This Privacy Policy explains how Oppalin ("Oppalin", "we", "us", or "our") collects, uses, shares, and protects personal data when you use the Oppalin service at oppalin.com (the "Service").
This Policy is written to be readable. We try to say what we actually do, in plain language, with the legal detail that applicable laws require. Where local law gives you stronger rights than this Policy describes, those rights apply.
Quick summary (not a substitute for the rest of this Policy):
The data controller (under GDPR, UK GDPR, and similar laws) and equivalent operator (under LGPD) is:
Fabio Torlai Pereira. Address: Fernando de Noronha 436, Curitiba – PR, Brazil
For privacy questions, contact: privacy@oppalin.com
If you are in the European Economic Area, the United Kingdom, or another jurisdiction that grants you the right to lodge a complaint with a supervisory authority, you can do so. In Brazil, the relevant authority is the Autoridade Nacional de Proteção de Dados (ANPD).
This Policy applies to personal data we process when you:
It does not cover websites, apps, or services operated by other people, even if you reach them through Boards or links shared on the Service.
We collect only what we need. Here's the full list, organized by source.
Account information. When you create an Account, our identity provider (Clerk) collects your email address, a password (or a third-party login such as Google), and any optional profile information you choose to provide (such as a display name or avatar). Clerk handles this data on our behalf — see Section 6.
Subscription and billing information. If you subscribe to a paid plan or purchase a Founders' Lifetime License, our payment provider (Stripe) collects your payment details directly. We don't store full payment card numbers on our systems. We do receive and store: a Stripe customer ID, the plan you bought, billing dates, the last four digits of the card and its country, and invoice records.
Content. Anything you upload, draw, write, or otherwise add to a Board: images, text, drawings, arrows, links, and similar items. This is stored on our infrastructure for as long as the Board exists.
Communications. If you email us, fill out a form, or send feedback, we keep a record of the communication and our response.
Waitlist signups. If you join a waitlist (such as the Max-tier waitlist), we collect your email address and the date you signed up.
Technical and device data. When you use the Service, we receive: IP address, browser type and version, operating system, device type, screen resolution, language preference, referring URL, and timestamps.
Usage data. We log basic events: pages visited, Boards opened, features used, and errors encountered.
Real-time collaboration data. When you have a Board open with others, we transmit cursor position, selection state, presence, and the changes you make to Board Content. This is short-lived sync data — it's not stored beyond what's needed to keep Collaborators in sync and recover from disconnections.
Cookies and similar technologies. We use cookies and similar storage on your device. See Section 9.
Identity providers. If you sign in with Google (or another third-party login), we receive the data they share with us — typically your email address, name, and profile picture.
Payment providers. Stripe shares the subscription and transaction information described in Section 3.1.
We do not buy personal data from data brokers, and we don't combine your Service activity with data acquired from outside sources for advertising or profiling.
| What we do | Why | Legal basis |
|---|---|---|
| Create and operate your Account | To deliver the Service you signed up for | Contract performance |
| Host, display, and sync Boards and Content | To deliver the Service | Contract performance |
| Process payments and manage Subscriptions | To deliver the paid Service you bought | Contract performance |
| Send transactional emails (security, billing, account changes) | To keep you informed and the Service working | Contract performance / Legal obligation |
| Send service announcements and product updates by email | To keep users informed | Legitimate interest (you can opt out) |
| Detect and prevent fraud, abuse, and security incidents | To protect users and the Service | Legitimate interest / Legal obligation |
| Comply with tax, accounting, and other legal requirements | Legal compliance | Legal obligation |
| Improve and develop the Service (in aggregate or anonymized form) | To make the Service better | Legitimate interest |
| Respond to support requests and inquiries | To help users and resolve issues | Contract performance / Legitimate interest |
| Send marketing emails (newsletters, launch announcements) | To grow the Service | Consent (you can withdraw at any time) |
Private Boards are visible only to you and Collaborators you explicitly invite.
