This Privacy Policy explains how Opera Group collects, uses, shares and protects personal data when you visit operag.com, use our Client Portal, contact us through forms, or engage with us through any service. We comply with the EU General Data Protection Regulation (GDPR), Brazil's LGPD (Lei 13.709/2018), Argentina's Personal Data Protection Act (Ley 25.326) and Chile's Ley 19.628 (as reformed in 2024).
Note. This document is a framework template provided for transparency. It does not constitute legal advice. For specific engagements, the signed MSA / SOW prevails. Consult qualified counsel for your jurisdiction.
🇬🇧 This document is provided in English. The English version prevails in case of any discrepancy.
🇪🇸 Este documento se proporciona en inglés. La versión en inglés prevalece en caso de discrepancia.
🇧🇷 Este documento é fornecido em inglês. A versão em inglês prevalece em caso de divergência.
1. Data controller & contact
The data controller is Opera Group, with operating offices in Buenos Aires (Argentina) and Santiago (Chile) and representation in Toronto, Miami and Shanghai. For all privacy matters — including exercise of rights, requests for information or complaints — please contact:
- Privacy team: privacy@operag.com
- Brazil — Encarregado de Dados (DPO under LGPD): dpo-br@operag.com
- Argentina — Responsable de Datos (Ley 25.326): privacy@operag.com
2. Categories of personal data we process
| Category | Examples |
|---|---|
| Identity | Full name, professional title, organization |
| Contact | Email, phone, country, LinkedIn URL |
| Professional | Role, industry, brand/fund/institution profile, target markets, areas of interest |
| Account | Portal credentials, account type, role permissions, authentication metadata |
| Engagement | Brief data, diagnostic answers, partner-fit responses, uploaded documents (NDAs, brand assets), messages exchanged with Opera Group |
| Usage | IP address, browser, device, pages viewed, referrer, timestamps, basic analytics |
| Marketing | Email engagement, event RSVPs, content downloads, communication preferences |
| Financial (limited) | Billing entity, tax ID, payment references — only for clients with active engagements |
We do not knowingly collect special-category data (health, racial or ethnic origin, political opinions, religious beliefs, biometric data) and ask you not to submit such data through our forms or Portal.
3. Sources of data
- Directly from you: forms on our website, Portal sign-up, emails, calls, meetings.
- From your organization: where a colleague invites you or provides your details for an engagement.
- Automatically: cookies and similar technologies (see Cookie Policy).
- From third parties: publicly available business databases (LinkedIn, company registries), referral partners, and B2B enrichment providers — only for legitimate prospecting in a B2B context.
4. Purposes & lawful basis
| Purpose | Lawful basis (GDPR Art. 6 / LGPD Art. 7) |
|---|---|
| Respond to enquiries and route leads to the right partner | Pre-contractual measures at your request; legitimate interest |
| Provide the Portal and deliver contracted Services | Performance of a contract |
| Generate diagnostics, briefs, market recommendations | Performance of a contract; legitimate interest |
| Operate Opera Group's business: billing, accounting, audit, vendor management | Legal obligation; legitimate interest |
| Send relevant insights and marketing (B2B) | Legitimate interest, with opt-out; consent where required |
| Improve the Services and analytics | Legitimate interest |
| Comply with law, sanctions screening, KYC where applicable | Legal obligation |
| Defend legal claims | Legitimate interest |
6. International data transfers
Opera Group operates across LatAm, North America, the EU and Asia. Personal data may be transferred to and processed in countries outside your country of residence. Where required, we rely on appropriate safeguards: EU Standard Contractual Clauses (SCCs), UK IDTA, adequacy decisions where available, and equivalent mechanisms under LGPD (Resolução ANPD nº 19/2024) and Argentine law.
