Privacy Policy

Welcome to OPOY ("we," "us," or "our").

We take the protection of your personal data very seriously and process it exclusively in accordance with the General Data Protection Regulation (GDPR) and applicable European data protection laws.

This Privacy Policy explains how OPOY Cloud UG (haftungsbeschränkt) i.G. collects, processes, and protects personal data when you use the OPOY Web Platform or the OPOY Messenger App, whether as an individual or as part of an organization.

For individual users, OPOY acts as the data controller under the GDPR.

For organizational users (e.g., companies, law firms), the respective organization is the data controller, and OPOY acts as a data processor in accordance with a Data Processing Agreement (DPA).

All personal data processing is conducted exclusively within the European Union (EU).

OPOY processes only the data necessary to provide secure and reliable services:

• Account data: Username, email address, phone number, encrypted password
• Communication metadata: Timestamps, sender/receiver IDs (message content not accessible)
• Optional backups: Only if enabled by the user; encrypted before transfer
• Device information: Technical identifiers required for synchronization and performance

OPOY does not have access to message content, media files, or attachments.

All communication data is end-to-end encrypted (E2EE) and can only be decrypted on the user's device.

All chats, calls, file sharing, and media transfers are secured with true end-to-end encryption:

• • Only the sender and intended recipient can decrypt messages.
• • OPOY and its service providers cannot access content.
• • Encryption keys are generated and stored solely on the user's device.

Your communication remains private — even from OPOY.

All personal data is stored and processed exclusively within the European Union (EU) in certified, GDPR-compliant data centers.

Key points:

• • Chats, files, and media are stored locally and securely on the user's device.
• • Optional backups (if enabled) are encrypted before transfer and stored on EU-based infrastructure.
• • No unencrypted personal data ever leaves the user's device.
• • No data transfer outside EU/EEA.

OPOY does not transfer or process personal data outside of the EU/EEA.

OPOY processes personal data solely for the following purposes:

• • Providing, operating, and improving OPOY services (Web & App)
• • Ensuring reliable communication and synchronization
• • Fulfilling contractual obligations (Art. 6(1)(b) GDPR)
• • Complying with legal obligations (Art. 6(1)(c) GDPR)

We do not use personal data for advertising, profiling, or third-party analytics.

For paid users or organizational accounts, OPOY also processes the following data for contract fulfillment and accounting:

• • Company name
• • Billing and, if applicable, delivery address
• • Payment information (e.g., bank details, transaction ID, invoice number)
• • Contact details of the responsible accounting person

This processing is carried out to fulfill contractual obligations under Art. 6(1)(b) GDPR and to comply with legal retention requirements under trade and tax law (Art. 6(1)(c) GDPR).

Billing data is retained for the statutory retention period (typically 10 years) and subsequently deleted or anonymized.

OPOY does not sell, trade, or share personal data with third parties.

We use only EU-based infrastructure and hosting providers bound by GDPR-compliant data processing agreements.

These providers act solely on our instructions and cannot access user content.

• Local data: Remains on the user's device until manually deleted.
• Encrypted backups: Stored only while the account is active or until manually deleted.
• Account deletion: Users can delete their account and all associated data anytime via the app.

All remaining data and backups are permanently removed within 30 days of deletion.

You have the right to:

• • Access your personal data
• • Correct inaccurate data
• • Request deletion ("Right to be Forgotten")
• • Restrict or object to certain processing
• • Receive your data in a structured, machine-readable format

To exercise your rights, contact info@opoy.de.

We will respond to all legitimate requests within 30 days.

OPOY implements state-of-the-art technical and organizational measures to protect personal data:

• • End-to-end encryption for messages and media
• • AES-256 encryption for backups
• • TLS 1.2+ secure transmission
• • Strict access controls and zero-access architecture
• • Continuous monitoring and incident response

Our design principle: Privacy by Design & by Default.

This Privacy Policy may be updated to reflect technical or legal changes.

The latest version is always available in the app and on our website.

For organizational users, processing between OPOY (processor) and the organization (controller) is governed by a Data Processing Agreement (DPA) in compliance with Art. 28 GDPR.

This agreement defines processing purposes, security measures, and the use of EU-based subprocessors only.

A copy of the DPA is available upon request at info@opoy.de.