← IN65

Legal

Privacy Policy

Last updated: 2026-05-19 · Effective on first use.

Template — not yet finalized.

This policy is starter copy pending legal review. The sub-processor list and retention schedule are accurate; the legal-rights language needs counsel review for PDPA (Thailand + Singapore) and GDPR alignment before public launch.

1. Who we are

Opsian Technologies Pte. Ltd. (“Opsian”, “we”) operates the IN65 platform. We’re the data controller for information you give us directly (account, billing, support correspondence). For data your Tenant uploads through IN65, we act as a data processor on behalf of the Tenant operator, under our Data Processing Agreement.

2. What we collect

Account information

  • Name, email, and password (hashed with argon2id).
  • SSO subject identifiers from Google or LINE Login when you sign in via SSO. We don’t receive your Google or LINE password.
  • Tenant + role assignment, last sign-in timestamp, and a flag indicating whether your email is verified.

Workspace content

  • BOQs, quotes, work orders, customer records, supplier and factory data, uploaded files (drawings, photos, spec sheets).
  • Comments, mentions, internal todos, and audit log entries describing actions taken within your Tenant.

Usage data

  • Pages viewed, features used, and basic device information (browser, OS) captured via PostHog product analytics — only if you accepted optional cookies.
  • Error reports and stack traces captured by Sentry to diagnose bugs — only if you accepted optional cookies.
  • Server-side request logs (path, status code, latency, tenant id, user id) retained for operational debugging. These are kept for 30 days then deleted automatically.

Payment data

We don’t store your card number. Card data is tokenized by Stripe before it reaches our servers. We record the tokenized reference, the last four digits, the card brand, and the result of the charge (success / failure / refund) for accounting and dispute resolution.

3. How we use it

  • Provide and secure the Service.
  • Bill you and the Tenants you administer for usage.
  • Send transactional and operational emails.
  • Debug errors and improve reliability.
  • Comply with legal obligations and respond to lawful requests.

We don’t sell your data. We don’t share Customer Content across Tenants. We don’t use Customer Content to train AI models shared with other tenants.

4. Sub-processors

We share data with the following third parties:

Sub-processorPurposeData sharedRegion
SupabaseManaged Postgres database + file storageAll Customer ContentSingapore (AWS ap-southeast-1)
DigitalOceanApplication hosting (compute)Customer Content in processingSingapore (SGP1)
CloudflareDNS + CDN / edge proxyRequest metadata, IP addressGlobal (edge)
StripeCard payments (Thailand + international)Tokenized payment dataUS / Ireland
LINE MessagingLINE push + Flex notificationsLINE user id, message contentJapan / Thailand
ResendTransactional emailEmail + message contentUS
PostHogProduct analytics (opt-in)Pseudonymous events, page viewsEU
SentryError tracking (opt-in)Stack traces, request metadataUS / EU

5. Where your data lives

Primary data (database and files) is stored with Supabase in Singapore (AWS ap-southeast-1); the application runs on DigitalOcean in Singapore (SGP1). Some sub-processors (e.g. Stripe, Resend, Sentry) are based in the US or EU; transfers occur under standard contractual clauses and the sub-processor’s own data protection commitments.

6. How long we keep it

  • Customer Content — for the lifetime of your Tenant + 90 days after termination, then deleted from primary storage. Encrypted backups expire on a 7-day rolling window.
  • Audit log entries — retained per the tenant-configurable window (default 13 months). See your tenant’s audit retention setting in /admin/audit.
  • Server logs — 30 days.
  • Billing records — 7 years to meet accounting and tax retention obligations.

7. Cookies

We use a small number of cookies:

  • omnix_at — your signed-in session token. Essential. HTTP-only, Secure, SameSite=Lax.
  • omnix_cookie_choice — records your consent preference (essential / all). Essential.
  • PostHog + Sentry cookies — set only if you accept optional cookies. They identify your session for analytics + error tracking purposes and are scoped to IN65 domains.

You can change your choice any time from the “Cookie settings” link in the footer.

8. Your rights

Depending on where you live, you may have rights to access, correct, delete, or export the personal information we hold about you, and to object to certain processing. To exercise these rights, email legal@opsian.io from the address associated with your IN65 account. We’ll respond within 30 days.

If you’re a user inside a Tenant administered by someone else, please direct privacy requests to your Tenant administrator first — they control the workspace data. We’ll assist them in responding to you.

9. Security

IN65 uses defense-in-depth: TLS in transit; encryption at rest at the storage layer; row-level security at the database to isolate Tenants; argon2id password hashing; HMAC-signed webhooks; rate-limited APIs; per-request audit logs. If you discover a vulnerability, please email legal@opsian.io with the subject “Security”.

10. Children

IN65 is built for businesses and isn’t intended for children under 16. We don’t knowingly collect their data.

11. Changes to this Policy

Material changes will be announced via the Service or by email at least 14 days before they take effect.

12. Contact

Email legal@opsian.io for privacy questions or to exercise your rights. Our Data Protection Officer can be reached at the same address.