Privacy Policy

Who we are (data controller)

The data controller for Oppye is BEJAN DAVID PERSOANĂ FIZICĂ AUTORIZATĂ, B-dul Bucureștii Noi 136, parter, ap. 5, Sector 1, București, România. For any privacy question, data-deletion request, or data-subject-rights request, email privacy@oppye.com. Our full identification details are on the Imprint page.

What we collect

Account data — your email address, the display name you chose, and a hashed credential or an OAuth identifier from Google (if you use Sign in with Google).

Usage data — the credits you spend, which model produced each output, which platform sizes you exported, and the prompts you submit. For abuse-prevention/rate-limiting we briefly process your user identifier and IP address.

Content data — the banners you generate or import, the asset files you upload (logos, reference images), and the conversation history of each project.

Billing data — your Stripe customer ID, current plan, and subscription status. We never see your card details; those are handled by Stripe.

Why we are allowed to process it (legal bases)

Performance of a contract (GDPR Art. 6(1)(b)) — to provide the service you signed up for: generate and store banners, route edits, manage credits, and operate your account.

Legal obligation (Art. 6(1)(c)) — to keep billing and accounting records for the period tax law requires.

Legitimate interests (Art. 6(1)(f)) — to keep the service secure, prevent abuse, and enforce rate limits; we balance this against your rights.

Consent (Art. 6(1)(a)) — only if we ever introduce non-essential cookies or marketing; you would be asked first and could withdraw at any time.

How we use it

To operate the service: generate banners, route edits, charge for the subscription you bought, restore items from your recycle bin, and send receipts and account emails. To meet legal obligations: keep billing records and respond to lawful requests. We do not sell your data, we do not build advertising profiles, and we do not use your prompts or generated content to train any model.

Who else sees it (sub-processors)

We share data with a small set of service providers who process it on our behalf, under data-processing agreements:

Supabase — database, authentication, and file storage (hosted in the EU, Stockholm region). Stripe — payment processing for your subscription. OpenAI — image generation (gpt-image-2) and text/vision reasoning. Anthropic — text/vision reasoning, quality checks, and layout/brief generation (Claude). Google — image generation for certain wide/tall "strip" ad sizes (Gemini). Upstash — short-lived rate-limiting data (your user identifier or IP). Vercel — application hosting, edge delivery, and scheduled jobs.

This list may change as the service evolves; we will keep this policy up to date. When we send your prompts, uploads, or generated images to OpenAI, Anthropic, or Google, we do so under each provider's API terms, which state that your content is not used to train their models.

International data transfers

Some of our providers (OpenAI, Anthropic, Google, Stripe, Vercel, Upstash) process data in the United States. Where data leaves the EU/EEA, the transfer is protected by appropriate safeguards — Standard Contractual Clauses approved by the European Commission and/or the providers' certification under the EU-US Data Privacy Framework. You can request a copy of the relevant safeguards by emailing privacy@oppye.com.

How long we keep it

Active account data: for as long as your account is open. Generated and imported banners: until you delete them. Deleted items: held in the recycle bin for 3, 7, 15, or 30 days (your setting, default 7), then a daily job permanently removes the database row and the stored file.

When you delete your account, we delete your profile, projects, banners, uploads, conversations, subscription records, and credit ledger, and we remove your stored files. We retain billing records (invoices) for 5 years because Romanian accounting law requires it — these are held by our payment processor, Stripe, and we keep the minimum needed to meet that obligation.

Your rights under GDPR

You can ask us for a copy of the personal data we hold about you, correct anything inaccurate, delete your account and its data (subject to the billing-record exception above), restrict or object to certain processing, and ask for your data in a portable format. Where processing is based on consent, you can withdraw it at any time.

The fastest way to delete everything is the in-app "Delete account" button in Settings. If you cannot sign in, email privacy@oppye.com from the address on your account and we will verify your identity and act within 30 days. You also have the right to lodge a complaint with the Romanian data-protection authority, ANSPDCP (Autoritatea Națională de Supraveghere a Prelucrării Datelor cu Caracter Personal) (https://www.dataprotection.ro).

Per-user isolation

Oppye uses Row-Level Security on every user-owned table in the database. No user can technically read or write another user's rows — the database itself enforces the boundary. Your banners, prompts, asset library, and credit balance are scoped to your user ID at the database layer.

Cookies and tracking

Oppye sets a session cookie from Supabase Auth so you stay signed in, and stores a small first-party preference (your sidebar layout) in your browser. We use no third-party analytics, no ad-tracking pixels, and no marketing cookies. If that ever changes, we will ask for your consent first and update our Cookie Policy. Stripe Checkout, which opens on a separate domain when you pay, sets its own cookies under Stripe's privacy policy. See the Cookie Policy for the full list.

Children

Oppye is not intended for users under 16, and we do not knowingly collect personal data from anyone under 16. If you believe a child has created an account, email privacy@oppye.com and we will delete it.

Changes to this policy

When we materially change this policy we will notify active accounts by email at least 14 days before the change takes effect. The version and date at the top of this page always reflect the current edition.