Skip to main content
OpenSettle
Get Started
Legal

California Privacy Notice

Effective 2026-05-12

This California Privacy Notice supplements OpenSettle's main Privacy Policy at /legal/privacy. It applies to California residents and is provided under the California Consumer Privacy Act of 2018 as amended by the California Privacy Rights Act of 2020 (together, the "CCPA"). Capitalised terms not defined here have the meaning given in the CCPA.

Categories of personal information we collect. In the last 12 months we have collected the following CCPA-enumerated categories from California residents who use OpenSettle: (a) identifiers — your name, email address, workspace ID, IP address, and account credentials; (b) commercial information — records of products and services purchased through merchants on our platform, billing history, and subscription tier; (c) internet or other electronic network activity — application and access logs, dashboard usage events, error reports, and approximate device metadata such as user agent; (d) geolocation data — only the coarse, IP-derived country and region used for fraud prevention and sanctions screening, never precise geolocation; (e) professional or employment-related information — for business signups, the role you hold within your organisation (founder, finance, engineering) when you provide it.

Sources of personal information. We collect personal information directly from you during signup and use of the Service, automatically from your device when you interact with our marketing site and dashboard, and from our service providers and subprocessors listed at /legal/subprocessors (for example, error monitoring, transactional email, and infrastructure logs).

Purposes of collection. We use each category to operate, maintain, secure, and improve the Service; to bill and collect fees; to provide customer support; to detect, prevent, and investigate fraud, abuse, and security incidents; to comply with sanctions, anti-money-laundering, tax, and lawful-process obligations; and to communicate service announcements and material changes. We do not use personal information for behavioural advertising or to build profiles for advertising purposes.

Recipients of personal information. We disclose personal information only to our subprocessors (listed in full at /legal/subprocessors), to law enforcement and regulators in response to valid lawful process, and to a successor entity in the event of a merger, acquisition, or sale of assets. Our subprocessors are bound by written contracts that restrict them to processing data on our documented instructions.

Retention. We retain each category only as long as needed for the purposes above, governed exactly as our main Privacy Policy describes under "Retention periods." Today the one programmatic rule is the deleted-workspace lifecycle (90-day soft-delete-then-purge via foreign-key cascade); application logs roll off on a 30-day window and encrypted backups on a 30-day cadence. Fixed per-category caps — such as a seven-year cap on transaction metadata or a one-year cap on webhook-delivery records — are planned but NOT yet implemented; see /legal/privacy for the authoritative, current schedule.

Sale and sharing. OpenSettle does not sell personal information, and does not share personal information for cross-context behavioural advertising, as those terms are defined under the CCPA. We have not done so in the prior 12 months and have no plans to do so. As a result, there is no "Do Not Sell or Share My Personal Information" link to opt out from — the practice does not occur.

Sensitive personal information. The only sensitive personal information we collect is account credentials (your sign-in identifier and authentication factors). We use these only to authenticate you and to secure your account. We do not use sensitive personal information to infer characteristics, and we do not need to offer the CCPA right to limit its use because we already restrict it to the purposes permitted by CCPA section 1798.121(a).

Your CCPA rights. As a California resident you have: (a) the right to know what personal information we have collected, used, disclosed, and (if applicable) sold or shared; (b) the right to delete personal information we have collected, subject to legal exceptions; (c) the right to correct inaccurate personal information; (d) the right to limit the use of sensitive personal information (not applicable in practice — see above); (e) the right to opt out of sale or sharing (not applicable — we do not sell or share); and (f) the right not to receive discriminatory treatment for exercising any of these rights.

Exercising your rights. Submit requests to privacy@opensettle.io. We will acknowledge within 10 business days and respond within 45 calendar days (extendable once by another 45 days with notice). We will verify your identity using information already associated with your account; for deletion or correction requests we may require additional verification proportionate to the sensitivity of the data. We do not charge for responding to a verifiable request unless it is manifestly unfounded or excessive.

Authorised agents. You may designate an authorised agent to submit requests on your behalf. We accept agent requests accompanied by a notarised written authorisation, or by a power of attorney granted under California Probate Code sections 4000 to 4465. We may still require you to verify your own identity directly.

Appeals. If we decline a request in whole or in part, our response will explain the reason. You may appeal by replying to that response within 60 days; appeals are reviewed by a person not involved in the original decision and answered within 45 days. You may also file a complaint with the California Privacy Protection Agency at cppa.ca.gov.

Contact. OpenSettle Labs, Inc., a Delaware corporation. Email: privacy@opensettle.io for privacy requests; security@opensettle.io for security-sensitive correspondence. For postal correspondence (subpoenas, formal regulator inquiries, authorised-agent requests requiring mail service), email legal@opensettle.io and we will provide the current registered-agent address. CCPA requires us to maintain a contact method, not a physical address; the email channels above are the canonical contact methods for this notice.

This document is the current published version of the policy. Outside-counsel review is in progress and revisions will be announced on this page. For operational questions, contact support@opensettle.io.