Privacy Policy

We keep operator data tight: only what we need, no selling, EU/EEA rules first.

Last updated: 30 Dec 2025

Data controller: Operator Club — contact: privacy@operator.club

What we collect

  • Account + auth. Email, password hashes (bcrypt), optional name/avatar, verification and reset tokens, passkey or OAuth IDs (Google, GitHub).
  • Workspace + profile. Workspace names/codes, roles, display name, bio, timezone, focus tags, skills, availability, location preferences, status, rule acceptance timestamps.
  • Product content. Channels, messages, replies, mentions, attachments, reactions, read states, notifications, push subscription keys, course/module progress, onboarding data.
  • Technical signals. Log data (IP, device/browser info, event timestamps), service worker cache data for offline mode, error traces (Sentry EU endpoint), security telemetry.
  • Support + feedback. Anything you share with us when requesting help or sending feedback.

Why we process it (legal bases)

  • Run the product. Create accounts, maintain sessions, deliver workspaces, channels, messages, notifications, course progress. Basis: contract.
  • Protect the space. Security, fraud/abuse prevention, service monitoring (Sentry), backups, access control, enforcing Sub Rosa rules. Basis: legitimate interests; contract for abuse response.
  • Communicate with you. Password resets, transactional emails, service changes, critical notices. Basis: contract; legal obligation where required.
  • Optional choices. Push notifications, marketing/product updates if you opt in. Basis: consent.
  • Comply with law. Record keeping, responding to lawful requests, handling billing/tax if paid plans apply. Basis: legal obligation.

Who sees your data

  • Service providers. Convex (data + storage), hosting/CDN (e.g., Vercel), email delivery (Resend), monitoring (Sentry EU), push notification services, authentication providers you choose (Google, GitHub).
  • Workspace visibility. Your content is visible to members/admins based on channel visibility, roles, and notifications.
  • Payments. If/when you buy paid seats, card data is handled by our payment processor; we keep billing metadata, not full card numbers.
  • No selling. We do not sell or rent personal data.

International transfers

Data may be processed in the EU/EEA, US, and other regions where our providers operate. When data leaves the EEA/UK, we use safeguards such as the EU Standard Contractual Clauses or equivalent transfer mechanisms. Sentry uses an EU ingestion endpoint.

Retention

  • Accounts and workspace data stay while your account/workspace is active or until you request deletion.
  • Messages, files, and course progress remain until removed by you or workspace admins, or when a workspace is deleted.
  • Password reset tokens expire after one hour; push subscriptions are removed when you unsubscribe; logs and backups rotate and are retained only as long as needed for security and recovery.
  • Legal, billing, or dispute records may be kept longer where law requires.

Your rights (EU/EEA/UK)

  • Access, rectify, erase, restrict, or port your personal data; object to processing based on legitimate interests.
  • Withdraw consent at any time (e.g., for marketing or push notifications).
  • Lodge a complaint with your local supervisory authority.
  • To exercise rights, email privacy@operator.club. We may verify your identity and respond within the timelines set by law.

Security

We encrypt data in transit, hash passwords with bcrypt, restrict employee access, log access, and monitor errors. No platform is perfectly secure; report issues to security@operator.club.

Cookies, storage, and notifications

  • Essential cookies/session storage keep you signed in and protect against fraud. Service workers cache static assets for offline mode.
  • We do not run third-party advertising trackers. If we add analytics, we will update this notice and offer controls.
  • Push notifications are opt-in and use browser/device tokens; turn them off in your device settings or in the app.

Children

Operator Club is for people 16+ (and typically 18+ for work). We do not knowingly collect data from children.

Changes

If we update this policy, we will post the new version here and adjust the date. Material changes may also be announced in-app or by email.