Web Opuna Ltd — Privacy Policy

Effective date: 14 October 2025

At a glance

• Scope: This is a company‑wide privacy policy for Web Opuna Ltd (reg. no. HE 461150), Anastasiou Sioukri, 1, THEMIS COURT, 4th floor, Office 402, 3105 Limassol, Cyprus ("Web Opuna", "we"). It covers our corporate sites and services. Product‑specific notices live on each product's site.
• Role: We act as controller for our own sites and operations, and as processor where we handle data solely on a customer's instructions.
• No sale or ad‑tech sharing: We do not sell personal information and do not share it with third parties for cross‑context behavioral advertising.
• Platform data: Data from connected third‑party platforms is used only to provide the features you request, subject to those platforms' terms, and is retained no longer than necessary.

What this policy covers

This policy explains what we collect, why, how we share it, international transfers, your rights, how to contact us, and how to exercise deletion/objection choices. If a product requires additional disclosures (e.g., specific API data categories), those appear in that product's own privacy notice.

Our roles

Depending on context, we may act as a controller (we determine purposes and means of processing) or a processor (we process solely on another controller's documented instructions). When you connect a social or other third‑party platform, we access and process data on your behalf only to deliver the requested functionality and in compliance with the platform's developer terms and policies.

Categories of personal data

• Identifiers & contact data: name, business email, role, company, communications, account identifiers.
• Integration data (when you connect platforms): connected handle or account ID, profile details exposed by the integration, content/metadata you submit for scheduling/publishing, and analytics/metrics the integration makes available.
• Technical & usage data: IP address, device and browser type, OS, language, time zone, session IDs/cookies, service telemetry, error/audit logs.

We do not intentionally collect sensitive categories unless you proactively provide them (e.g., in a support message). Please avoid sharing sensitive data with us unless strictly necessary.

Sources

We obtain data directly from you, from platforms you choose to connect, and from cookies/SDKs with consent where required. We do not purchase personal data from data brokers.

Purposes and legal bases

• Provide and operate services you request (e.g., account administration, integrations, scheduling/publishing, analytics, collaboration). Legal bases: Contract; Legitimate interests where applicable.
• Support, security, and integrity (incident response, fraud/abuse prevention, auditing, service continuity). Legal bases: Legitimate interests / Legal obligation.
• Product improvement and analytics (aggregated or de‑identified where possible). Legal bases: Legitimate interests / Consent where required (e.g., non‑essential cookies).
• Communications (onboarding, updates, newsletters where opted‑in). Legal bases: Consent / Legitimate interests in B2B contexts as permitted by law.
• Compliance and enforcement (legal requirements, dispute resolution, enforcing terms). Legal bases: Legal obligation / Legitimate interests.

Platform data commitments

When you connect a third‑party platform (e.g., a social network):

• We request the minimum scopes needed for the features you choose.
• We use platform data only to provide those features; we do not use it for independent ad targeting, profiling, or building unrelated datasets.
• We do not sell, license, or disclose platform data to data brokers or third parties for their independent marketing.
• We store tokens and platform data securely and retain them only while necessary to provide the features or until you disconnect/revoke access.
• Disconnecting or revoking permissions stops further access; we then delete associated tokens and data within our retention windows.

Sharing

We share personal data with:

• Service providers (processors) for hosting, storage, analytics, email delivery, and security—under contracts requiring confidentiality and appropriate data protection.
• Corporate transactions (e.g., merger, acquisition); we will provide notice where legally required.
• Legal/safety recipients when necessary to comply with law, enforce terms, or protect rights and safety.

We do not sell personal information and we do not share it for cross‑context behavioral advertising.

International transfers

We may transfer personal data internationally (e.g., EEA↔US/UK). Where required, we use appropriate safeguards such as Standard Contractual Clauses and perform transfer risk assessments. Some of our US vendors may participate in the EU‑U.S. Data Privacy Framework; where they do, we rely on their certification.

Security

We apply industry‑standard controls: encryption in transit and at rest, least‑privilege access, role‑based controls, logging/monitoring, vulnerability management, and incident response. While no online service is 100% secure, we continually improve our safeguards.

Retention

We retain personal data only as long as needed for the purposes above, then delete or anonymize it. Typical periods:

• Contact & support data: up to 24 months after last interaction.
• Technical logs (including access/publish/audit logs): approximately 180 days unless needed longer for security or legal claims.
• Analytics/telemetry: approximately 12 months.

Where immediate deletion is not feasible (e.g., encrypted backups), data is isolated and deleted per backup rotation schedules.

Your choices and rights

Depending on your location, you may have rights to request access, rectification, deletion, restriction, or portability of your personal data, and to object to processing (including direct marketing). You can:

• Opt out of marketing emails via the unsubscribe link or by contacting us.
• Disconnect integrated platforms at any time to stop further access.
• Request deletion or exercise other rights by emailing compliance@opuna.com.

You also have the right to lodge a complaint with your local supervisory authority. We will respond to requests within the timeframes required by law.

California privacy disclosures (CPRA)

For California residents, in the preceding 12 months we have collected the categories described above. We do not sell personal information and do not share it for cross‑context behavioral advertising. You may exercise the rights to know/access, delete, correct, and to opt out of sale/share (not applicable here) and non‑discrimination. You may use an authorized agent if they provide proof of authorization. To submit a request, contact compliance@opuna.com.

Cookies & tracking

We use necessary cookies to operate the sites and, with consent where required, functional and analytics cookies to improve performance. You can manage preferences through your browser and (where available) our cookie consent banner. You can manage cookie preferences through your browser settings and, where present, via our on‑site consent banner.

Children

Our services and sites are not directed to children, and we do not knowingly collect personal data from anyone under 13 (or higher local age where applicable).

Contact

Controller: Web Opuna Ltd
Email: compliance@opuna.com
Postal: Anastasiou Sioukri, 1, THEMIS COURT, 4th floor, Office 402, 3105 Limassol, Cyprus

Changes to this policy

We will update this policy from time to time and post the effective date at opuna.com/privacy-policy.html. If changes materially affect your rights, we will provide additional notice.