Privacy Policy
Last updated: March 29, 2026
This Privacy Policy describes how Opsient ("we", "us", or "our") collects, uses, stores, and protects your information when you use our incident management platform and related services ("Service"). We are committed to protecting your privacy and handling your data transparently.
1. Information We Collect
1.1 Account Information
When you create an account, we collect:
- Name and email address
- Organization name
- Password (stored as a salted cryptographic hash; we never store plaintext passwords)
- Role and team assignment within your organization
1.2 Incident and Operational Data
In the course of using the Service, you may submit:
- Incident reports, timelines, and resolution notes
- Runbook definitions and execution logs
- On-call schedules and escalation policies
- Service status information
- Integration configurations (monitoring endpoints, webhook URLs)
- Alert data ingested from connected monitoring tools
1.3 Usage Analytics
We collect anonymized usage data to improve the Service, including:
- Pages visited and features used
- Session duration and frequency of use
- Browser type, operating system, and device type
- Error logs and performance metrics
We do not use third-party analytics trackers. Usage analytics are processed internally.
2. How We Use Your Information
We use the information we collect for the following purposes:
- Service Operation: To provide, maintain, and operate the Service, including processing incidents, executing runbooks, managing on-call schedules, and delivering notifications.
- Service Improvement: To analyze usage patterns, identify areas for improvement, fix bugs, and develop new features.
- Support: To respond to your support requests and provide technical assistance.
- Communication: To send service-related notifications such as incident alerts, SLA breach warnings, and account updates. We do not send marketing emails without your explicit opt-in consent.
- Security: To detect, prevent, and investigate fraud, abuse, security incidents, and other harmful activities.
3. Data Storage and Security
3.1 Encryption
All Customer Data is encrypted at rest using AES-256 encryption. Data in transit is protected using TLS 1.2 or higher. Database backups are also encrypted.
3.2 Self-Hosted Deployments
For self-hosted deployments, all Customer Data remains entirely on your own infrastructure. We do not have access to your data in self-hosted environments unless you explicitly grant us access for support purposes.
3.3 Cloud-Hosted Deployments
For cloud-hosted deployments, data is stored in secure, SOC 2 compliant data centers. Access to production systems is restricted to authorized personnel only, with all access logged and audited.
3.4 Access Controls
We implement role-based access controls (RBAC), multi-factor authentication for administrative access, and regular security audits. Employee access to Customer Data is limited to what is necessary for service operation and support.
4. Third-Party Services
We use the following third-party services in the operation of the platform:
| Service | Purpose | Data Shared |
|---|---|---|
| Stripe | Payment processing | Billing name, email, payment method details (card numbers are handled directly by Stripe and never touch our servers) |
| SMTP Provider | Transactional email delivery | Recipient email addresses, notification content |
We do not sell, rent, or share your personal information with third parties for their marketing purposes.
5. Data Retention
We retain your data as follows:
- Account Data: Retained for the duration of your account. Upon account deletion, personal data is removed within 30 days.
- Incident Data: Retained according to your plan's data retention policy (7 days for Free, 90 days for Pro, unlimited for Enterprise). You may configure custom retention periods on Enterprise plans.
- Usage Analytics: Aggregated analytics data is retained for up to 24 months. Individual session data is retained for up to 90 days.
- Audit Logs: Retained for 12 months, or longer if required by applicable law or your organization's compliance requirements.
- Backups: Encrypted backups are retained for up to 30 days after data deletion.
6. Your Rights (GDPR)
If you are located in the European Economic Area (EEA), United Kingdom, or another jurisdiction with applicable data protection laws, you have the following rights:
- Right of Access: You may request a copy of the personal data we hold about you.
- Right to Rectification: You may request correction of any inaccurate or incomplete personal data.
- Right to Erasure: You may request deletion of your personal data, subject to legal retention requirements.
- Right to Data Portability: You may request an export of your data in a structured, machine-readable format (JSON or CSV).
- Right to Restrict Processing: You may request that we limit the processing of your data in certain circumstances.
- Right to Object: You may object to the processing of your personal data for certain purposes.
- Right to Withdraw Consent: Where processing is based on consent, you may withdraw consent at any time.
To exercise any of these rights, please contact us at privacy@opsient.com. We will respond to your request within 30 days.
7. Cookie Policy
We use minimal cookies, strictly limited to what is necessary for the Service to function:
- Session Authentication: A session token stored in localStorage (not a cookie) to maintain your login state. This is cleared when you log out.
- Preferences: Local storage entries for UI preferences such as theme settings and dashboard layout. These do not contain personal data.
We do not use advertising cookies, tracking cookies, or any third-party cookie-based analytics. No cookie consent banner is required because we do not set non-essential cookies.
8. Children's Privacy
The Service is not intended for use by individuals under the age of 18. We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, please contact us and we will promptly delete it.
9. International Data Transfers
If you are accessing the Service from outside the United States, your data may be transferred to and processed in the United States. For self-hosted deployments, data remains in the jurisdiction where you deploy the platform. We implement appropriate safeguards, including Standard Contractual Clauses (SCCs), for any international data transfers.
10. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of material changes by posting the updated policy on the Service and updating the "Last updated" date. Your continued use of the Service after such changes constitutes acceptance of the updated policy.
11. Contact Us
If you have questions about this Privacy Policy or our data practices, please contact us at:
Email: privacy@opsient.com
You also have the right to lodge a complaint with your local data protection authority.