Privacy Policy

Last Updated: February 2026

Trinity DAO Pty Ltd ("Company", "we", "us", "our") operates the Opus platform at opus.net.au ("Service"). This Privacy Policy explains how we collect, use, store, share, and protect your information when you use our Service. By accessing or using the Service, you acknowledge that you have read and understood this Privacy Policy. This Privacy Policy is incorporated into and forms part of our Terms of Service.

1. Information We Collect

We collect information to provide, operate, and improve the Opus platform. The categories of information we collect include:

a) Account & Registration Data

When you register for an account, we collect:

  • Full name and email address
  • Organisation/company name and business details
  • Role, position, and job title within your organisation
  • Phone number (if provided)
  • Password (stored in hashed form using industry-standard algorithms; we never store plaintext passwords)
  • Billing and payment information (processed and stored securely by Stripe; we do not store full payment card numbers)

b) Usage & Telemetry Data

We automatically collect information about how you interact with the Service:

  • Pages viewed, features used, and actions taken within the Service
  • Session duration, frequency of use, and interaction patterns
  • Device type, model, browser type, browser version, and operating system
  • IP address and general geographic location (city/region level)
  • Referral source, entry/exit pages, and search terms
  • Clickstream data, navigation paths, and user interface interactions
  • Error logs, crash reports, and performance metrics
  • Feature engagement metrics and usage frequency

c) Project & Business Data

Data you create, upload, or input as part of using the Service:

  • Project details, descriptions, status updates, and metadata
  • Client and contact information you manage within the platform
  • Documents, reports, proposals, and uploaded files
  • Time entries, schedules, timesheets, and financial records
  • Equipment records, resource allocations, and inventory data
  • Communications, notes, and comments within the platform
  • Invoice data, billing records, and expense information

d) AI Interaction Data

When you use AI-powered features of the Service, we collect:

  • Queries, prompts, and inputs provided to AI features
  • AI-generated outputs, responses, and recommendations
  • User feedback on AI outputs (e.g., ratings, corrections, acceptance/rejection)
  • Context data necessary for AI processing (e.g., project data referenced during analysis)
  • AI feature usage patterns and interaction logs

2. Lawful Basis for Processing

We process your personal information on the following legal bases:

  • Contractual Necessity: Processing necessary to perform our contract with you (providing the Service, managing your account, processing payments).
  • Legitimate Interests: Processing necessary for our legitimate business interests, including improving the Service, analytics, fraud prevention, security, and direct marketing (where applicable), provided such interests are not overridden by your rights and freedoms.
  • Consent: Where you have provided explicit consent, such as for certain AI data processing, marketing communications, or optional integrations. You may withdraw consent at any time.
  • Legal Obligation: Processing necessary to comply with applicable laws, regulations, or legal processes.

3. How We Use Information

We use the information we collect for the following purposes:

  • Providing the Service: To operate, maintain, and deliver the features and functionality of the Opus platform, including processing transactions and managing your subscription.
  • Account Management: To create and manage your account, authenticate your identity, enforce our Terms of Service, and process subscription billing.
  • Service Improvement & Analytics: To analyse usage patterns, identify areas for improvement, measure feature effectiveness, conduct A/B testing, and develop new features and products.
  • AI & Automated Processing: To power AI-assisted features such as project analytics, document generation, forecasting, intelligent suggestions, and automated workflows. Your data may be processed by our AI systems and third-party AI service providers to deliver these features.
  • Aggregated Analytics & Insights: To create anonymised, aggregated, and de-identified datasets for analytics, benchmarking, trend analysis, industry reporting, research, and the development and improvement of our AI models, algorithms, products, and services. Aggregated data cannot be used to identify you or any individual.
  • Communication: To send you service-related notices, system alerts, maintenance notifications, security warnings, billing information, and support messages. With your consent, we may also send marketing and promotional communications.
  • Security & Fraud Prevention: To detect, investigate, prevent, and address security threats, fraud, unauthorised access, and abuse of the Service.
  • Personalisation: To customise and personalise your experience, including tailoring content, features, and recommendations to your usage patterns and preferences.
  • Legal Compliance: To comply with applicable laws, regulations, legal processes, and government requests.

