Privacy Policy

Last updated: May 7, 2026

1. Introduction

Opseer ("we", "us", "our") operates a SaaS dashboard service at opseer.com. This Privacy Policy explains how we collect, use, store, and protect your information when you use our service.

2. Information We Collect

We collect the minimum information necessary to operate the service. All sensitive credentials are encrypted at rest with AES-256-GCM.

  • Account Profile: Your name, email address, and profile picture provided when you sign up via email or Google OAuth, plus your user ID for activity tracking.
  • Encrypted Integration Credentials: Tokens and keys for the external platforms you voluntarily connect, encrypted at rest with AES-256-GCM: (1) Supabase Management OAuth tokens, (2) Firebase service account JSON, (3) Neon connection strings + Neon Management API keys, (4) Google Ads OAuth tokens (AdMob/AdSense), (5) Stripe Restricted API Keys (read-only), (6) RevenueCat OAuth tokens, (7) Polar OAuth tokens. These credentials are used solely to read data from your own accounts on your behalf.
  • Revenue and Stats Cache: Daily aggregated revenue data fetched from your connected revenue platforms (AdMob, AdSense, Stripe, RevenueCat, Polar) is cached for up to 90 days as a sliding window. The cache exists to (1) speed up page loads, (2) reduce external API calls, and (3) generate daily alert messages. Data older than 90 days is automatically deleted.
  • Project Statistics Data: Metadata for the statistics columns and data tables you define, plus the daily aggregated values automatically collected. We do not store the raw data inside your databases — only the aggregated results.
  • Push Tokens and Targeting Data: FCM topic and token information you register as push targets is stored within your own Firebase project. CSV files of tokens uploaded for targeted push delivery are temporarily stored in Cloudflare R2 and automatically deleted immediately upon delivery completion or cancellation.
  • Notification Channel Configuration: Slack/Discord/Telegram/Webhook URLs and chat IDs that you provide as notification destinations. Used solely to deliver alerts and daily reports.
  • User Preferences: Timezone, notification delivery time, onboarding state, active project, and similar configuration values needed for the service to function.
  • Payment Information: Customer ID and subscription ID issued by Polar (our Merchant of Record), plan type, and subscription end date. Card numbers and other payment instruments are held by Polar; we do not have access to them.
  • Push API Keys and Usage: SHA-256 hashes of the Push API keys you issue (plaintext keys are shown only once at issuance), key prefixes, last-used timestamps, and daily call counts.
  • Operational Logs: Activity logs for audit and debugging purposes (record CRUD, push delivery results, stats collection results, integration connect/disconnect, etc.). Automatically deleted after 90 days.
  • Usage Data: Basic analytics such as pages visited and features used, collected via Google Analytics.

3. How We Use Your Information

  • To authenticate your identity and provide access to the service.
  • To use your encrypted tokens and keys to read (or read-only) data from the external platforms you have connected (Supabase, Firebase, Neon, Google Ads, Stripe, RevenueCat, Polar).
  • To generate daily revenue and subscription reports from connected revenue platforms and cache them for up to 90 days.
  • To deliver alert notifications through your configured channels (Slack, Discord, Telegram, or Webhook).
  • To deliver FCM push notifications to end-user devices through your own Firebase project.
  • To process subscription payments through Polar, our Merchant of Record.
  • To improve the service through aggregated, anonymized analytics.
  • To communicate with you about your account or service updates.

4. Your Data Stays With You

Opseer does not store the raw application data inside the databases you connect (Supabase, Firebase, Neon, etc.) on our servers. All raw data remains in your own infrastructure. We cache only the daily aggregated values for the statistics columns you define and the daily totals from your revenue platforms. We act as a management interface to your existing services.

5. Third-Party Services

We use the following third-party services. Each has its own privacy policy and we encourage you to review them.

  • Google OAuth & Google Ads API: for Google account sign-in and AdMob/AdSense revenue data access.
  • Supabase, Firebase, Neon: as the database/backend platforms you voluntarily connect — used to query your own account data.
  • Polar: (1) as our Merchant of Record for Opseer's own subscription billing, and (2) when you connect, to read revenue data from your own Polar seller account.
  • Stripe: to read your own account's revenue and subscription data via the Restricted API Key you issue (read-only).
  • RevenueCat: via OAuth 2.0 PKCE, to read your own account's mobile IAP and subscription revenue data.
  • Slack, Discord, Telegram: as the notification destinations you configure for alerts and daily reports.
  • Cloudflare (R2 + DNS/CDN/WAF): (1) for temporary storage of push targeting CSVs (R2), and (2) for DNS, CDN, WAF, Bot Fight Mode, and rate limiting on our infrastructure.
  • Resend: for transactional email delivery (team invitations, usage warnings, system notifications).
  • Vercel: for web application hosting and serverless function execution.
  • Google Analytics: for usage analytics.

6. Data Retention

We retain different data types as follows:

  • Account information — retained while your account is active.
  • Encrypted integration credentials — deleted immediately when you disconnect the integration, or within 30 days when you delete your account.
  • Revenue cache — up to 90 days as a sliding window. Data older than 90 days is deleted daily.
  • Operational and activity logs — automatically deleted after 90 days.
  • Push targeting CSVs — deleted from Cloudflare R2 immediately upon delivery completion or cancellation.
  • Revoked Push API keys — retained for 1 year after revocation for audit purposes, then deleted.
  • Anonymized analytics data — may be retained indefinitely.

When you delete your account, your personal data and all encrypted tokens/keys are removed within 30 days.

7. Your Rights

Depending on your jurisdiction, you may have the following rights:

  • Access, correct, or delete your personal data.
  • Export your data in a portable format.
  • Withdraw consent for data processing.
  • Object to or restrict certain processing activities.
  • Lodge a complaint with a supervisory authority.

To exercise any of these rights, please contact us at [email protected].

8. Cookies

We use essential cookies to maintain your session and authentication state. We also use analytics cookies via Google Analytics to understand how the service is used. You can disable non-essential cookies through your browser settings.

9. Security

Sensitive tokens and keys are encrypted at rest with AES-256-GCM using a 32-byte master key held in server environment variables. Row Level Security (RLS) policies are applied to every database table so that only the data owner or co-members of the same project can access the data. All communication is protected with HTTPS, and our external API endpoints (api.opseer.com) are protected by Cloudflare WAF, Bot Fight Mode, and rate limiting. However, no method of transmission or storage is 100% secure.

10. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of significant changes by posting the new policy on this page and updating the "Last updated" date above.

11. Contact Us

If you have questions about this Privacy Policy, please contact us at [email protected].