Privacy Policy

Last updated: 16 June 2026

This Privacy Policy explains how PE “Firma Modul” (“OpenBP”, “we”, “us”, “our”) collects, uses, shares, and protects personal data when you visit our website at openbp.io (the “Website”) or use the hosted OpenBP platform at panel.openbp.io (the “Platform”).

It also describes your rights under the EU General Data Protection Regulation (GDPR) 2016/679 and Polish data-protection law. We are committed to processing personal data lawfully, fairly, and transparently. Please read this Policy together with our Terms of Service.

1. Controller and Contact

The controller of your personal data is:

PE “Firma Modul”, 4/3 Sviatovasylivska St., 43025 Lutsk, Ukraine. EDRPOU: 33463295.

For any privacy question, or to exercise your rights, contact our data-protection point of contact:

Email: info@modulsoft.eu

Or by post at: PE “Firma Modul”, 4/3 Sviatovasylivska St., 43025 Lutsk, Ukraine.

2. Scope of This Policy

This Policy covers personal data we process as a controller in connection with the Website and your use of the Platform and your Account. It does not cover third-party websites we link to, nor any open-source components of OpenBP that you download and host yourself — when you self-host, you are the controller of any data you process.

3. What Personal Data We Collect

Depending on how you use the Service, we may collect the following categories of personal data:

  • Account and identity data: name, username, email address, hashed password, organisation, and role.
  • Contact data: email address, phone number, and postal or billing address.
  • Billing and transaction data: plan, invoices, tax identifiers (such as VAT IDs), and limited payment metadata (full card details are handled by our payment provider, not stored by us).
  • Customer Content: data you upload to or create within the Platform, which may include personal data about your own customers, employees, or contacts (see “Data you process through OpenBP”).
  • Usage and technical data: IP address, device and browser type, log data, pages and features used, actions taken, and timestamps.
  • Cookies and analytics data: identifiers and usage information collected through cookies and similar technologies.
  • Communications: messages you send us (for example, support requests) and your contact preferences.

4. Data You Process Through OpenBP

When you use the Platform to store data about your own customers, employees, or contacts, you are the controller of that data and we act as a processor on your behalf, on your instructions, under our Terms of Service and Data Processing Agreement. This Policy primarily concerns data for which we are the controller — namely your use of the Website and your Account.

5. How We Collect Data

  • Directly from you — when you register, fill in forms, make a payment, or contact us.
  • Automatically — through cookies, server logs, and your interactions with the Service.
  • From third parties — such as our payment provider and analytics providers, where applicable.

6. Purposes and Legal Bases for Processing

We process personal data for the following purposes and on the following legal bases under Article 6 GDPR:

  • To provide the Service and manage your Account — performance of a contract (Art. 6(1)(b)).
  • To process payments and manage subscriptions — contract and legal obligation (Art. 6(1)(b),(c)).
  • To comply with accounting, tax, and other legal obligations — legal obligation (Art. 6(1)(c)).
  • To operate, secure, maintain, and improve the Service, and to prevent fraud and abuse — our legitimate interests (Art. 6(1)(f)).
  • For analytics and product improvement — your consent or our legitimate interests (Art. 6(1)(a)/(f)).
  • To send service-related communications (contract/legitimate interests) and, with your consent, marketing communications (Art. 6(1)(a)) — which you can withdraw at any time.
  • To establish, exercise, or defend legal claims — our legitimate interests (Art. 6(1)(f)).

7. Cookies and Similar Technologies

  • We use essential cookies that are necessary to operate the Website and Platform.
  • With your consent, where required, we use analytics and preference cookies to understand usage and remember your settings.
  • You can manage your preferences through our cookie settings and your browser. Withdrawing consent does not affect processing carried out before withdrawal.

8. Marketing Communications

With your consent, we may send you newsletters and product updates. You can unsubscribe at any time using the link in our emails or by contacting us. Withdrawing consent does not affect the lawfulness of processing before withdrawal.

