VisOpus
Initializing Secure Passport...
Individual Users — Version 1.0 — Effective 12 March 2026
1.1 VisOpus Ltd (trading as VisOpus) is a company registered in England and Wales.
| Detail | Information |
|---|---|
| Company Name | VisOpus Ltd |
| Registered Address | Millfield Mill Farm, New Road, Laceby, DN37 7EF |
| Company Number | 17073404 |
| ICO Registration Number | ZC105282 |
| Data Protection Contact | privacy@visopus.com |
| Data Protection Officer | VisOpus has not appointed a DPO under Article 37 UK GDPR / EU GDPR, as it does not meet the mandatory appointment criteria. Data protection queries should be directed to privacy@visopus.com |
| EU Representative | Not yet appointed — will be appointed prior to offering services to EU residents, as required under Art. 27 GDPR |
1.2 For the purposes of UK GDPR and EU GDPR, VisOpus is the Data Controller in respect of the personal data of Individual Users. This means we determine how and why your personal data is processed.
1.3 The Platform involves multiple data controller relationships depending on context:
1.4 Where we use third-party services to help us operate the Platform (called "sub-processors"), those third parties process personal data only on our instructions. A list of our sub-processors is in Section 5.
1.5 If you have any questions or concerns about how we handle your personal data, please contact us at privacy@visopus.com. We will respond to all privacy enquiries within 30 days.
We collect only the personal data that is necessary to provide and improve our services to you. Below is a full account of what we collect and why.
This is the information you give us when you create and manage your account.
| Data Item | Details | Required? |
|---|---|---|
| Full name | Your legal name, as you provide it | Yes |
| Email address | Used for account access, notifications, and communications | Yes |
| Password | Stored as a one-way cryptographic hash only — we never store your password in readable form | Yes |
| Profile photo | A photo you choose to add to your profile | No (optional) |
| Job title | Your current job title | No (optional) |
| Employer name | The name of your current employer | No (optional) |
This is the data associated with the certificates you receive and store on the Platform.
| Data Item | Details |
|---|---|
| Certificate type | For example: STCW Basic Safety Training, First Aid, Medical Fitness Certificate |
| Issuing body (Provider) | The name of the training provider or certification authority |
| Issue date | Date the certificate was issued |
| Expiry date | Date the certificate expires (if applicable) |
| Certificate number | The unique reference number on the certificate |
| Certificate document or image | A digital copy of the certificate itself |
| Certificate metadata | Technical data associated with the certificate record (e.g., format version, issuance method) |
| Verification history | A log of when and how (QR, link, Company access) your certificate was verified |
When you use the Platform, your device and browser automatically send us certain technical information.
| Data Item | Details |
|---|---|
| User agent string | Identifies your browser and version |
| Operating system | Your device's operating system (e.g., iOS 17, Windows 11) |
| Browser type and version | The browser you use to access the Platform |
| Screen resolution | The resolution of your display |
| Device type | Whether you are using a mobile phone, tablet, or desktop computer |
We collect this data to protect your account and detect fraud.
| Data Item | Details |
|---|---|
| IP addresses | Your IP address at the time of account access or key actions |
| Login timestamps | Date and time of each login to your account |
| Failed login attempts | Records of unsuccessful login attempts to your account |
| MFA recovery codes | Multi-factor authentication recovery codes, stored in encrypted form |
| Session tokens | Temporary tokens used to maintain your logged-in session |
| Data Item | Details |
|---|---|
| Approximate location (city/region) | Derived from your IP address. This gives us a rough geographic location (city or region level). We do not collect GPS or precise geolocation data. Precise geolocation will only ever be collected if you separately and explicitly consent to it for a specific feature. |
We collect data about how you interact with the Platform in order to understand how it is used and how we can improve it. IP addresses are truncated before storage for analytics purposes, and user identifiers are pseudonymised in analytics datasets.