7. Retention
| Data | Retention |
|---|---|
| Lead enquiries (no engagement) | 24 months from last interaction |
| Active client / Portal accounts | For the duration of the relationship + 7 years (legal/accounting) |
| Billing & tax records | 10 years (Argentina) / per local tax law |
| Marketing preferences | Until you opt out, then suppressed indefinitely to honor the opt-out |
| Server & security logs | 12 months |
8. Your rights
Subject to applicable law, you have the right to: access your data; rectify inaccurate data; request erasure; restrict or object to processing; data portability; withdraw consent at any time (without affecting prior lawful processing); and lodge a complaint with the supervisory authority of your jurisdiction.
- EU/UK: your local Data Protection Authority.
- Brazil: Autoridade Nacional de Proteção de Dados (ANPD).
- Argentina: Agencia de Acceso a la Información Pública (AAIP).
- Chile: the supervisory authority designated under the 2024 reform of Ley 19.628.
To exercise rights, write to privacy@operag.com. We respond within 30 days (extendable by a further 60 days for complex requests, with notice).
9. Security
We implement technical and organizational measures appropriate to the risk: encryption in transit (TLS) and at rest, role-based access control, row-level security in the database, audit logging, least-privilege principle, vetted subprocessors, periodic security reviews and incident response procedures. No system is completely secure; we cannot guarantee absolute security.
10. Breach notification
In the event of a personal data breach likely to result in a risk to your rights, we will notify the competent authority within 72 hours (where required by GDPR / LGPD) and affected individuals without undue delay where the breach is likely to result in a high risk.
11. Children
The Services are B2B and not directed to anyone under 18. We do not knowingly collect personal data from children. If you believe we have, contact privacy@operag.com and we will delete it.
12. Changes to this Policy
We may update this Policy. The "effective date" at the top reflects the latest version. Material changes will be notified by email to Portal account holders or via a prominent notice on the website.
13. When we act as processor on your behalf
Sections 1–12 above describe how Opera Group acts as Controller of its own data (leads, prospects, marketing). When a Client uploads data to the Portal, shares records for an engagement, or otherwise instructs us to process personal data on its behalf, Opera Group acts as Processor and the Client as Controller. The terms below summarize that relationship; they form part of the Terms of Service and any signed MSA.
- Instructions: we process personal data only on the Client's documented instructions, including for international transfers, unless required otherwise by law.
- Confidentiality: personnel authorized to process Client data are bound by confidentiality and receive privacy and security training.
- Security: TLS 1.2+ in transit and AES-256 (or equivalent) at rest, row-level security and least-privilege access, MFA for administrative access, audit logging, vulnerability scanning, tested backups and incident response.
- Subprocessors: the Client provides general written authorization for the subprocessors listed in section 5 (Supabase, Cloudflare, Odoo, AI Gateway providers, transactional email, analytics). We impose equivalent contractual obligations on each, remain liable for their acts and omissions, and give at least 30 days' notice of additions or replacements, with a right to object on reasonable data-protection grounds.
- Data-subject rights: we assist the Client, by appropriate technical and organizational measures and to the extent possible, in responding to requests from data subjects.
- International transfers: where personal data leaves the EEA, UK, Brazil or other restricted jurisdictions, the parties incorporate the EU SCCs (Module Two — Controller to Processor) by reference, plus the UK IDTA and equivalent mechanisms under LGPD and Argentine law.
- Breach notification: we notify the Client without undue delay (and within 72 hours where feasible) of a personal data breach affecting Client data, with the information reasonably available.
- Audit: we make available the information necessary to demonstrate compliance. Audits may be performed by an independent auditor agreed by the parties, no more than once per year (except after a material breach), at the Client's expense, with 30 days' notice and subject to confidentiality.
- Return or deletion: upon termination, and at the Client's choice, we return or delete personal data processed on the Client's behalf, unless retention is required by law. Backups are deleted on the regular rotation schedule.
- Liability: subject to the limits in the Terms of Service and any signed MSA, except where data-protection law mandates otherwise.
Clients with regulated workloads or vendor-onboarding requirements can download the full DPA template (signature-ready), execute it as an annex to the MSA, and return it to legal@operag.com.
Version History
Material changes to this document are recorded below. Minor corrections are not listed.
| Date | Change |
|---|---|
| 2026-04-19 | Initial publication. |