Privacy Policy
Last updated: 18 April 2026
This policy explains how Opmore AB (“Opmore”, “we”, “us”) collects, uses, and protects personal data when you use our website, sales diagnostic platform, and associated services. It is written to comply with the EU General Data Protection Regulation (GDPR) and Swedish data protection law.
If you have any questions, email mo@opmore.io.
1. Who we are
Opmore AB, a Swedish limited company. The data controller for all processing described below is Opmore AB. Contact: mo@opmore.io.
2. What data we collect
Data you give us directly
- Account data: your email address, password (stored as a bcrypt hash, never in plaintext), and the list of client playbooks you have access to.
- Questionnaire and workshop submissions: the answers you provide when filling out an OPTICS diagnostic, a discovery questionnaire, or a workshop registration. This typically includes your name, email, company, website, LinkedIn URL, and free-text answers about your sales process.
- Playbook content: any text you write into your playbook pages, including fields you edit inline.
- Integration credentials: if you connect Google Workspace, we store an OAuth refresh token so we can read your Gmail and Calendar on your behalf. If you connect Attio, we store your API key. These credentials live in our database and are used only to fulfill your requests.
- MCP connection data: if you connect an MCP client (Claude Desktop, Cursor, etc.) to your playbook, we store the access token we issue, the client name, and a log of write actions taken through that connection.
Data we collect automatically
- Session cookies: a NextAuth session cookie that keeps you signed in. See our Cookie Policy.
- Server logs: standard web server logs (IP address, user agent, request path, timestamp) retained for up to 30 days for security and debugging.
Data we do NOT collect
- We do not run analytics tools (no Google Analytics, no PostHog, no Plausible).
- We do not use tracking pixels or advertising cookies.
- We do not sell your data to anyone. Ever.
3. Why we process your data (legal basis)
| Purpose | Legal basis |
|---|---|
| Delivering the sales diagnostic and playbook features you asked for | Contract (Art. 6(1)(b) GDPR) |
| Reading your Gmail/Calendar or CRM data to generate AI insights you requested | Contract + your explicit OAuth consent |
| Sending essential account emails (invites, password resets) | Contract |
| Investigating fraud, abuse, and security incidents | Legitimate interest (Art. 6(1)(f)) |
| Complying with Swedish accounting and tax law | Legal obligation (Art. 6(1)(c)) |
4. Who we share data with (sub-processors)
We use a small set of third parties to operate Opmore. All of them are bound by data processing agreements or equivalent terms. We share only what each one needs to do its job.
| Sub-processor | Purpose | Location |
|---|---|---|
| Hostup AB | VPS hosting (Coolify server where the application runs) | Älvsjö, Sweden (EU) |
| Turso | Database hosting (playbook content, user accounts, MCP tokens) | AWS eu-west-1 (Ireland, EU) |
| Resend | Transactional email delivery (invites, password resets) | United States |
| Google | OAuth sign-in; reading Gmail and Google Calendar data on your behalf when you connect those integrations | United States + global |
| Attio | Reading your CRM data when you connect the Attio integration | United Kingdom / United States |
| MiniMax | Large language model processing for chat responses and playbook suggestions. Playbook content and the most recent messages of your chat conversations are sent to MiniMax's API to produce the response shown to you. | Shanghai, China |
| Anthropic | Fallback large language model provider. Used when MiniMax is unavailable or when an integration requires Anthropic-compatible features. | United States |
International data transfers
Some sub-processors (Resend, Google, Attio, Anthropic, MiniMax) are located outside the EEA. Where transfers to third countries occur, we rely on the following safeguards where applicable:
- Adequacy decisions (e.g. the EU–US Data Privacy Framework) for transfers to Anthropic, Resend, and Google where those providers are certified.
- EU Standard Contractual Clauses (SCCs) for other US and UK transfers.
- For MiniMax (China): we rely on EU Standard Contractual Clauses and additional contractual safeguards. Data transfers to mainland China are subject to Chinese law (including the PRC Cybersecurity Law and the Data Security Law). If this is unacceptable for your use case, please contact us — we can route chat processing through a different provider on request.
5. How long we keep data (retention)
| Data type | Retention |
|---|---|
| Active customer account data, playbook content, connected integrations | While your account is active |
| Data after account cancellation | 90 days, then permanently deleted |
| Workshop submission forms | Until you request deletion |
| Discovery questionnaire submissions | Until you request deletion |
| MCP tool-call audit logs | 90 days (longer if referenced in an active security investigation) |
| Transactional email logs (Resend) | Up to 30 days (Resend's retention) |
| Server access logs | Up to 30 days |
| Invoices and accounting records | 7 years (required by Swedish Bokföringslagen) |
6. Your rights under GDPR
You have the right to:
- Access the personal data we hold about you.
- Correct inaccurate or incomplete data.
- Erasure (“right to be forgotten”) — request deletion of your data. We will comply unless we are legally required to retain it (e.g. invoices).
- Portability — receive your data in a machine-readable format.
- Restriction — ask us to pause processing while we resolve an issue.
- Object — to processing based on legitimate interest.
- Withdraw consent at any time, where consent is the legal basis (e.g. by disconnecting a Google integration).
- Lodge a complaint with the Swedish Authority for Privacy Protection (Integritetsskyddsmyndigheten, IMY) at imy.se.
To exercise any of these rights, email mo@opmore.io. We will respond within 30 days.
7. Security
We use standard security practices: TLS on all traffic, bcrypt for password hashing, server-side-only storage of OAuth tokens, short-lived access tokens for MCP connections, rate limits on authentication endpoints, and principle-of-least-privilege access controls. Full encryption-at-rest for integration credentials is on our roadmap.
No online service is perfectly secure. If you discover a vulnerability, please report it to mo@opmore.io.
8. AI-specific notes
When you use chat, suggestions, or the MCP integration, parts of your playbook content, CRM excerpts, and email excerpts may be sent to a large language model provider (MiniMax or Anthropic) to generate the response you requested. Contents of individual tool calls are sent only when needed to answer a specific question and are not used to train models (neither MiniMax nor Anthropic trains on API data by default).
9. Children
Opmore is a B2B product for founders and sales teams. We do not knowingly collect data from anyone under 13 (the digital age of consent under Swedish law implementing GDPR Article 8). If we learn we have, we will delete it.
10. Cookies
Opmore uses a single cookie: a NextAuth session cookie (__Secure-authjs.session-token in production, authjs.session-token in local development), which keeps you signed in while you use the site. This cookie is:
- Strictly necessary for the site to function — you cannot stay logged in without it.
- First-party only — set by opmore.io, never read by third parties.
- HttpOnly and Secure in production — not accessible to JavaScript and only transmitted over HTTPS.
- Lifetime: 30 days by default, or until you sign out.
Because this cookie is strictly necessary, no consent banner is required under the EU ePrivacy Directive. We do not use analytics, advertising, tracking, or any other non-essential cookies.
If you clear your browser cookies, you will be signed out and will need to log in again.
11. Changes to this policy
When we make material changes, we will update the “Last updated” date at the top and, if the change is significant, notify account holders by email.