Operance
Request access

Legal

Privacy Notice

Effective 11 May 2026 · Operance Connect Limited is the data controller for personal data processed through the Platform.

1.Who we are

Operance Connect Limited, registered in England & Wales (Company No. [Company No]), registered office [Registered office]. Contact: legal@operance.uk. We are registered with the Information Commissioner's Office under registration number [ICO Reg No].

2.What we collect

  • Account data — name, work email, organisation, role, password hash.
  • Operator profile data — career history, sectors, credentials, references, identity verification artefacts.
  • Engagement data — appointments, introductions, NDA acceptances, proposals, messages, engagement confirmations.
  • Billing data — VAT details, invoice history. Card details are processed by Stripe and never stored by us.
  • Platform telemetry — sign-in events, audit log entries, contact-share signals, IP and user-agent for security purposes.

3.Lawful bases

We process personal data on the following lawful bases under UK GDPR Art. 6:
  • Contract (6(1)(b)) — to provide the Platform to you and your organisation.
  • Legal obligation (6(1)(c)) — VAT records, financial reporting, regulatory disclosures.
  • Legitimate interests (6(1)(f)) — verification, fraud prevention, contact-share monitoring, audit logging, non-circumvention enforcement, product improvement. We have balanced these against your rights and consider them proportionate to a curated B2B platform.
  • Consent (6(1)(a)) — non-essential cookies and any optional notifications you opt into.

4.Sub-processors

We share personal data with the following sub-processors strictly to deliver the Platform:
  • Supabase (database, authentication, file storage) — hosted in the EU.
  • Stripe Payments Europe, Limited (payment processing, invoicing, tax handling).
  • Cloudflare, Inc. (DNS, edge delivery, bot mitigation).
  • Resend (Resend, Inc.) — outbound transactional and authentication email delivery from @operance.uk.
Each sub-processor is engaged under a written data-processing agreement.

5.International transfers

Personal data may be transferred outside the UK to sub-processors in the EEA or the United States. Where transferred to the US, we rely on the UK Extension to the EU-US Data Privacy Framework or, where unavailable, on the ICO International Data Transfer Addendum to the EU Standard Contractual Clauses.

6.Retention

  • Account & profile data — for the life of the account, plus 24 months after closure.
  • Engagement records, messages, audit logs — 7 years from the close of the engagement (commercial dispute and tax-record window).
  • Billing & VAT records — 7 years (HMRC requirement).
  • Identity verification artefacts — 12 months after verification or account closure, whichever is sooner.
  • Marketing preferences — until withdrawn.

7.Your rights

Under UK GDPR you have the right to access, rectification, erasure, restriction, portability and objection, and rights relating to automated decision-making. We do not carry out automated decision-making with legal or similarly significant effect. To exercise any right, write to legal@operance.uk. We respond within one calendar month. You have the right to complain to the Information Commissioner's Office at ico.org.uk.

8.Security

The Platform enforces row-level access controls, server-side authorisation, encryption in transit and at rest, audit logging of state transitions, and least-privilege service credentials. Card data is tokenised by Stripe and never reaches our infrastructure.

9.Cookies

See our separate Cookies notice.

10.Changes

Material changes to this notice will be communicated to the account contact and posted on this page with an updated effective date.