The data controller for your personal data is:
As the data controller, Opedd determines the purposes and means of processing your personal data. If you have any questions about how we handle your data, please contact us using the details above.
Opedd is registered with the Information Commissioner's Office (ICO) in the United Kingdom. Our ICO registration number is [ICO REGISTRATION NUMBER — to be added upon registration].
We collect different data depending on whether you are a Publisher, a Buyer, or simply visiting our website.
When you create a Publisher account, we collect:
| Data | Why we collect it |
|---|---|
| Email address | Account authentication, system notifications, transactional emails |
| Name (optional) | Personalisation, displayed on your publisher profile |
| Website URL | Publisher profile and domain verification for content sources |
| Password (hashed) | Account security — stored as a one-way hash, never in plain text |
| Stripe account details | Payment processing — handled by Stripe, not stored by Opedd |
| API keys | Programmatic access to your publisher account |
| IP address and login timestamps | Security, fraud detection, and audit logging |
| Content metadata (article titles, URLs, descriptions) | Core platform functionality — displaying and licensing your content |
| Webhook URLs and secrets | Delivering license event notifications to your systems |
When you purchase a License, we collect:
| Data | Why we collect it |
|---|---|
| Email address | Delivering your license key, certificate, and Handshake Email |
| Name (optional) | Included in your license certificate and Handshake Email |
| Organisation name (optional) | Included in your license certificate |
| Intended use (optional) | Recorded in the license ledger for transparency |
| Payment information | Processed entirely by Stripe — Opedd does not store card data |
| Stripe payment intent ID | Transaction record, idempotency, and dispute resolution |
| IP address | Fraud prevention and rate limiting |
| License key and transaction metadata | Immutable license ledger, verification, and audit trail |
When you visit opedd.com without creating an account, we collect limited data:
| Data | Why we collect it |
|---|---|
| IP address | Security and server logging |
| Browser type and version | Ensuring the site works correctly across browsers |
| Pages visited and timestamps | Understanding how visitors use our website |
| Referrer URL | Understanding how visitors find us |
Opedd does not collect:
Under UK GDPR, we must have a lawful basis for each type of processing. Here is how this applies to our activities:
| Processing Activity | Legal Basis |
|---|---|
| Creating and managing your account | Contract (Art. 6(1)(b)) — necessary to perform the services you've requested |
| Issuing license keys and delivering Handshake Emails | Contract (Art. 6(1)(b)) — core service delivery |
| Processing payments via Stripe | Contract (Art. 6(1)(b)) — necessary to fulfil the transaction |
| Sending transactional emails (license confirmations, password resets, import completions) | Contract (Art. 6(1)(b)) — part of delivering the service |
| Maintaining the immutable license ledger | Legitimate interests (Art. 6(1)(f)) — integrity of the licensing record; Legal obligation (Art. 6(1)(c)) — financial record-keeping |
| Fraud detection and rate limiting | Legitimate interests (Art. 6(1)(f)) — protecting the Platform and users from abuse |
| Error monitoring and logging (Sentry) | Legitimate interests (Art. 6(1)(f)) — maintaining service reliability |
| Sending product and marketing emails | Consent (Art. 6(1)(a)) — only sent where you have opted in |
| Retaining financial records | Legal obligation (Art. 6(1)(c)) — HMRC requirements; typically 7 years |
| Improving the Platform | Legitimate interests (Art. 6(1)(f)) — aggregated, anonymised usage data only |
Where we rely on legitimate interests, we have assessed that our interests do not override your fundamental rights and freedoms. You have the right to object to processing carried out on the basis of legitimate interests — see Section 10.
In addition to the specific purposes described above, we use your data to:
We do not use your personal data for automated decision-making that produces legal or similarly significant effects without human review.
We do not sell your personal data to third parties. We do not use your data for targeted advertising.
We retain your personal data for as long as necessary for the purposes for which it was collected, or as required by law.
| Data Type | Retention Period |
|---|---|
| Publisher account data (email, name, settings) | Duration of account + 30 days after closure |
| License transaction records | 7 years (legal/tax obligation under UK law) |
| License event ledger | Indefinite — immutable audit log |
| Payment records (Stripe references, amounts) | 7 years (legal/tax obligation) |
| Error logs (Sentry) | 90 days |
| Server access logs | 30 days |
| Email delivery logs (Resend) | 30 days |
| Webhook delivery logs | 90 days |
| Rate limit records | 24 hours (rolling window) |
| Blockchain records | Permanent — see Section 8 |
When data is no longer needed and retention periods have expired, we delete or anonymise it securely. Where technical constraints require a delay, data is restricted from active processing until deletion occurs.