9. Who We Share Data With

We share personal data only where necessary, with appropriate safeguards, including with:

  • Service providers (processors) acting on our instructions — including cloud hosting and infrastructure providers, our payment provider, and analytics providers.
  • Our EU affiliate Modul Soft sp. z o.o. (Poland), which supports EU operations, billing, and customer support as our processor.
  • Professional advisers (such as accountants, auditors, and lawyers) where necessary.
  • Public authorities, where required by law or to protect rights, property, or safety.
  • A successor entity, in connection with a merger, acquisition, or sale of assets.

We do not sell your personal data.

Current categories of sub-processors

  • Hosting and infrastructure: managed servers in the EU.
  • Payment processing: Stripe (Stripe Payments Europe, Ltd).
  • Web analytics: Google Analytics (Google Ireland Ltd).

An up-to-date list of sub-processors is available on request.

10. International Transfers

Some recipients are located outside the European Economic Area (EEA), including our affiliate in Ukraine and certain providers in the United States. Where we transfer personal data to a country without an EU adequacy decision, we rely on appropriate safeguards — primarily the European Commission’s Standard Contractual Clauses (SCCs), together with supplementary measures where needed. You can request a copy of the relevant safeguards by contacting us.

11. Data Retention

We keep personal data only for as long as necessary for the purposes described, then delete or anonymise it:

  • Account data — for the life of your Account and a reasonable period afterwards.
  • Billing and accounting records — for as long as required by Polish tax and accounting law (generally up to 5 years from the end of the relevant year).
  • Customer Content — until you delete it or for a limited period after Account termination, after which it is deleted.
  • Data we process based on potential legal claims — until the relevant limitation periods expire (generally up to 6 years).
  • Data processed on the basis of consent — until you withdraw your consent.

12. How We Protect Data

We implement appropriate technical and organisational measures to protect personal data, including encryption in transit, access controls, hashing of passwords, monitoring, backups, and confidentiality obligations for our staff. However, no method of transmission or storage is completely secure, and we cannot guarantee absolute security.

13. Your Rights

Subject to the conditions in the GDPR, you have the right to:

  • access your personal data and obtain a copy;
  • rectify inaccurate or incomplete data;
  • erase your data (the “right to be forgotten”);
  • restrict processing in certain circumstances;
  • data portability — receive your data in a structured, commonly used, machine-readable format;
  • object to processing based on our legitimate interests, and to direct marketing at any time;
  • withdraw consent at any time, without affecting processing carried out before withdrawal;
  • not be subject to a decision based solely on automated processing that produces legal or similarly significant effects.

To exercise any of these rights, contact us at info@modulsoft.eu. We respond within one month (which may be extended by two further months for complex requests). Exercising your rights is free unless a request is manifestly unfounded or excessive.

You also have the right to lodge a complaint with a supervisory authority — in particular the Polish President of the Personal Data Protection Office (Prezes Urzędu Ochrony Danych Osobowych), ul. Stawki 2, 00-193 Warsaw, Poland (uodo.gov.pl) — or with the authority in your country of residence.

14. Automated Decision-Making and Profiling

We do not make decisions producing legal or similarly significant effects based solely on automated processing. We may use limited profiling, such as aggregated usage analytics, to understand and improve the Service.

15. Is Providing Data Mandatory?

Providing certain data — such as your email address and password — is necessary to create an Account and use the Service; without it we cannot provide the Service. Some data is required by law (for example, billing data needed to issue invoices). Other data, such as data used for marketing, is optional and provided with your consent.

16. Children

The Service is not directed to children under 16, and we do not knowingly collect personal data from them. If you believe a child has provided us with personal data, please contact us and we will delete it.

17. Changes to This Policy

We may update this Policy from time to time. We will post the updated version with a new “Last updated” date and, for material changes, provide additional notice where required.

18. How to Contact Us

For any privacy matter, contact us at info@modulsoft.eu or by post at PE “Firma Modul”, 4/3 Sviatovasylivska St., 43025 Lutsk, Ukraine. You can also review our Terms of Service.