Privacy policy
Privacy Policy
1. Scope
This Privacy Policy applies to the
OPNBuildings website and web app
(opnbuildings.com, ui.opnbuildings.com), the
OPN Meter Reader iOS app, and the
OPN Meter Reader Android app (together, “the
Service”).
It covers personal data we control about visitors, signed-in users (typically employees of our customers), and people who contact us. It does not cover personal data we process strictly on behalf of our customers — that is governed by the Data Processing Agreement between OPN and the customer.
OPN is a business-to-business (B2B) service. The OPN Meter Reader mobile apps are companion apps to the OPN web service: they let field technicians sign in with credentials issued by their organisation’s administrator and capture meter readings. The mobile apps do not allow you to create or delete an account — those actions take place in the OPN web service or via the privacy channels in §13.
2. Who we are
Controller: Inferrit Ltd, trading as OPN Buildings.
Registered in Ireland, CRO number 575431.
Registered address: 2018 Orchard Avenue, Citywest Business Campus, Dublin 24, D24 FR88.
Privacy contact: privacy@opnbuildings.com
UK representative (Article 27 UK GDPR): Forfend Ltd, 15 Finch Road, Earley, Reading, Berkshire, RG6 7JX, United Kingdom. privacy@forfend.pro.
3. What we collect and why
We collect the categories of data listed below. The lawful basis is one of: (b) performance of a contract, (f) legitimate interests, (a) consent, or (c) legal obligation under Article 6(1) EU GDPR (and the equivalent provisions of UK GDPR).
| Category | Where collected | Purpose | Basis |
|---|---|---|---|
| Account & identity — email, name, role, organisation membership | Web app, mobile apps | Provide and secure the Service | (b) |
| Authentication — salted hashed password, short-lived magic-link and password-reset tokens (hashed), session tokens | Web app, mobile apps | Sign you in and keep your session secure | (b) |
| OAuth identifiers — verified email and subject ID from Google or Microsoft (if you use OAuth) | Web app | Sign you in via your chosen identity provider | (b) |
| Meter photos and capture metadata — image, timestamp, thumbnail, the meter the image relates to | Web app, mobile apps | Record the meter reading you submit | (b) |
| AI-derived data — value, unit, meter type, digit count, serial number (where visible), image fingerprint | Web app, mobile apps | Suggest the meter value and match the photo to a known meter | (f) — automating manual data entry; you confirm every reading and can enter manually instead |
| Service-content data — buildings, zones, meters, alarms, dashboards, Data Explorer views, chart annotations, in-app notifications | Web app, mobile apps | Deliver the contracted Service | (b) |
| Usage, audit & security data — IP address, User-Agent, sign-in events, audit log of administrative changes | Web app, mobile apps, public website | Operate the Service securely, prevent abuse, investigate incidents | (f) — securing the Service and detecting abuse; (c) where retention is required by law |
| Web app error and performance telemetry (Grafana Cloud) | Web app, public website | Investigate errors and improve reliability | (f) — investigating errors and improving reliability of the Service |
| Mobile app crash and error telemetry (Sentry) — stack traces, device model, OS version, app version, your signed-in user id, in-app navigation breadcrumbs | Mobile apps | Investigate crashes and errors, improve reliability | (f) — investigating errors and improving reliability of the Service |
| In-app feedback — text, route, app version, User-Agent, IP, optional screenshot | Web app, mobile apps | Investigate and respond to issues you report | (f) — investigating and responding to issues you report |
| Public form submissions — name, email, organisation, sector, assessment answers; routed through Cloudflare Turnstile | Public website | Respond to your enquiry; bot-protect the form | (f) — responding to enquiries and protecting the form against abuse; (b) if you go on to become a customer |
| Transactional emails — recipient, subject, body (sent via SendGrid) | Web app, mobile apps | Magic-link sign-in, password reset, alarm and system notifications | (b) |
| Service emails — recipient, subject, body (sent via SendGrid) | Web app, mobile apps | Scheduled and managed system generated reports | (b) |
| Strictly-necessary authentication cookie | Web app | Keep you signed in | n/a (strictly necessary) |
We do not collect special-category data, children’s data, payment cards, phone numbers, postal addresses, advertising identifiers, cross-app tracking data, or precise location data on the mobile apps. We use no third-party analytics SDKs in the mobile apps. We use one third-party crash-reporting SDK (Sentry) to record technical diagnostics — see the table above. We do not track you across other companies’ apps or websites and do not use the App Tracking Transparency framework because we do not engage in cross-app tracking.
