
OPPLY DATA PROTECTION & PRIVACY POLICY
1. Important information and who we are
This privacy policy describes how Opply Ltd and Opply US Inc. collects and uses personal data. This website, and our services, are not intended for children and we do not knowingly collect data relating to children.
The Opply website is owned and operated by:
Opply Ltd, a limited company registered in England and Wales under company number 13555177, whose registered address is: 42-46 Princelet Street, London, E1 5LP, England.
Opply US Inc., a company registered in the State of Delaware, with registered EIN: 33-4982807, whose registered address is: 215 N Peoria St, Chicago, IL 60607, USA.
If you are a UK-based buyer or user, Opply Ltd is your data controller and is responsible for the processing of personal data described in this privacy policy. If you are a US-based buyer or user, Opply US Inc., is your data controller and is responsible for the processing of personal data described in this privacy policy.
(collectively referred to as “Opply”, “we”, “us” or “our” in this privacy policy).
2. The types of personal data we collect
Personal data means any information about an individual from which that person can be identified. We may collect, use, store and transfer different kinds of personal data which we have grouped together as follows:
We may also collect, use and share aggregated data such as statistical or demographic data which is not personal data as it does not directly (or indirectly) reveal your identity. For example, we may aggregate individuals’ Usage Data for insights into how users are interacting with our services to help improve our services.
3. How is your personal data collected?
We use different methods to collect data from and about you including through:
Your interactions with us. You may give us personal data when you liaise with us to receive our services, including when you create an account with us, or ask us to provide services to you. You may also give us personal data, such as Contact Data when you attend events.
Automated technologies or interactions. As you interact with our services, we may automatically collect Technical Data, including by using cookies and other similar technologies. Please see our cookie policy https://www.opply.io/cookie-policy/ for further details.
Sources of personal data. We collect personal data from the following sources: (a) directly from you when you create an account, request services, or interact with us; (b) automatically through cookies and similar technologies when you use our website (including Google Analytics, Mixpanel, and Hotjar); (c) from third-party providers, including credit reference agencies, KYB and identity-verification providers, payment service providers (Two Inc. and Stripe), credit insurers, and analytics providers; and (d) from your business or its representatives when they provide your contact details in connection with our services.
4. How we use your personal data
The table below contains a description of the purposes for which we process personal data, and the legal basis we rely on to do so.
|
Purpose/Use |
Type of data |
Legal basis |
|
To register new customers, respond to user requests, manage accounts and support customer service. |
(a) Identity (b) Contact |
(a) Performance of a contract with you (b) Necessary to comply with a legal obligation (c) Necessary for our legitimate interests (to keep our records updated and manage our relationship with you)
|
|
To provide services to you, such as operations services.
|
(a) Identity (b) Contact (c) Technical (d) Usage
|
(a) Performance of a contract with you (b) Necessary for our legitimate interests (to operate our business).
|
|
To administer and protect our business and this website (including troubleshooting, data analysis, testing, system maintenance, support, reporting and hosting of data) |
(a) Identity (b) Contact (c) Technical (d) Usage |
(a) Necessary for our legitimate interests (for running our business, provision of administration and IT services, network security, to prevent fraud and in the context of a business reorganisation or group restructuring exercise) (b) Necessary to comply with a legal obligation
|
|
To send you relevant marketing communications and make personalised suggestions and recommendations to you about goods or services that may be of interest to you |
(a) Identity (b) Contact (c) Technical (d) Usage (e) Marketing and Communications |
(a) Necessary for our legitimate interests (to carry out direct marketing, develop our products/services and grow our business) (b) Consent, if we are required to obtain your prior consent to receiving direct marketing communications.
