Privacy Policy
Effective date: 1 July 2026. This page is maintained by Brain Junks Limited to explain how the OperExa platform collects, uses, stores, protects and shares personal data.
Summary. OperExa is a business-to-business software-as-a-service ("SaaS") platform. When you subscribe as an organisation, your organisation is the "data controller" of the operational data you upload (staff, payroll, sales, banking, stock, financials). Brain Junks Limited acts as the "data processor" and processes that data only on your documented instructions and to run the service. For our own website visitors, marketing contacts, and account holders, we act as the data controller.
1. Who we are
OperExa ("we", "us", "our", the "Service") is a project of Brain Junks Limited ("the Company"), company number 15736691. Where these terms apply to the collection of personal data by the Company as controller, the Company is the data controller under the UK GDPR and Data Protection Act 2018 and, where applicable, the EU General Data Protection Regulation.
For any questions relating to this policy or to exercise the rights described below, contact us at privacy@brainjunks.com.
2. Scope of this policy
This policy applies to:
- Visitors to our marketing site and product pages;
- Individuals who create an account or use the Service (including administrators, directors, managers, HR users and staff members invited by a customer organisation);
- Prospective customers who contact us for demonstrations, quotes or support;
- Personnel of our business customers whose data is uploaded into the Service by that customer as controller.
The Service is intended for business use only and is not directed to children under 16. We do not knowingly collect personal data from children.
3. Controller vs processor
Customer data (processor): When your organisation subscribes, you decide what personal data to upload (for example staff records, contracts, holiday balances, payroll data, TRONC allocations, sales and banking figures). Your organisation is the controller of that data. We process it only to provide, secure, support and improve the Service under the terms of our subscription agreement and any applicable Data Processing Addendum ("DPA"). If you require a signed DPA, contact privacy@brainjunks.com.
Account and website data (controller): We act as controller for account credentials, billing records, marketing communications, support tickets and website analytics described below.
4. Personal data we collect
4.1 Information you provide
- Account details: name, work email, role, telephone number, organisation, site/venue name.
- Authentication data: hashed password, multi-factor tokens, session tokens.
- Billing information: billing contact, VAT number, billing address, payment method (card brand and last four digits only, never the full PAN; or bank details for standing order / bank transfer). Full card numbers are handled by our payment processor and are never stored by us.
- Support and correspondence: messages, screenshots and attachments you send to us.
- Operational data uploaded by administrators: staff HR records, contracts, right-to-work documents, next of kin, bank details for payroll, holidays, disciplinary notes, sales, banking, cash, vouchers, deposits, stock, supplier details and financial figures.
4.2 Information we collect automatically
- Device and log data: IP address, browser type and version, operating system, referring URL, pages viewed, timestamps and error diagnostics.
- Cookies and similar technologies used to keep you signed in, remember preferences and measure aggregate usage. See section 11.
- Product telemetry used to detect faults, prevent abuse and improve the Service.
4.3 Information from third parties
- Identity providers (for example Google) where you choose to sign in through them, limited to your name, email and avatar.
- Payment processors, who confirm transaction status.
- Weather data provider (Open-Meteo) for the optional weather widget — no personal data is sent.
5. Why we process personal data and our legal basis
| Purpose | Legal basis (UK/EU GDPR) |
|---|---|
| Provide the Service to your organisation and its users | Performance of a contract; legitimate interests |
| Authenticate users and secure the platform | Contract; legitimate interests; legal obligation |
| Process payments and manage subscriptions | Contract; legal obligation |
| Provide support and respond to enquiries | Contract; legitimate interests |
| Send service and security notices | Contract; legal obligation |
| Send marketing about similar services | Legitimate interests (with an opt-out) or consent where required |
| Detect, investigate and prevent fraud, abuse and security incidents | Legitimate interests; legal obligation |
| Comply with legal, tax, employment and accounting obligations | Legal obligation |
| Aggregate, anonymised analytics to improve the product | Legitimate interests |
Where our processing is based on consent (for example non-essential cookies or optional marketing), you may withdraw consent at any time without affecting the lawfulness of processing carried out before withdrawal.
6. Special category and sensitive data
HR features may allow your organisation to record data that is "special category" under UK/EU GDPR (for example health-related absence) or otherwise sensitive (for example right-to-work documents or bank details). Your organisation, as controller, is responsible for identifying an appropriate lawful basis and condition for processing such data and for obtaining any consents required from employees. We process such data solely on your instructions to deliver the Service and apply the security measures described in section 10.
