Privacy Policy

1. Introduction

2413189 Ontario Inc., operating as OpsLink ("OpsLink," "we," "us," or "our"), is committed to protecting your privacy and personal information. This Privacy Policy explains how we collect, use, disclose, retain, and safeguard your information when you use our platform at operations-link.com and all related services, applications, and APIs (collectively, the "Service").

This Privacy Policy applies to all users of the Service, including account holders, team members, client portal users, and visitors to our website. By using the Service, you consent to the practices described in this Privacy Policy.

This Privacy Policy is designed to comply with the Personal Information Protection and Electronic Documents Act (PIPEDA) of Canada, the General Data Protection Regulation (GDPR) of the European Union, and the California Consumer Privacy Act (CCPA) of the United States. Where these frameworks impose differing obligations, we apply the most protective standard.

2. Information We Collect

2.1 Information You Provide Directly

• Account information: full name, email address, company or organization name, job title, and password (hashed, never stored in plain text).
• Billing information: billing name, billing address, and payment method details. Payment card numbers are processed and stored exclusively by our payment processor (Airwallex) and are never stored on our servers.
• Customer Data: any information you upload or enter into the Service, including project records, client contact information, financial data, HR and employee records, communications, documents, and files.
• Communications: any messages you send to us through email, support channels, or the in-app contact form, including their content and metadata.
• Booking and inquiry information: name, email, company name, and any details you provide when scheduling a demo or submitting a contact form.

2.2 Information Collected Automatically

• Usage data: pages visited, features used, actions taken within the Service, timestamps, session duration, and referral sources.
• Device information: browser type and version, operating system, screen resolution, and device type.
• Network information: IP address, approximate geographic location (city/country level, not precise), and internet service provider.
• Log data: server logs recording HTTP requests, error reports, and system performance metrics.

2.3 Information from AI Features

When you use our AI Features (Aria, Nova, AI chat, or meeting minutes), we collect the queries you submit, the AI-generated responses, conversation history for context continuity, and token usage metrics. This data is processed by third-party AI providers as described in Section 7.

3. How We Use Your Information

We use the information we collect for the following purposes:

• To provide, operate, and maintain the Service, including processing your Customer Data as instructed by you.
• To authenticate your identity and manage your Account, including user provisioning and role-based access control.
• To process payments and manage your Subscription through our payment processor.
• To communicate with you about your Account, Service updates, security notices, and support requests.
• To provide AI-powered features, including sending your queries to third-party AI providers to generate responses.
• To monitor and improve the performance, security, and reliability of the Service.
• To detect, investigate, and prevent fraudulent, unauthorized, or illegal activity.
• To comply with legal obligations, respond to lawful requests, and protect our legal rights.
• To send you marketing communications (only with your consent, and you may opt out at any time).

4. Legal Basis for Processing

Under the GDPR, we process personal data based on the following legal bases:

• Contractual necessity: Processing required to provide the Service you have subscribed to (Articles 6(1)(b) GDPR).
• Legitimate interest: Processing for system security, fraud prevention, service improvement, and analytics, where our interests do not override your fundamental rights (Article 6(1)(f) GDPR).
• Consent: Processing for marketing communications and optional AI features, which you may withdraw at any time (Article 6(1)(a) GDPR).
• Legal obligation: Processing required to comply with applicable laws, regulations, or court orders (Article 6(1)(c) GDPR).

Under PIPEDA, we obtain meaningful consent for the collection, use, and disclosure of personal information, except where permitted or required by law without consent.

5. AI Features and Data Processing

Our AI Features use third-party large language models (LLMs) and embedding models to process your queries and generate responses. We believe in full transparency about how your data is handled by AI systems.

5.1 How AI Data Processing Works

• When you submit a query to Aria, Nova, or the AI chat widget, your query and relevant conversation context are sent to xAI (the provider of the Grok language model) for processing.
• When you use AI-powered search or memory features, text content is sent to OpenAI for generating numerical vector embeddings (using the text-embedding-3-small model).
• AI-powered meeting minutes sends transcript text to xAI Grok for structured summarization.

