Privacy Policy

We collect the minimum information necessary to provide the service. This includes:

• Account data: your email address and display name, collected when you sign in via Google OAuth or email one-time code (OTP) through Clerk.
• Integration credentials: API keys, webhook URLs, and access tokens you provide to connect your automation platforms (Make, n8n, GitHub Actions, AWS Step Functions, Zapier). All credentials are encrypted at rest using AES-256 before being written to storage.
• Workflow and run data: workflow names, execution statuses, run timestamps, and failure details pulled from your connected platforms during monitoring cycles.
• Team and governance data: email addresses of team members you invite, their assigned roles, and administrative actions recorded in the immutable audit log — including role changes, owner assignments, and integration connections.
• Billing data: your subscription plan and billing email address. Payment card details are handled entirely by Paddle, our merchant of record, and are never transmitted to or stored by OpsVeritas.

Your data is used solely to provide and improve the OpsVeritas service. Specifically, we use it to:

• Provide the service: monitor your automations, generate health metrics, route alerts to the correct workflow owners, and display run history and uptime statistics.
• Send transactional communications: sign-in codes, workflow failure alerts, and owner-assignment notifications. We do not send marketing or promotional email without your explicit, separate consent.
• Maintain security and compliance: enforce access controls, apply rate limiting, maintain audit logs, and investigate suspected misuse or security incidents.
• Improve the product: analyse aggregate, anonymised usage patterns to inform product decisions. We do not sell, share, or license individual user data to third parties for advertising or analytics purposes.

All data is stored in a Supabase PostgreSQL database hosted on AWS infrastructure. Integration credentials are encrypted with AES-256 before being written to the database — the decryption key is never stored alongside the data. All data is scoped to your organisation at the database level, making cross-tenant data access architecturally impossible. All connections between clients, the OpsVeritas API, and our database use TLS 1.2 or higher. We additionally apply HTTP security headers (via Helmet) and request-level rate limiting on all API endpoints.

We share data with the following third-party service providers solely to deliver the OpsVeritas service. All sub-processors are contractually bound to process data only as instructed and to maintain appropriate technical and organisational security measures.

• Active accounts: all data is retained for the lifetime of your active subscription and is available to you at all times via the platform.
• Following cancellation: your data is retained for 90 days to allow for account recovery, then permanently and irreversibly deleted from all systems. You may request immediate deletion at any time by contacting support.
• Audit logs: governance audit logs are retained for the duration of your subscription and are permanently deleted alongside your account data upon confirmed cancellation and the expiry of the 90-day retention window.

Depending on your jurisdiction, applicable law may grant you the following rights with respect to your personal data. OpsVeritas honours these rights regardless of your location:

• Right of access: request a complete copy of the personal data we hold about you and your organisation.
• Right to rectification: update inaccurate or incomplete personal information at any time via your account Settings page.
• Right to erasure: request the permanent deletion of your account and all associated personal data from our systems.
• Right to data portability: request a structured, machine-readable export of your workflow configurations, alert history, and account data.
• Right to object: object to processing of your personal data carried out on the basis of our legitimate interests.
• Right to restrict processing: request that we limit how we use your data while a dispute or objection is resolved.

To exercise any of these rights, contact us at support@opsveritas.com. We will acknowledge your request within 5 business days and respond in full within 30 days.

OpsVeritas uses session cookies exclusively for authentication purposes, managed by Clerk. These cookies are strictly necessary for the platform to function and cannot be disabled without losing access to the service. We do not set advertising cookies, tracking pixels, or any third-party analytics cookies. No external tracking scripts are loaded on the application.

OpsVeritas is operated from the United Kingdom. Some of our sub-processors process data in the United States and European Union. Where personal data is transferred outside the UK or European Economic Area, we ensure that appropriate safeguards are in place, including Standard Contractual Clauses (SCCs) as approved under GDPR Article 46, or equivalent transfer mechanisms required by applicable law.

We may update this Privacy Policy from time to time to reflect changes in our practices, the services we offer, or applicable law. We will notify you of any material changes by email at least 30 days before they take effect. The "Last updated" date at the top of this page reflects the most recent revision. Continued use of OpsVeritas after the effective date of a revised policy constitutes your acceptance of the changes.

If you have questions, concerns, or requests relating to this Privacy Policy or the handling of your personal data, please contact our team at support@opsveritas.com. We take all privacy enquiries seriously and will respond promptly.