Privacy Policy
Last updated: April 15, 2026
1. Information We Collect
Account information: Email address, first name, and the identifier assigned by our authentication provider. Collected at signup via email/password, Google sign-in, or GitHub sign-in.
Search activity: Search queries, search type (username, email, domain, name), timestamps, and IP addresses are logged on our servers for abuse prevention, credit accounting, and legal compliance. Your search queries are stored only on our infrastructure and are never sent to advertising platforms or any other third party except the specific data sources we query on your behalf to produce results.
Billing information: Payment details are processed by Stripe. Opsis does not store credit card numbers. We receive subscription status, tier, and billing cycle from Stripe.
Technical data: Browser type, operating system, device information, IP address, and referrer URL, collected automatically on page load.
Geolocation: We derive an approximate country from your IP address using a third-party lookup (ipapi.co) to show region-appropriate pricing and for analytics. We do not collect GPS or precise location.
Acquisition attribution: When you arrive via a marketing link, we store UTM parameters (source, medium, campaign) and the referring domain in your browser's session storage and associate them with your account on signup.
Product analytics: We record events as you interact with the Service — for example, page views, upgrade-modal interactions, and checkout steps. These events include your account identifier and the metadata listed above. Search queries are not included in analytics events.
2. How We Use Your Information
- To provide and operate the Service
- To process billing and manage subscriptions
- To detect and prevent abuse, fraud, and unauthorized use
- To measure the performance of our marketing campaigns and optimize ad delivery (see "Advertising & Analytics" below)
- To send transactional emails (account, billing, security) and, where permitted, product updates and marketing emails
- To comply with legal obligations and respond to lawful requests
- To improve the Service and fix technical issues
3. Third-Party Services That Receive Your Data
To operate the Service, we share specific pieces of personal data with the following processors and partners. Each is listed with the data they receive and the purpose.
- Clerk — Authentication and session management. Receives email, name, password (hashed by Clerk), and OAuth tokens when you sign in with Google or GitHub.
- Stripe — Payment processing and subscription billing. Receives email, billing address, and payment method details (handled entirely by Stripe, never by us).
- Railway — Application hosting. Processes all traffic necessary to run the Service.
- Cloudflare — Content delivery, bot protection, and DNS. Receives IP addresses and request metadata for security purposes.
- Loops — Email delivery and marketing automation. Receives email, first name, subscription tier, country (2-letter code), signup date, and high-level activity flags (e.g. "has used the Service").
- Meta Platforms (Facebook/Instagram Pixel and Conversions API) — Ad attribution and campaign optimization. Receives hashed (SHA-256) email, hashed account identifier, IP address, user-agent string, Meta's browser cookie (_fbp) and click identifier (_fbc), a shared event identifier for deduplication, the type of action you took (e.g. "started checkout"), and subscription value/currency. Your search queries are never sent to Meta.
- TikTok (TikTok Pixel and Events API) — Ad attribution and campaign optimization. Receives hashed (SHA-256) email, hashed account identifier, IP address, user-agent string, TikTok's browser cookie (_ttp) and click identifier (ttclid), a shared event identifier for deduplication, the type of action you took, and subscription value/currency. Your search queries are never sent to TikTok.
- ipapi.co — Geolocation lookup. Receives IP address, returns a 2-letter country code.
- Third-party OSINT data sources — When you run a search, your query is sent to the specific third-party platforms we enumerate on your behalf (e.g., GitHub, Gravatar, public breach indexes). This is an essential part of performing the search you requested.
4. Cookies and Similar Technologies
We and our third-party partners set the following categories of cookies and browser storage:
- Essential: Authentication session tokens (Clerk), CSRF protection, and bot-verification cookies. The Service will not work without these.
- Analytics / advertising: The Meta Pixel sets _fbp; the TikTok Pixel sets _ttp. Cloudflare may set __cf_bm for bot protection.
- Session storage: UTM parameters and referrer source are stored in your browser's session storage; they are cleared when you close your browser.
You can block these by using browser settings, Do-Not-Track flags, or ad blockers. Blocking advertising cookies will not disable the Service.
5. Advertising & Analytics
We use Meta and TikTok's advertising tools to measure the performance of our ads and to show our ads to people who may be interested in Opsis. To make this work, we share a limited set of hashed and raw attributes with these platforms, as listed in Section 3. We share these attributes:
- Both from your browser (via the Pixel) and from our servers (via the Conversions API / Events API) for the same actions, using a shared event identifier so that the same action is not counted twice.
- Only for standard funnel events: page view, checkout initiation, and purchase.
What we send to ad platforms is limited to the search type (e.g. "username" or "email") — never the actual query you searched for. For example, if you search for "[email protected]", Meta and TikTok only see that you performed an "email" search, not whose email it was.
6. Data Retention
Search logs and credit-usage records are retained for 90 days, then automatically purged. Account data and billing history are retained while your account is active, and for up to 6 years after account deletion where required by tax, accounting, or anti-fraud obligations. Analytics events are retained for up to 24 months. Advertising partners set their own retention periods, which you can review in their respective privacy policies.
7. Your Rights
Depending on your jurisdiction (e.g., EU/UK under GDPR, California under CCPA/CPRA), you may have the following rights:
- Access: A copy of the personal data we hold about you
- Correction: Fix inaccurate data
- Deletion: Removal of your account and associated data
- Export: Your data in a portable, machine-readable format
- Objection / opt-out: Object to processing for direct marketing, including advertising attribution described in Section 5
- Withdraw consent: Where processing is based on consent
To exercise these rights, contact [email protected]. We respond within 30 days.
8. Data Security
We implement industry-standard safeguards including TLS encryption in transit, JWT-based session authentication, rate limiting, role-based access controls, hashed passwords, and separation of payment data (handled by Stripe). No method of electronic transmission or storage is 100% secure; we cannot guarantee absolute security.
9. International Data Transfers
Opsis is operated from the United States. If you access the Service from outside the US, your data will be transferred to and processed in the US and in the regions where our processors operate. Where required, we rely on Standard Contractual Clauses or equivalent safeguards for cross-border transfers.
10. Sale and Sharing of Personal Information
We do not sell your personal information for money. We do share certain personal identifiers (hashed email, IP address, user agent) with Meta and TikTok for advertising attribution and optimization, as described in Sections 3 and 5. Under the California Consumer Privacy Act (CCPA/CPRA), this may constitute "sharing" for cross-context behavioral advertising purposes. California residents may opt out by emailing [email protected] or by enabling the Global Privacy Control (GPC) signal in a supporting browser.
11. Children's Privacy
Opsis is not directed to children under 16. We do not knowingly collect personal information from children. If you believe a child has provided us with personal data, contact us and we will delete it.
12. Changes to This Policy
We may update this Privacy Policy from time to time. Material changes will be announced by email or an in-product notice. The "Last updated" date at the top of this page reflects when the policy was last changed.
13. Contact
For privacy-related questions, data-subject requests, or regulator correspondence, contact [email protected].