Opedd does not sell your personal data. We share data only with the following categories of trusted third-party processors, under contractual obligations that protect your data:
| Processor | Purpose | Country |
|---|---|---|
| Stripe, Inc. | Payment processing, Stripe Connect payouts, subscription billing. Stripe processes card data directly — we share transaction amounts, buyer email, and Stripe session IDs. | USA |
| Supabase, Inc. | Database hosting and authentication. All platform data (accounts, licenses, transactions, events) is stored in Supabase. Our database is hosted in the EU (West) region. | USA (EU-hosted data) |
| Resend, Inc. | Transactional email delivery. We share email addresses and email content (license keys, certificates) with Resend to deliver emails on our behalf. | USA (EU region) |
| Sentry (Functional Software, Inc.) | Error monitoring and crash reporting. Sentry may receive limited contextual data (e.g. anonymised request metadata) when errors occur. Our Sentry instance is hosted in the EU. | USA (EU-hosted) |
| BetterStack, Inc. | Uptime monitoring and status page. Receives endpoint availability signals; no personal data is shared. | USA |
| Vercel, Inc. | Hosting of the Opedd frontend application and static sites (docs, legal pages). Receives standard HTTP request metadata. | USA |
| Base (Coinbase) | Public blockchain network. License registration data (hashed license key, article ID, license type, timestamp) is written to the public Base blockchain. See Section 8. | Decentralised |
We may also disclose personal data to:
Some of our third-party processors are based in the United States. When we transfer personal data outside the UK, we ensure appropriate safeguards are in place:
You may request details of the specific transfer mechanisms we have in place by emailing privacy@opedd.com.
When a license is issued, Opedd optionally registers it on the Base blockchain via a public smart contract. This creates a permanent, publicly viewable record.
The following data is written to the blockchain:
No personal data — no name, email address, or organisation — is written to the blockchain.
By its technical nature, data written to a public blockchain cannot be modified or deleted. This means that if you request erasure of your personal data under Article 17 UK GDPR, Opedd can delete all personal data held in its databases, but cannot delete on-chain records.
We mitigate this by ensuring no directly identifiable personal data is written to the blockchain. The on-chain record is limited to identifiers that are not, by themselves, personal data.
By using Opedd and having licenses issued through the platform, you acknowledge and accept this limitation.
Opedd's web application uses cookies and similar technologies for the following purposes:
| Cookie / Technology | Purpose | Type |
|---|---|---|
| Authentication session cookie | Keeps you logged in to your Publisher dashboard (set by Supabase Auth) | Strictly necessary |
| CSRF protection token | Prevents cross-site request forgery attacks | Strictly necessary |
| Preference cookies | Remembers your display preferences (e.g. theme) | Functional |
We do not currently use third-party advertising cookies or cross-site tracking cookies. We do not use Google Analytics or similar analytics platforms that track users across websites.
Strictly necessary cookies cannot be disabled as they are required for the service to function. You can manage other cookies through your browser settings, but this may affect the functionality of the Platform.
You have the following rights in relation to your personal data. To exercise any of these rights, contact us at privacy@opedd.com. We will respond within one calendar month of receiving your request.
| Right | What it means |
|---|---|
| Right of access (Art. 15) | You can request a copy of all personal data we hold about you, along with information about how we use it. |
| Right to rectification (Art. 16) | You can ask us to correct inaccurate or incomplete personal data. |
| Right to erasure (Art. 17) | You can ask us to delete your personal data in certain circumstances. Note the blockchain limitation in Section 8. We cannot delete transaction records we are legally required to retain (Section 5). |
| Right to restrict processing (Art. 18) | You can ask us to limit how we use your data in certain circumstances — for example, while we investigate a disputed accuracy claim. |
| Right to data portability (Art. 20) | Where processing is based on contract or consent and carried out by automated means, you can request your data in a structured, machine-readable format. |
| Right to object (Art. 21) | You can object to processing based on legitimate interests. We will stop processing unless we can demonstrate compelling legitimate grounds that override your interests. |
| Right to withdraw consent (Art. 7) | Where processing is based on consent (e.g. marketing emails), you can withdraw consent at any time. This does not affect the lawfulness of processing carried out before withdrawal. |
| Right not to be subject to automated decisions (Art. 22) | You have the right not to be subject to purely automated decisions that have legal or similarly significant effects. Opedd does not engage in such processing. |
Email privacy@opedd.com with the subject line "Data Subject Request" and describe what you are requesting. We may ask you to verify your identity before processing the request. There is no charge for submitting a request.
If you believe we have not handled your personal data in accordance with UK GDPR, you have the right to lodge a complaint with the Information Commissioner's Office (ICO):
We would appreciate the opportunity to address your concerns before you contact the ICO — please reach out to us first.
Opedd is not directed at children under the age of 16. We do not knowingly collect personal data from anyone under 16. If you believe we have inadvertently collected data from a child under 16, please contact us at privacy@opedd.com and we will delete it promptly.
We take security seriously and implement appropriate technical and organisational measures to protect your personal data, including:
No security system is perfect. In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify the ICO within 72 hours of becoming aware and notify affected individuals without undue delay where required.
We may update this Privacy Policy from time to time to reflect changes in our practices, the law, or our services. When we make material changes, we will update the "Last updated" date at the top of this page and, where appropriate, notify you by email.
Your continued use of Opedd after the effective date of any changes constitutes your acceptance of the updated policy.
For all privacy-related enquiries, data subject requests, or concerns:
For complaints to the regulator: