Privacy Policy — OperantOS

Effective date: April 5, 2026 | Last updated: April 5, 2026

OperantOS ("we," "us," or "our") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your personal information when you use our AI-powered business automation platform (the "Service"). This policy applies to users worldwide and addresses requirements under the General Data Protection Regulation (GDPR), UK GDPR, the California Consumer Privacy Act (CCPA/CPRA), Canada's Personal Information Protection and Electronic Documents Act (PIPEDA), Canada's Anti-Spam Legislation (CASL), and the Australian Privacy Act 1988.

OperantOS is operated from the Province of Ontario, Canada. For the purposes of GDPR, we act as the data controller of your personal information.

1. Information We Collect

We collect the following categories of personal information:

a) Information You Provide Directly

Account information: Full name, email address, company name, and workspace details provided during registration
Payment information: Billing address and payment method details (credit card numbers are processed and stored exclusively by Stripe; we do not have access to your full card number)
AI agent inputs: Text, data, prompts, and other content you provide to AI agents within the Service
Support communications: Information you provide when contacting our support team, including email content and attachments

b) Information Generated by the Service

AI agent outputs: Content generated by AI agents in response to your inputs
Usage data: Agent run counts, agent types used, feature usage patterns, workspace activity logs, and subscription plan information

c) Information Collected Automatically

Device and browser information: IP address, browser type and version, operating system, device type, and screen resolution
Log data: Access times, pages viewed, referring URL, and interactions with the Service
Cookies: Essential authentication cookies only (see Section 10 and our Cookie Policy)

2. Legal Basis for Processing (GDPR Article 6)

For users in the European Economic Area (EEA) and United Kingdom, we process your personal data on the following legal bases:

Performance of a contract (Art. 6(1)(b)): Processing necessary to provide the Service, manage your account, process payments, and execute AI agent runs as part of your subscription
Legitimate interest (Art. 6(1)(f)): Processing for fraud prevention, security, Service improvement, analytics, and responding to support requests. We have conducted balancing tests to ensure our legitimate interests do not override your rights and freedoms
Consent (Art. 6(1)(a)): Where we rely on consent (e.g., for optional marketing communications), you may withdraw consent at any time by contacting [email protected] or using the unsubscribe link in any marketing email
Legal obligation (Art. 6(1)(c)): Processing required to comply with applicable laws, such as tax and financial reporting obligations

3. How We Use Your Information

We use your personal information for the following purposes:

Providing, operating, and maintaining the Service, including processing AI agent runs
Managing your account, subscription, and billing
Authenticating your identity and securing your account
Sending transactional communications (e.g., billing receipts, account notifications, service updates)
Responding to your support requests and inquiries
Analyzing usage patterns to improve Service quality, reliability, and performance
Detecting, preventing, and addressing fraud, abuse, security incidents, and technical issues
Complying with legal obligations and enforcing our Terms of Service

Important: We do not sell your personal data. We do not use your AI agent inputs or outputs to train machine learning models. We do not use your data for automated decision-making or profiling that produces legal or similarly significant effects.

4. AI Data Processing

When you use AI agents, the inputs you provide are transmitted to Anthropic (our AI provider) for processing. Anthropic processes these inputs solely to generate outputs for you and does not use your inputs to train its AI models. Outputs generated by AI agents are stored in your workspace within our Supabase database and are accessible only to members of your workspace with appropriate permissions.

We retain AI agent inputs and outputs in accordance with the data retention schedule described in Section 8. You may delete individual agent runs from your workspace at any time.

5. Sub-Processors and Third-Party Services

We share your personal information with the following third-party sub-processors, each of which is necessary for the operation of the Service:

Sub-Processor	Purpose	Data Location
Supabase Inc.	Database hosting, authentication, and data storage	United States
Anthropic PBC	AI language model processing (Claude)	United States
Stripe Inc.	Payment processing and billing management	United States
Vercel Inc.	Application hosting and content delivery	United States

Each sub-processor is contractually obligated to protect your personal information in accordance with applicable data protection laws. We conduct due diligence on all sub-processors and will notify users of any material changes to this list.

