Legal

Privacy Policy

Effective date: May 7, 2026

This Privacy Policy explains how opynt (“we”, “us”, or “our”) collects, uses, and shares information when you use our website and services (the “Services”).

Information we collect

Account and organization data: Name, work email, organization name, and domain. If you choose Google or GitHub sign-in, we also receive basic profile identifiers from that provider as part of the OAuth flow.
Workspace / OAuth integration data: Metadata about connected third-party apps (e.g., app name, publisher, scopes), and administrative identifiers needed to operate the integration.
Security training and simulation events: Events such as delivered / opened / clicked / reported and training completion.
Usage data: Product usage analytics and logs required to secure and operate the Services.

How we use information

We use the information we collect to operate, secure, and improve the Services and to communicate with the people who use them.

Provide & improve: Provide, maintain, and improve the Services.
Secure: Secure the Services, prevent abuse, and troubleshoot issues.
Operate integrations: Operate integrations you enable and display risk insights you request.
Communicate: Communicate with you about the Services (e.g., support and administrative notices).

Security and data protection

We apply administrative, technical, and organizational measures appropriate to the data processed in the Services, including information obtained through Google Workspace and other integrations you connect.

Encryption in transit: We use TLS (HTTPS) for traffic between your browsers, our web application, and our APIs.
Storage and infrastructure: Application data is stored in a PostgreSQL database and supporting systems (for example, a Redis cache for background work). We rely on our hosting and database providers for industry-standard protections, including encryption at rest where supported by those environments.
Access and isolation: The Services are built for multi-tenant use. We restrict access to operational data on a need-to-know basis and isolate customer data in the application layer.
Accounts and credentials: Sign-in secrets (such as passwords) are handled using one-way hashing; we do not store raw passwords. Session mechanisms use signed tokens.
Integration tokens: OAuth and integration credentials are stored only on our servers and are used solely to perform the features you enable (e.g., Workspace directory sync and reading OAuth app grants via the Admin SDK). They are not exposed to end-user browsers except through the secure flows we operate.

Google OAuth scopes and Workspace API data

The OAuth scopes we request are the same ones listed on our Google Cloud OAuth consent screen (and in your Google account’s consent UI when you authorize the app). The exact set may be updated as features change, but sensitive scope use always matches our verification submission and in-app behavior.

Non-sensitive (sign-in / identity)

openid: OpenID Connect sign-in.
userinfo.email: Primary Google account email address for sign-in flows.
userinfo.profile: Basic profile information you have made available for sign-in.

Sensitive (Google Workspace — Admin SDK)

admin.directory.user.readonly: List users in your Workspace (name, email, account status) so we can sync our employee roster and associate risk data with the correct people.
admin.directory.user.security: Read OAuth token and third-party app grant information per user (Admin SDK Tokens API), so administrators can see which apps have access and which scopes were granted.

Artificial intelligence

opynt does not operate its own general-purpose machine learning model for customer content. Phishing-awareness simulation templates may be generated using third-party APIs configured with keys in our application: Anthropic Claude (including Claude Opus 4.7 where selected) and OpenAI. Depending on configuration, we may alternatively use xAI (Grok, OpenAI-compatible API).

Separation from Workspace data: Prompts sent for template generation do not include your Google Workspace directory export, per-user OAuth token inventories, or other bulk Admin SDK payloads. Workspace data obtained under Google OAuth scopes is not transmitted to Anthropic or OpenAI for template generation.
Third-party AI providers: Process only the prompts and parameters needed for a given template request, under their respective API and privacy terms.
No AI credentials configured: When AI credentials are not configured, we use built-in non-AI templates so core workflows remain available.

How we share information

We share information with the categories of subprocessors listed below to operate the Services. We may also share information if required by law, to protect our rights, or to prevent fraud or abuse.

Infrastructure: Cloud hosting and container runtime for the web app and API (for example, providers such as Vercel or equivalent).
Database and queues: Managed or self-hosted PostgreSQL and Redis for application data and background jobs.
Email delivery: Resend (or dev-only mail preview tools in local environments) when you send simulation or transactional email through the Services.
Google APIs: Google Workspace / Google Cloud Identity services when you authorize the integration; processing is subject to Google’s terms and the scopes you approve on the OAuth consent screen.
Optional Slack: Slack APIs if you connect Slack to the Services.
Billing (optional): Polar (polar.sh) for checkout, subscription, and customer billing portal flows when billing is enabled for your organization.
Artificial intelligence: Anthropic (Claude, including Opus 4.7), OpenAI, and optionally xAI (Grok) — for template prompts only; not used to ingest Workspace directory OAuth exports.

Data retention

We retain information for as long as necessary to provide the Services, comply with legal obligations, resolve disputes, and enforce our agreements.

Your choices

You may request access, correction, or deletion of certain information by contacting us at skushagra.sharma@gmail.com.

Contact

Questions about this policy? Email skushagra.sharma@gmail.com.