Privacy Policy
Version 1.3 — Last updated: May 2026
1. Who We Are
opzz.io is operated by:
itemsnest GmbH
Görschstr. 38, 13187 Berlin, Germany
VAT: DE348793078
privacy@opzz.io
opzz.io is a connected operations platform for companies — one place where teams keep their tools, vendors, contracts, projects and budgets, and where leadership gets a horizontal view across them.
2. Controller and Processor Roles
Account, billing and usage data. For data we need to run opzz.io as a service — your account, your subscription, security and product telemetry — itemsnest GmbH is the data controller.
Operational content. For personal data your team enters into a workspace about other people — colleagues, contacts, clients, vendors — your organisation is the controller and itemsnest GmbH acts as a processor on your documented instructions under a Data Processing Agreement (GDPR Art. 28). Our standard DPA is available on request at legal@opzz.io.
3. What Data We Collect
Account data
Work email, display name, and role when you or your admin create a seat. Optional profile photo.
Workspace and board data
Data your team enters: boards, teams, members and roles, contacts, vendors and providers, contracts, tools, licences and assets, projects, roadmaps and tasks, budgets and finances, and related records.
Uploaded files
Documents, contracts, and images your team uploads.
Usage data
In-app activity and events needed to run the service. We do not use third-party advertising or analytics trackers.
Payment and subscription data
When your organisation subscribes, Stripe Payments Europe, Ltd. processes payment. We do not store full card or bank details. We store subscription status, seat count, billing period, and Stripe customer/subscription identifiers linked to your account.
AI processing
When you use AI features, we send the content you submit (e.g. text or documents you choose) to our AI provider to generate suggestions. Do not submit data you are not permitted to process for that purpose.
Optional integrations
If you connect third-party services (e.g. calendar, drive, or contract sources, when available), we process only what you authorise through that connection.
Consent records
A record of your acceptance of the Terms and this Privacy Policy: the document version accepted, the timestamp, and the IP address used.
Technical data
Server logs (IP address, browser type) kept for security purposes and retained for 30 days (see Section 6).
4. Why We Collect It and Legal Basis
Providing the opzz.io service (before and after your organisation subscribes):
Legal basis: Art. 6(1)(b) GDPR — contract
Storing your workspace data (as processor, on the customer's instructions):
Legal basis: Art. 6(1)(b) GDPR — contract (the legal basis is your organisation's as controller); itemsnest GmbH processes on your organisation's documented instructions under Art. 28 GDPR
Payment processing:
Legal basis: Art. 6(1)(b) GDPR — contract
AI features you request:
Legal basis: Art. 6(1)(b) GDPR — contract
Transactional emails:
Legal basis: Art. 6(1)(b) GDPR — contract
Security and fraud prevention:
Legal basis: Art. 6(1)(f) GDPR — legitimate interest
Service improvement (aggregated, non-identifying where possible):
Legal basis: Art. 6(1)(f) GDPR — legitimate interest
Marketing communications:
Legal basis: Art. 6(1)(a) GDPR — consent (opt-in only)
Recording consent:
Legal basis: Art. 6(1)(c) GDPR — legal obligation
5. Where Your Data Is Stored
Primary hosting and storage use sub-processors in the European Union / EEA:
Supabase (database, authentication, file storage)
Region: EU (e.g. Ireland)
supabase.com/privacy
Stripe Payments Europe, Ltd. (payments)
Processes payment data; may use additional Stripe entities under their DPA and SCCs where applicable.
stripe.com/privacy
Anthropic PBC (AI features, when enabled)
Processes prompts and content you submit for AI responses. SCCs apply for any transfer outside the EEA.
anthropic.com/privacy
We do not sell personal data. We do not transfer your workspace data outside the EEA except where a sub-processor is required for a feature you use (e.g. AI) and appropriate safeguards apply.
6. How Long We Keep Your Data
Account and workspace data: until account deletion.
Uploaded files: until you delete them or delete the account.
Payment records: 10 years (German commercial law — HGB §257).
Server logs: 30 days.
Export files: 7 days after generation.
Consent records: duration of account plus 3 years.
After account deletion, personal data is purged within 30 days unless law requires longer retention.
7. Your Rights Under GDPR
Access, rectification, erasure, restriction, portability, and objection — contact privacy@opzz.io. Where itemsnest GmbH acts as a processor, we forward requests to the relevant customer (the controller) or support them in responding.
We respond within one month of receiving a request (GDPR Art. 12(3)).
Supervisory authority (Germany):
Berliner Beauftragte für Datenschutz und Informationsfreiheit
Friedrichstr. 219, 10969 Berlin — datenschutz-berlin.de
8. Sub-Processors
Supabase — hosting and auth — all account and workspace data
Stripe — payments — billing identity and payment metadata
Anthropic — AI — content you submit to AI features
Resend — transactional email — recipient address and message metadata
Vercel — application hosting — request data
9. Data Security
- Row-level security (RLS) policies on database tables
- TLS for data in transit and encryption at rest
- Role-based access within each workspace (owner, admin, member, viewer)
10. Children
opzz.io is a workplace product intended for business use and is not directed at children under 16. Contact privacy@opzz.io if you believe a child has provided data.
11. Changes to This Policy
Material changes are notified by email and in-app notice. The version and date at the top identify the current version.
12. Contact
itemsnest GmbH
Görschstr. 38, 13187 Berlin, Germany
VAT: DE348793078
privacy@opzz.io