GDPR Notice
Last Updated: March 21, 2026
- 1. What is GDPR?
- 2. Key GDPR Principles
- 2.1 Lawfulness, Fairness, and Transparency
- 2.2 Purpose Limitation
- 2.3 Data Minimization
- 2.4 Accuracy
- 2.5 Storage Limitation
- 2.6 Integrity and Confidentiality
- 2.7 Accountability
- 3. Data Subject Rights
- 3.1 Right to Access
- 3.2 Right to Rectification
- 3.3 Right to Erasure
- 3.4 Right to Restriction of Processing
- 3.5 Right to Data Portability
- 3.6 Right to Object
- 3.7 Right to Withdraw Consent
- 4. Our GDPR Compliance Measures
- 4.1 Data Protection Responsibilities
- 4.2 Data Processing Agreements
- 4.3 Data Protection Impact Assessments (DPIAs)
- 4.4 Security Measures
- 4.5 Training and Awareness
- 5. International Data Transfers
- 6. Data Breach Notification
- 7. Data Processing for Fraud Prevention
- 8. EU Representative
- 9. Supervisory Authority
- 10. Automated Risk Scoring and Decision Responsibility
- 11. Contact Us
At Opportify, we take your privacy seriously and are committed to complying with the General Data Protection Regulation (GDPR). This page outlines our legal obligations and positioning regarding GDPR, ensuring transparency in how we handle personal data.
This page provides a general overview of how Opportify approaches GDPR compliance and data protection. Detailed information about how Opportify collects and processes personal data can be found in our Privacy Policy.
For information about cookies and tracking technologies used on our website, see our Cookie Notice.
1. What is GDPR?
The General Data Protection Regulation (GDPR) is a comprehensive data protection law that came into effect on May 25, 2018. It aims to protect the personal data of individuals within the European Union (EU) and the European Economic Area (EEA) and regulates how organizations collect, store, process, and share that data.
2. Key GDPR Principles
2.1 Lawfulness, Fairness, and Transparency
We process personal data lawfully, fairly, and transparently, ensuring that individuals are aware of how their data is being used.
2.2 Purpose Limitation
We collect personal data for specified, explicit, and legitimate purposes and do not process it in a manner that is incompatible with those purposes.
2.3 Data Minimization
We collect only the personal data that is necessary for the purposes for which it is processed, ensuring data adequacy and relevance.
2.4 Accuracy
We take reasonable steps to ensure that personal data is accurate and, where necessary, kept up to date.
2.5 Storage Limitation
We retain personal data only for as long as necessary to fulfill the purposes for which it was collected, in accordance with our data retention policies.
2.6 Integrity and Confidentiality
We process personal data in a manner that ensures appropriate security, including protection against unauthorized or unlawful processing and accidental loss, destruction, or damage.
2.7 Accountability
We are responsible for complying with GDPR principles and can demonstrate our compliance through comprehensive documentation and procedures.
3. Data Subject Rights
Under the GDPR, individuals have specific rights regarding their personal data:
3.1 Right to Access
You have the right to request access to your personal data and obtain information about how we process it.
3.2 Right to Rectification
You have the right to request correction of any inaccurate or incomplete personal data we hold about you.
3.3 Right to Erasure
You have the right to request the deletion of your personal data under certain conditions, such as when the data is no longer necessary for the purposes for which it was collected.
3.4 Right to Restriction of Processing
You have the right to request the restriction of the processing of your personal data in specific circumstances.
3.5 Right to Data Portability
You have the right to receive your personal data in a structured, commonly used, and machine-readable format and to transmit that data to another controller.
3.6 Right to Object
You have the right to object to the processing of your personal data based on legitimate interests or for direct marketing purposes.
3.7 Right to Withdraw Consent
If you have given consent for the processing of your personal data, you have the right to withdraw your consent at any time.
These rights may be subject to limitations under applicable law depending on the context of the data processing.
To exercise any of these rights, please contact us at legal@opportify.ai.
4. Our GDPR Compliance Measures
4.1 Data Protection Responsibilities
Opportify maintains internal privacy and data protection responsibilities to oversee compliance with applicable data protection laws, including the GDPR.