| Data Item | Details |
|---|---|
| Pages visited | Which pages or screens within the Platform you visit |
| Features used | Which Platform features you interact with |
| Session duration | How long each Platform session lasts |
| Click patterns | Interactions such as button clicks, menu navigation |
| Certificate actions | Whether you share, download, or view certificates |
| Search queries | Searches you perform within the Platform |
We use cookies and similar tracking technologies as described in Section 10. The categories are:
| Data Item | Details |
|---|---|
| Support emails | The content of emails you send to our support team |
| In-app feedback | Feedback or bug reports you submit via the Platform |
| Marketing consent preferences | Your opt-in or opt-out preferences for marketing communications |
VisOpus does not intentionally collect special category personal data as part of standard account registration. However, certain certificates uploaded to or received through the Platform — such as medical fitness certificates (e.g., ENG1 Seafarer Medical), offshore medical assessments, or drug and alcohol test results — may contain health-related information.
Where such information is present, VisOpus processes it strictly for the purpose of providing certificate storage and verification services, and only on the basis of your explicit consent under GDPR Article 9(2)(a). This consent is captured separately when you upload a certificate containing health data, via an unchecked consent checkbox that you must actively tick before the upload proceeds. You may withdraw this consent at any time by deleting the relevant certificate from your account (see Section 8).
To be clear, we do not collect:
VisOpus supports passkey authentication technologies provided by third-party platform providers (such as Apple, Google, Microsoft, or password manager services).
Where you use biometric authentication (such as fingerprint or facial recognition) to access the Platform, this authentication is performed locally on your device and is managed entirely by your device operating system or authentication provider.
VisOpus does not collect, store, receive, or process biometric identifiers or biometric templates. The biometric matching happens on your device and only a cryptographic confirmation of your identity is transmitted to VisOpus — never the biometric data itself.
Under UK GDPR and EU GDPR, we must have a lawful basis for every type of processing we carry out. The table below sets out our lawful basis for each processing activity.
| Processing Activity | Legal Basis | GDPR Article | Explanation |
|---|---|---|---|
| Account creation and authentication | Contract performance | Art. 6(1)(b) | We need to process your account data to set up and maintain your account so that you can use the Platform. |
| Certificate storage and delivery | Contract performance | Art. 6(1)(b) | Storing and making available your certificates is the core function of the Platform. |
| Sharing certificates with verifiers (QR/link) | Consent | Art. 6(1)(a) | You initiate each sharing action — we only share Verification Data when you actively choose to do so. |
| Granting Company access to full certificates | Explicit consent | Art. 6(1)(a) | You must actively grant per-company consent before any Company can see your full certificate details. |
| Security logging (IP addresses, login history) | Legitimate interests | Art. 6(1)(f) | Necessary to detect fraud, protect your account, and maintain Platform security. We have balanced this against your interests and rights. |
| Analytics and product improvement | Legitimate interests | Art. 6(1)(f) | Helps us understand how the Platform is used and how to improve it. You may opt out — see Section 8. |
| Marketing communications | Consent | Art. 6(1)(a) | We only send marketing emails if you have opted in. You can withdraw consent at any time. |
| Non-essential cookies (analytics, marketing) | Consent | Art. 6(1)(a) | We obtain your consent via the cookie banner before setting non-essential cookies. |
| Legal compliance (regulatory requests, records) | Legal obligation | Art. 6(1)(c) | Where the law requires us to process data, for example in response to a valid court order or tax obligation. |
| Safety-critical verification audit trail | Legitimate interests | Art. 6(1)(f) | Retaining records of certificate verification events supports the integrity of audit trails for safety-critical industries (maritime, aviation, medical). We have balanced this against your rights. |
| Retention of audit logs that may reveal special category data (e.g., medical certificate type in verification log) | Substantial public interest | Art. 9(2)(g), read with UK DPA 2018 Schedule 1, Part 2, Paragraph 6 (statutory and government purposes) and Paragraph 12 (regulatory requirements relating to health and safety) | Where a verification audit log reveals that the certificate verified was a medical certificate (e.g., ENG1 Seafarer Medical), the log itself constitutes special category data. We anonymise certificate types in audit logs where possible (recording "Compliance Document" rather than the specific medical certificate name). Where anonymisation is not possible without destroying the audit trail's regulatory value, we rely on the substantial public interest derogation for health and safety record-keeping. |
| Expiry reminders and service notifications | Contract performance | Art. 6(1)(b) | Letting you know when certificates are about to expire is part of the service you have signed up for. |
| Processing special category data (e.g., medical fitness certificates) | Explicit consent | Art. 9(2)(a), read with Art. 6(1)(a) | Where you upload or receive certificates containing health data (such as medical fitness certificates, ENG1 seafarer medicals, or drug & alcohol test results), we process this data strictly on the basis of your explicit consent to store and display it within the Platform. You may withdraw this consent at any time — see Section 8. |
Where we rely on legitimate interests as our legal basis, we have carried out a legitimate interests assessment (LIA). In summary:
VisOpus has conducted Data Protection Impact Assessments (DPIAs) under GDPR Article 35 for processing activities that pose a higher risk to individuals' rights and freedoms. These include:
Our DPIAs are reviewed and updated when there are significant changes to our processing activities. Copies are available to the ICO and relevant supervisory authorities on request.
Access to personal data within VisOpus is restricted on a role-based basis. Only authorised personnel with a legitimate business need can access user data, and access is limited to the minimum necessary for each role. All access to certificate data and personal information is logged and auditable. Internal access logs are reviewed periodically and access rights are subject to regular review to ensure they remain appropriate.
This section explains in plain terms what we actually do with your data.
We use your name, email address, and password to create and manage your account, authenticate your identity when you log in, and let you use all Platform features. Providing your Account Data is a contractual requirement to use the Platform; without it, we cannot create your account or provide the service.
When a training provider issues you a certificate through the Platform, we store that certificate in your account. We use the certificate data to display it to you, let you manage it, and make it available for sharing when you choose to share it.
When you choose to share a certificate — by generating a QR code, creating a sharing link, or granting a Company access — we use your certificate data to provide the sharing function. For QR/link verification, we display only Verification Data (name, certificate type, issuing body, valid/expired status, expiry date) to the person scanning or accessing the link.
We use your email address and certificate expiry dates to send you reminders before your certificates expire, so that you can take action to renew them. We also send you service notifications such as security alerts, terms updates, and account confirmations.
We use your IP address, login history, and device data to detect and prevent fraudulent access, brute-force login attempts, and other security threats. This helps us protect your account and the accounts of all users. Where possible, IP addresses stored in security logs are truncated or pseudonymised after initial threat analysis. Full IP addresses are retained only where necessary for active security investigation or fraud prevention.
We use anonymised and aggregated analytics data to understand which features are useful, which areas of the Platform cause confusion, and where we can improve performance and design. Where we use identifiable analytics data, we rely on legitimate interests as our legal basis and you may opt out at any time.
If you have opted in to marketing communications, we may send you emails about new features, product updates, and news from VisOpus. We will only do this if you have given us your consent, and you can unsubscribe at any time by clicking the unsubscribe link in any marketing email or by updating your preferences in account settings.
Where we receive a valid legal request (such as a court order, warrant, or binding regulatory request), we may be required to process and disclose your personal data. We will notify you of such a request unless we are legally prohibited from doing so.
We share your personal data only as described below. We never sell your personal data to any third party for any purpose. This is an absolute commitment.
When a Provider issues a certificate to you, we send them a delivery confirmation confirming that the certificate has been delivered to and stored in your account. Providers can view the certificates that they themselves have issued to you — and only those certificates. A Provider cannot see certificates issued to you by any other Provider, your account details beyond what is necessary for certificate delivery, or any information about your interactions with other Providers, Companies, or verifiers.
We share your full certificate details with a Company only when you have explicitly and actively granted that specific Company access through your account settings. You can revoke this access at any time. If you revoke access, the Company will no longer be able to view your certificate details going forward through the Platform.
When a third party scans your QR verification passport or accesses a certificate sharing link, they receive Verification Data only: your name, certificate type, issuing body, valid/expired status, and expiry date. No full certificate document and no other personal data is shared in this way.
