Privacy Policy
PRIVACY NOTICE – Oplyon (Global)
Last updated: 20 February 2026
This Privacy Notice explains how New Media Shop s.r.l. (“Oplyon”, “we”, “us”, “our”) may access, collect, store, use, disclose, and otherwise process (“process”) personal data/personal information when you use our services (“Services”), including when you:
- Use the Oplyon web application at https://app.oplyon.com
- Visit our website at https://www.oplyon.com or any page linking to this Notice
- Contact us for support, administrative communications, sales/marketing, or events
Questions? Contact: newmediashop@pec.it.
1) WHO WE ARE (CONTROLLER / PROCESSOR ROLES) — CRITICAL FOR SaaS
1.1 Controller / Processor split (multi-tenant SaaS)
Oplyon is a multi-tenant business SaaS. Depending on the processing activity:
A) Tenant Data (Customer’s business data uploaded into Oplyon)
When a customer company (“Tenant”) uploads/creates data about its own clients, suppliers, employees, orders, invoices, etc., the Tenant typically acts as the Data Controller, and New Media Shop s.r.l. acts as the Data Processor processing that data only on the Tenant’s documented instructions (GDPR Art. 28 model).
B) Oplyon Account & Platform Data (your user account, platform security, billing)
When we process data to provide the platform, create and secure user accounts, manage subscriptions/billing, prevent fraud, and provide support, we generally act as the Data Controller for those purposes.
1.2 Data Processing Agreement (DPA)
Where required (especially for Tenant Data), we provide a Data Processing Agreement (DPA) governing processor obligations, sub-processors, security measures, assistance with data subject rights, and breach notifications.
2) KEY POINTS SUMMARY
- What data do we process? Account/contact data, company/tenant data, operational data entered into Oplyon, support content, and technical data (logs, IP, device/browser, security events).
- Sensitive data? Oplyon is not designed to collect special categories (GDPR Art. 9). Where a Tenant uploads them, the Tenant remains responsible as Controller; we process only as Processor under the DPA.
- Payments: If you buy subscriptions, payments are handled by a payment processor (e.g., Stripe). We typically receive transaction references/status but do not store full card numbers (the processor does).
- Sharing: Only with vetted vendors (sub-processors/service providers), legal authorities when required, and business transfers. No sale of personal data.
- International transfers: We use safeguards such as Standard Contractual Clauses (SCCs) where applicable.
- Your rights: You may have rights under GDPR/UK GDPR, Canada (PIPEDA / Québec Law 25), and US state laws depending on where you live.
3) WHAT INFORMATION WE COLLECT
3.1 Information you provide
Depending on how you use Oplyon:
A) Account & contact data
- Name, surname
- Email, phone (if provided)
- Username/password (stored using secure hashing)
- Role/permissions, tenant identifier, contract code/technical identifiers
- Company details (e.g., legal name, VAT/Tax IDs) where relevant to the account
B) Tenant operational data (uploaded/created in Oplyon)
- Customer/supplier records (names, addresses, tax IDs, VAT numbers)
- Orders, invoices, credit notes, shipping and logistics data
- Administrative/financial records entered into the system (amounts, dates, descriptions, due dates)
Important: Oplyon does not provide direct access to bank accounts; payment “flows” are recorded at a management level (amount/date/status), depending on configuration.
C) Support & communications
- Tickets, messages, attachments, call notes
- Support audit trails (timestamps, outcomes)
3.2 Information we collect automatically
- IP address, login events, security/audit logs
- Device/browser/OS/language
- Usage data (pages/actions, errors, performance)
- Cookies/session identifiers (see Cookies section)
4) HOW WE USE YOUR INFORMATION (PURPOSES)
We process data for:
- Account creation & authentication (login, session, roles/permissions)
- Service delivery (enable core SaaS features)
- Support & operational communications (maintenance, security notices)
- Security & abuse prevention (fraud prevention, intrusion attempts, monitoring, auditing)
- Contract, subscription management & billing (plans, invoices, reconciliations)
- Product improvement (aggregated analytics, debugging, performance tuning)
- Marketing (business context) where permitted, with opt-out
5) LEGAL BASES (EU/EEA GDPR + UK GDPR)
If you are in the EU/EEA or UK, we rely on:
- Contract performance (provide Services, manage accounts)
- Legal obligations (tax/accounting, lawful requests)
- Legitimate interests (security, abuse prevention, service improvement, legal defense)
- Consent (non-essential cookies/marketing where required)
(If we act as Processor for Tenant Data, the Tenant determines the legal basis and provides required notices.)
The UK framework is primarily the Data Protection Act 2018 and the UK GDPR regime.
6) CANADA (PIPEDA + QUÉBEC LAW 25)
If you are in Canada, we align with:
- PIPEDA’s fair information principles (accountability, identifying purposes, consent, limiting collection/use/retention, safeguards, openness, access)
- Where applicable in Québec, Law 25 obligations (enhanced transparency, governance/accountability expectations, stronger consent standards for sensitive data, etc.).