4. AI Data Processing & Automated Decision-Making

This section provides detailed information about how your data is processed by AI systems and automated tools within the Service.

a) How We Use AI

The Service uses artificial intelligence and machine learning technologies to provide:

  • Project analytics and performance insights
  • Financial forecasting and trend analysis
  • Document generation and template assistance
  • Resource allocation recommendations
  • Intelligent search and information retrieval
  • Automated categorisation and tagging
  • Business health indicators and risk assessments

b) Data Sent to AI Systems

When you use AI features, relevant data from your account and projects may be sent to our AI processing systems, which may include third-party AI service providers. The data sent is limited to what is necessary to provide the specific AI feature you are using. We maintain data processing agreements with all third-party AI providers that include confidentiality obligations and restrictions on data use.

c) Third-Party AI Providers

We may use the following categories of third-party AI service providers:

  • Large Language Model Providers (e.g., Anthropic, OpenAI): For natural language processing, document generation, and intelligent analysis. These providers process data pursuant to data processing agreements and do not use your data to train their general models.
  • Machine Learning Infrastructure: For custom model training, analytics processing, and automated workflows using anonymised and aggregated data.

d) AI Model Training

  • Third-Party Models: We do not permit third-party AI providers to use your individually identifiable data to train their general-purpose AI models. This is enforced through our data processing agreements.
  • Our Internal Models: We may use anonymised, aggregated, and de-identified data to train, improve, and validate our own proprietary AI models and algorithms. This data cannot be used to re-identify you or any individual. This is essential for improving the accuracy and relevance of AI features for all users.

e) Automated Decision-Making & Profiling

The Service may use automated processing to:

  • Generate project analytics, forecasts, and performance reports
  • Provide recommendations for resource allocation and scheduling
  • Detect anomalies and potential security threats
  • Categorise and tag content automatically
  • Assess business health indicators

These automated processes are designed to assist and augment your decision-making, not replace it. No automated decision produces legal effects or similarly significantly affects you without human oversight and review. You have the right to request human review of any automated decision, express your point of view, and contest the decision by contacting us at [email protected].

5. Aggregated & De-Identified Data

We may create aggregated, anonymised, and/or de-identified data from the information we collect ("Aggregated Data"). Aggregated Data is data that has been processed so that it can no longer reasonably be used to identify a specific individual, account, or organisation.

  • Creation: Aggregated Data is created through techniques such as statistical aggregation, generalisation, data masking, hashing, pseudonymisation, and removal of direct identifiers.
  • Use: We may use Aggregated Data for any lawful purpose, including but not limited to: analytics, research, product development, AI model training and improvement, benchmarking, trend analysis, industry reporting, marketing, and the creation of new products and services.
  • Sharing: We may share Aggregated Data with third parties, including business partners, researchers, and the public. Because Aggregated Data does not identify you, it is not subject to the data sharing restrictions that apply to personal information.
  • No Re-Identification: We maintain administrative, technical, and physical safeguards designed to prevent the re-identification of Aggregated Data. We do not attempt to re-identify Aggregated Data and contractually prohibit third parties from doing so.
  • Ownership: We own all rights, title, and interest in Aggregated Data. Aggregated Data is not considered "Your Data" as defined in our Terms of Service and is not subject to data deletion or export requests.

6. Data Storage & Security

We implement comprehensive administrative, technical, and physical security measures to protect your data:

  • Multi-Tenant Isolation: Opus uses a multi-tenant architecture with strict logical separation between tenants. Each organisation's data is isolated at the database level and cannot be accessed by other tenants.
  • Encryption in Transit: All data transmitted between your browser and our servers is encrypted using TLS 1.2 or higher (HTTPS). API communications use the same encryption standards.
  • Encryption at Rest: Sensitive data, including passwords and authentication tokens, is encrypted at rest using industry-standard encryption algorithms (AES-256 or equivalent).
  • Access Controls: Role-based access controls (RBAC) and the principle of least privilege ensure that users and personnel only have access to data necessary for their function.
  • Regular Backups: We perform automated, encrypted backups to ensure data durability and support disaster recovery. Backups are retained in accordance with our data retention policy.
  • Infrastructure Security: Our services are hosted on secure, professionally managed cloud infrastructure with physical security, network monitoring, intrusion detection, DDoS protection, and redundancy.
  • Security Audits & Testing: We regularly review and update our security practices, conduct vulnerability assessments, and address emerging threats.
  • Employee Access: Access to personal data by our employees and contractors is limited to those who need it to perform their duties and is subject to confidentiality obligations.

While we implement robust security measures, no method of transmission or storage is 100% secure. We cannot guarantee absolute security of your data. You are responsible for maintaining the security of your account credentials and for any activity under your account.

7. Data Sharing & Disclosure

We are committed to protecting your privacy. We share your information only in the following circumstances:

  • We Do Not Sell Your Personal Data: We do not sell, rent, or trade your personal information to third parties for their marketing or advertising purposes.
  • Service Providers & Processors: We share data with trusted third-party service providers who perform services on our behalf, including payment processing (Stripe), cloud hosting, email delivery, analytics, AI processing, and customer support. These providers are contractually bound to protect your data, process it only as instructed, and not use it for their own purposes.
  • AI Service Providers: As described in Section 4, data necessary for AI features may be shared with third-party AI providers pursuant to data processing agreements.
  • With Your Consent & Authorisation: We may share your data with third parties when you explicitly authorise us to do so, such as when enabling integrations with Xero, Stripe, or other connected services.
  • Aggregated & De-Identified Data: As described in Section 5, we may share Aggregated Data with third parties for any lawful purpose. This data does not identify you.
  • Legal Requirements & Protection: We may disclose your information if required or permitted by law, regulation, legal process, subpoena, court order, or governmental request, or where we believe disclosure is necessary to: (a) comply with applicable law; (b) protect the rights, property, or safety of Trinity DAO Pty Ltd, our users, or the public; (c) detect, prevent, or address fraud, security issues, or technical problems; or (d) enforce our Terms of Service.
  • Business Transfers: In the event of a merger, acquisition, reorganisation, bankruptcy, sale of assets, or similar transaction, your data may be transferred as part of the business assets. We will provide notice of any such transfer and your options regarding your data. The acquiring entity will be bound by this Privacy Policy with respect to your data.
  • Professional Advisors: We may share data with our professional advisors, such as lawyers, auditors, and insurers, where necessary for them to provide their services.

8. Your Rights & Choices

You have the following rights regarding your personal data, subject to applicable law and verification of your identity:

  • Right of Access: You may request a copy of the personal data we hold about you. Account holders can access most of this data directly through the Service.
  • Right to Correction (Rectification): You may request that we correct any inaccurate or incomplete personal data. You can update most information directly through your account settings.
  • Right to Deletion (Erasure): You may request the deletion of your personal data. We will comply with such requests unless we are required or permitted to retain certain data by law or for legitimate business purposes (e.g., fraud prevention, dispute resolution).
  • Right to Data Portability: You may request to receive your personal data in a structured, commonly used, and machine-readable format, and have it transferred to another service provider where technically feasible.
  • Right to Data Export: You may export your project data, client records, and other content using the built-in export functionality in Opus.
  • Right to Restrict Processing: You may request that we restrict the processing of your personal data in certain circumstances, such as when you contest the accuracy of the data or object to our processing.
  • Right to Object: You may object to the processing of your personal data where we rely on legitimate interests as the legal basis, including profiling based on legitimate interests.
  • Right to Withdraw Consent: Where we rely on your consent to process data, you may withdraw that consent at any time. This does not affect the lawfulness of processing before withdrawal.
  • Right Regarding Automated Decisions: You have the right not to be subject to a decision based solely on automated processing (including profiling) that produces legal effects or similarly significantly affects you. You may request human review of any such decision.
  • Right to Opt-Out of AI Processing: You may request that your individually identifiable data not be used for AI model training or improvement. Note that this does not apply to Aggregated Data or to the basic operation of AI features you actively use.
  • Marketing Communications: You may opt out of receiving marketing communications by following the unsubscribe link in any marketing email or contacting us. This does not affect service-related communications.

To exercise any of these rights, please contact us at [email protected]. We will respond to your request within 30 days (or such shorter period as required by applicable law). We may need to verify your identity before fulfilling your request. In certain cases, we may charge a reasonable fee or decline requests that are manifestly unfounded or excessive.

