Privacy Policy

Effective: April 14, 2026 · Version 1.0

TL;DR

  • Your Odoo business data is never stored on our servers
  • Chat messages are saved to your Odoo instance, not ours
  • We only store usage metadata for billing and service quality
  • AI queries are processed by third-party LLM providers via encrypted HTTPS
  • You can request deletion of all your data at any time

1. Data Controller

Bizzi Vietnam (“Bizzi”, “we”, “us”) is the data controller for the Opal service.

Contact: contact@bizzi.vn

2. What We Collect

We collect the minimum data necessary to provide and improve the Service:

| Data Type | Purpose |
|---|---|
| Tenant URL | Your Odoo instance URL — used to route API requests and identify your account |
| API Key | A system-generated authentication token — encrypted at rest |
| Usage Metadata | Message counts, token consumption, timestamps — used for billing and quality monitoring |
| Tool Call Metadata | Tool names, call timestamps, and token counts from AI interactions — used for audit and service quality. Tool call content (your Odoo data) is not retained |
| Session Metadata | Session IDs, Odoo user IDs (internal numeric), auto-generated titles — used for conversation continuity |
| Credit Transactions | Purchase amounts, payment provider references — used for billing records |
| ToS Acceptance | Timestamp and version of Terms accepted — used for legal compliance |

3. What We Do NOT Store

The following data is explicitly never stored on our servers:

| Data Type | Purpose |
|---|---|
| Business Records | Your Odoo data (contacts, invoices, orders, inventory, etc.) passes through our system transiently and is held only in memory for the duration of an AI request |
| Chat Content | Conversation messages are persisted to your Odoo instance via the Module. Our Backend does not retain message text — messages are stored exclusively on your Odoo instance |
| Personal Identifiers | We do not collect names, email addresses, phone numbers, or other personal identifiers. The only user reference is the Odoo-internal numeric user ID |
| Odoo Credentials | We never receive or store your Odoo login password. Authentication uses JWT tokens issued by the Module |

4. LLM Provider Data Processing

When you send a message through Opal, the following data flow occurs:

  1. Your message is sent to our Backend via encrypted HTTPS
  2. Our Backend retrieves relevant Odoo data via MCP tool calls to your instance
  3. Your message and the retrieved Odoo data are sent to a third-party LLM provider for AI processing
  4. The AI response is streamed back to you. No data is retained after the request completes

We currently use providers including OpenAI and Anthropic. These providers process data under their respective data processing agreements. We select providers that offer zero data retention policies for API usage where available.

Tenants with custom LLM configurations (bring-your-own API key) route queries directly to their configured provider. We do not inspect or log the content of these queries beyond token count metadata for billing.

5. Security Measures

  • All data in transit is encrypted via TLS 1.2+
  • API keys and LLM credentials are encrypted at rest
  • Tenant data is isolated at the database level — every query is scoped by tenant ID
  • Rate limiting protects against abuse (per-tenant and per-IP)
  • JWT tokens are short-lived (15 minutes) with refresh token rotation
  • The Backend is hosted on infrastructure with DDoS protection and network-level isolation

6. Data Retention

| Data Type | Purpose |
|---|---|
| Usage Metadata | Retained for the lifetime of the Tenant account, for billing and analytics |
| Session Metadata | Retained until Tenant disconnects, then deleted within 90 days |
| Credit Transactions | Retained for 7 years per financial record-keeping requirements |
| Server Logs | Retained for 30 days, then automatically purged |

Upon Tenant disconnection (Module uninstall), all Tenant-specific data except financial records is queued for deletion within 90 days.

7. Your Rights

Under GDPR, PDPA, and similar data protection frameworks, you have the right to:

  • Access — Request a copy of all data we hold about your Tenant
  • Rectification — Request correction of inaccurate data
  • Erasure — Request deletion of your data (subject to legal retention requirements)
  • Portability — Receive your data in a machine-readable format
  • Objection — Object to processing of your data for specific purposes
  • Restriction — Request restricted processing while a complaint is resolved

To exercise any of these rights, contact contact@bizzi.vn. We will respond within 30 days.

8. Cookies & Tracking

The Opal Module operates within your Odoo instance and does not set any cookies on user browsers. The admin dashboard uses a session-based authentication token stored in your Odoo session — not a separate cookie.

The opal.bizzi.ai landing page may use analytics cookies. These are governed by the landing page's cookie notice and are separate from the Opal Service.

9. Children's Privacy

The Service is designed for business use and is not directed at individuals under 16. We do not knowingly collect data from children.

10. Changes to This Policy

We may update this Privacy Policy from time to time. Material changes will be communicated via the admin dashboard at least 30 days before taking effect. The “Effective” date at the top of this page indicates the most recent revision.

11. Contact

For privacy-related inquiries or to exercise your data rights:

Bizzi Vietnam

Email: contact@bizzi.vn