4. AI processing — meter reading
When you upload a meter photo, we send the image to two AI sub-processors so we can suggest the meter value:
- OpenAI (United States) — a vision and language model that reads the meter dial, unit, type, digit count, and serial number. Under our agreement, OpenAI does not use API data to train its models. OpenAI may retain API request and response data for up to 30 days for abuse monitoring under its standard terms.
- Jina AI (Germany corporate; US inference) — an image-embedding model that produces a fingerprint of the image so we can match it to a known meter. Under our agreement, Jina AI does not use API data to train its models.
This is not “solely automated decision-making” under Article 22 EU/UK GDPR because you confirm every meter reading before it is saved. You can enter any reading manually instead.
5. Who we share data with
We share personal data with the service providers (“sub-processors”) who help us deliver the Service. A current list with the legal entity name, purpose, country of processing, and transfer safeguard for each is available on request by emailing privacy@opnbuildings.com. We give 30 days’ notice to affected customers before adding a new sub-processor.
Categories of recipient:
- Hosting — Amazon Web Services (data centres in Ireland)
- AI — OpenAI (US); Jina AI (Germany / US)
- Transactional email — Twilio SendGrid (US)
- Web app error / performance monitoring — Grafana Labs (Grafana Cloud, EU)
- Mobile app crash and error monitoring — Functional Software, Inc. (dba Sentry, US; EU region data centre in Frankfurt, Germany)
- Mobile app delivery and updates — Expo / 650 Industries (US); Apple Inc. (US); Google LLC (US)
- OAuth identity providers (if you use them) — Google LLC; Microsoft Corporation
- Address and weather — HERE Global B.V. (Netherlands); AccuWeather (US)
- Bot protection on public forms — Cloudflare, Inc.
Every sub-processor we engage is contractually bound to provide the same or equivalent level of protection for your personal data as set out in this Privacy Policy and required by applicable privacy laws (including the GDPR, the UK GDPR, and the Apple App Store Review Guidelines), and to notify us promptly of any breach affecting your data.
We do not sell personal data. We may also disclose personal data to professional advisers, regulators, courts, or law enforcement where required by law or necessary to defend our legal rights.
6. International transfers
Some sub-processors process personal data outside the EEA / UK, principally in the United States. We rely on:
- The EU-US Data Privacy Framework (and its UK Extension) where the recipient is certified;
- The EU Standard Contractual Clauses 2021, supplemented by the UK International Data Transfer Addendum for UK transfers;
- Where applicable, the UK International Data Transfer Agreement (IDTA).
You can request a copy of the safeguard in place with any specific provider by emailing privacy@opnbuildings.com.
7. Retention
We keep personal data for as long as your account is active and for a defined period afterwards as required to meet our legitimate interests and legal obligations. When your account is closed, we delete your account record and the personal data linked to it within 30 days, except where retention is required by law (e.g. Irish tax records — six years under the Taxes Consolidation Act 1997) or to defend legal claims (audit log entries identifying you as the actor). Residual copies may remain temporarily in backups until those backups expire or are overwritten in accordance with our backup retention schedule.
Sign-in tokens are short-lived and rotate; sessions for users with administrative privileges expire more frequently. Magic-link and password-reset tokens are short-lived. Web app error and performance telemetry is retained by Grafana Cloud for up to 30 days. Backups are retained for up to 35 days.
