1. About Opsis
Opsis ("we", "us") is a safety net for builders who ship fast, built on top of PostHog session replay. You connect your PostHog project with OAuth; Opsis analyzes real user sessions, finds broken flows, reproduces bugs with Playwright evidence, and gives developers actionable fixes. This policy explains how we collect, use, and protect personal data in accordance with applicable data protection laws (such as the GDPR and other regulations that apply where you operate).
2. Data we collect
- Account data: your email address and password (stored by our authentication provider, Supabase; we never see your password in plain text).
- PostHog OAuth tokens: when you connect PostHog, we receive read-only OAuth tokens scoped to organization, project, session recording, and query access. Tokens are encrypted at rest (AES-256-GCM), are never sent to your browser, and are never logged.
- Session replay data from your PostHog project: events, console and network errors, click behavior (such as rage and dead clicks), and the routes users visited. This data is imported only after you connect your project and choose to import sessions.
3. Pseudonymization and redaction
- End-user distinct IDs are pseudonymized with SHA-256 at import time. We do not store raw PostHog distinct IDs.
- Personal data patterns — email addresses, phone numbers, national ID numbers, card numbers, and tokens — are redacted before storage, before any data is sent to an AI provider, and in generated reports.
4. How we use the data
Imported session data is used solely to provide the service: detecting signals of broken flows (rage and dead clicks, console errors, network failures, checkout abandonment), clustering related findings, AI analysis of redacted snippets, reproducing issues with Playwright, and generating reports with suggested fixes. AI findings must cite real sessions — the AI is never permitted to invent evidence.
5. Our role regarding session data
For end-user data inside your PostHog project, you are the Personal Data Controller and Opsis acts as the Personal Data Processor. PostHog remains your own data source, connected by you via OAuth. See our Data Processing Terms for details.
6. Storage and security
- Data is stored in Supabase Postgres with deny-all row-level security on secret tables.
- OAuth tokens are encrypted at rest with AES-256-GCM and never exposed to the browser or written to logs.
- Verification artifacts (videos, traces, screenshots, logs) are private and served only through an authenticated gateway that checks your organization membership.
- Unused pending OAuth grants expire after 30 minutes and are revoked and deleted.
7. Sub-processors
We use a small set of sub-processors to run the service:
- Supabase — database and authentication; stores encrypted OAuth tokens.
- Opsis AI — our AI analysis provider, used only on redacted data snippets; no unredacted personal data is sent.
- Our cloud hosting provider — runs the Opsis application and stores verification artifacts.
8. Retention
- Imported sessions and findings are kept while your workspace is active.
- Playwright verification artifacts are kept for 30 days by default during early access, then deleted automatically. When paid plans launch, retention follows your plan (from 7 days on Free up to 365 days on Enterprise; see the Pricing page).
- When you disconnect PostHog, we revoke the tokens upstream (best-effort) and always delete our stored copies.
9. Your rights
Under applicable data protection laws you have the right to access, correct, and request deletion of your personal data, and to withdraw consent to processing. Send requests to admin@heyopsis.com and we will process them promptly.
10. Revoking access
You can disconnect PostHog at any time from the Opsis dashboard — we revoke both the refresh and access tokens with PostHog (best-effort) and always delete the tokens we hold. You can also revoke the Opsis authorization directly in your PostHog settings.
11. No sale of data
We do not sell personal data, and we do not share session data with third parties except the sub-processors listed above, strictly to provide the service.
12. Cookies
Opsis uses cookies only to keep you signed in (authentication session cookies). We do not use advertising or cross-site tracking cookies.
13. Contact
Privacy questions and requests: admin@heyopsis.com.