Privacy Policy

Welcome to Operalta. We respect your privacy and are committed to protecting your personal data. This Privacy Policy explains how Operalta Sàrl ("Operalta", "we", "us", "our") collects, uses, stores, and shares your personal information when you use our conversational AI platform (the "Service").

Data Controller: Operalta Sàrl, a Swiss limited liability company (Sàrl / GmbH / Sagl)
Registered office: Avenue Eugène-Pittard 56, 1206 Genève, Switzerland
Contact: privacy@operalta.com

This Privacy Policy applies to all users of the Service, regardless of location. For users in the European Union, this Policy complies with the General Data Protection Regulation (GDPR). For users in Switzerland, it complies with the revised Swiss Federal Act on Data Protection (revFADP/nFADP). For users in California, this Policy complies with the California Consumer Privacy Act (CCPA) and California Online Privacy Protection Act (CalOPPA).

1. Information We Collect

1.1 Information You Provide

Account Information:

• Name, email address, password (encrypted)
• Company name, stage, vertical, metrics
• User region preference (EU, US, APAC, MENA)

Access Control Data:

• Role assignments and permissions
• Policy configurations for administrative access
• Audit events for security and compliance

Conversation Data:

• Messages (user and AI responses)
• Conversation context and history

Institutional Memory:

• Decisions, hypotheses, experiments, blockers
• Taxonomy classifications

Company Context:

• Company description, stage, vertical
• Metrics (MRR, ARR, growth rates, burn, runway)
• Team size, roles, strategic priorities

Files & Documents:

• PDFs, Office documents (DOCX, PPTX, XLSX), images
• Pitch decks, financial models, business memos

1.2 Public Trial Flows (/apps)

When you run a free tool at /apps/<tool>/try (Beacon, Fundraise Ready, Investor Match, Market Intel, Startup Radar, VC AI Audit, Playbooks) without an account, we collect:

• Email address — to send you the result and, if you opt in, occasional product updates
• Form inputs — challenge, stage, website URL or pasted context, and any answers you type during a Playbook conversation
• Anonymous session cookie (apps_session) — a random ID used to associate your trial run with you across the result page; not used for cross-site tracking
• Hashed IP address — for rate limiting and abuse prevention; the raw IP is never stored
• Marketing consent state — whether you opted in, when, which notice version you saw, and the hashed IP at the time of consent (so we can prove the consent was freely given)

These trial runs are anonymous-first. If you later sign up with the same email, we link the prior runs to your new account so you keep your work.

1.3 Automatically Collected Information

• IP address (security, fraud prevention, region detection)
• User agent (browser type, version, OS)
• Session data (login timestamps, duration)
• Usage data (token counts, message counts, feature usage)

2. How We Use Your Information

2.1 Provide the Service

• Conversational AI: Process your messages with approved Claude-family models and selected alternative models when the workspace configuration requires them
• Memory Extraction: Automatically extract decisions, hypotheses, experiments, blockers
• Intelligence Research: Generate market intelligence briefings using third-party search and intelligence providers
• Report Generation: Create board reports, investor updates, weekly summaries
• Document Processing: Analyze PDFs, Office files, and images using approved model families such as Claude, Mistral, Gemini, and Bedrock-routed open models depending on the workflow
• Voice Transcription: Convert voice messages to text using a Swiss transcription provider
• Multi-User Collaboration: Enable team workspaces, shared conversations

2.2 Account Management

• Create and maintain your account
• Authenticate and authorize access
• Enforce role-based access control and administrative policies
• Maintain security and compliance audit logs
• Send transactional emails (job completions, approvals, invitations)
• Process subscription payments through a PCI-compliant processor

2.3 Product Analytics

We use first-party analytics to understand product usage and improve the Service. This may include aggregated page views, feature usage, device and browser metadata, and approximate location derived from IP address. We use a processing provider for this telemetry.

Important: We do NOT use your data to train AI models for other customers. Your data remains private.

3. Legal Basis for Processing (GDPR)

For users in the European Union, we process your personal data based on the following legal grounds:

4. AI Processing & Third-Party Sharing

4.1 AI Providers

4.2 What We Do NOT Share

• ❌ No data sold to third parties
• ❌ No advertising networks
• ❌ No data brokers
• ❌ No training AI on customer data for other customers
• ❌ No marketing partners (unless you opt in)

Sub-Processor Information: See Section 16 for request details if you need the current list, data-location information, or supporting DPA materials.

5. International Data Transfers

5.1 Multi-Region Architecture

Current State: Customer data is currently stored in eu-central-2 (Zurich, Switzerland) on our primary data infrastructure.

Planned Regions:

• Americas: US-based companies → US region
• Asia-Pacific: APAC companies → APAC region
• MENA: Middle East & North Africa companies → MENA region

5.2 Cross-Border Data Transfers (EU → US)

When your data is processed by US-based AI, search, or delivery providers, it involves a cross-border data transfer from the EU to the United States. Such transfers are governed by:

• Standard Contractual Clauses (SCCs): Operalta has executed SCCs with US-based sub-processors, supplemented by the Swiss FDPIC-recognized adaptations for transfers from Switzerland
• Transfer Impact Assessment (TIA): Risk assessment per Schrems II requirements
• Data Processing Agreements (DPAs): Prohibiting retention of data after processing

The main countries to which data may be transferred are the United States (AI, search, and delivery providers) and the European Union, in addition to our primary data region in Switzerland. You may request a copy of the relevant transfer safeguards (such as the SCCs) by contacting privacy@operalta.com.