6. International Data Transfers

As our sub-processors are located in the United States, your personal data is transferred from Canada (and potentially from the EEA, UK, or other jurisdictions) to the United States. We ensure that these transfers are conducted lawfully through the following safeguards:

Standard Contractual Clauses (SCCs): We use European Commission-approved Standard Contractual Clauses with our sub-processors as the transfer mechanism for EEA-originating data
UK International Data Transfer Agreement/Addendum: For UK-originating data, we rely on the UK International Data Transfer Agreement or the UK Addendum to the EU SCCs, as applicable
PIPEDA adequacy: Transfers from Canada are governed by PIPEDA's requirements for comparable levels of protection
Supplementary measures: We implement technical and organizational measures including encryption in transit (TLS 1.2+) and at rest to protect data during transfer

7. Data Storage and Security

Your data is stored securely using Supabase (powered by PostgreSQL) with row-level security policies ensuring strict workspace isolation. We implement industry-standard security measures including:

Encryption of data in transit using TLS 1.2 or higher
Encryption of data at rest using AES-256
Row-level security ensuring workspace data isolation
Regular security assessments and monitoring
Access controls limiting employee access to personal data on a need-to-know basis

While we take reasonable measures to protect your data, no method of electronic transmission or storage is 100% secure. We cannot guarantee absolute security.

8. Data Retention

We retain your personal information according to the following schedule:

Data Category	Retention Period
Account information (name, email, company)	Duration of active account + 30 days after deletion request
AI agent inputs and outputs	Per plan: Starter 7 days, Pro 30 days, Enterprise 90 days (or until manually deleted)
Payment and billing records	7 years after transaction (as required by tax and financial reporting laws)
Usage data and analytics	24 months, then aggregated/anonymized
Support communications	Duration of active account + 12 months
Server logs (IP, access logs)	90 days
Authentication cookies	Session duration (cleared on logout or expiry)

After the applicable retention period, data is permanently deleted or irreversibly anonymized. We may retain data longer where required by applicable law or to resolve disputes.

9. Your Privacy Rights

a) Rights Under GDPR (EEA and UK Residents)

If you are located in the European Economic Area or United Kingdom, you have the following rights under the GDPR/UK GDPR:

Right of access (Art. 15): Obtain confirmation of whether we process your personal data and request a copy of that data
Right to rectification (Art. 16): Request correction of inaccurate or incomplete personal data
Right to erasure (Art. 17): Request deletion of your personal data ("right to be forgotten"), subject to legal retention requirements
Right to restrict processing (Art. 18): Request that we limit the processing of your personal data under certain circumstances
Right to data portability (Art. 20): Receive your personal data in a structured, commonly used, machine-readable format and transmit it to another controller
Right to object (Art. 21): Object to processing based on legitimate interest or for direct marketing purposes
Right regarding automated decision-making (Art. 22): We do not make decisions based solely on automated processing that produce legal or similarly significant effects on you
Right to withdraw consent: Where processing is based on consent, you may withdraw consent at any time without affecting the lawfulness of prior processing
Right to lodge a complaint: You have the right to lodge a complaint with a supervisory authority in your country of residence, your place of work, or the place of the alleged infringement

b) Rights Under CCPA/CPRA (California Residents)

If you are a California resident, you have the following rights under the California Consumer Privacy Act and California Privacy Rights Act:

Right to know: Request disclosure of the categories and specific pieces of personal information we have collected about you, the sources of collection, the purposes, and the third parties with whom we share it
Right to delete: Request deletion of your personal information, subject to certain exceptions
Right to opt out of sale or sharing: We do not sell or share your personal information for cross-context behavioral advertising. Therefore, there is no need to opt out
Right to non-discrimination: We will not discriminate against you for exercising any of your CCPA/CPRA rights
Right to correct: Request correction of inaccurate personal information
Right to limit use of sensitive personal information: We only use sensitive personal information as necessary to provide the Service

c) Rights Under PIPEDA (Canadian Residents)

If you are a Canadian resident, you have the following rights under PIPEDA:

