Privacy Policy
This Privacy Policy describes how IntellibizOps ("we", "us", "our") processes personal data when you visit our website, register for the service, or use the IntellibizOps platform.
1. Who we are
IntellibizOps is operated by [Legal entity name TBD — sole proprietorship, Poland].
Contact: charlesmorrisonbell@gmail.com
We are the data controller for personal data we collect about visitors to our website and registered users of our platform.
For data that you (as a business customer) upload about your own customers, suppliers, or staff, you are the data controller and we are your data processor. This relationship is governed by a separate Data Processing Agreement (DPA) made available on request.
2. What data we collect
From website visitors
- IP address and browser metadata (security and abuse prevention)
- Email address (when you submit the waitlist form)
- Optional: business name, business type, country, free-text notes
From registered users
- Account details: email, password (stored only as a bcrypt hash — we never see your plaintext password)
- Workspace details: business name, business type, country
- Login activity: timestamps, session metadata
From your use of the platform
- Audit log entries: actions you take inside the platform (logins, approvals, exports, deletions)
- Business data you upload (sales, expenses, inventory, menu, customer records, etc.). Stored under your tenant ID and accessible only to you. You are the controller; we are the processor.
3. Why we process it (legal basis under GDPR Art. 6)
| Purpose | Legal basis |
|---|---|
| Operating your account, providing the service | Contract — Art. 6(1)(b) |
| Securing the platform, preventing fraud | Legitimate interest — Art. 6(1)(f) |
| Sending product updates if you opt in | Consent — Art. 6(1)(a) — withdrawable at any time |
| Complying with tax / accounting law | Legal obligation — Art. 6(1)(c) |
4. How long we keep it
| Data | Retention |
|---|---|
| Active account data | While your account exists |
| Account data after deletion | Anonymised in audit log; hard-deleted from main tables within 30 days |
| Audit logs | 6 years (Polish business records requirement), anonymised after deletion |
| Waitlist entries (not approved) | 1 year |
| Backups | Rolling 30-day window, encrypted at rest |
5. Who we share it with
A current list of sub-processors is published at Subprocessors. It includes (as of the date above): Hetzner (hosting, Germany), Stripe (billing, Ireland), Xero (accounting, Ireland/UK — only when you connect it), Google (email delivery, US under EU-US DPF + SCCs).
We do not sell or share your data for advertising.
6. Where your data lives
Application servers and primary database are physically located in the European Union (Hetzner Falkenstein, Germany). Email delivery via Google involves transfer to the US under the EU-US Data Privacy Framework and Standard Contractual Clauses.
7. Your rights under GDPR
- Access your personal data — see Account & Privacy in the app, or email us
- Export your data in a machine-readable format — one-click ZIP download in Account & Privacy (Articles 15 + 20)
- Erase your account and data — one-click in Account & Privacy (Article 17)
- Rectify inaccurate data — edit in your workspace, or email us
- Object to or restrict processing — email us
- Withdraw consent for marketing — toggle in Account & Privacy
- Lodge a complaint with the Polish data protection authority (UODO — uodo.gov.pl)
We will respond to all requests within 30 days.
8. Security
- Passwords stored as bcrypt hashes
- Sensitive credentials encrypted at rest using Fernet (AES-128)
- All connections use HTTPS (TLS 1.3) in production
- Audit log of every sensitive action
- Production data access is limited to the founder and is logged
9. Children
The service is for businesses, not individuals. We do not knowingly process personal data of anyone under 16.
10. Changes
We will notify registered users by email of material changes at least 30 days before they take effect. Continued use after the effective date implies acceptance.
11. Contact
Email: charlesmorrisonbell@gmail.com
Postal address: TBD prior to commercial launch