5.2 What We Do NOT Do with AI Data

• We do not use your Customer Data to train, fine-tune, or improve any AI models — ours or third-party.
• We do not share your Customer Data with AI providers for any purpose other than generating a response to your specific query.
• We do not sell your AI interaction data to any third party.

5.3 AI Data Retention

AI conversation history is stored in our database (hosted in Helsinki, EU) for the purpose of providing context continuity across sessions. You may request deletion of your AI conversation history at any time by contacting privacy@operations-link.com.

5.4 Opting Out of AI Features

AI Features are optional. You may use the Service without activating or engaging with any AI capabilities. If you have previously used AI Features and wish to opt out, contact us and we will delete your stored AI conversation history.

6. Cookies and Tracking Technologies

We use the following cookies and similar technologies:

• Essential cookies: Required for authentication (session tokens stored in httpOnly cookies), CSRF protection, and basic Service functionality. These cannot be disabled.
• Functional cookies: Remember your preferences, such as language and theme settings.
• Analytics cookies: Help us understand how the Service is used so we can improve it. We use self-hosted analytics tools; no data is sent to third-party advertising platforms.

We do not use third-party advertising cookies or tracking pixels. We do not participate in cross-site tracking or targeted advertising networks.

You can manage your cookie preferences through your browser settings. Disabling essential cookies may prevent the Service from functioning properly.

7. Third-Party Sub-Processors

We use the following third-party service providers (sub-processors) to operate the Service. Each sub-processor processes only the data necessary for its specific function.

We require all sub-processors to maintain appropriate security measures and to process personal data only in accordance with our instructions. We will update this list when we add or change sub-processors and will provide advance notice of material changes.

8. International Data Transfers

Our primary infrastructure is hosted in Helsinki, Finland (European Union) on Hetzner Cloud servers. Customer Data stored in our databases resides within the EU.

However, some of our sub-processors are located in the United States (xAI, OpenAI, AWS SES, Resend, Sentry). When your data is transferred to these providers, the following safeguards apply:

• We rely on the EU-US Data Privacy Framework where applicable.
• Where the Data Privacy Framework does not apply, we use Standard Contractual Clauses (SCCs) approved by the European Commission.
• All data transfers are encrypted in transit using TLS 1.2 or higher.
• We minimize the data transferred — only the information necessary for the specific processing purpose is sent to each sub-processor.

For PIPEDA compliance, cross-border transfers are governed by contractual arrangements that provide a comparable level of protection to that required under Canadian law.

9. Data Retention

We retain your information for the following periods:

• Active Account data: Retained for as long as your Account is active and you maintain an active Subscription.
• Customer Data after cancellation: Retained for 30 days after Account cancellation or Subscription expiry to allow for data export, then permanently deleted.
• Free trial data: Retained for 30 days after trial expiration if you do not subscribe, then permanently deleted.
• Billing and transaction records: Retained for 7 years to comply with tax and financial reporting obligations under Canadian law.
• Server logs and security audit data: Retained for 12 months for security monitoring and incident investigation.
• AI conversation history: Retained until you request deletion or your Account is terminated.
• Marketing communications consent records: Retained for 3 years after your last interaction or consent withdrawal.

When data is deleted, we use secure deletion methods. Encrypted backups that may contain residual data are overwritten according to our backup rotation schedule (maximum 30 days).

10. Data Security

We implement technical and organizational measures to protect your personal information, including:

• Encryption in transit: All data transmitted between your browser and our servers is encrypted using TLS 1.2 or higher.
• Encryption at rest: Database backups are encrypted with AES-256 GPG encryption before storage.
• Access control: 95 attribute-based access control (ABAC) policies enforced by Cerbos, with row-level security (RLS) on every database table to ensure strict tenant data isolation.
• Authentication: Keycloak-based SSO with JWT tokens, optional TOTP two-factor authentication, brute force protection, and refresh token rotation.
• Zero-trust networking: All internal service communication is governed by Kubernetes NetworkPolicies that deny all traffic by default and explicitly allow only necessary connections.
• Least-privilege database access: 12 dedicated PostgreSQL roles, each limited to the minimum permissions required for its function. No application service uses the database superuser.
• Monitoring: Real-time security alerting via Prometheus for unauthorized access attempts, rate limit violations, and certificate expiry.
• Incident response: We maintain an incident response process and will notify affected users and applicable regulatory authorities of any data breach in accordance with PIPEDA, GDPR, and CCPA requirements.

