Privacy Policy
Version 3.1 — Effective: 20 April 2026
1. Introduction
Opagio Ltd ("Opagio", "we", "us", or "our") is committed to protecting your privacy and handling your personal data in compliance with the UK General Data Protection Regulation ("UK GDPR"), the Data Protection Act 2018, and the Data (Use and Access) Act 2025.
This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you visit our website opag.io, use our Opagio Growth Platform, or interact with us.
Data Controller: Opagio Ltd, registered in England & Wales (company number 13050381). Our contact email for privacy matters is privacy@opag.io.
2. Information We Collect
We collect the following categories of personal data:
- Contact Information: Name, email address, telephone number, company name, and job title — provided when you contact us, subscribe to our newsletter, request a demo, or register for the platform.
- Account Data: Login credentials and authentication information when you create a platform account.
- Usage Data: Information about how you interact with our website and platform, including pages viewed, features used, session duration, and referring URLs.
- Technical Data: IP address, browser type and version, device information, and operating system.
- Marketing Attribution Data: When you first visit our website via a marketing campaign or referral link, we may store campaign attribution data (such as UTM parameters and referring website URL) in a cookie on your device. This data is used solely to understand which marketing channels led to your registration and is cleared upon registration. This processing requires your consent via our cookie banner (Analytics category). See our Cookie Policy for details.
- Platform Data: Financial, operational, and workforce data that you upload to the Opagio Growth Platform for analysis. Where you are a business client, we process this data as a data processor on your behalf — see our Data Processing Agreement for details.
3. Lawful Bases for Processing
Under Article 6 of the UK GDPR, we rely on the following lawful bases:
| Processing Activity | Lawful Basis |
|---|---|
| Responding to enquiries and demo requests | Legitimate interests (responding to prospective clients) |
| Providing the Opagio Growth Platform | Contract performance |
| Sending marketing emails and newsletters | Consent (withdrawable at any time) |
| Website analytics and improvement | Legitimate interests (improving our services) |
| Processing payments and billing | Contract performance |
| Fraud prevention and security | Legitimate interests (protecting our business and users) |
| Tax and regulatory compliance | Legal obligation |
| Generating anonymised benchmarks and industry analytics (using Aggregated Data only, as defined in our Terms of Service) | Legitimate interests (improving services and generating market insights) |
| Training and improving machine learning models (using Aggregated Data only) | Legitimate interests (improving service accuracy and analytical capabilities) |
| Automated classification of your financial data (Classification Engine). We process your uploaded financial data through our Classification Engine to categorise transactions, identify patterns, and generate analytical outputs. The majority of this processing occurs within our own infrastructure using rule-based algorithms and proprietary models. For tasks that require large language model capabilities (e.g. summarisation, semantic search, extraction from unstructured client materials, natural-language interpretation), we transmit limited, task-specific extracts of your data to vetted AI sub-processors listed in our Data Processing Agreement. Those sub-processors are contractually prohibited from using your data to train their models. You can request human review of any automated classification via support@opag.io. A Legitimate Interests Assessment is available on request. | Legitimate interests (Article 6(1)(f)) — providing the core Platform service |
| Corporate group entity discovery. Where you use the Platform for a corporate group, we process publicly available corporate registry data (including from the Global Legal Entity Identifier Foundation — GLEIF) to identify related entities within your group structure. This data is publicly available and does not involve processing private personal data. | Legitimate interests (Article 6(1)(f)) — assisting with accurate group setup |
Where we rely on legitimate interests as a lawful basis, we have conducted a Legitimate Interest Assessment (LIA) balancing our interests against your rights and freedoms. You may request a copy of any LIA by contacting privacy@opag.io.
4. How We Use Your Information
We use the information we collect to:
- Respond to your enquiries and provide customer support
- Deliver, maintain, and improve the Opagio Growth Platform
- Send marketing communications (only with your consent)
- Process payments and manage your subscription
- Analyse website usage to improve our services
- Comply with legal and regulatory obligations
5. Data Sharing and Sub-Processors
We do not sell your personal data. We share your information only with trusted third-party service providers who process data on our behalf under appropriate contractual and security obligations:
| Provider | Purpose | Location |
|---|---|---|
| Google Cloud Platform (Firebase) | Cloud hosting, database, authentication | Europe (eur3: London, Belgium, Netherlands) |
| Supabase | User authentication and identity | United States |
| Stripe | Payment processing and billing | United States |
| Resend | Transactional and marketing email | United States |
| ATTIO Ltd | Customer relationship management (contact name, email, company, interaction history) | United Kingdom |
| Anthropic, PBC | LLM processing for narrow Platform tasks (summarisation, semantic search, structured extraction, natural-language interpretation). Task-specific extracts only — not bulk client data. Zero-training terms apply. | United States |
A complete sub-processor list is also available in our Data Processing Agreement.