We use a limited number of trusted third-party service providers (sub-processors) who process personal data on our behalf and under our instructions. These providers have contractual commitments to us that require them to protect your personal data to the same standard we apply.
| Provider | Purpose | Data Shared |
|---|---|---|
| Google Cloud Platform (europe-west2, London) | Application hosting (Cloud Run), database (Cloud SQL PostgreSQL), certificate storage (Cloud Storage), AI-assisted verification (Vertex AI / Gemini), document processing (Document AI) | All Platform data, stored encrypted at rest and in transit |
| Infobip | SMS delivery (OTP codes, notifications), WhatsApp notifications, email delivery via SMTP gateway | Your phone number, email address, and notification content |
| Stripe | Payment processing for subscription billing (Provider tiers) | Payment data only — no payment data is collected for free tier Individual Users at this time |
| Google Wallet API | Delivery of digital compliance passes to your Google Wallet | Certificate holder name, certificate type, issuing body, status, and expiry date (the data required to create a Wallet pass) |
| Google OAuth 2.0 | Social login authentication (optional — if you choose to sign in with Google) | Your Google account email address and display name |
| WINDA API (Global Wind Safety) | Synchronisation and validation of GWO/OPITO training records where applicable | Certificate reference data for validation against authoritative training records |
We maintain a current list of sub-processors. You may request a copy at any time by emailing privacy@visopus.com. Where we appoint a new sub-processor that processes personal data, we will provide advance notice where reasonably practicable before the change takes effect and notify users who have subscribed to sub-processor notifications via their account privacy settings or by emailing privacy@visopus.com with the subject "Sub-processor Updates".
We may disclose your personal data to law enforcement agencies, courts, or regulatory authorities:
We will notify you of any such disclosure unless we are legally prohibited from doing so, or unless doing so would prejudice the relevant investigation.
In the event of a personal data breach affecting your personal data, VisOpus will notify the relevant supervisory authority and affected users where required under applicable data protection law, including UK GDPR and EU GDPR. Where a breach is likely to result in a high risk to your rights and freedoms, we will notify you without undue delay.
If VisOpus is involved in a merger, acquisition, restructuring, or sale of all or substantially all of its assets, your personal data may be transferred to the acquiring entity. We rely on our legitimate business interests to process data for this purpose. You have the right to object to this processing, and will have the opportunity to delete your account before any such transfer takes effect. We will notify you by email at least 30 days in advance of any such transfer.
6.1.1 VisOpus's primary data storage is located in Google Cloud Platform, europe-west2 region (London, United Kingdom). We aim to keep personal data of UK and EU users within the UK and EEA where possible.
6.1.2 Because we use cloud infrastructure, your data may be processed in multiple geographic regions as part of normal cloud operations (for example, for redundancy, performance, or disaster recovery purposes).
6.2.1 The UK government has granted an adequacy decision for the EEA, meaning personal data can flow freely from the UK to EEA countries without additional safeguards.
6.2.2 The European Commission granted an adequacy decision for the UK in June 2021, subject to a four-year sunset clause. That decision expired in June 2025. Where personal data is transferred from the EEA to the UK (for example, where you are based in an EEA member state), VisOpus relies on Standard Contractual Clauses (EU SCCs) adopted under Commission Implementing Decision (EU) 2021/914, as the applicable transfer mechanism under EU GDPR Article 46(2)(c). VisOpus will update this section promptly if a renewed EU adequacy decision for the UK comes into force.
6.2.3 You may request a copy of the applicable SCCs or further information about our EEA-to-UK transfer safeguards by contacting privacy@visopus.com.
6.3.1 Some of our sub-processors are based in the United States. For transfers of personal data to the US, we rely on the UK International Data Transfer Agreements (IDTAs) and/or EU Standard Contractual Clauses (SCCs), supplemented by additional technical and organisational measures where required following our transfer impact assessments.
6.4.1 Where data is transferred to other countries, we use one of the following safeguards:
6.4.2 You may request details of the transfer mechanisms we use for specific transfers by contacting privacy@visopus.com.
We retain your personal data only for as long as necessary for the purposes set out in this Policy, or as required by law. The table below sets out our retention periods.
| Data Type | Retention Period | Reason for Retention |
|---|---|---|
| Account data (name, email, profile) | Until account deletion, then deleted within 30 days | Account recovery window before permanent deletion |
| Certificate data | Until account deletion, then deleted within 30 days | Aligned with account lifecycle |
| Security logs (IP addresses, login history) | 12 months from the date of the log entry | Security investigation and fraud detection window |
| Certificate verification audit trail | 7 years from the date of the verification event | Integrity of audit trail for safety-critical certifications; aligns with industry record-keeping requirements including STCW Convention (maritime), OPITO standards (offshore), MLC 2006 (seafarer employment), and HSE regulatory expectations for safety-critical worker competence records. The seven-year period reflects common practice in safety-critical industries where qualification records may need to be reviewed during regulatory audits, incident investigations, or insurance compliance reviews |
| Analytics data | 26 months, after which data is anonymised or deleted | Product improvement; aligns with industry standard analytics retention |
| Marketing consent records | Duration of consent period plus 3 years | Regulatory obligation to demonstrate valid consent |
| Support communications | 3 years from the date of the communication | Service quality, dispute resolution, and regulatory compliance |
| Cookies | See Section 10 for individual cookie durations | Varies by cookie type and purpose |
When you delete your account, we begin the deletion process immediately. Your account data and certificate data will be removed from our active systems within 30 days. Some data may persist in backup systems for a limited period (typically up to 90 days) before it is overwritten in the normal backup cycle. Backup data is encrypted and automatically overwritten during the normal backup rotation cycle.
The verification audit trail (records of when certificates were verified) may be retained for up to 7 years even after you delete your account. This retention is based on our legitimate interest in supporting the integrity of safety-critical certification records. We retain only the minimum data necessary: the fact of verification, a generalised certificate category, and the date — not full personal profile data. Where a certificate type would reveal special category data (e.g., a medical fitness certificate), we anonymise it in the audit log to a generic category label (e.g., "Compliance Document") unless full specificity is required for regulatory compliance, in which case we rely on the substantial public interest derogation under UK DPA 2018 Schedule 1, Part 2 (see Section 3).
Under UK GDPR and EU GDPR, you have a range of rights in relation to your personal data. We explain each below in plain English and tell you how to exercise them.
What it means: You have the right to ask us for a copy of all the personal data we hold about you. This is sometimes called a Subject Access Request (SAR).
How to exercise it: Email privacy@visopus.com with the subject line "Subject Access Request", or use the data export function in your account settings. We will respond within 30 days. For complex or large requests, we may extend this to 90 days with notice to you.
What it means: If any of the personal data we hold about you is inaccurate or incomplete, you have the right to ask us to correct it.
How to exercise it: You can update most of your account data directly through your account settings. For data you cannot update yourself (such as certificate data), contact privacy@visopus.com. Note that certificate content can only be corrected by the issuing Provider.
What it means: You have the right to ask us to delete your personal data in certain circumstances — for example, if we no longer need it for the purpose it was collected, or if you withdraw consent and there is no other lawful basis for processing.
How to exercise it: Delete your account via account settings (which triggers deletion of account and certificate data within 30 days), or email privacy@visopus.com for specific data deletion requests.
Important limitation: The right to erasure is not absolute. We may retain certain data even after a deletion request, specifically:
We will always tell you clearly what we are retaining and why.
What it means: You have the right to receive a copy of the personal data you have given us in a structured, commonly used, and machine-readable format, so that you can transfer it to another service.
How to exercise it: Use the data export function in your account settings to download your profile data and certificate data. You can also request this by emailing privacy@visopus.com.
What it means: In certain circumstances, you can ask us to pause the processing of your personal data — for example, if you contest its accuracy, or while a complaint is being investigated.
How to exercise it: Email privacy@visopus.com explaining that you wish to restrict processing and the reason for your request.
What it means: You have the right to object to processing that is based on our legitimate interests (such as analytics and the security audit trail). We will stop the processing unless we have compelling legitimate grounds that override your interests.
How to exercise it: You can opt out of analytics tracking through your account privacy settings or by emailing privacy@visopus.com. For other legitimate interest processing, email privacy@visopus.com.
What it means: Where we process your data based on your consent (such as marketing emails, non-essential cookies, or Company access to certificates), you can withdraw that consent at any time without giving a reason.
How to exercise it:
Withdrawal of consent does not affect the lawfulness of processing carried out before the withdrawal.
What it means: You have the right not to be subject to a decision based solely on automated processing (including profiling) that produces legal or similarly significant effects on you.
Our position: VisOpus does not make any decisions about you using solely automated processing that produce legal or similarly significant effects. No automated decisions are made about your account status without human review.
VisOpus uses automated tools to assist in the preliminary analysis of uploaded certificates — for example, detecting missing information, formatting inconsistencies, or potential anomalies.
These tools are used only to support human review. AI tools operate only as anomaly detection tools and do not make decisions affecting users' legal rights or employment status. Final verification decisions are made by human reviewers and are not based solely on automated processing. The AI tools flag potential issues for review; they do not approve, reject, or make any binding determination about any certificate.
The AI authenticity indicators displayed on certificates are informational only — they reflect the outcome of the human-reviewed verification process. They do not determine your access to the Platform, your employment status, or any legal rights.
AI-assisted certificate analysis does not determine employment eligibility, compliance status, or regulatory certification. These determinations remain the sole responsibility of employers and training providers. Employers who access your certificates through the Platform must independently verify compliance with their own regulatory obligations.
Because human oversight is always involved, GDPR Article 22 (automated individual decision-making) does not apply to this processing.
AI governance: VisOpus maintains internal human oversight procedures for all AI-assisted certificate analysis. No AI output is acted upon without human review. Human reviewers are responsible for reviewing all AI-flagged anomalies before any action is taken within the Platform.
AI training data: VisOpus does not use your certificate images or personal data to train AI models. Where AI tools are improved, this is done using anonymised and aggregated datasets that cannot identify any individual user or certificate.
To exercise any of your rights:
We will respond within 30 days. For complex or multiple requests, we may extend this to 90 days and will notify you of the extension within the initial 30-day period.
We will not charge a fee for reasonable requests. For manifestly unfounded or excessive requests (for example, repetitive requests), we may charge a reasonable administrative fee or decline to act.
We may ask you to verify your identity before processing your request, to ensure we do not disclose your data to the wrong person.
If you are unhappy with how we have handled your personal data, you have the right to lodge a complaint with the relevant supervisory authority:
We would appreciate the opportunity to address your concerns directly before you contact a supervisory authority. Please email privacy@visopus.com first and we will do our best to resolve your concern promptly.
If you are a resident of California, USA, the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA) provides you with the following additional rights:
9.1.1 Right to Know You have the right to know:
9.1.2 Right to Delete You have the right to request that we delete the personal information we have collected from you, subject to certain exceptions under California law.
9.1.3 Right to Opt-Out of Sale We do not sell your personal information. We have not sold and do not sell personal information to any third party. You therefore do not need to opt out, but you are entitled to this assurance.
9.1.3a Right to Opt-Out of Sharing (Cross-Context Behavioural Advertising) Under CPRA, you also have the right to opt out of the "sharing" of your personal information — meaning disclosure to third parties for cross-context behavioural advertising purposes. VisOpus uses retargeting cookies only with your explicit prior consent. You may withdraw this consent at any time via the cookie preferences link in the Platform footer, or by emailing privacy@visopus.com with the subject "Do Not Share — CPRA".
9.1.4 Right to Correct You have the right to request that we correct inaccurate personal information we hold about you.
9.1.5 Right to Limit Use of Sensitive Personal Information Where we process any sensitive personal information (as defined under CPRA), we use it only for the purpose of providing the Platform service to you. Categories of SPI we may process include: health-related information contained in medical fitness certificates (e.g., ENG1 Seafarer Medical, offshore medical assessments, drug and alcohol test results), and government-issued identification numbers contained in certain professional certificates. We do not use SPI for any purpose other than delivering the certificate storage and verification services you have requested.
9.1.6 Right to Non-Discrimination We will not discriminate against you for exercising any of your CCPA/CPRA rights. Exercising your rights will not affect the quality or availability of the service we provide to you.
