Privacy Policy

Introduction

OpsCommon LLC ("we," "our," or "us") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our operations management platform and related services (collectively, the "Service").

Please read this Privacy Policy carefully. By using the Service, you agree to the collection and use of information in accordance with this policy.

Information We Collect

Personal Information

When you create an account or use our Service, we may collect:

• Name and email address
• Profile photo
• Organization name and details
• Authentication credentials (managed by our authentication provider)

Usage Information

We automatically collect certain information when you use the Service:

• Log data (IP address, browser type, pages visited)
• Device information
• Usage patterns and feature interactions
• Product analytics (consent-gated)
  • When you accept analytics via the consent banner, our product analytics provider captures page views and a defined set of product events (for example, creating an operation, creating a task, opening the billing portal, exporting a map to PDF). While signed in, events are linked to your account using your account ID, and your email, name, organization ID, and organization name are sent as profile properties so we can understand product usage at the account and organization level. The analytics provider sets first-party cookies and uses local storage to maintain a session and a distinct ID. If you reject analytics or have not yet decided, the provider operates in an opted-out state and captures nothing.
• Error reports and performance data (consent-gated)
  • When you accept analytics via the consent banner, our error monitoring provider captures error reports, stack traces, breadcrumbs, and performance traces (sampled at 20%). Session replay (a recording of page interactions) is sampled at 5% of sessions and 100% of sessions in which an error occurs to help us reproduce and fix bugs. Automatic collection of IP addresses and cookies by the error monitoring provider is disabled, and API tokens are stripped from all reports before they are sent.

Location Data

When you use mapping features, we process location data including:

• Coordinates you place on maps (markers, routes, polygons, etc.)
• Location searches and geocoding queries (processed by our mapping provider)
• Weather data requests for specific coordinates (processed by our weather data provider)
• Live location broadcasts (when you explicitly enable location sharing)
  • Requires your explicit consent before activation
  • Coordinates are shared with your operation team members in real time
  • Updates are throttled (minimum 10-second intervals, 50-meter movement threshold)
  • Readings with accuracy worse than 100 meters are discarded
  • Location data is automatically deleted after 5 minutes of inactivity
  • You can stop broadcasting at any time, which immediately removes your location data

We do not track your device's GPS location in the background. Location data is only collected when you actively interact with mapping features or explicitly enable location broadcasting.

Weather coordinate requests are proxied through our servers with reduced precision (approximately 1.1km) before reaching our weather data provider (UK-based). Our mapping provider receives your viewport coordinates and search queries for map rendering and geocoding. The mapping provider may log anonymized usage data (tile requests, API calls) for billing and service analytics. We have disabled mapping provider performance telemetry collection.

Voice Communication

When you join a voice room within an operation:

• Requires your explicit voice consent before your microphone is enabled
• Your microphone audio is transmitted in real time to the other participants in the room through our voice infrastructure provider
• Voice audio is not recorded or stored by OpsCommon
• Participant metadata (your name, mute state, connection state) exists only while you are connected and is removed when you disconnect or are disconnected
• You can leave the room or mute your microphone at any time

Content You Provide

We store content you create within the Service, including:

• Operations and their settings
• Tasks, events, and their assignments, schedules, and locations
• Map features (markers, lines, polygons, routes, circles), reference layers, and grid reference graphics
• Labels and feature categories
• Map comments and activity logs
• Team structures and member assignments
• Uploaded icons, files, and attachments

Payment Information

Payment processing is handled entirely by our payment processor. We do not store your credit card numbers, bank account details, or other sensitive payment information on our servers. Our payment processor may collect and process payment information in accordance with their own privacy policy.

How We Use Your Information

We use the information we collect to:

• Provide, maintain, and improve the Service
• Enable real-time map collaboration between organization members
• Process subscription payments and manage billing
• Send notifications and security alerts
• Respond to your questions and support requests
• Monitor and analyze usage trends to improve user experience
• Detect, prevent, and address technical issues and security threats
• Generate audit logs for organizational accountability
• Comply with legal obligations

Third-Party Services

We use third-party service providers to operate the platform. Each processes data according to their own privacy policies. The categories of providers we use include:

• Database and backend infrastructure — All your operational data (operations, map features, teams, etc.) is stored and synchronized through our real-time database provider.
• Authentication and identity management — Handles sign-in, sign-up, session management, and organization membership.
• Payment processing — Handles all financial transactions securely. We do not store payment card details on our servers.
• Map rendering and geocoding — Processes location queries, renders map tiles, and provides terrain data. Map tile requests may be served from global CDN edge nodes (ephemeral, no persistent storage). We have disabled mapping provider performance telemetry.
• Weather data — Weather requests are proxied through our servers with coordinates reduced to approximately 1.1km precision before reaching the provider. The weather provider does not store API request parameters (coordinates).
• Error monitoring (consent-gated) — Collects error reports, stack traces, breadcrumbs, and performance traces. Error reports may include user context (account ID, organization ID) for debugging. Session replay may be captured at a low sample rate. Automatic collection of IP addresses and cookies is disabled, and API tokens are stripped from all reports before they are sent.
• Product analytics (consent-gated) — Captures page views and a defined set of product events. Sets first-party cookies and uses local storage to maintain a session and a distinct ID. While signed in, your account ID is used as the identifier and your email, name, organization ID and organization name are sent as profile properties.
• Voice rooms (feature-consent-gated) — Real-time voice connections within an operation are routed through our voice infrastructure provider. Microphone audio is transmitted live and is not recorded by OpsCommon. Participant metadata exists only while you are connected.
• Bot protection — Public-facing forms (support contact and feature request forms in the product, and the newsletter signup form on opscommon.com) use a bot-protection challenge provided by our hosting/CDN provider. The challenge provider receives the challenge token, your IP address, and browser signals supplied by the challenge widget.
• Hosting, content delivery, and DNS — Application hosting and edge delivery. Standard server logs containing HTTP request metadata (IP address, request path, timestamp, user agent) are produced for security and operational purposes.

For a complete list of our third-party data processors, including their names and processing locations, see our Subprocessors page.

Information Sharing

We do not sell your personal information. We may share your information in the following circumstances:

• With your organization: Information is shared within your organization as needed for collaboration. Organization administrators can view member activity and manage access.
• Service providers: We work with the third-party companies listed above to provide hosting, analytics, and other services.
• Legal requirements: We may disclose information if required by law or in response to valid legal requests.
• Business transfers: In connection with a merger, acquisition, or sale of assets.
• With your consent: We may share information with your explicit consent.

International Data Transfers

Our primary data processing occurs in the United States. All core infrastructure providers (database, authentication, hosting, payments, product analytics, error monitoring) process data in the US.

Weather data requests are proxied to our weather data provider (UK-headquartered) with reduced coordinate precision. Map tile requests and voice room connections may be served from global edge nodes for latency (ephemeral, no persistent storage outside the US).

For users in the European Economic Area, United Kingdom, or Switzerland, we rely on Standard Contractual Clauses (SCCs) and service provider Data Processing Agreements to ensure adequate data protection. For a complete list of our data processors, see our Subprocessors page.

Data Security

We implement appropriate technical and organizational measures to protect your information, including:

• Encryption of data in transit (TLS/HTTPS) and at rest
• Authentication and authorization via our identity provider with organization-scoped access controls
• Content Security Policy (CSP) headers to prevent cross-site scripting
• Rate limiting on API endpoints
• Audit logging of data modifications
• Secure webhook signature verification

However, no method of transmission over the Internet or electronic storage is 100% secure. We cannot guarantee absolute security.

Data Protection Impact Assessments

We conduct Data Protection Impact Assessments (DPIAs) for processing activities that are likely to result in a high risk to individuals' rights and freedoms. Given that OpsCommon processes precise geolocation data and enables real-time location sharing between team members, we have assessed and documented the risks and safeguards for this processing, including:

• Explicit user consent required before location broadcasting activates
• Automatic 5-minute TTL on location data with immediate deletion on opt-out
• Privacy-preserving throttling (10-second intervals, 50-meter movement thresholds)
• Reduced coordinate precision for weather API requests (~1.1km)
• Organization-scoped access controls ensuring location data is only visible to authorized team members

Enterprise and government customers requiring a copy of our DPIA documentation may request it by contacting [email protected].

Data Retention

We retain different categories of data for different periods based on their purpose. The following schedule describes our retention practices:

When you delete your account, we remove your personal information within 30 days, except where retention is required by law. When an organization is deleted, all associated data (operations, map features, teams, files, audit logs, notifications) is permanently cascade-deleted.

Your Rights

Depending on your location, you may have certain rights regarding your personal information:

• Access: Request a copy of the personal information we hold about you
• Correction: Request that we correct inaccurate or incomplete information
• Deletion: Request that we delete your personal information
• Portability: Request a copy of your data in a portable format
• Objection: Object to certain processing of your information

To exercise these rights, please contact us at [email protected].

Your Rights Under GDPR

If you are located in the European Economic Area (EEA), United Kingdom, or Switzerland, you have the following additional rights under the General Data Protection Regulation (GDPR) and equivalent legislation:

• Right of access: You have the right to obtain confirmation as to whether personal data concerning you is being processed and to request a copy of that data.
• Right to rectification: You have the right to request correction of inaccurate personal data and completion of incomplete personal data.
• Right to erasure: You have the right to request deletion of your personal data under certain circumstances, such as when the data is no longer necessary for the purposes for which it was collected.
• Right to restriction of processing: You have the right to request that we restrict the processing of your personal data under certain circumstances.
• Right to data portability: You have the right to receive your personal data in a structured, commonly used, machine-readable format and to transmit that data to another controller.
• Right to object: You have the right to object to processing of your personal data based on legitimate interests or for direct marketing purposes.

Legal Basis for Processing

We process your personal data on the following legal bases:

• Contract performance: Processing necessary to provide the Service to you under our Terms of Service.
• Legitimate interests: Processing necessary for our legitimate interests, such as improving the Service, ensuring security, and preventing fraud, where these interests are not overridden by your rights.
• Consent: Processing based on your explicit consent, such as enabling product analytics and error monitoring when you accept analytics via the consent banner, enabling live location broadcasting, joining voice rooms, or sharing your map cursor.

You have the right to lodge a complaint with your local supervisory authority if you believe that our processing of your personal data violates applicable law. Contact us at [email protected] and we will endeavor to resolve your concern.

Your Rights Under CCPA / CPRA

If you are a California resident, you have the following rights under the California Consumer Privacy Act as amended by the California Privacy Rights Act (CCPA/CPRA):

• Right to know: You have the right to request that we disclose the categories and specific pieces of personal information we have collected about you, the categories of sources from which the information was collected, the business purpose for collecting the information, and the categories of third parties with whom we share the information.
• Right to delete: You have the right to request that we delete personal information we have collected from you, subject to certain exceptions.
• Right to correct: You have the right to request that we correct inaccurate personal information we maintain about you.
• Right to opt-out of sale or sharing: We do not sell or share your personal information for cross-context behavioral advertising. OpsCommon has not sold or shared personal information in the preceding 12 months.
• Right to limit use of sensitive personal information: We only use sensitive personal information (such as precise geolocation) for purposes necessary to provide the Service. You may limit the use of your precise geolocation data by disabling location broadcasting in the app at any time.
• Right to non-discrimination: We will not discriminate against you for exercising any of your CCPA/CPRA rights.

Categories of Personal Information

Under CCPA/CPRA, we disclose the following categories of personal information we collect, the purposes for collection, and the categories of third parties with whom we share them:

To exercise your rights under the CCPA/CPRA, please contact us at [email protected]. We will verify your identity before fulfilling your request and respond within 45 days.

Cookies and Tracking

We use cookies and similar technologies for:

• Essential cookies: Required for authentication sessions, bot protection on contact forms, and core Service functionality
• Preference storage: Browser local storage for your settings such as map style, grid preferences, unit preferences, sidebar state, and theme
• Analytics cookies (consent-gated): First-party cookies and local storage entries set by our product analytics provider to maintain a session and a distinct ID

We do not use advertising or cross-site tracking cookies.

Analytics and error monitoring are only enabled when you provide consent via our consent banner. You can change your preference at any time using the "Cookie Settings" link in the footer of any page.

For complete details about the cookies and local storage we use, see our Cookie Policy.

Children's Privacy

OpsCommon is a business-to-business platform intended for use by adults in a professional capacity through their employer or organization. The Service is not directed to children, is not designed for use by minors, and we do not knowingly process personal information from anyone under the age of 16. Customer organizations are responsible for ensuring that the individuals they grant access to the Service are eligible to use it under our Terms of Service. If we become aware that personal information from a child under 16 has been provided to us without appropriate authorization, we will delete that information.

Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of any material changes by posting the new Privacy Policy on this page and updating the "Last updated" date. Your continued use of the Service after changes constitutes acceptance of the updated policy.

Contact Us

If you have questions about this Privacy Policy or our privacy practices, please contact us at: