Last updated: July 8, 2026
Privacy Policy
How Optonum collects, uses, stores, and protects personal and factory data — including AI processing and subprocessors.
Overview
Optonum ("we", "us", "our") operates a cloud manufacturing operations platform at optonum.com. This Privacy Policy explains what personal and factory data we process, why we process it, and your rights.
Data controller: Optonum. Contact: hello@optonum.com.
This policy applies to our website, web application, API, and email communications. By creating an account or using the service, you acknowledge this policy.
Data we collect
We process the following categories of information:
- Account data: name, email address, authentication identifiers, organization membership, and role assignments (via Supabase Auth).
- Factory and operations data you enter or upload: assets, orders, bills of materials, inventory, simulation inputs and results, workforce records, quality records, agent proposals, change requests, and audit logs.
- Usage and technical data: pages visited, feature usage, error reports, IP address, browser type, and performance metrics to operate and improve the service.
- Billing data: subscription plan, Stripe customer and subscription identifiers, and payment metadata. We do not store full credit card numbers.
- Communications: support messages and optional agent briefing emails sent to addresses you configure.
How we use data
We use your data to:
- Provide, authenticate, and secure the platform (multi-tenant access control, backups, incident response).
- Run discrete-event simulation, analytics, dashboards, and AI features grounded in your factory context.
- Operate autonomous AI agents that propose changes; proposals remain pending until a human approves them.
- Process subscriptions and send transactional email (invites, briefings, service notices).
- Improve reliability and product quality using aggregated, de-identified usage analytics where feasible.
- Comply with legal obligations and enforce our Terms of Service.
Legal bases (EEA / UK GDPR)
Where GDPR applies, we rely on: (a) contract — processing necessary to deliver the service you signed up for; (b) legitimate interests — security, fraud prevention, and product improvement, balanced against your rights; (c) consent — where required for optional marketing or non-essential cookies; (d) legal obligation — where law requires retention or disclosure.
You may withdraw consent for optional processing without affecting the lawfulness of prior processing.
AI & automated processing
Optonum includes an AI assistant and optional autonomous agents (Bottleneck Oracle, Procurement Agent, Scheduling Agent on eligible plans). When you use these features, relevant factory context — such as asset counts, bottleneck metrics, inventory levels, and order summaries — is sent to configured LLM providers to generate replies or structured proposals.
AI outputs are decision-support only. Agents cannot modify your production data without an explicit human approval step through our Change Request workflow. You should review all proposals before applying them.
We do not use your factory data to train public foundation models. Provider-side retention and zero-data-retention options depend on your API configuration and the provider's enterprise terms.
Primary AI subprocessors: Google Gemini API (agents and structured inference) and, when configured, OpenAI (assistant chat). See Subprocessors below.
Subprocessors
We use the following categories of service providers to operate the platform. They process data only on our instructions and under contractual safeguards:
| Provider | Purpose | Location | Data processed |
|---|---|---|---|
| Supabase, Inc. | Authentication, PostgreSQL database, file storage | United States / EU (region-dependent) | Account credentials, factory data, uploaded files |
| Vercel, Inc. | Application hosting, serverless API routes, cron jobs | Global edge network | Request metadata, API payloads in transit |
| Google LLC (Google Cloud / Gemini API) | LLM inference for autonomous agents and optional AI features | Global (Google Cloud regions) | Factory context snippets sent per AI request (no bulk export) |
| OpenAI, LLC | AI assistant chat (when OPENAI_API_KEY is configured) | United States | Chat messages and grounded project context per request |
| Stripe, Inc. | Subscription billing and payment processing | United States / EU | Billing contact, plan tier, payment method metadata (not full card numbers) |
| Resend, Inc. | Transactional email (agent briefings, invites) | United States | Recipient email address, message content |
International transfers
Your data may be processed in the United States, the European Union, and other regions where our subprocessors operate. Where required, we rely on Standard Contractual Clauses, the EU-US Data Privacy Framework (where applicable), or equivalent transfer mechanisms.
Retention
We retain account and factory data while your subscription or free account is active. After termination, we delete or anonymize data within a reasonable period unless longer retention is required for legal, tax, audit, or dispute-resolution purposes.
Audit logs and agent run records may be retained longer where needed for compliance features (e.g. 21 CFR Part 11 workflows on Enterprise plans).
AI usage counters reset daily; underlying audit entries follow the general retention schedule.
Your rights
Depending on your jurisdiction, you may have the right to:
- Access, correct, or delete personal data we hold about you.
- Export your data in a portable format where technically feasible.
- Object to or restrict certain processing, and withdraw consent where processing is consent-based.
- Lodge a complaint with your local supervisory authority.
KVKK (Turkey — Kişisel Verilerin Korunması Kanunu)
If you are located in Turkey or your factory operations are subject to Turkish law, the following KVKK disclosures apply in addition to this policy.
Veri sorumlusu: Optonum. İletişim: hello@optonum.com.
Kişisel verileriniz; hizmet sözleşmesinin ifası, meşru menfaat, açık rıza (gerektiğinde) ve hukuki yükümlülük hukuki sebeplerine dayanılarak işlenmektedir.
KVKK m. 11 kapsamında kişisel verilerinizin işlenip işlenmediğini öğrenme, bilgi talep etme, amacına uygun kullanılıp kullanılmadığını öğrenme, yurt içi/yurt dışı aktarılan üçüncü kişileri bilme, eksik/yanlış işlenmişse düzeltilmesini isteme, silinmesini veya yok edilmesini isteme, otomatik sistemler vasıtasıyla analiz edilmesi suretiyle aleyhinize bir sonucun ortaya çıkmasına itiraz etme ve kanuna aykırı işlenmesi halinde zararın giderilmesini talep etme haklarına sahipsiniz.
Başvurularınızı hello@optonum.com adresine iletebilirsiniz. Başvurular en geç 30 gün içinde sonuçlandırılır.
Yurt dışına aktarım: Supabase, Vercel, Google Cloud/Gemini, OpenAI, Stripe ve Resend gibi alt işleyiciler ABD/AB bölgelerinde veri işleyebilir; aktarımlar sözleşmesel güvenceler ve geçerli mevzuata uygun şekilde yapılır.
Children
The service is intended for business users aged 18 and over. We do not knowingly collect personal data from children.
Changes & contact
We may update this policy with reasonable notice for material changes. The "Last updated" date at the top reflects the latest revision.
Privacy inquiries and data subject requests: hello@optonum.com.
Questions? hello@optonum.com · Back to Optonum