Operalta

Privacy Policy

Last Updated: December 19, 2025

Welcome to Operalta. We respect your privacy and are committed to protecting your personal data. This Privacy Policy explains how Operalta Inc. ("Operalta", "we", "us", "our") collects, uses, stores, and shares your personal information when you use our conversational AI platform (the "Service").

Data Controller: Operalta Inc. (Switzerland)
Contact: privacy@operalta.com
Data Protection Officer: dpo@operalta.com (if appointed)

This Privacy Policy applies to all users of the Service, regardless of location. For users in the European Union, this Policy complies with the General Data Protection Regulation (GDPR). For users in California, this Policy complies with the California Consumer Privacy Act (CCPA) and California Online Privacy Protection Act (CalOPPA).

Table of Contents

  1. Information We Collect
  2. How We Use Your Information
  3. Legal Basis for Processing (GDPR)
  4. AI Processing & Third-Party Sharing
  5. International Data Transfers
  6. Data Retention
  7. Data Security
  8. Your Rights (GDPR)
  9. California Privacy Rights (CCPA)
  10. Cookies & Tracking
  11. Children's Privacy
  12. Changes to This Policy
  13. Contact Us
  14. Sub-Processors

1. Information We Collect

1.1 Information You Provide

Account Information:

  • Name, email address, password (encrypted)
  • Company name, stage, vertical, metrics
  • User region preference (EU, US, APAC, MENA)

Conversation Data:

  • Messages (user and AI responses)
  • Conversation context and history

Institutional Memory:

  • Decisions, hypotheses, experiments, blockers
  • Taxonomy classifications

Company Context:

  • Company description, stage, vertical
  • Metrics (MRR, ARR, growth rates, burn, runway)
  • Team size, roles, strategic priorities

Files & Documents:

  • PDFs, Office documents (DOCX, PPTX, XLSX), images
  • Pitch decks, financial models, business memos

1.2 Automatically Collected Information

  • IP address (security, fraud prevention, region detection)
  • User agent (browser type, version, OS)
  • Session data (login timestamps, duration)
  • Usage data (token counts, message counts, feature usage)

2. How We Use Your Information

2.1 Provide the Service

  • Conversational AI: Process your messages with Claude Sonnet 4.5 (Anthropic), Mistral AI
  • Memory Extraction: Automatically extract decisions, hypotheses, experiments, blockers
  • Intelligence Research: Generate market intelligence briefings using SERP API, You.com
  • Report Generation: Create board reports, investor updates, weekly summaries
  • Document Processing: Analyze PDFs, Office files, images using Claude Vision, Mistral Pixtral
  • Voice Transcription: Convert voice messages to text using Infomaniak (Swiss provider)
  • Multi-User Collaboration: Enable team workspaces, shared conversations

2.2 Account Management

  • Create and maintain your account
  • Authenticate and authorize access
  • Send transactional emails (job completions, approvals, invitations)
  • Process subscription payments (via Stripe)

Important: We do NOT use your data to train AI models for other customers. Your data remains private.

4. AI Processing & Third-Party Sharing

4.1 AI Providers

Anthropic Claude Sonnet 4.5 (United States)

  • Purpose: Conversational AI, memory extraction, intelligence synthesis, report generation
  • Data Shared: Conversation content, documents, company context, search queries
  • Data Retention: Not retained after processing (per Anthropic DPA)
  • Training: Your data is NOT used to train AI models
  • DPA: Anthropic Data Processing Agreement

Mistral AI (European Union, France) - Optional

  • Purpose: Document processing for French-market clients
  • Data Shared: Uploaded documents (PDFs, images, Office files)
  • Data Retention: Not retained after processing

Infomaniak (Switzerland)

  • Purpose: Voice transcription (auto-language detection)
  • Data Shared: Audio recordings (voice messages)
  • Data Retention: Not retained after processing
  • Data Location: 100% Swiss infrastructure (GDPR + FADP compliant)

4.2 What We Do NOT Share

  • No data sold to third parties
  • No advertising networks
  • No data brokers
  • No training AI on customer data for other customers
  • No marketing partners (unless you opt in)

Complete Sub-Processor List: See Section 14 for all third-party data processors with details on data location, retention, and DPA status.

