Privacy Policy

Plain-English version: Operaite stores the data you put into it so the app works. We don’t sell it. We use a handful of well-known service providers (Supabase, Stripe, Vercel, Anthropic, optionally Intuit) to actually run the app, and they each see only the parts of your data they need. You can delete your account and your data anytime.

Who runs Operaite

Operaite is operated by Brent J. as a sole proprietor based in the United States. There’s no parent company, no investors, and no data team. When you email about privacy, the reply comes from me.

Contact for privacy questions: privacy@operaite.net

What data we collect

The data Operaite holds about you falls into four buckets:

• Account info — your email address and an encrypted password when you sign up. If you sign in with a third-party identity provider (e.g. Google), we store the identifier they give us plus your email.
• Business profile — the business name, address, phone, email, logo, and currency you enter on the profile page. Used to auto-fill into invoices, proposals, and other documents you generate.
• Business operating data — invoices, clients, line items, bookings, recurring schedules, accounting entries, AI-generated content you save, and anything else you type into the dashboard.
• Usage data — anonymized page views and feature interactions collected by Vercel Analytics. No personal identifiers, no cross-site tracking.

What we do with it

We use your data for one thing: to make Operaite work for you.

• Show you your invoices, customers, bookings, etc. when you log in.
• Auto-fill your business profile into documents you create.
• Process payments for your Operaite subscription via Stripe.
• If you opt into the QuickBooks integration, push your invoices to your QuickBooks account.
• Generate AI assists (proposal drafts, review responses, etc.) when you explicitly click an AI button.
• Send transactional emails (password reset, billing receipts, account notices). We do not send marketing email without explicit opt-in.

We do not:

• Sell your data to anyone, ever.
• Share your data with advertising networks or data brokers.
• Use your business data to train AI models. AI prompts sent on your behalf to Anthropic are processed under Anthropic’s commercial API terms: prompts may be retained for up to 30 days for abuse monitoring and are not used to train Anthropic’s models per their commercial agreement.
• Read your invoices or client data unless you explicitly ask for support and grant access in writing.

Who else touches your data

To actually run Operaite, a few service providers process specific slices of your data:

• Supabase (PostgreSQL database + authentication) — stores all your account data, business profile, invoices, customers, etc. Hosted in the United States.
• Vercel (web hosting + serverless functions + analytics) — serves the site, runs the API endpoints, and collects anonymized page-view metrics.
• Stripe (payment processing, PCI-DSS Level 1) — handles your subscription billing. Stripe stores your full card details; Operaite receives only a Stripe-issued token representing your payment method, plus the last 4 digits of the card and the brand (Visa, Mastercard, etc.) for display.
• Anthropic (AI provider) — processes prompts when you use AI features (proposal drafts, review responses, description polishing). Operates under Anthropic’s commercial API terms: prompts may be retained for up to 30 days for abuse monitoring and are not used to train Anthropic’s models.
• Resend (transactional email) — sends outbound system emails on our behalf (welcome, password reset, billing receipts, invoice reminders, appointment reminders). Resend receives recipient email addresses, message subjects, and message bodies. It does not retain attachments beyond delivery confirmation.
• ImprovMX (inbound email forwarding) — forwards messages sent to our public contact addresses (privacy@, support@, legal@, security@operaite.net) to our team inbox. ImprovMX processes message headers and bodies in transit only.
• Intuit / QuickBooks Online (optional integration) — if you opt into the QBO sync, your invoice and customer data is pushed to your QuickBooks account at your direction. Operaite holds an encrypted OAuth refresh token to do this on your behalf; we never see your QuickBooks login.

Each of these providers has its own privacy policy, and we pick them in part because they have credible privacy track records. We don’t hand your data to anyone outside this list except where legally compelled (e.g. a valid subpoena), in which case we will push back where reasonable and notify you if law permits.

Cookies and local storage

Operaite uses cookies and browser local storage for three things: keeping you logged in after you sign in, saving your draft invoice between page reloads so you don’t lose work, and remembering UI preferences (e.g. which tab you had open). We do not use third-party advertising cookies. Vercel Analytics uses a cookie-less, anonymized model.

Your rights and how to use them

You own your data. You can:

• Download it — email privacy@operaite.net and we’ll export your invoices, clients, and account data as JSON.
• Correct it — most fields are directly editable in the app.
• Delete it — open Business profile → Delete account in the app to remove your account, cancel your subscription, and wipe all associated data immediately. If you can’t access the app, email privacy@operaite.net from the address on your account and we’ll delete it within five business days. Backups roll off within 90 days. See operaite.net/delete-account for full details.
• Disconnect QuickBooks — in Business profile, click "Disconnect QuickBooks". This revokes our access at Intuit and deletes the stored OAuth token.