|
|
To facilitate access to extended payment terms through our third party partners, including Two Inc, which may include sharing your details to enable such providers to assess your creditworthiness and to issue and manage payment terms to you. |
(a) Identity (b) Contact |
(a) Performance of a contract with you (b) Necessary for our legitimate interests (to provide financial services options to our customers and grow our business) |
|
To process files uploaded to the platform (including invoices and other documents) in order to provide AI-assisted data extraction, analysis, and insights as part of the Opply AI services. |
(a) Identity (b) Contact (c) Any personal data contained within uploaded files, including data relating to third parties (for example, supplier pricing and contact details included in invoices). |
(a) Performance of a contract with you (b) Necessary for our legitimate interests (in providing and improving the Opply AI services). |
|
To conduct internal credit assessments of your business, including evaluating your creditworthiness and financial standing to determine appropriate credit limits and payment terms offered directly by Opply. |
(a) Identity (b) Contact (c) Financial |
(a) Performance of a contract with you (b) Necessary for our legitimate interests (to manage credit risk, protect our business from financial loss, and determine appropriate credit terms for our customers) |
|
To conduct business verification (Know Your Business) checks, including verifying the identity, legal status, ownership structure and financial standing of your business, and to comply with applicable anti-money laundering, fraud prevention and legal and regulatory obligations. This may include sharing information with regulatory authorities, credit reference agencies and third-party verification providers where required by law or necessary for compliance purposes. |
(a) Identity (b) Contact (c) Financial |
(a) Necessary to comply with a legal obligation (b) Necessary for our legitimate interests (to verify the identity of businesses we transact with, prevent fraud and financial crime, and comply with applicable legal and regulatory requirements) |
|
To provide AI-powered features and services (“Opply AI”), including generating responses, recommendations, and insights based on your account data and interactions with the platform; to improve, develop, and maintain Opply AI; to conduct safety monitoring and abuse detection; and to generate anonymised and aggregated market intelligence, benchmarking and analytics. |
(a) Identity (b) Contact (c) Technical (d) Usage (e) Financial (f) Any data you input into Opply AI features, including files you upload |
(a) Performance of a contract with you
(b) Necessary for our legitimate interests (to develop and improve our AI-powered services, ensure platform safety, and generate market intelligence that does not identify any individual)
|
|
To pull accounting and supplier data from third-party accounting platforms you choose to connect to the Opply Marketplace (such as Xero) (“Connector Data”), at your direction and on a read-only basis, in order to: (i) surface insights and analytics back to you in connection with the Services; and (ii) generate anonymised and aggregated market intelligence and benchmarking data. Connector Data will not be used to train AI or machine learning models. Raw Connector Data will be deleted within 30 days of disconnection. Anonymised and aggregated data derived from Connector Data may be retained by Opply as set out in Section 9. |
(a) Financial (b) Contact (supplier/contact records obtained via the Connector) |
(a) Performance of a contract with you
(b) Necessary for our legitimate interests (to surface relevant insights to you and to generate market intelligence that does not identify any individual)
|
5. Direct marketing
When your personal data is collected, you may be asked to indicate your preferences for receiving direct marketing communications from us via email. You can opt-out at any time using the link in our messages.
We may also analyse your Identity, Contact, Technical and Usage Data to form a view which products, services and offers may be of interest to you so that we can then send you relevant marketing communications.
6. Disclosures of your personal data
We do not sell or license personal data to third parties. We may share your personal data with sub-processors and service providers that help us operate our business and deliver the Services, for the purposes shown in the table above and subject to written agreements with appropriate privacy and security terms. The sub-processors and service providers we use may change from time to time as our business and technology stack evolves. For the U.S.-specific definitions of ‘sale’ and ‘sharing’ (which are broader than the ordinary meaning) and your rights in relation to them, please see Section 13.
We enter into written agreements with all third-party service providers and processors that handle personal data on our behalf. These agreements require the recipient to: (a) use the data only for the limited and specified purposes described in our instructions; (b) comply with applicable data protection laws; (c) refrain from selling or sharing the data, or combining it with information from other sources except as permitted; (d) implement reasonable security measures; and (e) notify us of any inability to comply or of any security incident affecting personal data. Some third parties act as independent controllers (rather than service providers / processors) for their own purposes — see below in relation to Two Inc., Stripe, credit reference agencies, and credit insurers.
