Privacy Notice

This Privacy Notice applies to:

  • visitors to our website;
  • business prospects who interact with us, request information, or receive marketing
    communications; and
  • business customers and their representatives who use or subscribe to our services.

It explains how OPIO collects, uses, shares, and protects personal data in these contexts, as well as the rights available to individuals under applicable data protection laws, in particular the General Data Protection Regulation (GDPR).

Protecting your privacy is important to OPIO. When you interact with us or use our services, you may share personal data with us, and we take this responsibility seriously. This Privacy Notice is intended to help you understand how and why we process your personal data and how you can exercise your rights.

This Privacy Notice applies regardless of whether you interact with us directly, through our website, or through the use of our services by your organization.

1. WHO IS RESPONSIBLE FOR PROCESSING YOUR PERSONAL DATA?

OPIO, a French company registered under the number 939 411 641 R.C.S. Paris, with its registered office at 27 rue des Panoyaux, 75020 Paris (France), acts as the data controller for the personal data described in this Privacy Notice.

In addition, when OPIO provides its services to business customers, it may process personal data on behalf of and under the instructions of such customers, acting as a data processor within the meaning of the GDPR. In those cases, the relevant customer acts as the data controller and is primarily responsible for the processing of personal data.

If you have any questions or wish to exercise your rights in connection with processing carried out on behalf of one of our customers, you should contact that customer directly. Where appropriate, any request we receive in this context will be forwarded to the relevant customer.

This Privacy Notice does not apply to personal data processed by our customers independently of our services, nor to personal data processed by OPIO solely on behalf of its customers in its capacity as a data processor. In such cases, the relevant customer acts as the data controller and is responsible for providing appropriate information to data subjects and handling data subject rights in accordance with applicable data protection laws.

2. WHAT PERSONAL DATA DO WE COLLECT?

We may collect and process different categories of personal data, depending on how you interact with OPIO, whether as a website visitor, a business prospect, or a business customer.

The categories of personal data processed may vary depending on the services used, the nature of the relationship with OPIO, and applicable contractual arrangements.

a. Data you provide directly

When you contact us, request information, book a demonstration, subscribe to our services, place an order, or otherwise interact with us, we collect the personal data that you choose to provide, which may include in particular:

  • identification data (such as your first and last name);
  • professional contact details (such as business email address, phone number, job title);
  • company-related information (such as company name, industry, or size);
  • account and subscription information;
  • the content of your communications with us.

We only collect personal data that is necessary for the relevant purpose. Providing such data is voluntary; however, if you choose not to provide certain information, we may be unable to respond to your request or provide access to certain services.

b. Data collected from third-party sources

Subject to applicable law, we may receive personal data from third-party sources, in particular in a B2B context, such as:

  • professional social networks;
  • publicly available databases or websites;
  • business partners or service providers.

Such data may be used, in particular, to identify potential business contacts and to maintain and develop our commercial relationships.

c. Exclusion of sensitive data

We do not intentionally collect or process special categories of personal data within the meaning of Article 9 of the GDPR (such as data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data, health data, or data concerning sexual orientation).

If such data is inadvertently provided to us, it will be deleted as soon as we become aware of it, unless we are legally required to retain it.

3. WHY DO WE COLLECT YOUR DATA AND HOW LONG DO WE RETAIN IT?

We process personal data only for specific, explicit, and legitimate purposes, based on an appropriate legal basis under the GDPR, and for no longer than is necessary to achieve those purposes.

The tables below are intended to provide a clear overview of why we process personal data, the legal bases relied upon, and how long such data is retained.

a. Contract management and service provision

| Purpose | Legal basis | Retention period |
|---|---|---|
| Management of contractual relationships and provision of services | Processing is necessary for the performance of a contract between your company and OPIO | Duration of the contractual relationship |
| Compliance with accounting, tax, and regulatory obligations | Processing is necessary to comply with legal obligations | Retained in intermediate archives for the applicable statutory retention periods |
| Management of pre-litigation and litigation | Legitimate interest in establishing, exercising, or defending legal claims | Duration of the applicable statute of limitations (generally 5 years) |

b. Marketing and commercial prospecting

| Purpose | Legal basis | Retention period |
|---|---|---|
| Marketing communications and commercial prospecting by electronic means | Legitimate interest in promoting and developing our business; consent where required by law | Until withdrawal of consent (where applicable), or 3 years from: (i) the end of the commercial relationship for customers, or (ii) the last contact or data collection for prospects |

c. Commercial activity management

| Purpose | Legal basis | Retention period |
|---|---|---|
| Business analytics, statistics, surveys, and service improvement | Legitimate interest in improving our services, user experience, and business performance | 1 year |

d. Security, operation and performance of services

| Purpose | Legal basis | Retention period |
|---|---|---|
| Monitoring, ensuring security, preventing fraud, and maintaining the performance of our website and services (including logs and technical data) | Legitimate interest in ensuring the security and proper functioning of our services | 1 year |

e. Data subject rights management

| Purpose | Legal basis | Retention period |
|---|---|---|
| Handling requests to exercise data subject rights | Compliance with a legal obligation | Time necessary to process the request (generally 1 month, up to 3 months for complex requests) |

Personal data may be retained for longer periods where required to comply with legal obligations or for the establishment, exercise, or defense of legal claims. In all cases, personal data is not retained beyond what is strictly necessary. Once the applicable retention period expires, data is deleted or irreversibly anonymized.

4. WITH WHOM DO WE SHARE YOUR PERSONAL DATA?

We do not sell personal data.

We share personal data only where necessary and only with appropriate recipients, in accordance with the purposes described in this Privacy Notice.

a. Internal recipients

Personal data may be accessed by OPIO’s authorized employees, strictly on a need-to-know basis and solely for the performance of their duties.

b. External recipients

We may share personal data with the following categories of external recipients, where necessary:

  • professional advisors (such as legal counsel, auditors, or accountants);
  • technical and operational service providers acting as data processors on our behalf (such as hosting providers, CRM tools, customer support platforms, or analytics providers);
  • public or judicial authorities, where disclosure is required by applicable law or a binding legal request.

All data processors are subject to appropriate contractual obligations, including confidentiality and data protection commitments in accordance with the GDPR.

c. Corporate transactions

Personal data may also be disclosed in the context of a potential or actual merger, acquisition, restructuring, or sale of all or part of OPIO’s assets, subject to appropriate safeguards.

d. International data transfers

Some of our service providers are located outside the European Economic Area (EEA), including in countries such as the United States. Where personal data is transferred outside the EEA to a country that is not subject to an adequacy decision by the European Commission pursuant to Article 45 of the GDPR, such transfers are governed by appropriate safeguards under Articles 46 et seq. of the GDPR, in particular the Standard Contractual Clauses adopted by the European Commission.

Where required, we implement additional technical and organizational measures to ensure a level of protection essentially equivalent to that guaranteed within the EEA.

You may obtain further information on international data transfers and a copy of the relevant safeguards (excluding confidential information) by contacting us as indicated in Section 7.

5. WHAT ARE YOUR RIGHTS AND HOW TO EXERCISE THEM?

Under applicable data protection laws, you have the following rights, subject to legal conditions:

  • To withdraw your consent at any time where processing is based on consent;
  • To obtain confirmation as to whether we process your personal data and, if so, to access it and receive a copy;
  • To request correction or completion of inaccurate or incomplete data;
  • To request erasure of your data or restriction of processing in certain circumstances;
  • To receive your data in a structured, commonly used, and machine-readable format, or to request its transmission to another controller;
  • To define instructions regarding the processing of your data after your death;
  • To object to processing based on our legitimate interests, unless we demonstrate
    compelling legitimate grounds or the processing is required for legal claims;
  • To object at any time to the processing of your data for direct marketing purposes.

You can exercise your rights by contacting us at the email address provided in Section 7.
You also have the right to lodge a complaint with the competent supervisory authority. In France, the relevant authority is the CNIL (www.cnil.fr).

These rights may be subject to limitations or exceptions under applicable law.

6. PROTECTION OF MINORS

Our services are intended for business users only and are not designed for use by minors. We do not knowingly collect personal data from minors.

Any individual providing information to OPIO in connection with an order or service represents that they are of legal age. If we become aware that we have collected personal data from a minor without appropriate consent, we will promptly delete such data.
Where personal data relating to minors is processed as part of customer-submitted content, the customer is responsible for obtaining all required consents. If we discover that such consents have not been obtained, the data will be deleted.

Please contact us if you believe that personal data relating to a minor has been provided to us without proper authorization.

7. CONTACT

For privacy-related questions or requests, contact:

tristan@opio-ai.com

8. CHANGES TO THIS PRIVACY NOTICE

We may update this Privacy Notice from time to time to reflect changes in legal requirements, our services, or our data processing practices. The version in force at the time of data collection applies.

The version of the Privacy Notice in force at the time the personal data is processed applies.


Where appropriate, we will inform you of material changes by posting a notice on this page.

Effective date: Tuesday, January 13, 2026
