GDPR Compliance

How OPSONIS complies with the General Data Protection Regulation

Our Commitment to GDPR

OPSONIS is fully committed to compliance with the General Data Protection Regulation (GDPR) and takes data protection seriously. As a European company based in Romania, we adhere to the highest standards of data privacy and security.

This page outlines how we comply with GDPR requirements and what rights you have under this regulation.

GDPR Principles We Follow

Lawfulness, Fairness & Transparency

We process data lawfully, fairly, and in a transparent manner. We clearly communicate what data we collect and why.

Purpose Limitation

We collect data only for specific, explicit, and legitimate purposes and don't process it further in a manner incompatible with those purposes.

Data Minimization

We only collect data that is adequate, relevant, and limited to what is necessary for the purposes of processing.

Accuracy

We ensure personal data is accurate and, where necessary, kept up to date. You can update your information at any time.

Storage Limitation

We keep personal data only for as long as necessary. Data is deleted within 90 days of account closure.

Integrity & Confidentiality

We process data securely using encryption, access controls, and regular security audits.

Your Rights Under GDPR

As a data subject under GDPR, you have the following rights:

Right to Access

You have the right to request a copy of all personal data we hold about you.

How to exercise: Email privacy@opsonis.com with your request. We'll respond within 30 days with a complete data export.

Right to Rectification

You have the right to correct inaccurate or incomplete personal data.

How to exercise: Update your information in your account settings, or contact us to make corrections.

Right to Erasure ("Right to be Forgotten")

You have the right to request deletion of your personal data in certain circumstances.

How to exercise: Delete your account in settings, or email us to request complete data deletion. Data will be permanently deleted within 90 days.

Right to Restriction of Processing

You have the right to request that we limit how we process your data.

How to exercise: Contact us with your specific restriction request. We'll honor valid requests while maintaining service functionality.

Right to Data Portability

You have the right to receive your data in a structured, machine-readable format.

How to exercise: Request a data export in JSON or CSV format. We'll provide your process data and account information within 30 days.

Right to Object

You have the right to object to processing based on legitimate interests or for direct marketing.

How to exercise: Unsubscribe from marketing emails via the link in emails, or contact us to object to other processing activities.

Right to Withdraw Consent

Where processing is based on consent, you can withdraw it at any time.

How to exercise: Manage consent in your account settings, or contact us to withdraw specific consents.

Right to Lodge a Complaint

You have the right to file a complaint with a supervisory authority.

How to exercise: Contact the Romanian DPA (ANSPDCP) or your local data protection authority.

Legal Basis for Processing

We process your personal data under the following legal bases:

Contractual Necessity

Processing is necessary to provide our services under our Terms of Service (account management, service delivery, billing).

Consent

You have given explicit consent for specific processing activities (marketing communications, cookies, newsletter).

Legitimate Interests

Processing is necessary for our legitimate business interests (fraud prevention, security, service improvement) where not overridden by your rights.

Legal Obligation

Processing is required to comply with legal obligations (tax records, financial reporting, legal requests).

Technical & Organizational Measures

We implement comprehensive security measures to protect your data:

Technical Measures

  • AES-256 encryption for data at rest
  • TLS 1.3 encryption for data in transit
  • Multi-tenant data isolation using Row Level Security (RLS)
  • Regular automated backups with encryption
  • Intrusion detection and prevention systems
  • Vulnerability scanning and penetration testing
  • Two-factor authentication (2FA) support

Organizational Measures

  • Data Protection Officer (DPO) appointed
  • Staff training on data protection and GDPR
  • Strict access controls and need-to-know basis
  • Data Processing Agreements (DPAs) with all processors
  • Incident response and breach notification procedures
  • Regular privacy impact assessments (PIAs)
  • Data retention and deletion policies

International Data Transfers

Your data is primarily stored in EU data centers (Supabase EU region). When data is transferred outside the EU, we ensure adequate protection:

Third-Party Processors

  • Supabase: EU data centers, GDPR compliant
  • Anthropic (Claude AI): US-based, Standard Contractual Clauses (SCCs), does not store data
  • Stripe: US/EU, GDPR compliant, PCI-DSS certified
  • Vercel: Global CDN, GDPR compliant

All international transfers are protected by Standard Contractual Clauses (SCCs) approved by the European Commission.

Data Breach Notification

In the event of a data breach, we will:

  • Notify the relevant supervisory authority within 72 hours (if required)
  • Notify affected users without undue delay if the breach poses a high risk
  • Provide clear information about the breach, its impact, and remedial actions
  • Take immediate steps to contain and remediate the breach
  • Document all breaches and our response for regulatory review

Children's Privacy

OPSONIS is not directed to children under 16 years of age. We do not knowingly collect personal data from children under 16. If we become aware that we have collected data from a child under 16 without parental consent, we will delete it immediately.

Contact Our Data Protection Officer

For any questions about GDPR compliance or to exercise your rights:

OPSONIS Data Protection Officer

Email: contact@opsonis.com

Company: OPSONIS (registration number TBD - company formation in progress)

Address: Bucharest, Romania, European Union (full address TBD)

Response Time: We aim to respond to all requests within 30 days (as required by GDPR).

Note: Company registration is in progress. Full legal details will be updated upon completion.

Supervisory Authority

If you have concerns about our data processing that we haven't addressed, you can lodge a complaint with:

Romanian National Supervisory Authority for Personal Data Processing

Website: www.dataprotection.ro

Email: anspdcp@dataprotection.ro

Phone: +40 21 252 5599

You can also contact the data protection authority in your country of residence.

Updates to This Page

We may update this GDPR compliance page to reflect changes in our practices or legal requirements. Check the "Last updated" date at the top of this page for the most recent version.

Related Documents

Privacy Policy →Terms of Service →Security Practices →Contact Us →