9. Cookie Policy

Opus uses cookies and similar tracking technologies (such as pixels, web beacons, and local storage) to provide and improve the Service:

  • Strictly Necessary Cookies: Required for the Service to function, including authentication tokens, session management, security features, and load balancing. These cannot be disabled without impairing the Service.
  • Analytics & Performance Cookies: Used to understand how you interact with the Service, measure performance, identify errors, and improve the user experience. We may use services such as Google Analytics (with IP anonymisation enabled), Plausible Analytics, or similar providers.
  • Functional & Preference Cookies: Used to remember your settings and preferences, such as theme selection, language, display options, and dashboard configurations.

You can manage cookie preferences through your browser settings or any cookie consent mechanism we provide. Note that disabling essential cookies may impair the functionality of the Service. For more information about the cookies we use, please contact us.

Do Not Track Signals

Some web browsers transmit "Do Not Track" (DNT) signals. Because there is no universally accepted standard for how to respond to DNT signals, the Service does not currently respond to DNT browser signals. However, you can manage your tracking preferences through the cookie and privacy controls described above.

10. Third-Party Services & Sub-Processors

Opus integrates with and may share data with the following categories of third-party services. Each has its own privacy practices, and we encourage you to review their policies:

Stripe (Payment Processing)

Payment processing, subscription management, and billing. Stripe processes and stores your payment information in accordance with PCI DSS Level 1 standards. We do not store full credit card numbers on our servers. Stripe Privacy Policy

Xero (Accounting Integration)

Accounting and invoicing integration. When you connect your Xero account, we exchange relevant financial data to sync invoices and client information. This integration is optional and requires your explicit authorisation via OAuth 2.0. Xero Privacy Policy

AI Service Providers (e.g., Anthropic, OpenAI)

Opus uses third-party AI providers to deliver intelligent features such as project analysis, document generation, forecasting, and recommendations. Data sent to AI providers is processed in accordance with our data processing agreements, which prohibit these providers from using your data to train their general-purpose models. Data transmission is encrypted and access is restricted to the minimum necessary.

Cloud Infrastructure & Hosting

Our Service is hosted on professionally managed cloud infrastructure. Our hosting providers maintain industry-standard certifications (e.g., SOC 2, ISO 27001) and implement comprehensive physical and logical security controls.

Analytics Services

We may use analytics services (such as Google Analytics with IP anonymisation, Plausible Analytics, or similar) to understand Service usage patterns and improve the user experience. Where possible, we configure these tools to minimise personal data collection.

Email & Communication Services

We use third-party email delivery services to send transactional and service-related communications. These providers process email addresses and message content solely for delivery purposes.

We maintain an up-to-date list of our sub-processors and their purposes. You may request the current list by contacting [email protected].

11. Data Retention

We retain your data for as long as necessary to provide the Service and fulfil the purposes described in this Privacy Policy:

  • Active Accounts: Your data is retained for the duration of your active subscription and account.
  • Cancelled Accounts: After account cancellation, we retain your data for 30 days to allow for reactivation or data export. After this period, your data will be scheduled for permanent deletion from our active systems.
  • Backup Retention: Data may persist in encrypted backups for up to 90 days after deletion from active systems, after which it is permanently removed through our backup rotation process.
  • Legal & Regulatory Requirements: We may retain certain data for longer periods if required by applicable law (such as tax and accounting laws), regulation, or to resolve disputes, enforce our agreements, and protect our legal rights.
  • Aggregated & De-Identified Data: We may retain anonymised, aggregated, and de-identified data indefinitely for analytical, statistical, research, product improvement, and AI training purposes. This data cannot be used to identify individual users and is not subject to deletion requests.
  • AI Interaction Logs: Logs of AI feature interactions may be retained for up to 12 months for quality assurance, service improvement, and debugging purposes, after which they are anonymised or deleted.
  • Security Logs: Security and access logs may be retained for up to 24 months for fraud prevention, security monitoring, and compliance purposes.

12. Data Breach Notification

We take data security seriously and have procedures in place to address data breaches:

  • Detection & Response: We maintain incident response procedures to promptly detect, investigate, contain, and remediate data breaches or security incidents.
  • Notification to Authorities: Where required by applicable law (including the Australian Privacy Act's Notifiable Data Breaches scheme), we will notify the relevant supervisory authority (such as the OAIC) of qualifying data breaches within the required timeframe.
  • Notification to Affected Users: If a data breach is likely to result in serious harm to you, we will notify you as soon as practicable, providing information about the nature of the breach, the data affected, the steps we have taken, and recommendations for protecting yourself.
  • Remediation: We will take all reasonable steps to contain and remediate the breach, prevent future occurrences, and mitigate any harm caused.