4.2 Data Processing Agreements
Opportify enters into Data Processing Agreements (DPAs) with service providers and partners where required under applicable data protection law.
4.3 Data Protection Impact Assessments (DPIAs)
Opportify may conduct Data Protection Impact Assessments (DPIAs) where processing activities present elevated privacy risks.
4.4 Security Measures
Opportify implements appropriate technical and organizational measures consistent with industry standards to protect personal data.
4.5 Training and Awareness
We provide regular training and awareness programs for our employees to ensure they understand their responsibilities under GDPR and follow best practices for data protection.
5. International Data Transfers
Transfers of personal data from the EU/EEA to the United States are safeguarded using Standard Contractual Clauses (SCCs) where required.
6. Data Breach Notification
In the event of a data breach that may pose a risk to individuals' rights and freedoms, we will notify the relevant supervisory authority within 72 hours and inform affected data subjects without undue delay.
7. Data Processing for Fraud Prevention (Processor Role)
When Opportify provides Fraud Protection services to its business customers (data controllers), Opportify acts as a data processor. In this capacity:
- Legal Basis: The legal basis for processing end-user behavioral and identifier data for fraud prevention is the legitimate interests of the data controller (our customer) in preventing fraud, subject to the data controller's own legal basis assessment.
- Data Processing Agreement: Business customers using Fraud Protection may request a Data Processing Agreement (DPA) by contacting privacy@opportify.ai. Our DPA includes standard contractual clauses for cross-border transfers where applicable.
- Sub-processors: Opportify uses Amazon Web Services (AWS) as its primary infrastructure sub-processor. A complete and current list of Opportify's sub-processors is available at opportify.ai/legal/sub-processors.
- Data Subject Rights: Individuals whose data was processed for fraud prevention purposes may contact the website operator (data controller) to exercise their rights. Opportify will support data controllers in fulfilling data subject requests.
- Data Retention (Processor): Fraud analysis results are retained for 120 days by default (configurable by the customer via the client dashboard). Raw behavioral signals are not stored beyond the analysis session.
- Cross-Border Transfers: Data is processed in the United States on AWS infrastructure. Cross-border transfers from the EU/EEA to the United States are covered by Standard Contractual Clauses where required.
8. EU Representative
Opportify, Inc. is not established in the European Union or the European Economic Area.
Opportify primarily provides services to businesses and processes personal data in the context of business-to-business relationships.
When Opportify provides Fraud Protection or other services to business customers, those customers act as the data controllers under GDPR. Opportify acts as a data processor and processes personal data only in accordance with the instructions of the data controller.
Opportify has assessed its processing activities and, on the basis that it primarily processes personal data in the context of B2B services where its business customers act as data controllers, and does not directly target EU consumers, has determined that a representative under Article 27 is not currently required. Opportify monitors its processing activities and will reassess this position as its services and customer base evolve.
9. Supervisory Authority
Individuals located in the European Union have the right to lodge a complaint with their local data protection authority if they believe their personal data has been processed in violation of applicable data protection laws.
10. Automated Risk Scoring and Decision Responsibility
Opportify provides fraud risk indicators and risk scores generated through automated analysis of device, network, and behavioral signals.
These scores are provided solely as informational indicators to assist Opportify's business customers in identifying potentially fraudulent activity. Opportify does not take enforcement actions, block transactions, approve or deny access, or otherwise make decisions affecting individuals.
All operational decisions based on risk scores — including whether to allow, deny, review, or investigate a transaction or user activity — are made solely by the customer using their own systems and policies.
Opportify does not act as a payment processor, financial intermediary, or transaction decision authority. The services provided by Opportify are limited to risk analysis and fraud detection signals supplied to customers for their own evaluation and decision-making.
Accordingly, Opportify's services are not intended to constitute automated decision-making producing legal or similarly significant effects on individuals within the meaning of Article 22 of the GDPR.
11. Contact Us
For any questions or concerns, Opportify, Inc. can be contacted at:
Address: Opportify, Inc., a Delaware corporation, 2093 Philadelphia Pike, Unit 1183, Claymont, DE 19703, United States
Email: legal@opportify.ai
Thank you for using Opportify. We are committed to providing you with high-quality, secure, and innovative AI-driven SaaS solutions.