OPRA START — Privacy Policy Placeholder v1.0 · Effective May 2025

Privacy Policy

Your data is your data. Your intellectual property is yours. We store your data on GDPR-compliant servers in the European Union. We use your data for one purpose only: to provide you with OPRA START and to help if something goes wrong. We do not sell it. We do not analyse it for our own benefit. We do not share it with anyone except where the law requires us to.

1. Who we are

OPRA START is a product of OPRA FLOW Ltd (registered in England and Wales). We are the data controller for the personal data you provide when using OPRA START. If you have any questions about this policy, please contact us at team@opraflow.com

2. What we collect

We collect only what we need to run OPRA START for you:

  • Your name and email address when you create an account.
  • Your organisation name and the names of any team members you invite.
  • Basic usage logs (page visits, feature interactions) to identify and fix bugs.
  • Billing information processed securely through our payment provider. We do not store card details ourselves.

We do not collect health data, sensitive personal data, or data about your end users.

3. Your data is your intellectual property

Everything you create inside OPRA START — your product definitions, user needs, requirements, intended use statements, and all documents derived from them — belongs to you. OPRA FLOW Ltd claims no ownership, licence, or rights over your product data.

We will never use the contents of your product workspace to train AI models, improve our own products, benchmark against competitors, or for any commercial purpose other than delivering OPRA START to you.

4. How we use your data

We use your data for two purposes only:

  • To provide you with access to OPRA START and keep your account running.
  • To help you troubleshoot issues — our support team may access your account data with your permission when you raise a support request.

That is it. We do not use your data for advertising, profiling, marketing analysis, or any other purpose.

5. Where your data is stored

Your data is stored on servers located within the European Union. Our infrastructure providers are contractually bound to GDPR-compliant data processing terms. We do not transfer your data outside the EU/EEA without your knowledge.

6. Who can see your data

We share your data with no one, except:

  • Our infrastructure and hosting providers (e.g. cloud storage, database services), who process data only on our instructions under GDPR-compliant agreements.
  • Our payment provider, for billing purposes only.
  • Regulators or law enforcement, if we are legally required to disclose it.

We will always tell you if we are compelled to share your data unless the law prevents us from doing so.

7. How long we keep your data

We keep your data for as long as your account is active. If you close your account, we will delete your data within 30 days, except where we are required by law to retain records for longer (for example, billing records for HMRC compliance, which we retain for 7 years).

We do not retain records in accordance with Medical Device requirements. You are responsible for this in the current version of the platform.

8. Your rights under GDPR

You have the right to:

  • Access the personal data we hold about you.
  • Correct any inaccurate data.
  • Request deletion of your data (the right to be forgotten).
  • Restrict how we process your data.
  • Export your data in a portable format.
  • Object to any processing you did not consent to.

9. Cookies and tracking

OPRA START uses a small number of essential cookies to keep you logged in and to protect your session. We do not use advertising cookies, third-party tracking, or analytics that identify you personally. We do not use Google Analytics or similar services.

10. Security

We use encryption in transit (TLS) and at rest for all stored data. Access to production systems is restricted to authorised OPRA START team members only, and is logged. If we ever become aware of a data breach that affects you, we will notify you and the relevant supervisory authority within 72 hours as required by GDPR.

11. Children

OPRA START is a professional tool for medical device manufacturers. It is not intended for use by anyone under the age of 18. We do not knowingly collect data from minors.

12. Changes to this policy

This is a placeholder policy. The final version will be reviewed by a qualified data protection professional before OPRA START launches publicly. We will notify all users by email at least 14 days before any material changes to this policy take effect.

See also: Terms and Conditions