Privacy Protocol

    Privacy by
    Architecture.

    How Servance Pty Ltd (trading as OPPI) collects, uses, and protects your personal information.

    v1.0
    Effective 26 June 2026

    Vault Encryption

    All data encrypted in transit (TLS 1.3) and at rest (AES-256). No exceptions.

    Zero Sale

    We never sell, rent, or trade your personal or venue data to third parties.

    Total Ownership

    You retain full intellectual property rights over your venue data at all times.

    APAC Residency

    Primary data infrastructure hosted in the Asia-Pacific region under strict access controls.

    01. Who We Are

    This privacy policy is issued by Servance Pty Ltd, an Australian company trading as OPPI. We build operational intelligence software for the hospitality industry.

    When you use our website (oppi.au), sign up for our services, or interact with our platform, we act as the data controller. This means we decide how and why your personal information is processed.

    When our customers use OPPI to process their own venue data (including information about their staff, guests, or operations), we act as a data processor on their behalf. In those cases, your venue is the data controller and their privacy policy applies.

    Governing Law

    This policy is governed by the Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs). Where we serve customers outside Australia, we also respect the principles of the EU General Data Protection Regulation (GDPR) and equivalent local frameworks.

    02. What We Collect

    We collect different categories of personal information depending on how you interact with us:

    Account Information

    • Name and email address
    • Organisation and role
    • Phone number (if provided)
    • Billing and payment details

    Venue Operational Data

    • Sales summaries and revenue metrics
    • Labour and roster information
    • Menu structure and product data
    • Task and workflow records

    Technical & Usage Data

    • IP address and browser type
    • Pages visited and interaction patterns
    • Device information and screen size
    • Referral source

    Communications

    • Support tickets and chat logs
    • Email correspondence
    • Feedback and survey responses
    • Waitlist and demo request details

    03. How We Collect It

    We collect personal information through three channels:

    • Directly from you: when you create an account, fill out a form, join our waitlist, or contact our team.
    • From your venue systems: when you connect integrations such as your POS, property management system, or rostering tool. We only access data you explicitly authorise.
    • Automatically: through server logs, cookies, and similar technologies when you visit our website. See Section 11 for details on cookies.

    We do not purchase personal information from third-party data brokers. We do not scrape publicly available information to build profiles.

    04. Why We Use It

    We use your personal information for the following purposes:

    • To provide and operate the OPPI platform, including generating insights, projections, and operational recommendations for your venue.
    • To process payments and manage your subscription.
    • To communicate with you about your account, service updates, and support requests.
    • To maintain the security and integrity of our systems, including fraud detection and abuse prevention.
    • To improve our products by analysing aggregated, anonymised usage patterns.
    • To comply with legal obligations, including Australian tax and corporate law.

    We will not use your personal information for purposes materially different from those described above without notifying you first.

    05. AI & Automated Processing

    OPPI uses artificial intelligence and automated systems to analyse venue operational data and generate actionable insights. This is a core part of our service. Here is how we handle it:

    No Model Training on Your Data

    Your venue data is never used to train general-purpose or foundational AI models. AI processing is performed exclusively to serve your venue's operational needs.

    Anonymisation Before Analysis

    When we analyse patterns across the platform to improve our algorithms, data is aggregated and anonymised first. Individual venue identities, staff names, and guest information are stripped before any cross-system analysis occurs.

    Human Oversight

    Automated recommendations generated by OPPI are advisory. Critical operational decisions remain with your team. We do not make automated decisions that produce legal effects or similarly significant impacts on individuals without human review.

    06. Who We Share With

    We do not sell, rent, or trade your personal information. We share data only with the following categories of service providers, and only to the extent necessary to operate our platform:

    Infrastructure & Hosting

    • Cloud database and authentication providers
    • Content delivery and edge hosting
    • Server monitoring and error tracking

    AI & Processing

    • Large language model API providers
    • Data pipeline and transformation services
    • All subject to data processing agreements

    Business Operations

    • Payment processing providers
    • Email and communication platforms
    • Customer support tooling

    Legal & Compliance

    • When required by law, regulation, or valid legal process
    • To protect rights, safety, or property
    • In connection with a merger or acquisition (with notice)

    All third-party processors are bound by data processing agreements that require them to protect your information to the same standard we apply internally.

