Legal
Privacy Policy
What we collect, how we use it, who we share it with, how long we keep it, and what rights you have to access or delete it.
Effective date: 2026-05-21 · Version: 1.0 (initial draft)
⚠️ Draft — not yet lawyer-reviewed
This is OpsLight's initial Privacy Policy draft, prepared 2026-05-21. It accurately describes our current data practices but has not been reviewed by a privacy attorney for CCPA, GDPR, or other regulatory compliance language. We're publishing it now so it's better than nothing while we wait for lawyer-reviewed v2.
1. Who we are
OpsLight is operated by Altin Sallaku, a sole proprietor doing business as "OpsLight" ("we," "us," "our," or "OpsLight"). Our address is 311 Mainsail Ct, Foster City, CA 94404, USA. Contact: altin@opslight.app.
This policy explains how we handle personal information when you use opslight.app, sign up via /onboard, or interact with the OpsLight Service.
2. What we collect
2.1 From you (the business owner) at signup
- Business name (what you put on customer-facing emails)
- Your email address (for welcome email + urgent intake alerts)
- Your phone number (optional — for SMS owner-alerts)
- Trade/vertical (so we can pre-pick classification defaults)
- One-sentence business description (optional — helps tune the classifier)
2.2 From your customers (the people who email/text/call your OpsLight intake address)
When your customers reach out to you via OpsLight, we receive whatever they send: their name, email, phone, subject, message body, and any attachments. This is "Customer Data" in the Terms of Service. It belongs to you, not us — we process it on your behalf.
2.3 Automatically (when you visit opslight.app)
- IP address, user agent, and referring URL — standard web-server logs retained ~30 days
- Aggregate page-view counts via Cloudflare Web Analytics — no cookies, no cross-site tracking, no PII
- Cloudflare Turnstile token when you submit the /onboard form — anti-spam only, retained ~7 days
2.4 What we do NOT collect
- Google Analytics, Facebook Pixel, TikTok Pixel, or other third-party advertising trackers — we don't use any
- Cross-site cookies
- Device fingerprinting
- Browser history outside opslight.app
- Payment/credit-card information (during pilot — the Service is free)
3. How we use it
- Provide the Service — receive your customers' messages, classify them with AI, store them in your Google Sheet, alert you when urgent.
- Send you transactional emails — welcome email at signup, urgent-intake alerts, daily portfolio digest if you opt in.
- Operate and improve the platform — aggregate, anonymized metrics on classification accuracy, response time, and reliability. Never tied to an identifiable individual.
We do not:
- Use your data or your customers' data to train AI models (Anthropic's API has zero-retention defaults for API customers; we don't enroll in training programs).
- Sell your data to anyone.
- Use your data to advertise to your customers.
- Share your data with anyone other than the subprocessors below, except as required by law.
4. Subprocessors (who we share with)
To operate the Service, we rely on the following service providers ("subprocessors"). They receive only the data necessary to perform their specific function and are contractually bound to use it solely for that purpose.
| Subprocessor | What they do | Data location |
|---|---|---|
| Cloudflare, Inc. | Hosts opslight.app (Pages + Workers), DNS, Email Routing for @opslight.app addresses, Turnstile anti-spam, KV storage for client registry |
US |
| Anthropic, PBC | AI classification (Claude API) — processes the text content of each inbound customer message to assign urgency, intent, and trade category | US |
| Google LLC | Google Sheets API — stores your classified intake records in a Sheet you own and we have Editor access to | US |
| Brevo (Sendinblue) | Outbound email for internal daily digest and operator replies | EU (France) |
| Postmark (ActiveCampaign) | Outbound transactional email for client-facing communications (welcome, SOWs, invoices, status) | US |
| Twilio, Inc. (when you opt into SMS/voicemail intake) | Receives voicemail and SMS from your customers; transcribes voicemail; sends owner-alert SMS | US |
We will update this list before adding any new subprocessor that handles your data, with at least 14 days' notice.
5. How long we keep it
- Your account record (business name, owner email, phone) — for as long as your account is active, then 30 days after termination for billing/wind-down purposes
- Classified intake records in your Google Sheet — for as long as you keep the Sheet; you control deletion
- Raw inbound emails/voicemails on Cloudflare Email Routing / Twilio — 30 days then auto-purged unless promoted to a classified intake
- Web-server logs — ~30 days, rolling
- Turnstile tokens — ~7 days (Cloudflare-managed)
6. Your rights
As a California resident (or under any other applicable privacy law), you have the right to:
- Access — get a copy of all the personal information we have about you. Email altin@opslight.app with subject "Privacy: Access request" and we'll respond within 30 days.
- Correct — fix anything that's wrong. Most fields you can update yourself from the dashboard; for others, email us.
- Delete — terminate your account and have us delete all personal information (see Terms § 13).
- Export — download your data as a CSV from the dashboard.
- Opt out of "sale" — we don't sell personal information, so there's nothing to opt out of, but the right exists if our practices change.
To exercise any of these, email altin@opslight.app.
7. Children's privacy
The Service is not directed at children under 13, and we do not knowingly collect personal information from anyone under 13. If you believe we have inadvertently done so, email us and we'll delete it.
8. Cookies and tracking
opslight.app uses minimal cookies and no third-party advertising trackers. Specifically:
- Cloudflare session cookies — strictly necessary for the site to function (CDN, security)
- Cloudflare Turnstile — anti-spam, set only when you submit the /onboard form
- Cloudflare Web Analytics — aggregate page-view counts, does not use cookies, no PII
That's the entire list. No Google Analytics, no Meta Pixel, no advertising retargeting. You don't need a cookie banner to accept anything on opslight.app — there's nothing optional to accept.
9. Security
We use industry-standard security practices, including:
- TLS 1.2+ encryption for all data in transit
- Encrypted storage on Cloudflare Workers + Google Drive
- API authentication on all internal endpoints (token-gated)
- DKIM + SPF + Return-Path authentication on all outbound email
- Cloudflare Email Routing for inbound (no inbox plaintext storage on third-party servers)
No system is 100% secure. If we discover a breach affecting your data, we will notify you within 72 hours of discovery and tell you what was affected and what we're doing about it.
10. International transfers
OpsLight is operated from the United States. Your data is processed primarily in the US (Cloudflare, Anthropic, Google, Postmark, Twilio). Brevo processes data in the EU (France) and may transfer it to the US under standard contractual clauses. If you are located outside the US, you consent to your data being transferred to and processed in the US by your use of the Service.
11. Changes to this policy
We may update this Privacy Policy. Material changes will be announced by email to the address on file at least 14 days before they take effect. The "Effective date" at the top of this page indicates the current version.
12. Contact us
Privacy questions or requests:
- Email: altin@opslight.app
- Mail: OpsLight, c/o Altin Sallaku, 311 Mainsail Ct, Foster City, CA 94404, USA
See also: Terms of Service · Contact us