Where you elect to use our extended payment terms service, we may share your identity, company registration information, contact information and Financial Data with our third-party payment terms providers and payment service providers (which may include Two Inc, whose privacy policy is available at www.two.inc) to the extent necessary for the provision of those services. Such providers may act as independent data controllers in respect of your personal data and processes data for its own purposes, including to assess creditworthiness and to manage the payment terms arrangement. We encourage you to review the privacy policy of any applicable third-party provider offering you an extended payment terms service. . Where we conduct internal credit assessments or offer credit terms directly, we may share your Identity, Contact and Financial Data with our credit insurer(s) for the purposes of obtaining or maintaining credit insurance cover in respect of amounts owed to us by you. Our credit insurer(s) will act as an independent data controller in respect of your personal data and will process it for their own purposes, including underwriting and claims management. We encourage you to review the privacy policy of any credit insurer we notify you of.
Categories of recipients. We disclose personal data to the following categories of recipients: (i) payment service providers (Stripe, Two Inc., and banking partners); (ii) credit reference agencies and credit insurers; (iii) KYB and identity-verification providers; (iv) cloud hosting, IT, and infrastructure providers; (v) analytics providers (Hotjar, Mixpanel, and Google Analytics); (vi) AI, machine learning, and large language model providers used to power platform features including Opply AI (which may include cloud-based AI services; we take steps to ensure appropriate data protection safeguards are in place with all such providers) (vii) professional advisors (legal, accounting, and tax); (viii) regulators, law enforcement, and government bodies, where required; and (ix) acquirers and their advisors in connection with any corporate transaction.
We may also share your Identity, Contact and Financial Data with recognised credit reference agencies for the purposes of conducting credit reference checks in connection with our assessment of your creditworthiness. Credit reference agencies will act as independent data controllers and will process your data in accordance with their own privacy policies.
In connection with our business verification (Know Your Business) checks, we may share relevant information with regulatory authorities, credit reference agencies and third-party verification providers where required by law or necessary for compliance purposes.
Where we conduct internal credit assessments or offer credit terms directly, we may share your Identity, Contact and Financial Data with our credit insurer(s) for the purposes of obtaining or maintaining credit insurance cover in respect of amounts owed to us by you. Our credit insurer(s) will act as an independent data controller in respect of your personal data and will process it for their own purposes, including underwriting and claims management. We encourage you to review the privacy policy of any credit insurer we notify you of.
7. International transfers
We may store or transfer some or all of your personal data in countries outside of the UK and EEA. These are known as “third countries”. Where you are a US-based user, personal data may be stored by Opply US Inc. in the United States.
Whenever we transfer your personal data out of the UK or EEA, we ensure a similar degree of protection is afforded to it by ensuring that appropriate contractual safeguards, such as standard contractual clauses (“SCCs”) or the UK International Data Transfer Agreement (“IDTA”) are in place.
8. Data security
We have put in place appropriate security measures to prevent your personal data from being accidentally lost, used or accessed in an unauthorised way, altered or disclosed. These measures use a multi-layered approach to data security, including access controls, authentication requirements, infrastructure security and data minimisation. In addition, we limit access to your personal data to those employees, agents, contractors and other third parties who have a business need to know. They will only process your personal data on our instructions and they are subject to a duty of confidentiality.
9. Data retention
How long will you use my personal data for?
