Privacy Policy

1. Who We Are OPDigits is the data controller for personal data collected through the OPDigits website and our SaaS products (FB Lookup, Comments Exporter, OPDigits CRM, and any future agency tooling). You can reach our privacy team at privacy@opdigits.com. 2. What We Collect • Account data — full name, email, phone, country, company, password hash, plan, expiry date, last login timestamp. • Billing data — invoice line items, payment method metadata (we never store full card numbers; those live with our gateway), Egyptian receipt uploads. • Usage logs — search counts, ID lookup counts, successful match counts, export volumes per account. Used for quota enforcement and product analytics. • SaaS workload data — for the CRM, the contact records and notes you upload; for the Comments Exporter, the comment payloads you choose to capture; for FB Lookup, the FBIDs you submit in each query. • Inbound forms — contact, careers, and job-application form submissions including any CV/portfolio links you attach. • Cookies — a Sanctum session cookie (named opdigits_session) and an XSRF token; an opdigits-theme preference cookie/localStorage value. No third-party advertising cookies are set on the marketing site. 3. How Data from Meta-Facing Tools Is Handled FB Lookup and the Comments Exporter operate against Meta-owned surfaces. We treat data extracted through them with extra care: • Submitted FBIDs are matched in-memory against our licensed phone-database and only the resulting (FBID → phone) pairs you exported are stored on your account history for re-download. • We do not enrich, profile, sell, or share FBIDs or matched phone numbers with any third party. We do not run ads, data-broker resale, or affiliate trackers on top of this data. • Comments extracted via the Chrome extension are streamed through our pipeline solely so you can export them. We retain the raw extracted content only for 30 days for support / re-export, after which it is purged. • You confirm at registration that you will use matched data lawfully, with appropriate consent under PDPL (Egypt), GDPR (EU), and any applicable national telemarketing rules. 4. How CRM Data Is Protected For customers using the OPDigits CRM, the contact records, deals, notes, and files you upload remain your property and are stored in an isolated tenant scope. We encrypt data in transit (TLS 1.2+) and at rest (AES-256 on the database volume). Only authorised OPDigits engineers can access production data, gated by SSO + MFA and time-bound break-glass logging. We do not access your CRM workspace for any purpose other than support, fraud / abuse investigation, or where compelled by law. 5. Why We Process Your Data (Lawful Bases) • Contract — to provide the service you signed up for, enforce quotas, and bill you. • Legitimate interest — product analytics, fraud detection, security telemetry, internal abuse monitoring. • Consent — marketing emails (you can opt out at any time via the link in every email). • Legal obligation — tax records, responding to lawful authority requests. 6. Sharing We share data only with sub-processors that are contractually bound to GDPR-equivalent standards: our cloud provider, our payment gateways (LemonSqueezy, InstaPay, Vodafone Cash), our transactional email provider, and the WhatsApp messaging daemon (OpenWA) used for OTPs when enabled. We do not sell personal data. We do not run advertising on the marketing site. 7. Retention Account data is kept while your account is active and for 12 months after deletion (for billing & compliance records). Usage logs are kept for 24 months in aggregated form. CRM customer data is purged within 30 days of confirmed workspace deletion. Comment-extractor raw payloads are purged after 30 days. Job applications are kept for 12 months unless you ask us to delete sooner. 8. Your Rights You can request access, rectification, deletion, export (data portability), or restriction of processing of your personal data by emailing privacy@opdigits.com. We will respond within 30 days. If you believe we have mishandled your data, you may complain to your local data-protection authority — in Egypt, the Personal Data Protection Centre. 9. International Transfers Our infrastructure may process data outside your home country (typically EU or US regions). Where applicable, transfers are protected by Standard Contractual Clauses or an equivalent safeguard. 10. Security & Breach Notification We maintain reasonable technical and organisational measures (encrypted backups, role-based access, audit logging, dependency scanning, principle-of-least-privilege admin accounts). If a personal-data breach occurs that is likely to materially affect you, we will notify you and the relevant authority within 72 hours of becoming aware. 11. Children Our services are not directed at children under 16. If you believe a minor has created an account, contact us and we will delete it. 12. Updates We may update this Policy; the "Last updated" date at the top reflects the current version. Material changes will be announced via email or an in-app notice.