No system is perfectly secure. While we take reasonable measures to protect your data, we cannot guarantee absolute security against all possible threats.

11. Your Privacy Rights

11.1 Rights Under PIPEDA (Canada)

Under the Personal Information Protection and Electronic Documents Act, you have the right to:

• Access: Request access to the personal information we hold about you.
• Correction: Request correction of inaccurate or incomplete personal information.
• Withdrawal of consent: Withdraw your consent to the collection, use, or disclosure of your personal information, subject to legal or contractual restrictions.
• Complaint: File a complaint with the Office of the Privacy Commissioner of Canada if you believe your privacy rights have been violated.

11.2 Rights Under GDPR (European Union)

If you are located in the European Economic Area (EEA), you have the right to:

• Access (Article 15): Obtain confirmation of whether we process your personal data and request a copy.
• Rectification (Article 16): Request correction of inaccurate personal data.
• Erasure (Article 17): Request deletion of your personal data ("right to be forgotten").
• Restriction (Article 18): Request restriction of processing of your personal data.
• Data portability (Article 20): Receive your personal data in a structured, commonly used, machine-readable format.
• Objection (Article 21): Object to processing based on legitimate interest.
• Automated decision-making (Article 22): Not be subject to a decision based solely on automated processing that produces legal or similarly significant effects.

11.3 Rights Under CCPA (California, USA)

If you are a California resident, you have the right to:

• Know: Request disclosure of the categories and specific pieces of personal information we have collected about you.
• Delete: Request deletion of your personal information.
• Opt-out of sale: We do not sell personal information. If this changes, we will provide a "Do Not Sell My Personal Information" mechanism.
• Non-discrimination: Exercise your privacy rights without receiving discriminatory treatment.

11.4 How to Exercise Your Rights

To exercise any of the above rights, contact us at privacy@operations-link.com. We will respond to your request within 30 days (or sooner where required by law). We may need to verify your identity before processing your request.

You also have the right to export your Customer Data at any time through the Service's built-in export functionality or by contacting support@operations-link.com.

12. Data Sharing and Disclosure

We do not sell, rent, or trade your personal information. We may disclose your information only in the following circumstances:

• Sub-processors: We share data with the third-party sub-processors listed in Section 7, solely to operate and provide the Service.
• Legal requirements: We may disclose information when required by law, regulation, court order, or governmental request.
• Protection of rights: We may disclose information to protect the rights, property, or safety of OpsLink, our users, or the public.
• Business transfers: In the event of a merger, acquisition, or sale of all or substantially all of our assets, your information may be transferred to the acquiring entity. We will notify you of any such transfer and any changes to this Privacy Policy.
• With your consent: We may share your information with third parties when you have given us explicit consent to do so.

13. Children's Privacy

The Service is not directed to individuals under 18 years of age. We do not knowingly collect personal information from children under 18. If we become aware that we have collected personal information from a child under 18, we will take steps to delete that information promptly. If you believe that a child has provided us with personal information, please contact us at privacy@operations-link.com.

14. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. When we make material changes, we will:

• Update the "Effective date" at the top of this page.
• Notify you by email at least 30 days before material changes take effect.
• Post a notice within the Service highlighting the changes.

We encourage you to review this Privacy Policy periodically. Your continued use of the Service after the effective date of the revised policy constitutes your acceptance of the changes.

15. Contact Us

If you have questions, concerns, or complaints about this Privacy Policy or our data practices, contact us at:

If you are not satisfied with our response, you have the right to lodge a complaint with the Office of the Privacy Commissioner of Canada (for PIPEDA), your local EU supervisory authority (for GDPR), or the California Attorney General's Office (for CCPA).