9.1.7 Categories of Personal Information Collected We collect the following CCPA categories of personal information: identifiers (name, email, IP address); personal records; internet or other electronic network activity; geolocation data (approximate only); professional or employment-related information; and inferences drawn from other personal information.
9.1.8 No Financial Incentives We do not offer financial incentives for the collection, retention, or sale of personal information.
9.1.9 How to Exercise California Rights Email privacy@visopus.com with the subject "California Privacy Request" or use your in-app privacy settings. To exercise your right to limit the use of Sensitive Personal Information (clause 9.1.5), you can do so directly via the privacy controls in your account settings, or by emailing privacy@visopus.com with the subject "Limit SPI". We will respond within 45 days as required by CCPA (extendable by a further 45 days with notice).
9.2.1 All rights described in Section 8 of this Policy apply fully to EU/EEA residents.
9.2.2 EU Representative: As VisOpus is established in the United Kingdom, we are required to designate an EU representative under Article 27 of EU GDPR if we offer services to individuals in the EU on a regular basis. Our EU representative details will be published here once appointed.
9.2.3 EU residents may lodge complaints with their local Data Protection Authority. A directory of EU DPAs is available at edpb.europa.eu.
9.2.4 EU residents also have the right to an effective judicial remedy against our decisions and against any supervisory authority decision, in accordance with Articles 78 and 79 of EU GDPR.
9.3.1 If you are located in Australia, the Australian Privacy Act 1988 and the Australian Privacy Principles (APPs) apply to how we handle your personal information.
9.3.2 Right of Access: You have the right to request access to the personal information we hold about you. We will respond within a reasonable time (typically 30 days) and will not charge a fee for reasonable requests.
9.3.3 Right to Correction: If you believe any personal information we hold is inaccurate, out of date, incomplete, or misleading, you have the right to ask us to correct it.
9.3.4 Overseas Transfers: Where we transfer your personal data to overseas recipients, we remain accountable for ensuring those recipients comply with the APPs, unless an exception applies.
9.3.5 Complaints: If you have a complaint about how we have handled your personal information, contact us first at privacy@visopus.com. If we cannot resolve your complaint, you may lodge a complaint with the Office of the Australian Information Commissioner (OAIC) at oaic.gov.au.
9.4.1 If you are located in Singapore, the Personal Data Protection Act 2012 (PDPA) applies to the collection, use, and disclosure of your personal data by VisOpus.
9.4.2 Right of Access: You have the right to request access to the personal data we hold about you and information about how it has been used or disclosed in the past 12 months.
9.4.3 Right to Correction: You have the right to request correction of any inaccurate personal data we hold about you.
9.4.4 Right to Withdraw Consent: You may withdraw consent for any consent-based processing at any time. We will inform you of the likely consequences of withdrawal before it is effected.
9.4.5 Overseas Transfers: Where we transfer your personal data outside Singapore, we comply with the PDPA's transfer limitation obligation by ensuring comparable protection is in place.
9.4.6 Complaints: Contact us at privacy@visopus.com. If your complaint is not resolved, you may contact the Personal Data Protection Commission (PDPC) at pdpc.gov.sg.
9.5.1 If you are located in the UAE, the UAE Personal Data Protection Law applies to our processing of your personal data.
9.5.2 We process your personal data on a consent basis and for contractual necessity. You have the right to:
9.5.3 Automated Decision-Making: You have the right not to be subject to decisions based solely on automated processing that produce legal or similarly significant effects on you. As described in Section 8.9, VisOpus uses AI tools only as decision-support tools with mandatory human review; no decisions affecting your rights are made by automated means alone.
9.5.4 Cross-Border Transfers: Where we transfer your personal data outside the UAE, we ensure that comparable protection standards are in place, including through contractual safeguards.
9.5.5 To exercise your rights, contact privacy@visopus.com.
9.6.1 If you are located in Saudi Arabia, the Saudi Personal Data Protection Law (PDPL) and its implementing regulations apply to the processing of your personal data.