We retain your personal data only for as long as reasonably necessary to fulfil the purposes for which it was collected, including for the purposes of satisfying any legal, regulatory, tax, accounting or reporting requirements. By way of guide: (i) Identity and Contact Data — duration of the account plus up to 7 years for tax and recordkeeping; (ii) Financial Data and KYB records — up to 7 years after the last transaction, or longer if required by anti-money laundering, credit insurance, or other legal obligations; (iii) Technical and Usage Data — typically up to 14 months in Google Analytics and 26 months in Mixpanel, with shorter periods configured where possible; (iv) Marketing Data — until you opt out, plus a reasonable suppression period; (v) Authentication and security logs — up to 12 months; (vi) Opply AI conversation logs — up to 180 days from the date of creation, after which they are automatically deleted from live systems; residual copies in encrypted backup systems are overwritten in the ordinary course of backup rotation; (vii) files uploaded by you to the platform — retained until you request deletion You may request deletion of uploaded files at any time by contacting us at hello@opply.com. We will action your request within 30 days of receipt; and (viii) raw data pulled via any connected third-party accounting platform (such as Xero) — deleted or rendered inaccessible within 30 days of disconnection, with residual copies in encrypted backup systems overwritten in the ordinary course of backup rotation. Anonymised, aggregated, or derived data generated from Connector Data prior to disconnection (including benchmarking outputs and market intelligence) is not subject to this deletion obligation and may be retained by Opply indefinitely. We may retain personal data for a longer period than listed in this clause 9 in the event of a complaint or if we reasonably believe there is a prospect of litigation.
To determine the appropriate retention period for personal data, we consider the amount, nature and sensitivity of the personal data, the potential risk of harm from unauthorised use or disclosure of your personal data, the purposes for which we process your personal data and whether we can achieve those purposes through other means, and the applicable legal, regulatory, tax, accounting or other requirements. Files uploaded to the platform are retained until deletion is requested. You may request deletion at any time by contacting us at hello@opply.com. Residual copies stored in encrypted backup systems are overwritten in accordance with standard backup rotation processes.
9A. Automated decision-making
Where we process personal data relating to individuals, including sole traders, directors, beneficial owners or guarantors, in connection with credit assessments or business verification checks, and where a decision based solely on automated processing produces legal or similarly significant effects on that individual, the individual has the right to: (i) request human review of the decision; (ii) express their point of view; and (iii) contest the decision. For the avoidance of doubt, this section does not apply to decisions made solely about a legal entity. If you wish to exercise these rights or obtain further information about how automated decisions are made, please contact us at hello@opply.com.
9B AI-Generated Outputs
Opply AI may be used to generate responses, recommendations, and insights based on data associated with your account and your interactions with the platform. Outputs generated by Opply AI are provided for informational purposes only. AI-generated outputs may not always be accurate or complete. You should verify any AI-generated output before relying on it. Opply does not warrant the accuracy or completeness of any output generated by Opply AI.
10. Your legal rights
You have a number of rights under data protection laws in relation to your personal data, such as the right to:
(i) request access to your personal data;
(ii) request correction or erasure of your personal data;
(iii) restrict the processing of your personal data (for example, where you contest the accuracy of the data, or where you have objected to processing and we are considering whether our legitimate interests override your rights);
(iv) object to the processing of your personal data where we rely on legitimate interests as our lawful basis. Where you object on this basis, we will stop processing unless we can demonstrate compelling legitimate grounds for the processing which override your interests, rights and freedoms, or where the processing is necessary for the establishment, exercise or defence of legal claims; and
(v) request the transfer of your personal data to a third party (data portability).
To exercise any of these rights, contact us at hello@opply.com.
If you are a U.S. resident or user, additional rights and disclosures applicable to you are set out in Section 13 (the U.S. Privacy Addendum).
11. Complaints
You have the right to make a complaint to the Information Commissioner’s Office (ICO), the UK regulator for data protection issues (www.ico.org.uk). However, before doing so, please first raise your complaint to us or asked us for clarification if there is something you do not understand. It is important that the personal data we hold about you is accurate and current.
Please keep us informed if your personal data changes during your relationship with us, for example a new address or email address.
12. Third-party links
This website may include links to third-party websites, plug-ins and applications. Clicking on those links or enabling those connections may allow third parties to collect or share data about you. We do not control these third-party websites and are not responsible for their privacy statements. When you leave our website, we encourage you to read the privacy policy of every website you visit.