13. Children's Privacy

Opus is a business-to-business (B2B) platform designed exclusively for use by professionals and organisations. The Service is not intended for, marketed to, or designed for use by individuals under the age of 18 (or the applicable age of majority in their jurisdiction).

We do not knowingly collect, solicit, or process personal information from children under 18. If we become aware that we have inadvertently collected personal information from a child, we will take immediate steps to delete such information from our systems. If you believe a child has provided us with personal information, please contact us immediately at [email protected].

14. International Data Transfers

Opus is operated by Trinity DAO Pty Ltd from Australia, and our primary data processing occurs in Australia. However, your data may be transferred to and processed in other countries where our service providers and sub-processors operate, including the United States and other jurisdictions.

  • We ensure that any international transfers of personal data comply with applicable data protection laws, including the Australian Privacy Principles (APPs) under the Privacy Act 1988 (Cth).
  • We use appropriate safeguards for international transfers, including data processing agreements incorporating standard contractual clauses, binding corporate rules, or other recognised transfer mechanisms.
  • We take reasonable steps to ensure that overseas recipients of personal data do not breach the APPs in relation to that data, as required under APP 8.
  • For users in the European Economic Area (EEA) or United Kingdom, transfers to countries without an adequacy decision are protected by Standard Contractual Clauses approved by the European Commission, or other appropriate safeguards.

15. Region-Specific Rights

a) Australian Users — Privacy Act 1988

If you are located in Australia, your personal information is handled in accordance with the Australian Privacy Principles (APPs) under the Privacy Act 1988 (Cth). You have the right to access and correct your personal information, and to make a complaint to the Office of the Australian Information Commissioner (OAIC) if you believe we have breached the APPs.

b) European Economic Area & UK Users — GDPR

If you are located in the European Economic Area (EEA) or the United Kingdom, the General Data Protection Regulation (GDPR) or UK GDPR provides you with additional rights, including:

  • The right to access, rectify, erase, restrict, or port your personal data
  • The right to object to processing based on legitimate interests
  • The right not to be subject to solely automated decision-making
  • The right to withdraw consent at any time
  • The right to lodge a complaint with your local data protection authority

Our lawful bases for processing are set out in Section 2 above. For GDPR-related enquiries, contact [email protected].

c) California Users — CCPA/CPRA

If you are a California resident, the California Consumer Privacy Act (CCPA), as amended by the California Privacy Rights Act (CPRA), provides you with specific rights:

  • Right to Know: You may request disclosure of the categories and specific pieces of personal information we have collected, the sources, the business purposes, and the categories of third parties with whom we share it.
  • Right to Delete: You may request deletion of your personal information, subject to certain exceptions.
  • Right to Correct: You may request correction of inaccurate personal information.
  • Right to Opt-Out of Sale/Sharing: We do not sell your personal information as defined under the CCPA/CPRA. We do not share your personal information for cross-context behavioural advertising.
  • Right to Limit Use of Sensitive Information: You may request that we limit our use of sensitive personal information to purposes permitted under the CPRA.
  • Non-Discrimination: We will not discriminate against you for exercising any of your CCPA/CPRA rights.

To exercise your California privacy rights, contact [email protected] or submit a request through your account settings. We will verify your identity before processing your request.

16. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technologies, legal requirements, or other factors. When we make changes:

  • We will update the "Last Updated" date at the top of this page.
  • For material changes that affect how we collect, use, or share your personal data, we will notify you through the Service (e.g., in-app notification) or via email at least 30 days before the changes take effect.
  • Your continued use of the Service after the effective date of any changes constitutes your acceptance of the revised Privacy Policy. If you do not agree with the changes, you should discontinue use of the Service.
  • We encourage you to review this Privacy Policy periodically to stay informed about how we collect, use, and protect your data.

17. Contact Information

If you have any questions, concerns, or requests regarding this Privacy Policy, our data practices, or wish to exercise any of your privacy rights, please contact us:

Trinity DAO Pty Ltd — Privacy Team

We aim to respond to all privacy-related enquiries within 30 days (or such shorter period as required by applicable law). If you are not satisfied with our response, you have the right to lodge a complaint with the relevant supervisory authority: