OpsCommon Back to Home

Privacy Policy

Last updated: February 22, 2026

Introduction

OpsCommon LLC ("we," "our," or "us") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our operations management platform and related services (collectively, the "Service").

Please read this Privacy Policy carefully. By using the Service, you agree to the collection and use of information in accordance with this policy.

Information We Collect

Personal Information

When you create an account or use our Service, we may collect:

  • Name and email address
  • Profile photo
  • Organization name and details
  • Authentication credentials (managed by our authentication provider)

Usage Information

We automatically collect certain information when you use the Service:

  • Log data (IP address, browser type, pages visited)
  • Device information
  • Usage patterns and feature interactions
  • Anonymized website analytics (consent-gated)
    • When you consent to analytics, our analytics provider collects page views, referrers, browser, OS, and country-level location. No cookies are used — visitors are identified by a daily-rotating anonymized hash. No personally identifiable information is stored.
  • Error reports and performance data (consent-gated)
    • When you consent to analytics, our error monitoring provider may also capture session replay data (a recording of page interactions) to help us reproduce and fix bugs. Replay data is sampled at a low rate (5% of sessions) and captures 100% of sessions where an error occurs.

Location Data

When you use mapping features, we process location data including:

  • Coordinates you place on maps (markers, routes, polygons, etc.)
  • Location searches and geocoding queries (processed by our mapping provider)
  • Weather data requests for specific coordinates (processed by our weather data provider)
  • Live location broadcasts (when you explicitly enable location sharing)
    • Requires your explicit consent before activation
    • Coordinates are shared with your operation team members in real time
    • Updates are throttled (minimum 10-second intervals, 50-meter movement threshold)
    • Readings with accuracy worse than 100 meters are discarded
    • Location data is automatically deleted after 5 minutes of inactivity
    • You can stop broadcasting at any time, which immediately removes your location data

We do not track your device's GPS location in the background. Location data is only collected when you actively interact with mapping features or explicitly enable location broadcasting.

Weather coordinate requests are proxied through our servers with reduced precision (approximately 1.1km) before reaching our weather data provider (UK-based). Our mapping provider receives your viewport coordinates and search queries for map rendering and geocoding. The mapping provider may log anonymized usage data (tile requests, API calls) for billing and service analytics. We have disabled mapping provider performance telemetry collection.

Content You Provide

We store content you create within the Service, including:

  • Operations and their settings
  • Map features (markers, lines, polygons, routes, circles)
  • Labels and feature categories
  • Map comments and activity logs
  • Team structures and member assignments
  • Uploaded icons and files

Payment Information

Payment processing is handled entirely by our payment processor. We do not store your credit card numbers, bank account details, or other sensitive payment information on our servers. Our payment processor may collect and process payment information in accordance with their own privacy policy.

How We Use Your Information

We use the information we collect to:

  • Provide, maintain, and improve the Service
  • Enable real-time map collaboration between organization members
  • Process subscription payments and manage billing
  • Send notifications and security alerts
  • Respond to your questions and support requests
  • Monitor and analyze usage trends to improve user experience
  • Detect, prevent, and address technical issues and security threats
  • Generate audit logs for organizational accountability
  • Comply with legal obligations

Third-Party Services

We use third-party service providers to operate the platform. Each processes data according to their own privacy policies. The categories of providers we use include:

  • Database and backend infrastructure — All your operational data (operations, map features, teams, etc.) is stored and synchronized through our real-time database provider.
  • Authentication and identity management — Handles sign-in, sign-up, session management, and organization membership.
  • Payment processing — Handles all financial transactions securely. We do not store payment card details on our servers.
  • Map rendering and geocoding — Processes location queries, renders map tiles, and provides terrain data. Map tile requests may be served from global CDN edge nodes (ephemeral, no persistent storage). We have disabled mapping provider performance telemetry.
  • Weather data — Weather requests are proxied through our servers with coordinates reduced to approximately 1.1km precision before reaching the provider. The weather provider does not store API request parameters (coordinates).
  • Voice and video communication — Real-time audio/video is transmitted through our communication provider's servers. We store only metadata (participant name, mute status, join time) — no audio or video is recorded.
  • Error monitoring (consent-gated) — Collects error reports, stack traces, and performance metrics. Error reports may include user context (user ID, organization ID) for debugging. Session replay data may be captured at a low sample rate when you consent to analytics. We do not send your IP address or browser cookies to the error monitoring provider. API tokens are automatically scrubbed from all error reports.
  • Hosting and analytics (analytics consent-gated) — Application hosting, content delivery, and anonymized web analytics. The analytics component does not use cookies; visitors are identified by an anonymized, non-persistent hash that resets daily. No personally identifiable information is stored.

For a complete list of our third-party data processors, including their names and processing locations, see our Subprocessors page.

Information Sharing

We do not sell your personal information. We may share your information in the following circumstances:

  • With your organization: Information is shared within your organization as needed for collaboration. Organization administrators can view member activity and manage access.
  • Service providers: We work with the third-party companies listed above to provide hosting, analytics, and other services.
  • Legal requirements: We may disclose information if required by law or in response to valid legal requests.
  • Business transfers: In connection with a merger, acquisition, or sale of assets.
  • With your consent: We may share information with your explicit consent.

International Data Transfers

Our primary data processing occurs in the United States. All core infrastructure providers (database, authentication, hosting, payments, error monitoring) process data in the US.

Weather data requests are proxied to our weather data provider (UK-headquartered) with reduced coordinate precision. Map tile requests may be served from global CDN nodes (ephemeral only, no persistent storage outside the US).

For users in the European Economic Area, United Kingdom, or Switzerland, we rely on Standard Contractual Clauses (SCCs) and service provider Data Processing Agreements to ensure adequate data protection. For a complete list of our data processors, see our Subprocessors page.

Data Security

We implement appropriate technical and organizational measures to protect your information, including:

  • Encryption of data in transit (TLS/HTTPS) and at rest
  • Authentication and authorization via our identity provider with organization-scoped access controls
  • Content Security Policy (CSP) headers to prevent cross-site scripting
  • Rate limiting on API endpoints
  • Audit logging of data modifications
  • Secure webhook signature verification

However, no method of transmission over the Internet or electronic storage is 100% secure. We cannot guarantee absolute security.

Data Protection Impact Assessments

We conduct Data Protection Impact Assessments (DPIAs) for processing activities that are likely to result in a high risk to individuals' rights and freedoms. Given that OpsCommon processes precise geolocation data and enables real-time location sharing between team members, we have assessed and documented the risks and safeguards for this processing, including:

  • Explicit user consent required before location broadcasting activates
  • Automatic 5-minute TTL on location data with immediate deletion on opt-out
  • Privacy-preserving throttling (10-second intervals, 50-meter movement thresholds)
  • Reduced coordinate precision for weather API requests (~1.1km)
  • Organization-scoped access controls ensuring location data is only visible to authorized team members

Enterprise and government customers requiring a copy of our DPIA documentation may request it by contacting support@opscommon.com.

Data Retention

We retain different categories of data for different periods based on their purpose. The following schedule describes our retention practices:

Data Category Retention Period Details
Account profile Duration of account Deleted within 30 days of account deletion request. Map comments are anonymized ("Deleted User").
Operations & map data Duration of organization Archived items (soft-deleted) are retained until permanently removed by an organization administrator via a two-step deletion process with a grace period.
Live location broadcasts 5 minutes Automatically purged after 5 minutes of inactivity. Immediately deleted when you stop broadcasting.
Collaborative cursors 3 seconds Ephemeral data automatically cleaned up within seconds of inactivity.
Voice communication Duration of session Audio is transmitted in real time and not recorded. Participant metadata is deleted when you leave the voice channel or the room ends.
Audit logs Configurable per organization Retention period set by organization administrators. Expired logs are automatically purged daily.
Notifications Duration of account Deleted when your account is deleted or when the organization is deleted.
Analytics data Per provider policy Website analytics: anonymized, daily-rotating hash (no persistent visitor identity). Error monitoring: per provider data retention settings (typically 90 days for error data).

When you delete your account, we remove your personal information within 30 days, except where retention is required by law. When an organization is deleted, all associated data (operations, map features, teams, files, audit logs, notifications) is permanently cascade-deleted.

Your Rights

Depending on your location, you may have certain rights regarding your personal information:

  • Access: Request a copy of the personal information we hold about you
  • Correction: Request that we correct inaccurate or incomplete information
  • Deletion: Request that we delete your personal information
  • Portability: Request a copy of your data in a portable format
  • Objection: Object to certain processing of your information

To exercise these rights, please contact us at support@opscommon.com.

Your Rights Under GDPR

If you are located in the European Economic Area (EEA), United Kingdom, or Switzerland, you have the following additional rights under the General Data Protection Regulation (GDPR) and equivalent legislation:

  • Right of access: You have the right to obtain confirmation as to whether personal data concerning you is being processed and to request a copy of that data.
  • Right to rectification: You have the right to request correction of inaccurate personal data and completion of incomplete personal data.
  • Right to erasure: You have the right to request deletion of your personal data under certain circumstances, such as when the data is no longer necessary for the purposes for which it was collected.
  • Right to restriction of processing: You have the right to request that we restrict the processing of your personal data under certain circumstances.
  • Right to data portability: You have the right to receive your personal data in a structured, commonly used, machine-readable format and to transmit that data to another controller.
  • Right to object: You have the right to object to processing of your personal data based on legitimate interests or for direct marketing purposes.

Legal Basis for Processing

We process your personal data on the following legal bases:

  • Contract performance: Processing necessary to provide the Service to you under our Terms of Service.
  • Legitimate interests: Processing necessary for our legitimate interests, such as improving the Service, ensuring security, and preventing fraud, where these interests are not overridden by your rights.
  • Consent: Processing based on your explicit consent, such as enabling website analytics and error monitoring when you accept analytics via the consent banner.

You have the right to lodge a complaint with your local supervisory authority if you believe that our processing of your personal data violates applicable law. Contact us at support@opscommon.com and we will endeavor to resolve your concern.

Your Rights Under CCPA / CPRA

If you are a California resident, you have the following rights under the California Consumer Privacy Act as amended by the California Privacy Rights Act (CCPA/CPRA):

  • Right to know: You have the right to request that we disclose the categories and specific pieces of personal information we have collected about you, the categories of sources from which the information was collected, the business purpose for collecting the information, and the categories of third parties with whom we share the information.
  • Right to delete: You have the right to request that we delete personal information we have collected from you, subject to certain exceptions.
  • Right to correct: You have the right to request that we correct inaccurate personal information we maintain about you.
  • Right to opt-out of sale or sharing: We do not sell or share your personal information for cross-context behavioral advertising. OpsCommon has not sold or shared personal information in the preceding 12 months.
  • Right to limit use of sensitive personal information: We only use sensitive personal information (such as precise geolocation) for purposes necessary to provide the Service. You may limit the use of your precise geolocation data by disabling location broadcasting in the app at any time.
  • Right to non-discrimination: We will not discriminate against you for exercising any of your CCPA/CPRA rights.

Global Privacy Control (GPC)

We honor the Global Privacy Control (GPC) signal. If your browser sends a GPC signal, we treat it as a request to opt out of analytics tracking. When GPC is detected, website analytics and error monitoring will not be initialized, and no telemetry data will be collected. This applies automatically without requiring interaction with our consent banner.

Categories of Personal Information

Under CCPA/CPRA, we disclose the following categories of personal information we collect, the purposes for collection, and the categories of third parties with whom we share them:

Category Examples Purpose Shared With
Identifiers Name, email, user ID Account creation, authentication, support Authentication provider, database provider
Professional information Job title, department, skills, certifications User profile, team organization Database provider
Geolocation data Map coordinates, live location broadcasts Collaborative mapping, weather, team coordination Database provider, mapping provider, weather provider (reduced precision)
Internet activity Page views, browser type, error reports Analytics (consent-gated), error monitoring Analytics provider (consent), error monitoring provider (consent)
Audio data Voice communication (real-time only, not recorded) Team voice collaboration Communication provider (real-time transit only)

To exercise your rights under the CCPA/CPRA, please contact us at support@opscommon.com. We will verify your identity before fulfilling your request and respond within 45 days.

Cookies and Tracking

We use cookies and similar technologies for:

  • Essential cookies: Required for authentication sessions and core Service functionality
  • Preference cookies: Store your settings such as map style, grid preferences, and theme

We do not use advertising or third-party tracking cookies. Our website analytics provider is entirely cookie-free and uses only an anonymized daily-rotating hash to identify visitors.

Analytics and error monitoring are only enabled when you provide consent via our consent banner. You can change your preference at any time using the "Cookie Settings" link in the footer of any page.

For complete details about the cookies and local storage we use, see our Cookie Policy.

Children's Privacy

The Service is not intended for children under 13 years of age. We do not knowingly collect personal information from children under 13. If we become aware that we have collected personal information from a child under 13, we will take steps to delete that information.

Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of any material changes by posting the new Privacy Policy on this page and updating the "Last updated" date. Your continued use of the Service after changes constitutes acceptance of the updated policy.

Contact Us

If you have questions about this Privacy Policy or our privacy practices, please contact us at:

OpsCommon LLC

Email: support@opscommon.com

By using OpsCommon, you acknowledge that you have read and understood this Privacy Policy and our Terms of Service. See also our Cookie Policy, Subprocessors, and Data Processing Agreement.