13. U.S. Privacy Addendum
This U.S. Privacy Addendum applies to residents of the United States and users accessing Opply US Inc. services. It supplements the other provisions of this Privacy Policy. If there is any conflict between this addendum and another provision, this addendum controls solely with respect to processing governed by U.S. state privacy laws. Capitalized terms not defined here have the meanings given in the rest of this Policy.
Opply US Inc. as Data Controller
For U.S.-based users, Opply US Inc., 215 N Peoria St, Chicago, IL 60607, USA, is the data controller / business responsible for your personal data. Some processing may be performed by, or accessed by, Opply Ltd. personnel in the United Kingdom under appropriate intragroup contractual safeguards.
Categories of Personal Data Collected
We collect the following categories of personal data from U.S.-based users, which correspond to the statutory categories under the CCPA (Cal. Civ. Code § 1798.140(v)):
Sensitive Personal Information. Some of the information above is treated as ‘sensitive personal information’ under California law and as ‘sensitive data’ under other U.S. state privacy laws. This includes: (i) financial account information (bank account numbers, payment card numbers, and other financial credentials) and (ii) any government identifiers we obtain in connection with Know Your Business (KYB) checks. We use Sensitive Personal Information only for the purposes described in this Policy (including providing extended payment terms, processing payments, conducting internal credit assessments, and KYB checks), and we do not use it to infer characteristics about you. You may have the right to limit our use of, or to withdraw consent for our processing of, Sensitive Personal Information as described below.
CCPA/CPRA Rights
Under the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA), US residents have the following rights:
Right to Know: You have the right to request what personal data we collect, use, share, and sell about you.
Right to Delete: You have the right to request deletion of personal data we have collected from you, subject to certain exceptions (for example, where we need to retain data to complete a transaction or comply with legal obligations).
Right to Correct: You have the right to request correction of inaccurate personal data.
Right to Opt Out of Sale/Sharing: You have the right to opt out of the sale or sharing of your personal data. Opply does not sell or share personal data of US residents for purposes of targeted advertising or cross-context behavioral advertising.
Right to Limit Sensitive Personal Information: You have the right to limit our use and disclosure of sensitive personal information to what is necessary to provide the services you requested.
Sensitive Data Consent (Non-California States). For residents of Virginia, Colorado, Connecticut, Oregon, Montana, Delaware, New Hampshire, New Jersey, Tennessee, Indiana, Iowa, Nebraska, and other states requiring opt-in consent for sensitive data, we will obtain your affirmative consent at the point of collection where required. You may withdraw consent at any time by contacting hello@opply.com. Withdrawal will result in cessation of the relevant processing, though some uses may continue where another legal basis applies (e.g., compliance with anti-money laundering laws).
Right to Non-Discrimination: You have the right to non-discrimination for exercising your privacy rights. We will not deny, charge different prices or rates, provide a different level or quality of services, or suggest that you will receive a different price or quality of services because you exercised your rights. We do not currently offer any ‘financial incentive’ or ‘price or service difference’ in exchange for personal data.
Right to Data Portability: Where required by applicable state law, you have the right to obtain a copy of the personal data you have provided to us in a portable and, where technically feasible, readily usable format that allows you to transmit it to another entity without hindrance.
No Sale of Personal Data
Opply does not ‘sell’ personal data of U.S. residents for monetary consideration as defined under CCPA/CPRA, and does not knowingly engage in ‘sharing’ for cross-context behavioral advertising or ‘targeted advertising’ under any state privacy law. Some analytics technologies we use (Google Analytics, Mixpanel, and Hotjar) may, depending on configuration, involve disclosures that qualify as ‘sharing’ under CCPA; we have configured these tools to limit such uses. You may opt out of any sharing by emailing hello@opply.com.
How to Exercise Your Rights
To exercise any of the rights described in this addendum, you may: (a) email us at hello@opply.com with the subject line ‘U.S. Privacy Request’; (b) write to us at 215 N Peoria St, Chicago, IL 60607, USA; or (c) submit a request through the cookie preferences panel on our website.
We will respond to your request within 45 days of receipt. We may extend this period by an additional 45 days (for a total of up to 90 days) when reasonably necessary, in which case we will notify you of the extension and the reason. For Utah residents, no extension is available beyond the initial 45-day period. To verify your identity, we may ask you to provide information matching what we already have on file (such as your name, business name, and the email address associated with your account). We will not require you to create an account as a precondition to submitting a request. You may designate an authorized agent to submit a request on your behalf; the agent must provide signed, written authorization, and we may verify the agent’s identity.
Right to Appeal
If we deny your request, residents of states with statutory appeal rights (including Virginia, Colorado, Connecticut, Oregon, Texas, Montana, Delaware, New Hampshire, New Jersey, Tennessee, Indiana, and Iowa) may appeal our decision by submitting a written appeal to hello@opply.com. The appeal window varies by state – generally 45 to 60 days from our denial. We will respond to your appeal within 60 days. If we deny the appeal, we will inform you of how to contact the relevant state Attorney General. California does not provide a statutory appeal right; California residents may contact us to discuss the response, or may lodge a complaint with the California Attorney General (oag.ca.gov) or the California Privacy Protection Agency (cppa.ca.gov).
Applicability to Other US States
To the extent that other US state privacy laws (including Virginia CDPA, Colorado CPA, Connecticut CTDPA, and others) apply to you, the rights and protections set out in this Section 13 shall apply to the extent required by those laws.
California ‘Shine the Light’ Disclosure. California Civil Code § 1798.83 permits California residents to request from us, once per year, information about our disclosure of personal data to third parties for those third parties’ direct marketing purposes in the preceding calendar year. We do not currently share personal data with third parties for their own direct marketing purposes.
Children, Minors, and California Consumers Under 16. Opply’s services are business-to-business and are not directed to children or minors. We do not knowingly collect, sell, share, or otherwise process the personal data of any individual under 18 in the ordinary course of providing the services.
(a) Children under 13 (COPPA). If we become aware that we have collected personal data from a child under 13 without verifiable parental consent, we will promptly delete the data and terminate any associated account.
(b) California consumers under 16 (CCPA § 1798.120(c)). We do not “sell” or “share” the personal data of a California consumer under 16 without affirmative authorization (opt-in by the consumer if 13–15, or by a parent or guardian if under 13). Opply does not engage in any practice that would require such authorization. If we determine we have inadvertently sold or shared a minor’s data, we will cease the sale or sharing, instruct recipients to delete the data, and notify the individual or parent/guardian where reasonably possible.
(c) Other states. Several other state privacy laws treat minors’ personal data as sensitive data requiring opt-in consent. We apply the same deletion procedure below if we learn we hold a minor’s data.
(d) To report or request deletion. If you believe Opply holds a minor’s personal data, contact hello@opply.com (subject line: “Minor Data Request”) with the minor’s name, approximate age, the account or email at issue, and your relationship to the minor. On verification we will delete the data, instruct any recipients to do the same, terminate the account, and confirm deletion. No fee.
Automated Decision-Making / Profiling. If we use your personal data to make a decision concerning credit eligibility, payment terms, or any other comparably significant decision through automated profiling, you have the right (where applicable under your state’s law) to: (i) opt out of such profiling; (ii) request meaningful information about the logic involved; (iii) request human review of the decision; and (iv) contest the decision. To exercise these rights, contact us at hello@opply.com.
Data Broker Status. Opply is not a ‘data broker’ as defined under the California Delete Act (Cal. Civ. Code § 1798.99.80 et seq.), the Texas data broker registration statute, or Vermont’s or Oregon’s data broker laws, because we collect personal data directly from the individuals and businesses to whom we provide services. We are not registered as a data broker in any state.
Contact Information for US Privacy Inquiries
Email: hello@opply.com
Postal Address: 215 N Peoria St, Chicago, IL 60607, USA
Last Updated: 19 June 2026.
Fill in a few details before connecting with us!