5. International Data Transfers

5.1 Multi-Region Architecture

Current State: All customer data is stored in eu-central-2 (Zurich, Switzerland) via Supabase.

Planned Regions:

  • Americas: US-based companies → US region
  • Asia-Pacific: APAC companies → APAC region
  • MENA: Middle East & North Africa companies → MENA region

5.2 Cross-Border Data Transfers (EU → US)

When your data is processed by US-based providers (Anthropic, SERP API, You.com, Vercel), it involves a cross-border data transfer from the EU to the United States. Such transfers are governed by:

  • Standard Contractual Clauses (SCCs): Operalta has executed SCCs with US-based sub-processors
  • Transfer Impact Assessment (TIA): Risk assessment per Schrems II requirements
  • Data Processing Agreements (DPAs): Prohibiting retention of data after processing

5.3 EU-Based and Swiss Alternatives

For privacy-conscious customers, Operalta offers EU-based and Swiss alternatives for some services:

  • Mistral AI (EU, France) instead of Anthropic (US) for document processing
  • Infomaniak (Switzerland) for voice transcription (100% Swiss infrastructure, FADP compliant)
  • Bird (EU, Netherlands) for communications (no cross-border email transfer for EU customers)
  • Supabase eu-central-2 for database (Zurich, Switzerland)

Enterprise customers may request EU-only or Swiss-only processing (contact sales@operalta.com).

6. Data Retention

6.1 Active Accounts

  • User data: Indefinite (while account active)
  • Conversations: Active + archive policy (user-controlled)
  • Technical logs: 90 days
  • Audit logs: 7 years (EU requirement for compliance)

6.2 Deleted Accounts

When you delete your account:

  1. 30-day window: You can export your data (conversations, streams, reports, files)
  2. After 30 days: All data is permanently deleted and cannot be recovered
  3. Backups: Purged within 90 days
  4. Audit logs: Retained for 7 years (EU requirement)

6.3 Third-Party Deletion

  • AI Providers (Anthropic, Mistral, Infomaniak): Do not retain data after processing (per DPAs)
  • Vercel: Logs deleted within 7 days, application data deleted with account
  • Supabase: Data deleted with account, backups purged within 90 days
  • Bird: Message logs retained for 90 days, then deleted

7. Data Security

We apply the highest industry standards to protect your personal data, including encryption, multi-factor authentication, rate limiting, and database-level access controls.

For detailed information about our security practices, please visit our Security page.

Important: While we implement strong security measures, no internet transmission or electronic storage is 100% secure. We cannot guarantee absolute security. You acknowledge that you provide personal data at your own risk.

Breach Notification

In the event of a data breach affecting your personal data, we will:

  • 72 hours: Notify affected users within 72 hours (GDPR requirement)
  • Details: Provide details of the breach, data affected, and remediation steps
  • Authorities: Notify data protection authorities as required by law

8. Your Rights (GDPR)

If you are in the European Union, you have the following rights under the GDPR:

✅ Right to Access (Article 15)

Request a copy of all personal data we hold about you

Timeline: 30 days | Format: JSON or CSV export

✏️ Right to Rectification (Article 16)

Request correction of inaccurate or incomplete data

Update via account settings or email privacy@operalta.com

🗑️ Right to Erasure / "Right to be Forgotten" (Article 17)

Request deletion of your personal data

30-day window to export, permanent deletion after 30 days

📦 Right to Data Portability (Article 20)

Request your data in a machine-readable format (JSON/CSV)

Export via account settings page

⛔ Right to Object (Article 21)

Object to processing based on legitimate interests

Email privacy@operalta.com with subject "GDPR Objection"

To exercise any of these rights, please contact us at privacy@operalta.com

9. California Privacy Rights (CCPA)

If you are a California resident, you have specific rights under the California Consumer Privacy Act (CCPA).