7) US PRIVACY (STATE LAWS — GENERAL RIGHTS MODEL)
If you are in the United States, your rights depend on your state, but many modern state privacy laws provide rights to:
- Access and obtain a copy of personal data
- Correct inaccuracies
- Delete personal data (with exceptions)
- Opt out of:
  - sale of personal data (as defined by state law)
  - “sharing” for targeted advertising (where defined)
  - targeted advertising
  - profiling in furtherance of decisions with legal/similarly significant effects
California’s and other states’ frameworks commonly include opt-out rights and transparency duties.
8) WHEN AND WITH WHOM WE SHARE DATA
We may share data with:
8.1 Service providers / sub-processors
Cloud hosting, database, backups, monitoring, email delivery, ticketing/support tools, analytics, payment processors—under written contracts and only as needed to provide the Services.
Annex recommended: Publish/attach a “Sub-processors List” with vendor names and locations.
8.2 Legal requests
Authorities, regulators, or courts when required by law or to protect rights/safety.
8.3 Business transfers
Mergers, acquisitions, financing, or asset sales—subject to appropriate safeguards.
We do not sell personal data for independent third-party marketing.
9) COOKIES & TRACKING
- Essential cookies: login/session/security (necessary)
- Preferences cookies: language/settings (if used)
- Analytics/marketing cookies: only where enabled and, where required, after consent
If you run targeted advertising/analytics on oplyon.com, you should publish a dedicated Cookie Policy and use a compliant consent banner (especially EU/UK and potentially Québec).
10) SOCIAL LOGIN
If Oplyon offers social login (e.g., Google/Microsoft), we receive limited profile information necessary to authenticate. We do not control third-party social providers’ processing; please review their privacy policies.
(If you do not offer social login yet, state that clearly.)
11) INTERNATIONAL TRANSFERS
We may process data in the EU/EEA, UK, and other locations where we or our service providers operate.
Where required, we use safeguards such as:
- Standard Contractual Clauses (SCCs) and supplementary measures as appropriate.
12) DATA RETENTION
We retain data only for as long as necessary:
- Account data: for the duration of the contract/account, plus a limited period for disputes/compliance
- Billing/tax records: typically up to 10 years (where required by law)
- Security logs: proportionate retention (e.g., weeks to 12 months), unless needed longer for investigations
- Tenant Data: retained per Tenant instructions/settings and DPA terms; on termination we delete/return per contract, subject to backup cycles and legal obligations
13) SECURITY
We implement reasonable technical and organizational measures, such as:
- TLS/HTTPS encryption in transit
- Access control, roles/permissions, least privilege
- Monitoring, logging, intrusion detection
- Secure backups & recovery procedures
- Vulnerability and patch management
No system is 100% secure; users must protect credentials and use secure environments.
14) DATA BREACH NOTIFICATION
If a personal data breach occurs:
- We will investigate and mitigate promptly
- Where required, we will notify relevant parties (e.g., Tenants as Controllers for Tenant Data) and assist them with regulatory obligations
- Where we are the Controller, we will comply with applicable legal notification duties
(PIPEDA also contains breach notification rules for “breaches of security safeguards” in certain circumstances.)
15) CHILDREN
Oplyon is intended for business use and not for children. We do not knowingly collect data from minors.
16) YOUR PRIVACY RIGHTS (BY REGION)
16.1 EU/EEA & UK (GDPR / UK GDPR)
You may have rights to:
- access, rectification, erasure, restriction
- data portability
- objection (legitimate interests)
- withdraw consent (where processing is based on consent)
- lodge a complaint with your supervisory authority
16.2 Switzerland
You may contact the competent authority (where applicable).
16.3 Canada (PIPEDA / Québec Law 25)
You may request access, correction, and information about our processing, subject to applicable exceptions.
16.4 United States (State privacy rights)
Depending on your state, you may have rights to access/correct/delete and opt out of targeted advertising/sale/sharing/profiling.
Authorized agents (US)
Where applicable, you may use an authorized agent to submit requests; we may require proof of authorization.
17) HOW TO EXERCISE RIGHTS / CONTACT US
Email/PEC: newmediashop@pec.it
Include:
- Product: Oplyon
- Your tenant/company (if known)
- Account email/username
- The right you want to exercise (access/correction/deletion/etc.)
- Details to help locate the data
We may request additional information to verify identity and prevent unauthorized access.
Tenant Data note: If your request concerns data your employer/company uploaded into Oplyon, your request may need to be handled by the Tenant (Controller). We will assist by routing it appropriately.
18) UPDATES TO THIS NOTICE
We may update this Notice to reflect changes in law, technology, or our practices. The updated version will be indicated by the “Last updated” date and, where appropriate, we will provide additional notice (in-app, email, or website).
19) COMPANY DETAILS
Data Controller (where applicable):
New Media Shop s.r.l.
Via Vincenzo Lupoli 22, 24, 26 – 81100 Caserta (CE) – Italy
VAT: 04387950613
PEC: newmediashop@pec.it
App: https://app.oplyon.com
Website: https://www.oplyon.com
