Privacy Policy
Last updated June 15, 2026
Draft — pending legal review
This policy explains what personal data Opzyai processes, why, where it lives, and your rights. Opzyai is EU-hosted and GDPR-native. For business customers, this is complemented by our Data Processing Agreement.
1. Data we process
- Account data — your email, organization name, role, and authentication metadata.
- Asset & scan data — the assets you add (domains, URLs, repository identifiers), ownership-verification tokens, scan runs, and the findings produced.
- Repository content (transiently) — for code scans, source is cloned to an ephemeral sandbox, scanned, and deleted; dependency manifests are read and not persisted. Only findings and metadata are retained. Secret-scanning findings are stored redacted (masked preview only).
- Usage & audit data — an append-only audit log of security-relevant actions, and basic operational logs.
- Billing data — handled by our payment processor; we store a customer reference and plan, not card numbers.
2. How we use it
To provide and secure the service: authenticate you, verify asset ownership, run and triage scans, produce findings and remediation, enforce plan limits and safety controls, maintain the audit trail, and communicate with you. The legal bases under GDPR are performance of our contract, our legitimate interests in operating and securing the platform, and consent where applicable.
3. Sub-processors
We use a small set of vetted providers to run Opzyai:
- Supabase — database, authentication, and storage (EU region).
- Vercel — application hosting and serverless compute (EU region).
- GitHub — repository access for code scans, via a GitHub App you install.
- Anthropic — optional AI assistance for triage and remediation drafting (only when enabled).
- Stripe — payment processing.
- Resend — transactional email.
- OSV.dev & open-source scanner projects — vulnerability data and scanning engines.
4. Retention
Account, asset, and findings data are retained for the life of your account and a reasonable period afterward, or as required for legal and audit purposes; the audit log is append-only and immutable by design. Cloned source is deleted immediately after each scan. You can request deletion (see your rights below).
5. International transfers
Primary processing is in the EU. Where a sub-processor transfers data outside the EEA, we rely on appropriate safeguards such as Standard Contractual Clauses. Enterprise customers can request a stated data region.
6. Security
Tenant data is isolated at the database layer with row-level security; secrets are encrypted; the scope guard prevents scanning of unverified targets; and security-relevant actions are recorded in a tamper-resistant audit log. No system is perfectly secure, but security is the core of what we do.
7. Your rights
Subject to applicable law, you may request access to, correction of, deletion of, or a copy of your personal data, and may object to or restrict certain processing. To exercise these rights, contact us via the contact page. You may also lodge a complaint with your local data-protection authority.
8. Cookies
We use strictly necessary cookies for authentication and session management. We do not use advertising cookies.
9. Contact
For privacy questions or requests, reach us via the contact page.