8. Sub-processors and hosting
The Service is hosted on secure cloud infrastructure inside the United Kingdom / European Economic Area where possible. Current categories of sub-processor include:
- Cloud database, authentication and storage provider (managed Postgres, object storage, authentication).
- Application hosting and content delivery provider (edge compute and CDN).
- Transactional email provider for account, security and support emails.
- Payment processor for card and bank payments.
- Error monitoring and product analytics provider (aggregated, non-marketing).
- Customer support tooling.
A current list of named sub-processors is available on request from privacy@brainjunks.com. We enter into written contracts with all sub-processors imposing appropriate data protection, security and confidentiality obligations.
9. International transfers
Where personal data is transferred outside the UK or EEA, we rely on an adequacy decision or, where none applies, on appropriate safeguards such as the UK International Data Transfer Addendum or the EU Standard Contractual Clauses, together with any supplementary measures required following a transfer risk assessment.
10. Security
We apply organisational and technical measures appropriate to the risk, including: encryption in transit (TLS) and at rest, row-level access controls in the database, role-based access controls in the application, principle-of-least-privilege for employees, MFA on administrative accounts, audit logging for period-close and financial events, secure software development practices, dependency vulnerability scanning, secrets management, and regular backups. No system can be guaranteed to be 100% secure; you must also keep credentials confidential and configure user roles carefully.
If we become aware of a personal data breach affecting your data, we will notify the relevant customer administrators without undue delay and, where required, cooperate with regulators in accordance with Article 33/34 GDPR.
12. Retention
We retain personal data only for as long as necessary for the purposes for which it was collected, to comply with legal, tax, accounting or regulatory requirements, and to resolve disputes and enforce our agreements. Customer operational data is retained for the duration of the subscription and for a limited grace period after termination (typically 30 days) during which the customer administrator may export data, after which it is deleted or irreversibly anonymised in accordance with our documented retention schedule. Backups are cycled on a rolling basis and overwritten within a defined retention window.
13. Your rights
Subject to conditions in applicable law, you have the right to: access your personal data; request rectification of inaccurate data; request erasure; restrict or object to processing; portability; withdraw consent; and not to be subject to a decision based solely on automated processing that produces legal or similarly significant effects.
If you are an employee, contractor or other individual whose data has been uploaded to the Service by an employer or other organisation, please contact that organisation first — as controller, they are responsible for responding. We will support them in handling your request.
To exercise your rights, contact privacy@brainjunks.com. You also have the right to lodge a complaint with the UK Information Commissioner's Office (ICO) at ico.org.uk or with your local supervisory authority in the EEA.
14. Automated decision-making and AI features
The Service includes optional forecasting and AI-generated narrative features (for example sales forecasts and executive summaries). These outputs are advisory and intended to assist human decision-making. They do not, on their own, produce legal or similarly significant effects. Administrators remain responsible for reviewing outputs before relying on them for operational, financial or employment decisions.
15. Marketing communications
Where permitted, we may send marketing about the Service and related products to business contacts. You can opt out at any time via the unsubscribe link in any marketing email or by contacting us. Service and security notices are transactional and cannot be unsubscribed from while you hold an account.
16. Third-party links and integrations
The Service may link to third-party websites or allow integrations with third-party services chosen by your organisation. We are not responsible for the privacy practices of those third parties. Review their policies before providing personal data.
17. Changes to this policy
We may update this policy from time to time. When we make material changes we will notify account administrators by email or in-product notice and update the "Effective date" above. Continued use of the Service after changes take effect constitutes acceptance of the updated policy.
18. Limitation of liability
Nothing in this policy limits or excludes any liability that cannot be limited or excluded under applicable law (including liability for death or personal injury caused by negligence, fraud or fraudulent misrepresentation). Subject to that, and to the fullest extent permitted by law, the Company's liability arising out of or in connection with this Privacy Policy is governed by, and subject to the exclusions and limitations set out in, the subscription agreement or terms of service between you and the Company. We are not liable for any loss caused by your failure to keep credentials confidential, to configure user roles appropriately, or to instruct us lawfully in your capacity as controller.
19. Governing law and jurisdiction
This policy and any dispute or claim arising out of or in connection with it (including non-contractual disputes or claims) are governed by the laws of England and Wales. The courts of England and Wales have exclusive jurisdiction to settle any such dispute or claim, without prejudice to any mandatory rights you may have as a consumer or employee under local law.
20. Contact us
Brain Junks Limited
Company number: 15736691
Email: privacy@brainjunks.com
This document is provided by Brain Junks Limited as app-owned editable content. It is a template drafted in good faith to explain our current practices; it is not legal advice. You should have it reviewed by qualified legal counsel before relying on it for regulatory compliance in your jurisdiction.