Privacy Policy

Last updated: May 28, 2026

1. Overview

Onyx Systems Ltd ("we", "us", "our") operates the Onyx OS platform at useonyxos.com and app.useonyxos.com. This Privacy Policy explains what information we collect, how we use it, and your rights. We are committed to protecting your personal data and complying with applicable privacy laws including the GDPR and the California Consumer Privacy Act (CCPA).

2. Information We Collect

Account information: Name, email address, and password when you create an account.

Business information: Organisation name, location names, addresses, and other operational data you enter into the Service (inventory items, staff records, shift notes, etc.).

Billing information: Payment method details, processed and stored securely by Stripe. We do not store full card numbers.

Usage data: Log data including IP address, browser type, pages visited, and timestamps. This is used to maintain and improve the Service.

Communications: Any messages you send us via email or support channels.

3. How We Use Your Information

We use your information to: (a) provide and operate the Service; (b) process payments and manage your subscription; (c) send transactional emails (account verification, password reset, billing receipts); (d) respond to support requests; (e) improve the Service through anonymised analytics; (f) comply with legal obligations. We do not use your business operational data for any purpose other than providing the Service to you.

4. AI Features

Onyx OS includes optional AI-powered features that analyse your operational data (inventory levels, staff schedules, shift notes) to generate insights and summaries. This analysis is performed by Anthropic's Claude API. Data sent to this service is governed by Anthropic's data processing terms. We send only the minimum necessary data and do not use your data to train AI models. You can choose not to use AI features.

5. Data Sharing

We do not sell your personal data. We share data only with: (a) Supabase — database and authentication infrastructure; (b) Stripe — payment processing; (c) Anthropic — AI features, where you use them; (d) Resend — transactional email delivery; (e) legal authorities where required by law. All third-party providers are contractually required to protect your data.

6. Data Storage and Security

Your data is stored on Supabase infrastructure hosted in the United States. We implement industry-standard security measures including encryption at rest and in transit, row-level security on all database tables, and access controls. No method of transmission over the internet is 100% secure, and we cannot guarantee absolute security.

7. Data Retention

We retain your account data for as long as your account is active or as needed to provide the Service. If you delete your account, we will delete your personal data within 30 days, except where retention is required by law (e.g. billing records, which we retain for 7 years for tax purposes). Anonymised, aggregated data may be retained indefinitely.

8. Your Rights

Depending on your location, you may have the following rights regarding your personal data:

  • Access: Request a copy of the data we hold about you.
  • Correction: Request correction of inaccurate data.
  • Deletion: Request deletion of your personal data.
  • Portability: Receive your data in a machine-readable format.
  • Objection: Object to certain processing activities.
  • Opt-out of sale (CCPA): We do not sell personal data.

To exercise these rights, email [email protected]. We will respond within 30 days.

9. Cookies

We use essential cookies and local storage to maintain your session and authentication state. We do not use advertising or tracking cookies. We do not use Google Analytics or similar third-party analytics trackers.

10. Children's Privacy

The Service is not directed at or intended for use by individuals under the age of 18. We do not knowingly collect personal data from anyone under 18. If we become aware that we have inadvertently collected such data, we will delete it promptly.

11. International Transfers

Your data may be processed in the United States. If you are located in the European Economic Area or United Kingdom, you acknowledge that data protection laws in the US may differ from those in your country. We put appropriate safeguards in place to ensure your data is treated securely and in accordance with this policy.

12. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by email or via the Service. Your continued use of the Service after the effective date constitutes acceptance of the updated policy.

13. Contact

For privacy-related questions or to exercise your rights, contact us at [email protected]. We aim to respond to all requests within 30 days.