Privacy Policy
1. Controller
The data controller is Foighne Ventures Limited, Dublin, Ireland (company no. 738028), trading as Opsidion. Privacy contact: [email protected].
2. What we process and why
| Data | Purpose | Lawful basis (Art. 6 GDPR) |
|---|---|---|
| Stripe account data read via OAuth with your authorization: account profile (name, country, business website, account email, verification status), charges, disputes, refunds, Radar signals (including IP geolocation of reviewed payments) | Generating the report you purchased | Performance of a contract (6(1)(b)) |
| Your email address (prefilled from your Stripe profile or entered by you) | Delivering your report as a PDF when you request it | Performance of a contract (6(1)(b)) |
| Payment records (Stripe account ID, checkout/payment identifiers, amount, time) | Granting access to purchased reports, processing refunds, accounting | Contract (6(1)(b)); legal obligation (6(1)(c)) for tax records |
| Session data (a signed random session ID cookie, your OAuth access token stored server-side) | Keeping you signed in securely | Contract (6(1)(b)); legitimate interests (6(1)(f)) in service security |
| Technical logs (timestamps, request outcomes, errors) | Security, abuse prevention, debugging | Legitimate interests (6(1)(f)) |
Your Stripe data may include personal data of your customers (e.g. card country, dispute details). We process it solely to produce your report, immediately and transiently — see retention below.
3. What we do NOT do
- No advertising, tracking, or analytics cookies. The only cookie is the strictly necessary session cookie — which is why you don't see a cookie banner.
- We never sell or share personal data for marketing.
- We never receive or store your card number; payment is handled by Stripe Checkout.
- Reports do not produce legal effects by automated means — they are informational analyses that you choose how to act on (no Art. 22 automated decision-making).
4. Retention
- Report data: reports are generated on demand from Stripe's API and returned to you; the underlying Stripe data is not retained after generation. PDF copies exist only in the download/email we send you.
- Sessions & OAuth tokens: deleted after 7 days of inactivity, on disconnect, or immediately when you revoke access in Stripe.
- Payment records: kept 6 years as required by Irish tax law.
- Logs: kept up to 90 days.
5. Recipients & processors
We use a small number of processors under Art. 28 agreements: Stripe (payments and the API you authorize), our hosting provider, and our email delivery provider (only when you request an emailed report). We disclose data if legally required.
6. International transfers
Stripe, Inc. is a US company; transfers to it rely on the EU–US Data Privacy Framework and/or Standard Contractual Clauses. Where any other processor is outside the EEA, we use SCCs or an adequacy decision.
7. Your rights
Under GDPR you may request access, rectification, erasure, restriction, portability, and object to processing based on legitimate interests. Write to [email protected]; we respond within one month. You may also lodge a complaint with the Irish supervisory authority: the Data Protection Commission, 21 Fitzwilliam Square South, Dublin 2, D02 RD28 (dataprotection.ie), or your local EU supervisory authority.
8. Security
OAuth tokens are held server-side only (never in your browser), session cookies are signed and HttpOnly, access is payment-gated per account, and we operate least-privilege read-only use of your Stripe data. Report a security concern to [email protected].
9. Changes
We'll post any changes here with a new effective date. Material changes will be flagged in the app.