Privacy Policy — Opyrion

1. Who We Are

Opyrion (“we”, “us”, “our”) is a software service operated from the Republic of Cyprus. We operate the website opyrion.com and the application at app.opyrion.com (collectively, the “Service”). For the purposes of the General Data Protection Regulation (GDPR), we are the data controller of your personal information.

Contact: privacy@opyrion.com

This Privacy Policy explains how we collect, use, and protect your personal information when you use our Service.

2. Information We Collect

2.1 Account Information

When you create an account, we collect:

Username
Email address
Full name
Password (stored as a bcrypt hash — we never store or see your plain-text password)

2.2 Business Data

All data you enter into the Service — including clients, suppliers, inventory items, orders, invoices, financial records, tasks, events, and settings — is stored in our database. This data belongs to you and is accessible only to your account.

2.3 Payment Information

Payment processing is handled entirely by Stripe. We do not collect, store, or have access to your credit card number, CVV, or bank account details. We store only your Stripe customer ID and subscription status to manage your account access.

2.4 Technical Data

We may collect standard server logs including IP address, browser type, and access timestamps for security and operational purposes.

3. How We Use Your Information

We use your information to:

Provide and maintain the Service
Authenticate your identity and manage your account
Process subscription payments via Stripe
Communicate with you about your account or the Service (e.g. password resets, billing issues)
Protect the security and integrity of the Service

3.1 Lawful Basis for Processing

We process your personal data under the following lawful bases (GDPR Article 6):

Contract performance (Art. 6(1)(b)) — processing your account information and business data is necessary to provide the Service you have signed up for.
Legitimate interests (Art. 6(1)(f)) — server logs and security monitoring are necessary to protect the Service and our users from abuse and unauthorized access.
Legal obligation (Art. 6(1)(c)) — we may process data where required to comply with applicable law.

We do not sell, rent, or share your personal information with third parties for marketing purposes. We do not use your business data for advertising, profiling, or analytics beyond what is needed to operate the Service.

4. Data Isolation

Each user's data is fully isolated. Your business records (clients, orders, inventory, finances, etc.) are accessible only to your authenticated account. No other user can access, view, or modify your data.

5. Data Storage & Security

All data is transmitted over HTTPS (TLS encryption in transit)
Passwords are hashed using bcrypt with a cost factor of 12
Authentication uses short-lived JWT access tokens (5 minutes) with refresh token rotation
Session cookies are HttpOnly, Secure, and SameSite=Lax
All database queries use parameterized prepared statements to prevent SQL injection

6. Third-Party Services

We use the following third-party services:

Stripe — payment processing. Stripe's privacy policy: stripe.com/privacy

We do not use any tracking, analytics, or advertising services.

7. Cookies

We use essential cookies only:

opyrion_access_token — short-lived JWT for authentication (5-minute expiry)
opyrion_refresh_token — longer-lived token for session renewal (7-day expiry)

We do not use tracking cookies, advertising cookies, or third-party cookies.

8. Your Rights (GDPR)

If you are in the European Economic Area, you have the right to:

Access — request a copy of the personal data we hold about you
Rectification — update your account information through the Settings page
Erasure — request deletion of your account and all associated data
Portability — request your data in a machine-readable format
Restriction — request that we limit processing of your data
Objection — object to processing of your data

To exercise any of these rights, contact us at privacy@opyrion.com. We will respond within 30 days.

8.1 Right to Lodge a Complaint

You have the right to lodge a complaint with the competent supervisory authority. As we are based in Cyprus, the lead supervisory authority is:

Office of the Commissioner for Personal Data Protection (CPDP)
1 Iasonos Street, 1082 Nicosia, Cyprus
Tel: +357 22 818 456
www.dataprotection.gov.cy
commissioner@dataprotection.gov.cy

9. Data Retention

We retain your data for as long as your account is active. If you cancel your subscription, your data remains accessible should you choose to resubscribe. To permanently delete your account and all associated data, contact us at privacy@opyrion.com.

10. Data Breach Notification

In the event of a personal data breach that poses a risk to your rights and freedoms, we will notify the Cyprus Commissioner for Personal Data Protection within 72 hours of becoming aware of the breach, as required by GDPR Article 33. Where the breach is likely to result in a high risk to your rights and freedoms, we will also notify you directly without undue delay.

11. Data Processor Relationship

When you use Opyrion to store information about your own clients, employees, or suppliers, you act as the data controller for that personal data, and Opyrion acts as your data processor. We process that data solely on your instructions (i.e. to operate the Service) and do not use it for any other purpose. This Privacy Policy and our Terms of Service together constitute the data processing agreement between us for the purposes of GDPR Article 28.

12. Children's Privacy

The Service is not intended for use by anyone under the age of 16. We do not knowingly collect personal information from children under 16.

13. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of any material changes by email at least 14 days before they take effect and by updating the "Last updated" date at the top of this page.

14. Contact Us

If you have questions about this Privacy Policy or wish to exercise your data rights, contact us at:
privacy@opyrion.com