9.1 Sale of Personal Information

WE DO NOT SELL PERSONAL INFORMATION.

Operalta has not sold personal information in the preceding 12 months and does not sell personal information.

9.2 Consumer Rights

A. Right to Know (Disclosure)

Request disclosure of personal information collected, used, shared, or sold in the past 12 months

Email: privacy@operalta.com | Response Time: 45 days

B. Right to Delete

Request deletion of personal information we have collected

Delete account via settings or email privacy@operalta.com

C. Right to Non-Discrimination

You will not receive discriminatory treatment for exercising your CCPA rights

We guarantee equal service regardless of rights exercised

9.3 "Do Not Sell My Personal Information"

Status: We do not sell personal information. This section is provided for transparency and to comply with CCPA disclosure requirements.

10. Cookies & Tracking

Essential Cookies

We use essential cookies to maintain your login session and provide core functionality:

  • Session Cookie: JWT token stored in HTTP-only cookie (7-day expiry)
  • Preferences: Language, theme, UI settings (localStorage)

Essential cookies cannot be disabled without losing core functionality (authentication, session management).

No Tracking/Advertising Cookies

We do NOT use:

  • ❌ Third-party advertising cookies
  • ❌ Cross-site tracking cookies
  • ❌ Behavioral profiling
  • ❌ Marketing pixels

11. Children's Privacy

The Service is not intended for children under 18 years of age. We do not knowingly collect personal information from children under 18.

If you are under 18, do not use the Service or provide any personal information.

If we become aware that we have collected personal information from a child under 18 without parental consent, we will take steps to delete that information immediately.

12. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by:

  • Email to your registered email address (at least 30 days' advance notice for material changes)
  • Prominent notice on the Service homepage
  • In-app notification upon next login

Effective Date: The "Last Updated" date at the top of this Policy reflects the most recent revision.

Continued Use: Your continued use of the Service after the effective date of the updated Privacy Policy constitutes acceptance of the changes.

13. Contact Us

For questions, concerns, or requests regarding this Privacy Policy or our data practices:

Email: privacy@operalta.com

Data Protection Officer: dpo@operalta.com (if appointed)

Support: support@operalta.com

For GDPR Requests: Subject line "GDPR [Request Type]" (e.g., "GDPR Access Request")

For CCPA Requests: Subject line "CCPA [Request Type]" (e.g., "CCPA Disclosure Request")

Response Time:

  • GDPR Requests: 30 days
  • CCPA Requests: 45 days (may extend 45 days with notice)
  • General Inquiries: 5 business days

14. Sub-Processors

A complete, up-to-date list of all third-party sub-processors (data processors) includes:

AI Providers

  • Anthropic (US) - Claude Sonnet 4.5 for conversational AI
  • Mistral AI (EU, France) - Document processing (optional)
  • Infomaniak (Switzerland) - Voice transcription

Infrastructure Providers

  • Vercel (US/Global) - Hosting, edge runtime, CDN
  • Supabase (EU) - Database, authentication, file storage
  • Upstash (Global) - Redis rate limiting, caching
  • Cloudflare (Global) - CDN, WAF, DDoS protection

Intelligence & Search

  • SERP API (US) - Market intelligence research
  • You.com (US) - AI-powered search (fallback)

Communications

  • Bird (MessageBird B.V.) (EU, Netherlands) - Email, SMS, WhatsApp notifications

Payment Processing

  • Stripe (US/Global) - Payment processing, subscription billing

Change Notification Policy:

  • Critical infrastructure changes (Vercel, Supabase, Stripe): 30 days' advance notice
  • Technical service changes (AI providers, intelligence, communications): No advance notice (documented in quarterly update)

For complete details including data location, retention policies, and DPA status, see our Complete Sub-Processors List.

Acknowledgment

By using the Service, you acknowledge that you have read, understood, and agree to this Privacy Policy.

If you do not agree to this Privacy Policy, you may not use the Service.

END OF PRIVACY POLICY

Last Updated: December 19, 2025 | Version: 1.2