9.6.2 We process your personal data with your consent where required, and for the performance of our contract with you. You have the right to:
9.6.3 Cross-Border Transfers: Where we transfer your personal data outside Saudi Arabia, we ensure that the transfer meets the requirements of the Saudi PDPL, including that the destination country provides an adequate level of protection or appropriate safeguards are in place.
9.6.4 To exercise your rights, contact privacy@visopus.com.
If you are located in a jurisdiction not specifically mentioned in Sections 9.1 to 9.6 above, you may have additional rights or protections under your local data protection or privacy laws. These terms do not limit any rights you may have under your local law.
Contact us at privacy@visopus.com to exercise any such rights or to ask questions about how your local law applies to our processing of your personal data.
Cookies are small text files stored on your device by websites and applications. They help the Platform remember you, keep you logged in, and understand how you use the service. Some cookies are essential for the Platform to work; others are optional.
| Cookie Name | Type | Purpose | Duration | Can It Be Disabled? |
|---|---|---|---|---|
visopus_session | Essential | Maintains your login session so you stay logged in while using the Platform | Session (expires when you close your browser) | No — this cookie is required for the Platform to function. Disabling it will prevent you from logging in. |
visopus_csrf | Essential | Prevents cross-site request forgery attacks that could allow malicious sites to perform actions on your behalf | Session (expires when you close your browser) | No — this is a security-critical cookie. |
visopus_consent | Essential | Stores your cookie consent preferences so you are not shown the consent banner on every visit | 12 months | No — if this cookie is disabled, we cannot remember your preferences. |
visopus_analytics | Analytics | Collects anonymised data about pages visited, features used, and session duration to help us improve the Platform | 26 months | Yes — opt out via the cookie banner or your account privacy settings. |
visopus_mktg | Marketing | Enables retargeting advertising on external platforms (LinkedIn, Google Ads) based on your Platform activity | 12 months | Yes — opt out via the cookie banner or your account privacy settings. This cookie is only set if you have explicitly consented. |
Our analytics and marketing cookies may involve third-party providers (such as Google Analytics or LinkedIn Insight Tag). These third parties may set their own cookies on your device subject to their own privacy policies.
When you first visit the Platform, you will be shown a cookie consent banner that lets you accept or decline non-essential cookies.
At any time, you can:
Browser-level controls: Most browsers allow you to refuse cookies or delete them. Refer to your browser's help documentation for instructions:
11.1 The Platform is intended for users aged 18 and over only. We do not knowingly collect personal data from anyone under the age of 18.
11.2 If we discover that we have collected personal data from a person under 18, we will delete that data and suspend the associated account as quickly as reasonably practicable.
11.3 If you are a parent or guardian and believe that a person under 18 has created an account or provided personal data to VisOpus, please contact us at privacy@visopus.com and we will take prompt action to investigate and delete the data.
12.1.1 We review this Privacy Policy periodically and update it to reflect changes to our practices, the Platform, or applicable law.
12.1.2 For material changes (changes that significantly affect how we use your data or your rights), we will notify you by email at least 30 days before the changes take effect.
12.1.3 For non-material changes (corrections, clarifications, formatting updates, or minor administrative changes that do not affect how your data is processed or your rights), we may make changes without advance notice. We will always update the "Last Updated" date at the top of this document.
Material changes include, for example:
Previous versions of this Privacy Policy are archived and available on request from privacy@visopus.com.
If you have any questions, requests, or concerns about this Privacy Policy or about how we handle your personal data, please contact us:
| Contact Type | Details |
|---|---|
| Privacy enquiries and rights requests | privacy@visopus.com |
| General support | support@visopus.com |
| Registered Company Name | VisOpus Ltd |
| Registered Address | Millfield Mill Farm, New Road, Laceby, DN37 7EF |
| Company Number | 17073404 |
| ICO Registration Number | ZC105282 |
| EU Representative | Not yet appointed — will be confirmed prior to EU rollout |
UK Supervisory Authority: Information Commissioner's Office (ICO) Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF ico.org.uk | 0303 123 1113
EU Supervisory Authorities: Contact your local Data Protection Authority. A directory is available at edpb.europa.eu.
This Privacy Policy was last updated on 12 March 2026 and takes effect from that date. Version 1.0.