Privacy Policy

1. Information We Collect

1.1 Information you provide

• Account data: name, email, phone, password (hashed), business name, role, license numbers (e.g., CSLB).
• Customer & project data: information about your customers, jobs, properties, subcontractors, vendors, employees, and related documents, photos, and communications you upload or create in the Services.
• Payment information: payment-card and bank data you submit are processed by PCI-compliant payment processors (e.g., Stripe, Intuit QuickBooks Payments). We do not store full card numbers.
• Support communications: messages, screenshots, and attachments you send to our support team.
• Marketing consents: email and SMS subscription preferences.

1.2 Information collected automatically

• Device & log data: IP address, browser type, OS, device identifiers, referring URLs, pages viewed, timestamps, crash logs.
• Cookies and similar technologies: see Cookie Policy.
• Product analytics: in-app events that help us understand feature usage (via PostHog). Pseudonymous by default.

1.3 Information from third parties and integrations

When you connect a third-party service, we receive data as you authorize:

• Accounting: QuickBooks Online — invoices, bills, chart of accounts, vendor/customer lists, transactions.
• Communications: RingCentral, Resend — messages, call metadata, delivery receipts.
• Advertising and marketing: Google Ads, Meta Ads — campaign performance, lead data.
• Reviews and listings: Google Business Profile, Yelp, Angi, Thumbtack, Houzz — reviews, inquiries, profile data.
• Field and ops: CompanyCam, PandaDoc, DocuSeal — photos, documents, signatures.
• Single sign-on: if you use Google or another SSO provider, we receive the profile fields you authorize (name, email, profile picture). We do not post to your social accounts without your action.

1.4 Sensitive personal information

We do not intentionally collect sensitive personal information as defined under CCPA/CPRA or any other US state privacy law (e.g., precise geolocation, government ID numbers, racial or ethnic origin, religious beliefs, health data, biometric identifiers, or sexual orientation).

1.5 Information about minors

The Services are not directed to children under 18. We do not knowingly collect personal information from anyone under 18. If you believe a minor has provided us personal information, contact support@oparbase.com and we will delete it.

2. How We Use Information

We process personal information for the following purposes:

3. AI Processing

The Services use large language models and other AI systems from third-party providers — including Anthropic — to power features such as summarization, drafting, classification, and conversational assistance.

• Your content may be sent to these providers to generate outputs in the Services.
• We do not permit our AI providers to use your content to train their public or foundation models. Our contracts with providers such as Anthropic include a zero-retention or limited-retention commitment consistent with their enterprise API terms.
• Outputs may contain errors. AI-generated content is not a substitute for professional judgment. Review before acting on it.
• You can disable AI features for your tenant by contacting support@oparbase.com.

4. How We Share Information

We do not sell personal information for money. We share information only as follows:

• Service providers / subprocessors (hosting, databases, email, SMS, analytics, payment processors, AI providers).
• Integrations you authorize. We share data with third-party platforms only at your direction (e.g., pushing an invoice to QuickBooks).
• Professional advisors (lawyers, accountants, auditors) bound by confidentiality.
• Business transfers. If we are involved in a merger, acquisition, or sale of assets, personal information may be transferred as part of that transaction, subject to continuity of this Policy.
• Legal and safety. We may disclose information if required by law, subpoena, or court order, or to protect rights, property, or safety.
• Aggregated or de-identified data that cannot reasonably be used to identify you.

4.1 “Sharing” for cross-context behavioral advertising

Certain US state laws treat the use of advertising cookies and pixels as “sharing” even when no money changes hands. OparBase uses advertising technologies (e.g., Meta Pixel, Google Ads tags) on our marketing website. You can opt out via our cookie banner, by enabling Global Privacy Control in your browser, or through the links in Your Rights.

5. International Data Transfers

OparBase is based in the United States and stores and processes data primarily in the United States. If you access the Services from outside the US, your information may be transferred to, stored in, and processed in the US and other countries where our subprocessors operate. Where required by law, we use appropriate safeguards such as the EU Standard Contractual Clauses.

6. Cookies and Tracking

We use cookies and similar technologies to operate the site, remember preferences, analyze usage, and — with your consent — measure advertising. See our full Cookie Policy for details on what we use, why, and how to manage your preferences.

6.1 Global Privacy Control

We honor the Global Privacy Control (GPC) browser signal. When we detect GPC, we treat it as a valid opt-out of “sale” and “sharing” under CCPA/CPRA and equivalent state laws, and we do not fire advertising tags for that visitor.

6.2 Do Not Track

There is no consensus industry standard for Do Not Track. We respond to GPC signals (see above) but do not separately respond to DNT headers.

7. Data Retention

We retain personal information only as long as needed for the purposes described in this Policy, to comply with legal obligations (e.g., tax and accounting — typically 7 years), resolve disputes, and enforce our agreements.

When retention is no longer required, we delete or irreversibly anonymize the data. Backups are retained for up to 90 days and then overwritten. You may request deletion of your account and associated data at any time — see Your Rights.

8. Security

We maintain administrative, technical, and physical safeguards designed to protect personal information, including:

• Encryption in transit (TLS 1.2+) and at rest (AES-256).
• Role-based access controls and least-privilege access.
• Multi-factor authentication for administrative access.
• Row-level security on customer data in our primary database.
• Logging, monitoring, and automated alerting.
• Vendor and subprocessor security review.
• Regular backups and tested restoration procedures.

No method of transmission or storage is 100% secure. If you believe your account has been compromised, contact support@oparbase.com immediately.

9. Your Rights

Depending on where you live, you may have some or all of the following rights:

• Access / Know — confirm whether we process your information and obtain a copy.
• Correct — request correction of inaccurate information.
• Delete — request deletion of your personal information.
• Portability — receive a copy in a machine-readable format.
• Opt out of sale or sharing — including cross-context behavioral advertising.
• Opt out of targeted advertising.
• Appeal — if we deny your request, you may appeal our decision.
• Withdraw consent — where processing is based on consent.
• Non-discrimination — we will not discriminate against you for exercising any of these rights.

9.1 How to exercise your rights

Submit a request at /legal/privacy-request or email support@oparbase.com. We verify requests using the email on your account. We respond within the time required by law (generally 45 days, extendable once).

9.2 California notice (CCPA/CPRA)

In the preceding 12 months we have collected the categories of personal information listed in Section 1. We have not sold personal information for money. We have “shared” advertising-related identifiers as described in Section 4.1, which you can opt out of at any time. To exercise your “Do Not Sell or Share My Personal Information” right, visit /legal/privacy-request or enable Global Privacy Control.

9.3 Other US state notices

If you are a resident of Colorado, Connecticut, Virginia, Texas, Montana, or other states with privacy laws comparable to CCPA, you have equivalent rights. Use /legal/privacy-request to exercise them. Appeals can be sent to support@oparbase.com.

9.4 EEA, UK, and Swiss residents

You have rights under the GDPR and UK GDPR, including the rights listed above plus the right to lodge a complaint with your supervisory authority. Our legal bases for processing are listed in Section 2.

10. Changes to this Policy

We may update this Policy from time to time. When we make material changes, we will update the “Last updated” date and, where required by law, notify you by email or in-product notice. The current Policy always governs your use of the Services.

11. Contact