OptiStack is fully committed to the EU General Data Protection Regulation. We embed privacy by design and by default into every aspect of our platform.
Last updated: February 22, 2026 · Effective: February 22, 2026
Data Protection Officer
Datatent B.V. (trading as OptiStack)
Amsterdam, Netherlands
Email: dpo@optistack.com
We adhere to the six principles of GDPR (Article 5) in all our data processing activities.
We process personal data lawfully, fairly, and in a transparent manner. Every processing activity has a clearly documented legal basis under GDPR Article 6.
Personal data is collected for specified, explicit, and legitimate purposes. We never process data in a manner incompatible with the original collection purpose.
We collect only the minimum data necessary for our stated purposes. We access cloud metadata only — never your actual table data, files, or query results.
We take reasonable steps to ensure personal data is accurate and up to date. You can update your information at any time through your account settings.
Personal data is retained only for as long as necessary. We maintain documented retention schedules with automatic purging for expired data.
We implement appropriate technical and organisational measures including AES-256 encryption at rest, TLS 1.3 in transit, and strict access controls.
Every processing activity at OptiStack has a documented lawful basis under GDPR Article 6.
Processing necessary to provide the OptiStack service as agreed in our Terms of Service.
Examples: Account creation, authentication, connected platform data access for cost analysis, service delivery.
Processing necessary for our legitimate interests, balanced against your rights and freedoms.
Examples: Usage analytics, service improvement, security monitoring, fraud prevention, customer support.
Processing necessary to comply with legal obligations to which we are subject.
Examples: Tax compliance, financial record keeping, regulatory reporting, law enforcement requests.
Processing based on your freely given, specific, informed, and unambiguous consent.
Examples: Analytics cookies, marketing communications, optional feature telemetry.
We respect and facilitate all data subject rights under GDPR. Below is a detailed guide on how to exercise each right.
| Right | How to exercise | Response time |
|---|---|---|
| Obtain confirmation of whether we process your data and receive a copy of all personal data we hold about you. | Email dpo@optistack.com with subject 'Data Access Request'. We will verify your identity and respond within 30 days. | 30 days |
| Request correction of inaccurate personal data or completion of incomplete personal data without undue delay. | Update directly via account settings, or email dpo@optistack.com for data we process on your behalf. | Without undue delay |
| Request deletion of your personal data when it is no longer necessary, you withdraw consent, or you object to processing. | Email dpo@optistack.com with subject 'Erasure Request'. Note: some data may be retained where required by law. | 30 days |
| Request restriction of processing while we verify accuracy of your data, assess our legitimate interests, or if processing is unlawful. | Email dpo@optistack.com with subject 'Restriction Request' specifying the grounds for restriction. | Without undue delay |
| Receive your personal data in a structured, commonly used, machine-readable format (JSON or CSV) and transmit it to another controller. | Email dpo@optistack.com with subject 'Portability Request'. Specify your preferred format (JSON or CSV). | 30 days |
| Object to processing based on legitimate interests, including profiling. Object to direct marketing at any time. | Email dpo@optistack.com with subject 'Objection'. For marketing, use the unsubscribe link in any email. | Without undue delay |
| Not be subject to decisions based solely on automated processing, including profiling, which produce legal or similarly significant effects. | OptiStack does not make solely automated decisions with legal effects. Our cost recommendations are advisory only. | N/A |
We maintain a comprehensive data breach response plan in compliance with GDPR Articles 33 and 34:
We conduct Data Protection Impact Assessments (DPIAs) in compliance with GDPR Article 35 whenever a processing activity is likely to result in a high risk to individuals' rights and freedoms. Our DPIA process includes:
OptiStack primarily stores and processes data within the EEA. Where international transfers are necessary, we rely on:
We maintain a transparent sub-processor management program in accordance with GDPR Article 28:
We maintain documented retention periods for all categories of personal data. Data is automatically purged when retention periods expire.
| Data Type | Retention Period | Justification |
|---|---|---|
| Account Information | Duration of account + 30 days | Contract performance, legitimate interest in account recovery |
| Usage Analytics | 24 months | Legitimate interest in service improvement |
| Technical/Security Logs | 12 months | Legitimate interest in security and fraud prevention |
| Connected Platform Metadata | Duration of account + 90 days | Contract performance |
| Billing Records | 7 years | Legal obligation (tax/financial regulations) |
| Support Communications | 36 months from last interaction | Legitimate interest in customer support quality |
| Cookie Consent Records | 365 days (auto-renewed) | Legal obligation (ePrivacy compliance) |
If you believe your data protection rights have been violated, you have the right to lodge a complaint with a supervisory authority (GDPR Article 77). We encourage you to contact us first so we can address your concerns directly.
Autoriteit Persoonsgegevens (Dutch Data Protection Authority)
Bezuidenhoutseweg 30, 2594 AV The Hague
Website: autoriteitpersoonsgegevens.nl
Phone: +31 (0)70 888 8500
Our Data Protection Officer is available to answer any questions about our GDPR compliance or to assist with data subject requests.
Email: dpo@optistack.com · Response within 5 business days