Privacy Policy

1. Introduction

This Privacy Policy explains how we collect, use, store, and protect your personal data when you use OpiFlo (the "Service"), our website, and related services. We process data in line with the UK GDPR and the Data Protection Act 2018. By using the Service, you agree to this policy.

2. Data we collect

2.1 Data you give us

• Account: Email address, password (stored in hashed form), name, and profile details you provide when signing up or updating your account.
• Workspace: Business or workspace name, slug, and any details you add about your business.
• Billing: Billing address and payment-related information are collected and processed by Stripe; we do not store full card numbers. We may store Stripe customer and subscription identifiers to manage your plan.
• Content you create: Proposals, invoices, payslips, client names and contact details, line items, and any text or documents you upload or enter into the Service.
• Team and contacts: Names, email addresses, and roles of team members and clients you add in the Service.
• AI context: Documents, business descriptions, brand guidelines, and other materials you upload or provide for the AI Strategy Advisor and content generation.
• Communications: Emails and other messages you send to us (e.g. support or sales).

2.2 Data we collect automatically

• Usage and technical data: Log-in and usage information, IP address, browser type, device information, and similar technical data needed to run and secure the Service.
• Cookies and similar technologies: Session and authentication cookies, and similar technologies used to keep you logged in and to operate the Service. You can manage cookies in your browser settings.

We do not use your data for third-party advertising or selling your personal data.

3. How we use your data

We use your data to:

• Create and manage your account and workspace.
• Provide the Service (proposals, invoices, payslips, team management, AI features).
• Process payments and manage subscriptions (via Stripe).
• Send transactional emails (e.g. password reset, invoices, payslips) via our email provider.
• Run AI features (e.g. proposal generation, strategy advisor) by sending relevant content to our AI providers under our instructions and contracts.
• Improve, secure, and troubleshoot the Service and to comply with law.
• Respond to your requests and enforce our terms.

We process your data on the legal bases of: performing our contract with you, our legitimate interests (running and improving the Service, security, fraud prevention), and where required by law. Where we rely on consent (e.g. for optional marketing), we will ask separately and you can withdraw consent at any time.

4. Who we share your data with

We share data only as needed and under strict agreements:

• Infrastructure and hosting: Service providers that host our application and database (e.g. Vercel, Supabase) in the UK/EU where possible.
• Payments: Stripe for payment and subscription processing. Stripe's privacy policy applies to their processing: https://stripe.com/gb/privacy.
• Email: Our email delivery provider (e.g. Resend) to send transactional emails.
• AI: AI providers (e.g. Anthropic, OpenAI) to power proposal generation, strategy advisor, and similar features. We only send data necessary for those features and under data processing agreements.
• Background jobs: Providers we use for automated tasks (e.g. sending emails, processing data) under our instructions.

We do not sell your personal data. We may disclose data if required by law (e.g. court order, regulator) or to protect our or others' rights and safety.

5. International transfers

Your data is stored and processed in the UK and European Economic Area where possible. If we use providers outside the UK/EEA, we ensure appropriate safeguards (e.g. UK adequacy decisions, standard contractual clauses approved by the UK authorities) so your data remains protected.

6. Retention

• Account and workspace data: Kept while your account is active and for a limited period after closure to comply with law and resolve disputes.
• Billing and payment records: Retained as required for tax, accounting, and legal obligations (typically at least 6 years where relevant under UK law).
• Backups and logs: Retained for a limited period for security and recovery; then deleted or anonymised in line with our retention schedule.

After the retention period, we delete or anonymise your data so it can no longer identify you.

7. Your rights (UK GDPR)

You have the right to:

• Access: Receive a copy of your personal data we hold.
• Rectification: Have inaccurate data corrected.
• Erasure: Request deletion of your data in the circumstances set out in law.
• Restriction: Request that we restrict processing in certain situations.
• Data portability: Receive your data in a structured, machine-readable format where the right applies.
• Object: Object to processing based on legitimate interests (including profiling) and to direct marketing.
• Withdraw consent: Where we rely on consent, withdraw it at any time.
• Complain: Lodge a complaint with the Information Commissioner's Office (ICO): https://ico.org.uk/make-a-complaint/.

To exercise these rights, contact us at privacy@opiflo.co.uk. We will respond within one month (or explain why we need longer). We may need to verify your identity.

8. Security

We use technical and organisational measures to protect your data, including encryption in transit and at rest, access controls, and secure development practices. Despite this, no system is completely secure; we ask you to keep your password safe and to tell us if you suspect unauthorised access.

9. Children

The Service is not intended for anyone under 18. We do not knowingly collect data from children. If you believe we have collected a child's data, contact us and we will delete it.

10. Changes to this policy

We may update this Privacy Policy from time to time. We will post the new version on https://opiflo.com and update the "Last updated" date. If changes are significant, we will notify you by email or a clear notice in the Service. Continued use after the change means you accept the updated policy.

11. Contact

For privacy questions, to exercise your rights, or to contact our data protection contact:

Email: privacy@opiflo.co.uk

Address: London, UK