Opptify AB — Privacy Policy (GDPR)
Canonical URL: https://opptify.com/legal/privacy
Version: 1.0 • Effective Date: 20 October 2025
This Privacy Policy sets out how Opptify AB protects personal data when acting as a Controller for our website, communications, and supporting operations, and how it aligns with our broader security and compliance program.
1. Who we are (Controller)
Opptify AB (org. nr. 559548-6407), Mittvägen 1E, 181 61 Lidingö, Sweden (“Opptify”).
Contact (all privacy inquiries & rights requests): info@opptify.com
Scope & roles. This Privacy Policy explains how Opptify processes personal data as a Controller (e.g., site visitors, prospects, customer admin contacts, billing, security logs, product telemetry). When Opptify processes Customer Data inside the Opptify application, Opptify acts as a Processor and the Customer is the Controller. That processing is governed by our Data Processing Agreement (DPA), not this Policy.
2. Personal data we collect (Controller scope)
- Account & billing data: names, business contact details, role, login identifiers, billing addresses, VAT numbers, transaction records.
- Support interactions: messages, attachments, ticket metadata, call recordings (if any).
- Service telemetry: de-identified analytics and event logs (e.g., feature usage, performance metrics), IP-derived coarse location, device/browser.
- Website data & cookies: strictly necessary cookies only (e.g., session/sign-in, security, basic settings). See our Cookies Notice.
- Security & access logs: authentication events, admin actions, audit trails.
- Marketing preferences: newsletter opt-ins/outs, event registrations.
We do not intentionally collect special categories of data in Controller scope. The Service is B2B and not for children.
3. Purposes and lawful bases (GDPR Art. 6)
- Provide and administer the Service: Contract (Art. 6(1)(b)).
- Billing and accounting: Legal obligation (Art. 6(1)(c)) and Contract.
- Security & abuse prevention: Legitimate interests (Art. 6(1)(f)).
- Service analytics & improvement: Legitimate interests (Art. 6(1)(f)).
- Communications: Legitimate interests (Art. 6(1)(f)) and/or Contract.
- Direct marketing to business contacts: Legitimate interests (Art. 6(1)(f)) or Consent (Art. 6(1)(a)) where required; you can opt out at any time.
4. Data sharing and recipients
We share personal data with:
- Service providers/sub-processors (hosting, email, ticketing, security monitoring, payments, document preview, AI API).
- Professional advisors (legal, accounting), authorities where required by law, and successors in a business transfer.
A current list of application sub-processors is published at https://opptify.com/legal/sub-processors. For Controller-scope processing, we use only providers offering appropriate safeguards.
5. International transfers
Primary production databases for the Opptify application are hosted in the EU/EEA. If Controller-scope processing involves transfers outside the EEA (e.g., global email or ticketing vendors), we implement appropriate safeguards such as EU Standard Contractual Clauses and supplementary measures, or rely on an adequacy decision.
6. Retention
We keep personal data only as long as necessary for the purposes above:
- Account/billing records: up to 7 years (per accounting/tax rules).
- Support tickets: typically 3 years after closure unless longer needed for dispute handling.
- Security logs: typically 90–365 days depending on log type.
- Marketing lists: until you opt out or data becomes inactive for a defined period.
We may retain minimal records to demonstrate compliance and manage suppression lists.
7. Your rights (GDPR Arts. 15–22)
You have the right to access, rectify, erase, restrict, object, and port your personal data, and not to be subject to decisions based solely on automated processing where applicable. To exercise rights, contact info@opptify.com. We will respond within one month. You also have the right to lodge a complaint with the Swedish Authority for Privacy Protection (IMY) or your local supervisory authority.
For personal data processed inside the Opptify application on behalf of a Customer, please contact that Customer (Controller) first; we will assist them under the DPA.
8. Security
We apply appropriate technical and organizational measures aligned with our Security Policy, including encryption in transit and at rest, access controls (MFA for admin), least privilege, monitoring, vulnerability management, and independent third-party penetration testing. A current penetration test certificate (or executive summary) is available on request under NDA. High/Critical findings are remediated in line with good industry practice. We maintain daily backups, off-site EU copies, and point-in-time recovery within the configured retention window.
9. Cookies & similar technologies
We currently use only essential cookies needed to run our site/app (e.g., sign-in/session, security, basic settings). By using the site/app you agree to these essential cookies. If we later introduce non-essential cookies, we will ask for your consent first and update this Policy. See our Cookies Notice.
10. AI/LLM usage
Certain in-product features may call OpenAI’s API (“ChatGPT”) as a sub-processor under the DPA for tenant-scoped interpretation/search of Customer Data. Opptify configures the API so that data is not used to train OpenAI’s models, and is not retained beyond transient processing except for limited vendor anti-abuse retention. For Controller-scope processing (e.g., website, billing), we do not send personal data to third-party AI providers for model training.
11. Children
The Service and our site are intended for business users. We do not knowingly collect personal data from children.
12. Changes to this Policy
We may update this Policy from time to time. Material changes will be notified at least 30 days in advance via email to customer admin contacts; other changes take effect upon posting with an updated version and date.
13. Contact
Questions or requests: info@opptify.com
Postal: Opptify AB, ℅ Michael Taylor, Mittvägen 1E, 181 61 Lidingö, Sweden
Appendix – Role summary
- Customer Data in the application: Customer = Controller, Opptify = Processor → governed by the DPA.
- Operations data (this Policy): Opptify = Controller (e.g., billing, admin contacts, logs, telemetry, marketing preferences).