Link-shared Boards are visible to anyone with the link. We can't control who that link is forwarded to.
Public Boards are visible to anyone with the URL and may be indexed by search engines.
When other users contribute Content to a Board you own, you'll see their display name and any avatar they've chosen, alongside the Content they've added.
We share personal data with a small number of providers and parties, only as needed and with appropriate safeguards.
| Provider | What they do | Where they're based |
|---|---|---|
| Cloudflare | Hosting, content delivery, edge compute (Workers), database (D1), object storage (R2) | Global network, with data centers worldwide |
| Clerk | Authentication, account management, session handling | United States |
| Stripe | Payment processing, billing, invoicing | United States, with EU subprocessors |
A current list of subprocessors will be maintained at oppalin.com/subprocessors. We'll provide reasonable notice of material changes.
We may also share personal data with professional advisers (lawyers, accountants, auditors) bound by confidentiality; with authorities where required by law; and in connection with a corporate transaction such as a merger or acquisition.
We do not sell or rent your personal data, and we do not share it for cross-context behavioral advertising.
The Service uses providers and infrastructure in multiple countries. Your personal data may be transferred to, stored in, and processed in countries other than the one you live in — including the United States and the European Union.
Where required, we rely on appropriate safeguards including Standard Contractual Clauses (SCCs) and Brazil-recognized transfer mechanisms under the LGPD. You can ask us for a copy at privacy@oppalin.com.
| Category | Retention |
|---|---|
| Account data | While your Account exists, plus up to 90 days after deletion in backup systems |
| Board Content | While the Board exists; up to 90 days after Board deletion in backup systems |
| Subscription and billing records | At least 5 years after the transaction (Brazilian tax/accounting law) |
| Communications and support records | Up to 3 years after the last communication |
| Real-time collaboration sync data | Short-lived; not retained beyond what's needed to keep Collaborators in sync |
| Server logs (technical and security) | Up to 12 months |
| Waitlist signups | Until you ask to be removed, or until the waitlist purpose ends |
Strictly necessary. To run the Service — for example, to keep you signed in (set by Clerk), remember your preferences, and protect against abuse.
Functional. To remember choices you've made, such as your last opened Board or UI preferences.
Analytics. To understand how the Service is used in aggregate, so we can improve it. If we use analytics that require consent in your jurisdiction, we'll ask for it before setting those cookies.
We don't use advertising cookies, and we don't track you across other websites. You can control cookies through your browser settings.
Whatever jurisdiction applies, you can access, correct, delete, and export the personal data we hold about you. Contact us at privacy@oppalin.com.
You also have the right to restrict processing, object to processing based on legitimate interest, withdraw consent, not be subject to fully automated decisions, and lodge a complaint with your local supervisory authority.
Under LGPD Article 18 you have additional rights including confirming whether we process your data, receiving information about sharing, anonymizing or blocking unnecessary data, and filing a complaint with the ANPD.
California residents have the right to know, delete, correct, and opt out of the sale or sharing of personal information (we do not sell or share it). We won't discriminate against you for exercising these rights.
To exercise any right, email privacy@oppalin.com. We'll respond within the timeframes required by applicable law.
We use TLS for traffic in transit, encryption at rest where provided by our infrastructure, access controls, authentication via Clerk, and payment processing isolated to Stripe. No system is perfectly secure. If you suspect unauthorized access, contact security@oppalin.com.
The Service is not intended for children under 13, and we do not knowingly collect personal data from children under 13. If we learn that we've collected such data, we'll delete it. Contact privacy@oppalin.com if you believe a child has given us personal data.
We may update this Policy from time to time. For material changes, we'll provide at least 30 days' notice by email or in-app notice. Non-material changes (clarifications, typo fixes, subprocessor list updates) take effect when we update the "Last Updated" date.
For privacy-related questions, requests, or complaints: privacy@oppalin.com