If you’re in California (CCPA), the EU/UK (GDPR), or another jurisdiction with enumerated data-subject rights, the above applies to you with no extra hoops. We are a one-person operation; there’s no separate "data protection officer" bureaucracy to route through.

For people who book a service through an Operaite customer

When you book through a page like operaite.net/book/[business], the information you submit (name, contact details, booking notes) goes to the business you’re booking with — that business is the controller of your data. Operaite is a processor acting on their behalf: we store and display the booking so the business can fulfill it, but the business decides how long to keep the data and what to do with it.

For privacy questions about a specific booking (deletion, correction, etc.), contact the business directly. For technical issues with the booking page itself, email support@operaite.net.

Data security

Data is transmitted over HTTPS. Passwords are stored hashed (Supabase handles this). OAuth tokens for the QuickBooks integration are stored in Supabase with row-level security so only your account can read them. Database backups are encrypted at rest.

No system is impenetrable. If we discover a breach affecting your data, we’ll notify you by email without undue delay once we have enough information to describe what happened and the steps you should take. Where required by law (e.g. GDPR Article 33), we’ll also notify the relevant supervisory authority within 72 hours of becoming aware of the breach.

Children

Operaite is for adults running businesses. We do not knowingly collect personal data from anyone under the age of 18, and accounts are restricted to adults under our Terms of Service. If you become aware that a minor has created an account or submitted data, email privacy@operaite.net and we’ll delete the account and associated data.

California users (CCPA / CPRA)

We do not sell or share your personal information for cross-context behavioral advertising, and we have not done so in the preceding 12 months. There is therefore no "Do Not Sell or Share My Personal Information" link, because there is nothing to opt out of.

In the categories defined by the California Consumer Privacy Act, we collect:

• Identifiers — name, email address, phone number, account identifier
• Commercial information — subscription history, billing receipts, invoices and customers you create inside the dashboard
• Internet or other electronic network activity — anonymized page views collected by Vercel Analytics
• Inferences — none beyond what is displayed back to you in your own dashboard

California residents have the right to know what personal information we hold about them, to request deletion, to request correction, and to be free from retaliation for exercising these rights. To exercise any of these, email privacy@operaite.net.

Free tools at operaite.net/tools/

The free tools at /tools/ (invoice generator, hourly-rate calculator, estimate generator, etc.) do not require an account. Any data you enter into a tool is stored only in your browser’s local storage so the page can redisplay it on reload — nothing is transmitted to Operaite’s servers except anonymized page-view analytics. Closing the tab or clearing your browser storage removes the data.

Data Processing Agreements (B2B customers)

Operaite is a one-person operation. We do not currently sign individual Data Processing Agreements (DPAs) with customers. If your compliance program requires a DPA, please contact privacy@operaite.net and we’ll work with you on a lightweight one or, if it’s not viable on our end, help you cancel without penalty.

Data retention

Active accounts: we keep your data as long as your account is active. Cancelled accounts: we keep your data for 60 days after cancellation in case you want to reactivate, then purge from primary storage. Encrypted backups roll off within an additional 30 days. Transactional records required for tax/legal reasons (e.g. Stripe invoices) are kept for 7 years per US tax-law requirements.

International users

Operaite is operated from the United States, and your data is stored in US-region Supabase infrastructure.

European Economic Area, United Kingdom, and Switzerland: We are not currently set up to lawfully transfer personal data of EEA/UK/Swiss data subjects to the United States under GDPR Article 46 (Standard Contractual Clauses) or the EU–US Data Privacy Framework. If you are located in one of these regions, please do not create an Operaite account until we’ve put those transfer mechanisms in place (Phase 1.5 roadmap). If you signed up despite this notice, contact privacy@operaite.net and we’ll delete your account at no charge.

Canada, Australia, and other non-US jurisdictions: By creating an account, you understand that your data will be processed in the United States. You retain the same rights described in "Your rights and how to use them" above, plus any additional rights granted by your local law.

Changes to this policy

If we make material changes, we’ll update the effective date at the top of this page and email registered users at least 30 days before the change takes effect. Minor edits (typos, clarifications, new sub-processor additions that don’t expand the data they see) we’ll just update inline.

Contact

Privacy questions, deletion requests, GDPR/CCPA requests, security reports: privacy@operaite.net.

For general support: support@operaite.net.

See also: Terms of Service · About Operaite