Privacy Policy
Last updated: March 2026
Summary: OPS2.AI LTD ("we", "us", "our") respects your privacy. We collect minimal data, use it only for legitimate purposes, never sell it, and give you full control over your information. Our Services are designed for business (B2B) clients.
1. Who we are
OPS2.AI LTD is a company registered in England and Wales (Company No. 17081809), with its registered office at 71-75 Shelton Street, Covent Garden, London, WC2H 9JQ, United Kingdom.
For the purposes of the UK General Data Protection Regulation (UK GDPR), the EU General Data Protection Regulation (EU GDPR), and the Data Protection Act 2018, we act in two capacities:
- Data controller — for personal data we collect directly (e.g., contact details of our business clients, website visitors, and prospective customers)
- Data processor — for personal data that our business clients upload to or process through our platform. In this case, the client is the data controller and we process data on their behalf in accordance with our Data Processing Agreement (DPA)
Data Protection Contact: [email protected] (for all data protection enquiries)
2. Scope
This Privacy Policy applies to personal data we collect as a data controller, including data from:
- Visitors to our website (ops2.ai)
- Business contacts and prospective clients who enquire about our Services
- Representatives of client organisations who create accounts or use our Services
For data we process on behalf of our clients (as a data processor), the client's own privacy policy applies. Our processing obligations are governed by the DPA between OPS2.AI and the client.
3. What data we collect as controller
3.1 Data you provide directly
- Business contact information: name, business email address, company name, job title (when you sign up for beta access, create an account, request a demo, or contact us)
- Account data: login credentials, account preferences, subscription details
- Communications: messages, feedback, or support requests
- Billing data: company billing address, payment information (processed by our third-party payment provider)
3.2 Data collected automatically
- Technical data: IP address, browser type and version, operating system, device type
- Usage data: pages visited, features used, time spent, referring URL, date and time of access
- Cookie data: see our Cookie Policy for details
3.3 Data we do not collect
We do not collect special category (sensitive) data such as racial or ethnic origin, political opinions, religious beliefs, health data, sexual orientation, or biometric data. Our Services are not directed at individuals under 18 years of age.
4. How we use your data
We process personal data only when we have a lawful basis under applicable data protection law:
- Contract (Art. 6(1)(b) GDPR): to provide our Services, manage accounts, process transactions, and fulfil contractual obligations to our business clients
- Legitimate interest (Art. 6(1)(f) GDPR): to improve our website and Services, communicate with business contacts, ensure security, prevent fraud, and conduct business development. Our legitimate interests are balanced against data subjects' rights
- Consent (Art. 6(1)(a) GDPR): when you opt in to marketing communications or beta access. You can withdraw consent at any time
- Legal obligation (Art. 6(1)(c) GDPR): to comply with applicable laws and regulations
Specifically, we use your data to:
- Provide, maintain, and improve our Services
- Manage client accounts and subscriptions
- Send service-related communications (account confirmations, security alerts, technical notices, invoices)
- Send marketing communications to business contacts (only with consent or where permitted under legitimate interest for existing B2B relationships; you can opt out at any time)
- Respond to enquiries and provide support
- Monitor and analyse usage to improve the platform
- Detect, prevent, and address fraud, abuse, or technical issues
- Comply with legal and regulatory obligations
5. Data we process on behalf of clients (processor role)
When our business clients use the OPS2.AI platform, they may upload or process data through our Services, which may include personal data of their own customers, employees, or end users. In this context:
- The client is the data controller and determines the purposes and means of processing
- We act as a data processor and process data solely in accordance with the client's documented instructions
- Our obligations are set out in our Data Processing Agreement (DPA), available upon request
- We implement appropriate technical and organisational security measures
- We do not access, use, or share client data except as necessary to provide the Services or as required by law
- We assist clients with data subject requests, data protection impact assessments, and breach notification as required by GDPR
6. Data sharing
We do not sell, rent, or trade personal data. We may share data with:
- Sub-processors: trusted third-party service providers who assist us in operating the Services (e.g., cloud hosting, email delivery, payment processing, analytics), bound by data processing agreements with obligations no less protective than our DPA. A list of sub-processors is available upon request
- Professional advisers: lawyers, accountants, and auditors where necessary for the operation of our business
- Legal requirements: when required by law, regulation, court order, or governmental request
- Business transfers: in connection with a merger, acquisition, or sale of assets, with prior notice to affected parties
7. International data transfers
Data may be transferred to, stored, and processed in countries outside the UK and the European Economic Area (EEA). When we transfer data internationally, we ensure appropriate safeguards are in place, including:
- Standard Contractual Clauses (SCCs) approved by the European Commission and/or the UK ICO
- EU-US Data Privacy Framework certification (where applicable)
- UK adequacy regulations and adequacy decisions by the relevant authorities
Details of international transfers and the safeguards used are set out in our DPA.
8. Data retention
We retain personal data only for as long as necessary for the purposes outlined in this policy, or as required by law:
- Account and business contact data: retained while the business relationship is active and for 24 months after termination to allow for re-engagement and dispute resolution
- Client data (processor role): retained for the duration of the service agreement, then deleted within 30 days of termination unless retention is required by law or the client requests an extension
- Marketing consent records: retained for the duration of consent plus 3 years
- Technical logs: retained for up to 12 months
- Legal, tax, and accounting records: retained for up to 7 years as required by UK law
9. Your rights
Under the UK GDPR, EU GDPR, and applicable US state privacy laws, individuals have the following rights regarding data we control:
- Right of access: request a copy of your personal data
- Right to rectification: request correction of inaccurate data
- Right to erasure: request deletion of your data ("right to be forgotten")
- Right to restrict processing: request that we limit how we use your data
- Right to data portability: receive your data in a structured, machine-readable format
- Right to object: object to processing based on legitimate interests or for direct marketing
- Right to withdraw consent: withdraw consent at any time
- Right not to be subject to automated decision-making: not be subject to decisions based solely on automated processing that produce legal or significant effects
To exercise any of these rights, contact us at [email protected]. We will respond within 30 days.
If personal data is processed through the OPS2.AI platform by one of our business clients, data subjects should direct their requests to the relevant client (as the data controller). We will assist our clients in fulfilling such requests as required by our DPA.
9.1 Additional rights for US residents
Residents of California (CCPA/CPRA), Virginia, Colorado, Connecticut, and other US states with privacy legislation may have additional rights including the right to know, delete, and opt out. We do not sell personal data. Contact us to exercise these rights.
10. Data security
We implement appropriate technical and organisational measures to protect personal data, including:
- Encryption in transit (TLS) and at rest
- Access controls and authentication
- Regular security assessments and penetration testing
- Incident response and breach notification procedures
- Employee training on data protection
Our security measures are detailed in our DPA and are subject to continuous improvement.
11. Third-party links
Our website may contain links to third-party websites. We are not responsible for their privacy practices. We encourage you to review their privacy policies.
12. Changes to this policy
We may update this Privacy Policy from time to time. We will notify clients of material changes by email at least 30 days before they take effect. The updated policy will be posted on our website with a revised date.
13. Complaints
If you are unhappy with how we handle your data, you have the right to lodge a complaint with a supervisory authority:
- UK: Information Commissioner's Office (ICO) — ico.org.uk
- EU: Your local Data Protection Authority
14. Contact us
F