate data-processing terms and confidentiality obligations. International transfers use safeguards such as SCCs/ID contractual clauses as applicable.

Retention. We retain minimal data for as long as needed for the purpose collected: typically 12–24 months for logs/communications unless required longer for legal, security, or audit reasons.

Security. We employ technical and organizational measures (encryption in transit, access controls, logging, least-privilege). No system is 100% secure.

Your rights. Subject to jurisdiction and limits: access, rectification, erasure, restriction, portability, objection, and withdrawal of consent. To exercise rights, email hello@theoa.group with “Data Rights Request” and describe your request. We may request verification. You may also contact the ICO (UK) or relevant supervisory authority, and in Indonesia the PDP enforcement authority when designated.

Children. The Site is not directed to children; do not submit children’s data.

Changes. We may update this Policy; material changes will be indicated by the “Last updated” date and posted here.

Contact (Privacy). hello@theoa.group