Right of access: Request access to the personal information we hold about you
Right to correction: Request correction of any inaccurate or incomplete personal information
Right to withdraw consent: Withdraw your consent to the collection, use, or disclosure of your personal information, subject to legal or contractual restrictions. We will inform you of the implications of withdrawal
Right to challenge compliance: Challenge our compliance with PIPEDA by contacting our privacy officer or filing a complaint with the Office of the Privacy Commissioner of Canada

d) Rights Under the Australian Privacy Act

If you are an Australian resident, you have rights under the Australian Privacy Principles (APPs), including the right to access and correct your personal information, and the right to lodge a complaint with the Office of the Australian Information Commissioner (OAIC).

e) How to Exercise Your Rights

To exercise any of the rights described above, please submit a request by emailing [email protected] with the subject line "Privacy Rights Request." To verify your identity, we may ask you to confirm details associated with your account. We will respond to verifiable requests within thirty (30) days (or the applicable timeframe required by law). If we require additional time, we will inform you of the reason and the expected timeline.

You may also exercise certain rights directly through the Service, such as updating your account information or deleting agent run history from your dashboard.

10. Cookie Policy

We use only essential cookies required for the operation of the Service. Specifically, we use a Supabase authentication session cookie to maintain your logged-in state. We do not use analytics cookies, tracking cookies, advertising pixels, or any other non-essential cookies.

For full details, including cookie names, durations, and how to manage cookies in your browser, please see our dedicated Cookie Policy.

11. Children's Privacy

The Service is not intended for use by children. We do not knowingly collect personal information from children under the age of 13 (or 16 in the EEA/UK, in accordance with GDPR Article 8). If we become aware that we have collected personal information from a child under the applicable age, we will take steps to delete such information promptly. If you believe a child has provided us with personal information, please contact us at [email protected].

This policy is consistent with the U.S. Children's Online Privacy Protection Act (COPPA), GDPR provisions on children's consent, and equivalent protections under PIPEDA and the Australian Privacy Act.

12. Data Breach Notification

In the event of a personal data breach that poses a risk to your rights and freedoms, we will:

GDPR/UK GDPR: Notify the relevant supervisory authority within 72 hours of becoming aware of the breach (as required by GDPR Article 33) and notify affected individuals without undue delay where the breach is likely to result in a high risk (Article 34)
PIPEDA: Report the breach to the Office of the Privacy Commissioner of Canada and notify affected individuals as required under the Breach of Security Safeguards Regulations
CCPA/CPRA: Notify affected California residents as required by applicable law
Australian Privacy Act: Notify the OAIC and affected individuals in accordance with the Notifiable Data Breaches scheme

Notification will include the nature of the breach, the likely consequences, the measures taken or proposed to address it, and contact information for further inquiries.

13. CASL Compliance (Canadian Anti-Spam Legislation)

We comply with Canada's Anti-Spam Legislation (CASL). We will only send you commercial electronic messages (CEMs) with your express or implied consent. All marketing emails include a clear unsubscribe mechanism, and we honor unsubscribe requests within 10 business days. Transactional messages related to your account or subscription are not subject to CASL consent requirements.

14. Do Not Track Signals

Some browsers transmit "Do Not Track" (DNT) signals. Because we do not use tracking or advertising cookies, the Service does not respond differently to DNT signals. Our data collection practices remain the same regardless of DNT settings.

15. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technologies, legal requirements, or other factors. For material changes, we will provide at least thirty (30) days' prior notice by email and by posting the updated policy with a revised "Last updated" date. Your continued use of the Service after the effective date of changes constitutes your acceptance of the updated policy.

16. Contact Information

For privacy-related questions, to exercise your data rights, or to lodge a complaint, please contact us at:

Privacy and Data Protection Contact: [email protected]
Data Protection Officer (DPO): [email protected]
Address: Ontario, Canada

If you are not satisfied with our response, you have the right to lodge a complaint with the applicable supervisory authority:

Canada: Office of the Privacy Commissioner of Canada (priv.gc.ca)
EU/EEA: Your local data protection authority
UK: Information Commissioner's Office (ico.org.uk)
Australia: Office of the Australian Information Commissioner (oaic.gov.au)
California: California Attorney General's Office