Privacy Policy
Last updated: 15 July 2026
This policy explains how Operoso (operoso.app), operated from Ireland, handles personal data. It covers both the account data we hold about you and the business data you store in your workspace.
1. Two roles: controller and processor
For the data needed to run your account — your name, email address, workspace details, billing records and usage logs — we act as the data controller.
For the data your business enters into its workspace — customers, contacts, orders, invoices, employee records and similar — you are the controller and we act as your data processor: we process that data only to provide the Service and on your instructions, never for our own purposes.
2. What we collect and why
- Account data (name, email, hashed password): to authenticate you and operate your workspace. Legal basis: performance of a contract.
- Billing data (plan, payment status): to charge for subscriptions. Card details are handled entirely by Stripe and never touch our servers. Legal basis: performance of a contract, legal obligations.
- Usage and audit logs (actions taken in the app, timestamps): for security, troubleshooting and the audit trail your workspace relies on. Legal basis: legitimate interest.
We do not sell personal data, run advertising, or use third-party analytics trackers.
3. Cookies
We use only essential cookies: the session cookies that keep you signed in. There are no advertising or tracking cookies, which is why you don’t see a cookie banner.
4. Where data lives
All workspace data is stored in the European Union (AWS eu-west-1, Dublin) via Supabase. Application hosting and background processing run on Vercel and Railway with EU-region functions where available.
5. Subprocessors
We use a small set of service providers to run Operoso:
- Supabase — database, authentication and file storage (EU, Dublin)
- Vercel — application hosting
- Railway — background job processing (EU West)
- Stripe — payment processing
- Resend — transactional email delivery
- Sentry — error monitoring (EU region; no form contents or cookies attached)
Each is bound by a data processing agreement. We will update this list before adding a new subprocessor.
6. Retention
Workspace data is kept for as long as your workspace is active. After termination you may request an export for 60 days, after which data may be permanently deleted. Backups are retained on a rolling schedule and age out automatically. Billing records are kept as long as tax law requires.
7. Security
Data is encrypted in transit (TLS) and at rest. Every workspace is isolated by tenant controls enforced in the application and in the database itself. Access to production systems is limited to the operator. If a breach affecting your data ever occurs, we will notify you without undue delay as the GDPR requires.
8. Your rights
Under the GDPR you can ask us for access to, correction of, export of, or deletion of the personal data we control about you, and you can object to or restrict certain processing. Write to us and we will respond within one month. You can also complain to the Irish Data Protection Commission (dataprotection.ie).
For data inside a workspace, ask the business that runs that workspace — we act only on their instructions.
9. Contact
Privacy questions and requests: support@operoso.app.