← Back to Home

Privacy Policy

Opsy’s privacy notice explains the categories of information handled through the service and how they support the underlying business service.

Version 2026-04-01 • Effective April 1, 2026

1. Scope and Roles

This Privacy Policy describes how Opsy handles information relating to the Service. Depending on context, Opsy may act as an independent controller for account, billing, support, security, and product usage information, and as a processor or service provider for Customer data that Customer submits to or makes accessible through the Service.

This Policy supports the Terms of Service and applies to business, professional, commercial, or internal development and operations use.

2. Categories of Information

  • Account, organization, and authentication data, including names, emails, org identifiers, session details, permissions, and profile metadata.
  • Cloud integration and infrastructure metadata, including provider account identifiers, configuration metadata, inventory metadata, resource identifiers, state snapshots, diffs, drift findings, approvals, audit trails, and operation history.
  • Credential and secret handling metadata, such as encrypted secrets, key labels, secret fingerprints, scopes, rotation timestamps, and validation status. Opsy does not publish raw secret material back to normal dashboard or API responses after submission.
  • Billing, support, and security telemetry, including subscription records, invoices, payment processor references, support interactions, incident records, logs, IP addresses, device data, rate-limit signals, abuse markers, and diagnostic telemetry.

3. How We Use Information

  • To authenticate users, provision organizations, operate the Service, and maintain customer-selected integrations.
  • To execute or facilitate customer-requested workflows, previews, reviews, applies, and operational history.
  • To secure the Service, detect misuse, enforce terms and limits, investigate incidents, and protect Opsy, Customers, and third parties.
  • To provide billing, support, communications, analytics, service improvements, and legal compliance.

4. Sharing and Disclosure

Opsy may disclose information to service providers, hosting and infrastructure partners, cloud or integration providers at Customer direction, professional advisors, corporate transaction counterparties, and authorities where reasonably necessary to provide the Service, secure the Service, comply with law, or protect rights and safety.

Opsy does not sell Customer personal information for consumer advertising purposes.

5. Subprocessors, Transfers, and DPA

Opsy may use subprocessors and infrastructure providers in multiple jurisdictions. Opsy may transfer information internationally, including to the United States and other places where Opsy or its providers operate. Where required, Opsy will use transfer mechanisms Opsy determines are appropriate for the Services offered.

A data processing addendum is available on request for applicable customers. Subprocessor information may be provided on request or via a separate Opsy subprocessor page when made available.

6. Retention

  • Account, organization, and billing records are generally retained for the term of the relationship and for a reasonable period afterward for billing, compliance, dispute, tax, audit, and security purposes.
  • Operational logs, audit records, diffs, snapshots, and support materials are retained according to Opsy’s operational needs, contractual commitments, legal requirements, and security practices, and may persist in backups for a limited period.
  • Credentials and secrets are retained while configured by Customer and may remain in encrypted backups or archival systems for a limited period after deletion or rotation.

7. Security

Opsy uses administrative, technical, and physical safeguards designed for the Service. Security measures vary over time. No system is perfectly secure, and Opsy does not promise that unauthorized access, loss, or alteration will never occur.

8. Rights and Requests

Depending on applicable law and Opsy’s role, individuals may request access, correction, deletion, portability, restriction, or objection by contacting saba@opsy.sh. Opsy may need to verify identity, route the request through the relevant Customer, or decline a request where law allows.

When Opsy acts as a processor or service provider for Customer data, Customer is generally responsible for handling end-user requests.

9. Changes and Contact

Opsy may update this Policy from time to time by posting an updated version with a revised effective date. Questions, rights requests, and DPA requests may be sent to saba@opsy.sh.