6. International Data Transfers
Our primary database and core platform infrastructure are hosted on Google Cloud Platform in the eur3 multi-region (Europe), spanning data centres in London (United Kingdom), Belgium, and the Netherlands. All customer data at rest is stored within the European Economic Area (EEA) and the United Kingdom. No international transfers outside the EEA are required for core platform operations.
Certain sub-processors (Supabase, Stripe, and Resend) process limited categories of data in the United States for authentication, payment processing, and email delivery respectively.
Where personal data is transferred outside the United Kingdom, we ensure appropriate safeguards are in place under Chapter V of the UK GDPR, including UK adequacy decisions, the UK International Data Transfer Agreement (IDTA), or the UK Addendum to the EU Standard Contractual Clauses.
7. Data Retention
We retain your personal data only for as long as necessary. Our specific retention periods are:
| Data Category | Retention Period |
|---|---|
| Contact form submissions and demo requests | 2 years from submission |
| Newsletter subscriber data | Until unsubscribe, plus 6 months |
| Platform account and usage data | Duration of subscription, plus 30 days |
| Payment and billing records | 7 years (UK tax obligations) |
| Website analytics data | 26 months from collection |
| Database backups (daily automated + point-in-time recovery) | 7 days rolling retention |
8. What We Do Not Do
- We never sell your personal data to third parties.
- We never share your data for advertising or marketing purposes with third parties.
- We never use your data for profiling or targeted advertising.
- We never display third-party advertisements on the Platform.
- We never track your location without explicit consent.
9. Automated Decision-Making and AI Transparency
The Platform includes automated processing tools that analyse your data and produce outputs:
(a) Classification Engine. The Platform's Classification Engine automatically categorises financial data (such as general ledger entries) using rule-based algorithms and, where deployed, proprietary machine learning models. This processing is automated but produces decision-support outputs only — no decisions with legal or similarly significant effects are made solely by automated means.
(b) No Third-Party AI. All automated processing occurs within Opagio's own infrastructure. Your data is not transmitted to third-party artificial intelligence services (such as OpenAI, Google AI, or similar) for processing. Future model training, where applicable, uses only anonymised and aggregated data as described in Section 3.
(c) Human Review. You have the right to request human review of any automated output by contacting support@opag.io. We will review the relevant classification or output and provide an explanation of how it was generated.
(d) EU AI Act Compliance. Under the EU AI Act, the Platform operates as a decision-support tool, not an autonomous decision-making system. Opagio does not make or recommend financial decisions on your behalf. All outputs require your independent professional review before use. Platform outputs should not be treated as professional valuations or financial advice — see our Terms of Service for important limitations.
9A. Corporate Group Data Controller Relationships
Where you use the Platform for a corporate group comprising multiple legal entities:
(a) The Group Administrator's entity is the data controller for Platform account data (user credentials, subscription details, billing information).
(b) Each individual entity within the group is the data controller for its own financial and operational data uploaded to the Platform. Opagio processes this data as a processor under the terms of the Data Processing Agreement.
(c) The Group Administrator may grant cross-entity access to designated users. When a user accesses data from multiple entities, each entity remains the controller for its own data, and the Group Administrator is responsible for ensuring appropriate authorisation.
10. Cookies and Tracking Technologies
We use cookies and similar technologies to improve your experience. For details, see our Cookie Policy.
11. Your Rights Under UK GDPR
Under the UK GDPR, you have the following rights:
- Right of access — request a copy of your personal data.
- Right to rectification — correct inaccurate or incomplete data.
- Right to erasure — request deletion in certain circumstances.
- Right to restriction — restrict processing of your data.
- Right to data portability — receive data in a machine-readable format.
- Right to object — object to processing based on legitimate interests or direct marketing.
- Right to withdraw consent — withdraw consent at any time.
To exercise any of these rights, email privacy@opag.io. We will respond within one month, extendable by up to two further months for complex cases.
12. Right to Complain
If you are not satisfied with how we handle your data, you have the right to lodge a complaint with the Information Commissioner's Office (ICO):
Information Commissioner's Office
Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF
Telephone: 0303 123 1113
Website: ico.org.uk/make-a-complaint
13. Children's Privacy
Our services are directed at businesses and professionals and are not intended for individuals under 18. We do not knowingly collect personal data from children. If you believe we have collected data from a child, please contact us immediately at privacy@opag.io.
14. Changes to This Policy
We may update this Privacy Policy from time to time. Changes will be posted on this page with an updated revision date. For material changes, we will notify you by email or through a notice on our website.
15. Contact Us
Privacy matters: privacy@opag.io
Data Protection Officer enquiries: dpo@opag.io
General enquiries: hello@opag.io
Opagio Ltd, registered in England & Wales, company number 13050381. Our Privacy Lead is Tony Hillier; both privacy@opag.io and dpo@opag.io route to the Privacy Lead.