GDPR Compliance

Opendio is committed to protecting the personal data of individuals in the European Economic Area (EEA) and United Kingdom (UK) in accordance with the General Data Protection Regulation (EU 2016/679) ("GDPR") and the UK GDPR. This page explains how we comply with GDPR requirements and outlines your rights as a data subject.

Opendio, Inc. is the data controller responsible for your personal data. You can reach our Data Protection Officer at:

• Email: dpo@opendio.com
• Address: Opendio, Inc.

We process your personal data only when we have a valid legal basis under Article 6 of the GDPR:

• Contractual Necessity (Art. 6(1)(b)): Processing needed to provide the Service — account creation, Open-To state publishing, AI matching, marketplace transactions, inquiry handling, and notifications.
• Legitimate Interests (Art. 6(1)(f)): Analytics and platform improvement, fraud detection and security, enforcing our Terms of Service, and maintaining platform integrity. We conduct balancing tests to ensure our interests do not override your rights.
• Consent (Art. 6(1)(a)): Marketing emails, non-essential cookies and tracking, and optional profile enhancements. You may withdraw consent at any time without affecting the lawfulness of prior processing.
• Legal Obligation (Art. 6(1)(c)): Tax record retention, responding to lawful government requests, and compliance with applicable regulations.

As a data subject in the EEA/UK, you have the following rights:

You can exercise your rights by:

• Using the privacy controls in your account dashboard (Settings → Privacy)
• Emailing our Data Protection Officer at dpo@opendio.com
• Using the "Export my data" feature in Settings

We will respond to your request within 30 days. If the request is complex or we receive many requests, we may extend this period by up to 60 additional days, in which case we will inform you of the extension and the reasons within the initial 30-day period.

We may ask you to verify your identity before processing your request to protect your data from unauthorized access.

For a comprehensive list of the personal data we collect and process, please refer to Section 2 of our Privacy Policy. In summary, this includes:

• Account and profile information
• Open-To States and marketplace activity
• Inquiry and messaging data
• Usage data and analytics
• Device and log data
• Data from third-party OAuth providers

We retain personal data only for as long as necessary to fulfill the purposes for which it was collected:

• Active accounts: Data retained for the duration of account activity.
• Deleted accounts: Personal data deleted or anonymized within 30 days. Backups purged within 90 days.
• Transaction records: Retained for up to 7 years as required by tax and financial regulations.
• Security logs: Retained for up to 12 months for fraud prevention and security.

Opendio is based in the United States. When we transfer personal data outside the EEA/UK, we ensure adequate protection through:

• Standard Contractual Clauses (SCCs): EU-approved contractual safeguards with all sub-processors.
• Adequacy Decisions: Transfers to countries recognized by the European Commission as providing adequate data protection.
• Technical Safeguards: Encryption in transit (TLS 1.3) and at rest (AES-256), access controls, and regular security assessments.

We engage the following categories of sub-processors to help deliver the Service:

• Cloud Infrastructure: Vercel (hosting), Supabase (database and auth)
• Analytics: Vercel Analytics
• Payment Processing: Stripe
• Email: Transactional email provider

All sub-processors are bound by Data Processing Agreements (DPAs) that include GDPR obligations. A complete list of sub-processors is available upon request to dpo@opendio.com.

We conduct Data Protection Impact Assessments (DPIAs) for processing activities that are likely to result in a high risk to individuals, including:

• AI-powered matching based on user profiles and Open-To States
• Large-scale processing of user behavior data for analytics
• New features that involve novel types of data processing

In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will:

• Notify the relevant supervisory authority within 72 hours of becoming aware
• Notify affected data subjects without undue delay if the breach is high-risk
• Document all breaches, including facts, effects, and remedial actions taken

For any GDPR-related inquiries, please contact our Data Protection Officer:

• Email: dpo@opendio.com
• General Privacy: privacy@opendio.com
• Address: Opendio, Inc.