5.3 EU-Based and Swiss Alternatives

For privacy-conscious customers, Operalta offers EU-based and Swiss alternatives for some services:

• Mistral family models (EU, France) for selected document-processing paths
• Swiss transcription routes for voice processing
• EU communication providers for selected customer workflows
• Primary European data region in Zurich, Switzerland

Enterprise customers may request EU-only or Swiss-only processing (contact sales@operalta.com).

6. Data Retention

6.1 Active Accounts

• User data: Indefinite (while account active)
• Conversations: Active + archive policy (user-controlled)
• Technical logs: 90 days
• Audit logs: 7 years (EU requirement for compliance)

6.2 Deleted Accounts

When you delete your account:

1. Export and access requests: Handled through the applicable account workflow and privacy rights process
2. Account and content deletion: Executed within our documented operational windows, subject to valid legal holds and applicable law
3. Backups: Purged according to documented backup retention schedules
4. Audit logs: Selected audit and compliance logs may be retained longer where legally required

6.3 Third-Party Deletion

• AI and transcription providers: Retention follows applicable DPAs, provider terms, and configured settings
• Hosting and delivery providers: Logs and delivery metadata are retained according to operational retention windows
• Primary data infrastructure: Account data is deleted in accordance with account deletion and backup retention rules
• Communications providers: Message logs are retained only as long as operationally or legally required

7. Data Security

We apply the highest industry standards to protect your personal data, including encryption, multi-factor authentication, rate limiting, and database-level access controls.

Access to customer data is governed by role-based permissions and policy checks in both the application and the database (row-level security), with security and audit logging for sensitive actions.

For detailed information about our security practices, please visit our Security page.

Breach Notification

In the event of a data breach affecting your personal data, we will:

• 72 hours: Notify affected users within 72 hours (GDPR requirement)
• Details: Provide details of the breach, data affected, and remediation steps
• Authorities: Notify data protection authorities as required by law

8. Your Rights (GDPR)

If you are in the European Union, you have the following rights under the GDPR:

To exercise any of these rights, please contact us at privacy@operalta.com

9. California Privacy Rights (CCPA)

If you are a California resident, you have specific rights under the California Consumer Privacy Act (CCPA).

9.1 Sale of Personal Information

9.2 Consumer Rights

9.3 "Do Not Sell My Personal Information"

Status: We do not sell personal information. This section is provided for transparency and to comply with CCPA disclosure requirements.

10. Swiss Privacy Rights (revFADP)

If you are in Switzerland, the revised Swiss Federal Act on Data Protection (revFADP/nFADP, in force since 1 September 2023) applies to the processing of your personal data. Many of its protections mirror the GDPR rights described in Section 8.

Cross-Border Disclosure

Where we disclose data abroad (see Section 5), we rely on safeguards recognized under Swiss law, including the Standard Contractual Clauses with the FDPIC-recognized Swiss adaptations.

Swiss Supervisory Authority

You have the right to contact the Swiss Federal Data Protection and Information Commissioner (FDPIC) regarding our processing of your personal data: www.edoeb.admin.ch.

11. Automated Decision-Making & Profiling

Operalta is an AI platform: the Service uses large language models and automated processing to generate conversational responses, extract memory, synthesize intelligence, and produce reports and decks at your direction.

We do not use these systems to make decisions that produce legal effects concerning you, or that similarly significantly affect you, without human involvement (within the meaning of GDPR Article 22 and the equivalent revFADP provisions). AI-generated outputs are informational aids that you review and act on; they are not automated decisions about you.

12. Cookies & Tracking

Essential Cookies

We use essential cookies to maintain your login session and provide core functionality:

• Session Cookie: JWT token stored in HTTP-only cookie (7-day expiry)
• Preferences: Language, theme, UI settings (localStorage)

Essential cookies cannot be disabled without losing core functionality (authentication, session management).

No Tracking/Advertising Cookies

We do NOT use:

• ❌ Third-party advertising cookies
• ❌ Cross-site tracking cookies
• ❌ Behavioral profiling
• ❌ Marketing pixels

Product Analytics

We use first-party analytics to understand product usage and improve the Service. This includes aggregated page views, feature usage, device and browser metadata, and approximate location derived from IP address. We use a processing provider for this telemetry.

13. Children's Privacy

The Service is not intended for children under 18 years of age. We do not knowingly collect personal information from children under 18.

If you are under 18, do not use the Service or provide any personal information.

If we become aware that we have collected personal information from a child under 18 without parental consent, we will take steps to delete that information immediately.

14. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by:

• Email to your registered email address (at least 30 days' advance notice for material changes)
• Prominent notice on the Service homepage
• In-app notification upon next login

Effective Date: The "Last Updated" date at the top of this Policy reflects the most recent revision.

Continued Use: Your continued use of the Service after the effective date of the updated Privacy Policy constitutes acceptance of the changes.

15. Contact Us

For questions, concerns, or requests regarding this Privacy Policy or our data practices:

For GDPR Requests: Subject line "GDPR [Request Type]" (e.g., "GDPR Access Request")

For CCPA Requests: Subject line "CCPA [Request Type]" (e.g., "CCPA Disclosure Request")

16. Sub-Processors & Requests

Operalta uses third-party providers to operate infrastructure, process payments, support communications, and deliver selected AI and search features.