Trust & Security
Last updated: February 28, 2026
At Opairly, we take data protection seriously. This page explains what data we collect, how we secure it, and what rights you have.
Also see our privacy policy and terms of service for the full legal documentation.
What data we collect
| Category | Examples | Classification |
|---|---|---|
| Personal data | Name, email address, profile photo | Personal data (GDPR Art. 6) |
| Household data | Household name, work hours, tasks, schedules, house rules, leave requests | Personal data (GDPR Art. 6) |
| Children's medical data | Allergies, medications, blood type, doctor, medical conditions | Special category data (GDPR Art. 9) |
| Emergency information | Home address, GP, hospital, pharmacy, emergency contacts | Personal data (GDPR Art. 6) |
| Financial data | Subscription details via Stripe | Processed by Stripe (PCI-DSS) |
How we protect your data
Encryption in transit
All traffic between your browser and our servers is encrypted via TLS (HTTPS). Data cannot be intercepted during transport.
Encryption at rest
Our database (Supabase) encrypts all data at rest. This protects against unauthorized physical access to the servers.
Application-level encryption
Medical and emergency data is encrypted with AES-256-GCM before it is stored. This means that even with direct database access, these sensitive fields are unreadable — they appear only as ciphertext. Each household has its own derived encryption key.
Specifically, the following fields are encrypted:
- Children: allergies, medical conditions, medications, blood type, doctor name, doctor phone, medical notes
- Household: home address, GP (name, phone, address), hospital (name, phone, address), pharmacy (name, phone, address)
- Emergency contacts: name, phone number, email address
Decryption only happens through a controlled server process when you or your household members access the data. Learn more about how emergency data works in the emergency contacts documentation.
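One way per-household field encryption of this kind can be built, shown as an added example that is not Opairly's code. The page names only AES-256-GCM and a derived key per household; the master key, the HKDF derivation, the function names, the associated data and the stored string format are all assumptions.

```javascript
// Added example, not Opairly's code. Master key handling, HKDF labels and the
// "v1.<iv>.<tag>.<ciphertext>" storage format are assumptions.
const crypto = require("node:crypto");

// Constructed demo key; a real service would load 32 random bytes from a secret store.
const MASTER_KEY = crypto.createHash("sha256").update("constructed-demo-master-key").digest();

// One 256-bit key per household: HKDF-SHA256 with the household id in `info`.
function householdKey(householdId) {
  const info = Buffer.from(`field-encryption-v1:${householdId}`);
  return Buffer.from(crypto.hkdfSync("sha256", MASTER_KEY, Buffer.alloc(0), info, 32));
}

// Associated data ties a ciphertext to its household, record and field, so a
// value copied into another row or column fails authentication.
function aad(householdId, recordId, field) {
  return Buffer.from(JSON.stringify([householdId, recordId, field]));
}

function encryptField(householdId, recordId, field, plaintext) {
  const iv = crypto.randomBytes(12); // fresh 96-bit nonce for every encryption
  const c = crypto.createCipheriv("aes-256-gcm", householdKey(householdId), iv);
  c.setAAD(aad(householdId, recordId, field));
  const ct = Buffer.concat([c.update(plaintext, "utf8"), c.final()]);
  return ["v1", ...[iv, c.getAuthTag(), ct].map((b) => b.toString("base64"))].join(".");
}

function decryptField(householdId, recordId, field, stored) {
  const [version, iv, tag, ct] = stored.split(".");
  if (version !== "v1" || ct === undefined) throw new Error("unknown ciphertext format");
  const d = crypto.createDecipheriv("aes-256-gcm", householdKey(householdId),
    Buffer.from(iv, "base64"), { authTagLength: 16 });
  d.setAAD(aad(householdId, recordId, field));
  d.setAuthTag(Buffer.from(tag, "base64"));
  // final() throws if the key, AAD, tag or ciphertext does not match.
  return Buffer.concat([d.update(Buffer.from(ct, "base64")), d.final()]).toString("utf8");
}

// Returns null instead of throwing, for callers that treat failure as "no data".
function tryDecrypt(householdId, recordId, field, stored) {
  try { return decryptField(householdId, recordId, field, stored); } catch { return null; }
}
```

Because the key depends on the household and the associated data on the record and field, a ciphertext read under another household's key, or moved to a different field, is rejected rather than decrypted.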
Household isolation
Every database query is scoped to your own household via Row Level Security (RLS). Household members can only see their own data — never that of other families.
Children's data
Children's medical data falls under GDPR Article 9 as special category data. We take extra measures to protect it:
- Explicit consent (Art. 9): Medical data is only stored after you provide explicit consent per child through a dedicated consent form. The consent states which data is stored, the legal basis (GDPR Art. 9), and how to withdraw consent.
- Encryption: All medical fields are encrypted before storage using AES-256-GCM (see above).
- Restricted access: Only members of your own household can view medical data.
- Audit trail: Changes to medical data are recorded in an internal log (retained for 90 days). This log is not currently visible in the app, but can be provided upon request.
Learn more about managing child profiles in the children documentation.
Your GDPR rights
As an Opairly user, you have the following rights under the GDPR:
Right of access (Art. 15)
You can view your personal data, household data, tasks, hours, house rules, and leave requests in your dashboard. For a complete overview of all stored data, you can use the export function (see Art. 20 below) or contact us.
Right to rectification (Art. 16)
You can update your profile name, household data, child profiles, emergency contacts, tasks, and house rules via the dashboard and settings page. Contact us to change your email address.
Right to erasure (Art. 17)
You can permanently delete your account and all associated data via Settings > Members > Delete account. This is an irreversible hard deletion — all data is permanently erased.
Right to restriction of processing (Art. 18)
Contact us if you wish to temporarily restrict the processing of your data.
Right to data portability (Art. 20)
You can export your data as a JSON file via Settings > Privacy > Export data. For family members, this includes: profile, children (with decrypted medical data), emergency contacts, tasks, task assignments, hours, house rules, leave requests, and expenses. Au pairs can export their own profile, hours, leave requests, and task completions.
Right to object (Art. 21)
Contact us if you wish to object to the processing of your data.
Right to withdraw consent (Art. 7(3))
You can withdraw previously given consent at any time. For medical data, you can do this by removing the medical information for a child in the settings.
Filing a complaint
You have the right to file a complaint with the Autoriteit Persoonsgegevens (Dutch Data Protection Authority).
Third-party processors
We work with the following trusted partners:
| Processor | Function | Location | Certification |
|---|---|---|---|
| Supabase | Database & authentication | EU (Frankfurt) | SOC 2 Type II |
| Cloudflare | Hosting & CDN | EU-US Data Privacy Framework | ISO 27001 |
| Stripe | Payment processing | EU | PCI-DSS Level 1 |
| Resend | Transactional email | EU/US | SOC 2 Type II |
We have a Data Processing Agreement (DPA) in place with each processor.
Data breaches
In the event of a data breach that poses a risk to your rights and freedoms, we will notify the Autoriteit Persoonsgegevens (Dutch Data Protection Authority) within 72 hours in accordance with GDPR Art. 33. If the breach poses a high risk, we will also inform affected users directly, in accordance with GDPR Art. 34.
Contact
Have questions about how we handle your data, or want to exercise one of your rights?
Email: hello@opairly.nl
We aim to respond within 30 days, in accordance with GDPR requirements.