8. Your rights
Under EU GDPR (and UK GDPR for UK data subjects) you have the right to:
- Access a copy of your personal data (Article 15)
- Correct inaccurate data (Article 16)
- Erasure in defined circumstances (Article 17)
- Restrict processing in defined circumstances (Article 18)
- Portability in a machine-readable format (Article 20)
- Object to processing based on legitimate interests (Article 21)
- Withdraw consent at any time where we rely on it (Article 7(3))
- Complain to a supervisory authority (see §13)
To exercise any of these, email privacy@opnbuildings.com. We respond within one calendar month (extendable by up to two further months for complex requests, with notice). Free of charge unless manifestly unfounded or excessive.
9. App permissions and account deletion
The OPN Meter Reader mobile apps request only the device permissions strictly needed:
| Permission | Why we ask for it |
|---|---|
| Camera (iOS and Android) | To take photos of meters |
| Photo library, read access (iOS and Android) | To pick an existing photo of a meter |
| Background processing (iOS only) | To upload queued readings when the app is in the background or offline |
We do not request location, push notifications, microphone, contacts, calendar, motion data, Bluetooth, or local network access.
Deleting your account. Account creation and deletion happen in the OPN web service, not in the mobile apps. To delete your account you can:
- Ask your organisation’s administrator to delete your account on your behalf
- Email privacy@opnbuildings.com — we action deletion requests within one calendar month (Article 12 EU/UK GDPR)
When your account is deleted we permanently delete the entire account record and the personal data associated with it (subject only to the limited retention exceptions in §7) — this is a full deletion, not a temporary deactivation or disable.
10. Cookies
The web app sets one strictly-necessary authentication cookie, configured to be sent only over secure connections, not accessible to JavaScript on the page, and limited to the OPN website. It keeps you signed in. We do not set non-essential cookies. Our use of cookies is governed by the Irish ePrivacy Regulations (SI 336/2011) and, for UK users, the UK Privacy and Electronic Communications Regulations (PECR). The mobile apps do not use HTTP cookies — they store the equivalent session data in the iOS Keychain or Android Keystore.
11. If your data was provided by your employer
If your employer’s administrator created your OPN account, the source of your account data is your employer; we did not obtain your data from publicly accessible sources. The categories are described in §3; the purposes and lawful bases in the same table. Your employer can see your sign-ins, the meter readings you capture, and the administrative actions you perform in the Service. OPN is a controller for the service-operation data we generate about you; your employer is a separate controller for the employment relationship. A Data Processing Agreement between OPN and your employer governs OPN’s processing on your employer’s behalf.
The Service is not directed at, and not intended for use by, anyone under the age of 18. We do not knowingly collect personal data from children.
12. Whether providing personal data is required
An email address and credentials (or OAuth sign-in with Google or Microsoft) are necessary to create or use an account; without them we cannot deliver the Service. To use the meter-capture features you must allow the app to access the camera or photo library and upload a meter photo. All other personal data you provide is optional — for example, you do not need to use the in-app feedback widget.
13. Contact and complaints
Privacy contact:
privacy@opnbuildings.com
Security vulnerability reports:
security@opnbuildings.com
Post:
Data Protection Officer, OPNBuildings, The Well, 2018 Orchard Avenue,
Citywest Business Campus, Dublin 24, D24 FR88.
UK representative (Article 27 UK GDPR): Forfend Ltd,
15 Finch Road, Earley, Reading, Berkshire, RG6 7JX, United Kingdom.
privacy@forfend.pro.
If you are not satisfied with our response, you can complain to a supervisory authority:
- Ireland (lead SA for OPN): Data Protection Commission — dataprotection.ie
- United Kingdom: Information Commissioner’s Office — ico.org.uk
- Other EU/EEA Member States: your local supervisory authority — see the EDPB members list
14. Changes to this policy
We may update this policy. When we make material changes we will update the effective date and tell affected users. We will not use your personal data for a new purpose without notifying you and, where required, obtaining your consent.