Privacy Policy
Last updated: 8 February 2026
1. Data Controller
Opscale Group
CVR: 44583216
Email: info@getopscale.com
Denmark
We are the data controller for all personal data processed through the Opscale platform ("Service"). We process personal data in accordance with the General Data Protection Regulation (EU) 2016/679 ("GDPR") and the Danish Data Protection Act (databeskyttelsesloven).
2. What Data We Collect
2.1 Account Data
When you create an account, we collect:
- Full name
- Email address
- Password (stored in hashed form by our authentication provider)
- Language preference
2.2 Organization Data
When you create or join an organization, we collect:
- Organization name
- Time zone
- Your role within the organization (owner, manager, or employee)
- Team member email addresses (when invitations are sent)
2.3 Operational Data
As you use the Service, we process:
- Tasks, sequences, schedules, and SOPs you create
- Task completion records, including who completed each task (when task completion tracking is enabled by your organization)
- Prep list items and completion records
- Issue reports and shopping notes
- Images uploaded to tasks, SOPs, and feedback
- Opening hours and location information
2.4 Billing Data
If you subscribe to a paid plan:
- Billing currency preference
- Subscription status and period dates
Payment card details and billing addresses are processed directly by Stripe and never stored on our servers. Stripe's privacy policy applies to that data.
2.5 Technical Data
We collect limited technical data for the functioning of the Service:
- Browser user agent string (when you submit feedback)
- Page URL and path (when you submit feedback)
- Device platform information (when you submit feedback)
We do not use any third-party analytics, tracking pixels, session recording, or behavioral tracking tools.
2.6 Aggregated Metrics
We generate aggregated, non-personally-identifiable metrics such as daily task completion counts per organization for internal operational reporting. Per-user task completion counts are recorded for organization managers to review team performance.
3. Legal Basis for Processing
We process your personal data on the following legal bases under GDPR Article 6(1):
| Purpose | Legal Basis |
|---|---|
| Providing the Service (account, tasks, scheduling) | Performance of contract (Art. 6(1)(b)) |
| Processing payments | Performance of contract (Art. 6(1)(b)) |
| Sending team invitations on behalf of an organization | Legitimate interest (Art. 6(1)(f)) |
| Aggregated operational metrics | Legitimate interest (Art. 6(1)(f)) |
| Per-user task completion tracking | Legitimate interest (Art. 6(1)(f)) — the organization's interest in operational oversight; can be disabled by the organization at any time |
| Technical metadata in feedback submissions | Legitimate interest (Art. 6(1)(f)) — bug diagnosis |
| Cookies strictly necessary for operation | Legitimate interest (Art. 6(1)(f)) |
4. Data Processors and Third-Party Services
We use the following third-party processors to deliver the Service. Each processor's own terms govern how they handle personal data on our behalf:
| Processor | Purpose | Data Processed | Location |
|---|---|---|---|
| Clerk | Authentication and user management | Name, email, password hash, session tokens, organization memberships | USA |
| Convex | Database, backend logic, file storage | All operational data, uploaded images | USA |
| Stripe | Payment processing | Payment card details, billing address, email, subscription metadata | USA / Ireland |
| Vercel | Web hosting and CDN | IP address, request metadata (server logs) | Global CDN |
International Data Transfers
Some of our processors are based in the United States. When personal data is transferred from the EU/EEA to the USA, these providers rely on transfer mechanisms recognized under GDPR, such as the EU-U.S. Data Privacy Framework (DPF) and/or Standard Contractual Clauses (SCCs). You can review each provider's data processing and transfer terms via the links above.
5. Data Retention
- Account data: Retained for as long as your account exists. Upon account deletion, your data is anonymized or deleted within 30 days.
- Organization data: Retained for as long as the organization exists. When an organization is deleted, all associated data (locations, tasks, files, memberships, billing records) is permanently deleted.
- Uploaded images: Unreferenced images are automatically purged after 7 days. All images are deleted when the associated organization is deleted.
- Feedback submissions: Retained for up to 2 years for product improvement, then deleted.
- Aggregated metrics: Retained for up to 3 years. These do not contain directly identifiable personal data.
- Billing records: Retained for as long as required by applicable Danish accounting and tax law (currently 5 years from the end of the financial year).
6. Your Rights Under GDPR
As a data subject in the EU/EEA, you have the following rights:
- Right of access (Art. 15): You can export your personal data at any time from Settings > Data & Privacy in the app, or by contacting us.
- Right to rectification (Art. 16): You can update your name, email, and other profile information at any time via your account settings.
- Right to erasure (Art. 17): You can delete your account at any time from Settings > Data & Privacy. Organization owners can delete entire organizations. You may also contact us to request deletion.
- Right to restriction of processing (Art. 18): Contact us to request restriction of specific processing activities.
- Right to data portability (Art. 20): You can export your data in JSON format from Settings > Data & Privacy.
- Right to object (Art. 21): You may object to processing based on legitimate interest by contacting us. Organization administrators can disable per-user task completion tracking at any time.
- Right to withdraw consent: Where processing is based on consent, you may withdraw it at any time without affecting the lawfulness of processing based on consent before its withdrawal.
To exercise any of these rights, use the self-service tools in the app or contact us at info@getopscale.com. We will respond within 30 days.
7. Cookies and Local Storage
We use only strictly necessary cookies and local storage for the functioning of the Service. We do not use any tracking, marketing, or analytics cookies. See our Cookie Policy for full details.
| Name | Purpose | Duration |
|---|---|---|
__clerk_* | Authentication session management | Session |
locale | Language preference | 1 year |
opscenter | OpsCenter mode flag | 30 days |
pin_bypass_ok | One-time PIN bypass flag | One-time use |
8. Security Measures
We implement appropriate technical and organizational measures to protect your data, including:
- Encryption in transit (TLS/HTTPS) for all data transmission
- Encrypted authentication tokens via Clerk
- Hashed OpsCenter PINs (SHA-256 with per-PIN salt)
- Per-organization data isolation with role-based access control
- Webhook signature verification for Stripe and Clerk integrations
- Automated cleanup of unreferenced files
- Fine-grained permission system with per-user overrides
9. Data Processing in the Employment Context
When an organization uses Opscale to manage employee tasks, the organization acts as the data controller for their employees' operational data (task completions, initials, scheduling). Opscale acts as a data processor on behalf of the organization for this data. The processing is governed by our Terms & Conditions.
Organizations are responsible for:
- Ensuring a lawful basis exists for monitoring employee task completion
- Informing their employees about the use of Opscale and the data processed
- Configuring task completion tracking settings in accordance with their internal policies and applicable employment law
10. Children's Privacy
The Service is not directed at children under the age of 16. We do not knowingly collect personal data from children. If you believe a child under 16 has provided us with personal data, please contact us and we will delete that data.
11. Changes to This Policy
We may update this privacy policy from time to time. We will notify you of material changes by email or through a notice in the Service. The "Last updated" date at the top of this policy indicates when it was last revised.
12. Supervisory Authority
You have the right to lodge a complaint with a data protection supervisory authority. Our lead supervisory authority is the Danish Data Protection Agency (Datatilsynet) — www.datatilsynet.dk.
13. Contact
For questions about this privacy policy or your personal data:
Opscale Group
Email: info@getopscale.com