    07. Where Your Data Lives

    Transparency about where your data is stored matters. Here is the current state of our infrastructure:

    • Our primary database and authentication infrastructure is hosted in Singapore (AWS ap-southeast-1) via our database provider.
    • Application hosting and edge delivery may utilise servers in multiple regions, including Australia and the United States, depending on the provider.
    • AI processing requests may be routed to API providers with infrastructure in the United States and Europe.

    Cross-Border Disclosure (APP 8)

    Under Australian Privacy Principle 8, we are required to disclose that your personal information may be transferred to recipients in countries outside Australia, specifically Singapore, the United States, and the European Union. We take reasonable steps to ensure that overseas recipients handle your information in accordance with the APPs. Singapore maintains strong data protection standards under its Personal Data Protection Act (PDPA).

    08. How We Protect It

    We implement technical and organisational measures appropriate to the sensitivity of the information we hold:

    • Encryption in transit using TLS 1.3 and at rest using AES-256.
    • Logically isolated infrastructure. Venue data is partitioned so one customer cannot access another's information.
    • Role-based access control (RBAC) with the principle of least privilege.
    • OAuth-based integrations. We never store your third-party system passwords.
    • Regular access reviews and security monitoring.

    No system is perfectly secure. If we become aware of a data breach that is likely to result in serious harm, we will notify the Office of the Australian Information Commissioner (OAIC) and affected individuals in accordance with the Notifiable Data Breaches (NDB) scheme.

    For more detail on our security architecture, see our Security page.

    09. How Long We Keep It

    We retain personal information only for as long as necessary to fulfil the purposes for which it was collected, or as required by law:

    Data CategoryRetention Period
    Account & profile dataActive subscription + 90 days
    Venue operational dataActive subscription + 90 days
    Billing & transaction records7 years (Australian tax law)
    System logs & telemetry90 days rolling
    Support correspondence2 years from resolution
    Marketing preferencesUntil you unsubscribe

    When data is no longer required, it is securely deleted or anonymised so that it can no longer be linked to an individual.

    10. Your Rights

    Under the Australian Privacy Principles and applicable international frameworks, you have the following rights:

    Access

    Request a copy of the personal information we hold about you.

    Correction

    Ask us to correct inaccurate or incomplete information.

    Deletion

    Request that we delete your personal information, subject to legal retention obligations.

    Complaint

    Lodge a complaint with us or with the Office of the Australian Information Commissioner (OAIC).

    To exercise any of these rights, contact us at privacy@oppi.au. We will respond within 30 days. If we refuse a request, we will provide written reasons and information about how to complain.

    If you are unsatisfied with our response, you may lodge a complaint with the Office of the Australian Information Commissioner.

    11. Cookies & Tracking

    Our website uses minimal cookies and local storage, limited to what is necessary for the site to function:

    • Authentication tokens, stored in local storage to keep you signed in to the OPPI platform.
    • UI preference cookies, such as sidebar state, to remember your interface settings between visits.

    We do not currently use third-party advertising cookies, tracking pixels, or behavioural analytics tools on our marketing website. If this changes, we will update this policy and provide appropriate notice and controls.

    No Third-Party Tracking

    As of the date of this policy, oppi.au does not embed Google Analytics, Facebook Pixel, Hotjar, or any similar third-party tracking service on its public-facing website.

    12. Changes & Contact

    We may update this privacy policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. When we make material changes, we will:

    • Update the "last updated" date at the top of this page.
    • Notify active customers via email for significant changes.
    • Provide a reasonable period before changes take effect.

    Contact Details

    Entity: Servance Pty Ltd (trading as OPPI)

    Privacy enquiries: privacy@oppi.au

    Website: oppi.au

    Regulator: Office of the Australian Information Commissioner (OAIC)

    Servance Pty Ltd · oppi.au
    PP-2026-001

    Questions on
    Protection?