Last updated: 20 April 2026 · Version 1.0.0
Privacy Policy
This Privacy Policy explains how OpenCall Radar collects, uses, discloses and protects your personal data when you use our service. We comply with the EU General Data Protection Regulation (GDPR) and applicable German data protection law.
1. Data Controller
The data controller responsible for your personal data under GDPR Article 4(7) is:
Gyuchul Moon (sole proprietor)
Berlin, Germany
Email: privacy@opencallradar.com
Full postal address and business identification are available in the Impressum at /impressum. Business registration is in progress (expected June 2026); this Privacy Policy will be updated with the registration number when available.
2. Categories of Personal Data We Process
We process the following categories of personal data:
- Account data — email address, encrypted password hash, account creation timestamp.
- Profile data — self-declared practice attributes (primary discipline, career stage, motivation, fee tier, award tier, preferred regions) provided during onboarding.
- Usage data — pages viewed, filters applied, outbound link clicks to third-party opportunities (for analytics and to improve matching).
- Payment data — handled exclusively by our merchant of record (see §5); we do not store card numbers or bank details.
- Communications — emails you send us and our replies.
3. Purposes and Legal Bases
We process your data for the following purposes, each with a GDPR Article 6 legal basis:
- Provide and operate the Service (GDPR Art. 6(1)(b) — performance of contract): authenticating you, personalizing matches, processing your subscription.
- Comply with legal obligations (GDPR Art. 6(1)(c)): tax records, accounting, responding to lawful authority requests.
- Improve the Service and measure usage (GDPR Art. 6(1)(f) — legitimate interests): aggregate analytics, debugging, security monitoring. Our interest in improving a paid service is balanced against your reasonable expectations.
- Send service-related communications (GDPR Art. 6(1)(b)): account notifications, billing receipts, security alerts.
- Marketing communications (GDPR Art. 6(1)(a) — consent): only when you explicitly opt in; you can withdraw consent at any time.
4. Retention Periods
We retain your personal data only as long as necessary for the purposes for which it was collected:
- Account and profile data — for the duration of your account, plus 30 days after deletion to allow recovery from accidental deletion.
- Payment records — retained by our merchant of record and by us for up to 10 years as required by German commercial and tax law (HGB §257, AO §147).
- Usage logs — up to 90 days, then aggregated or deleted.
- Support communications — up to 3 years after case closure for quality and legal purposes.
- Marketing consent records — for the duration of your subscription to the communication channel, plus 3 years as proof of consent.
5. Third-Party Processors
We share data with carefully selected processors under GDPR-compliant Data Processing Agreements. Each processor acts only on our instructions and is bound to appropriate technical and organizational safeguards:
- Supabase Inc. — database and authentication hosting in the EU (Frankfurt) region. DPA: https://supabase.com/legal/dpa
- Polar (merchant of record) — payment processing, VAT handling, invoicing. DPA: https://polar.sh/legal/dpa
- Email service provider — transactional emails (verification, billing receipts, support replies). DPA in place with the selected provider; details available on request.
- Railway Corp. — application hosting infrastructure. DPA: https://railway.com/legal/dpa
6. International Data Transfers
Our primary database and authentication services are hosted in the European Union (Frankfurt). Where a processor transfers personal data outside the European Economic Area — for example, analytics or support tools headquartered in the United States — the transfer is covered by Standard Contractual Clauses (SCCs) approved by the European Commission and supplementary measures where required. We do not sell or voluntarily transfer personal data to jurisdictions lacking adequate protection.
7. Your Rights
As a data subject under GDPR, you have the following rights:
- Right of access (Art. 15) — request a copy of the personal data we hold about you.
- Right to rectification (Art. 16) — correct inaccurate or incomplete data.
- Right to erasure (Art. 17) — request deletion of your data subject to legal retention obligations.
- Right to restriction of processing (Art. 18) — limit how we use your data in specific circumstances.
- Right to data portability (Art. 20) — receive your data in a structured, machine-readable format.
- Right to object (Art. 21) — object to processing based on legitimate interests or direct marketing.
- Right to withdraw consent (Art. 7(3)) — at any time, without affecting prior lawful processing.
- Right to lodge a complaint (Art. 77) — with a supervisory authority (see §9).
8. How to Exercise Your Rights
To exercise any of the rights listed above, email privacy@opencallradar.com from the address associated with your account. We will respond within one month as required by GDPR Art. 12(3). We may ask for additional information to verify your identity. There is no fee for reasonable requests; we may charge a fee for, or refuse, manifestly unfounded or excessive requests as permitted by law.
9. Supervisory Authority
You have the right to lodge a complaint with a data protection supervisory authority. The competent authority for our establishment is:
Berliner Beauftragte für Datenschutz und Informationsfreiheit
Friedrichstr. 219, 10969 Berlin, Germany
https://www.datenschutz-berlin.de
You may also complain to the supervisory authority in your EU country of residence, place of work, or place of the alleged infringement.
10. Data Protection Contact
Although we are not legally required to appoint a Data Protection Officer under GDPR Art. 37, we maintain a dedicated privacy contact. For any question regarding this policy or our data practices, write to privacy@opencallradar.com.
11. Cookies and Similar Technologies
We use only strictly necessary cookies and local-storage entries required to authenticate your session and remember your tier. We do not currently deploy analytics, advertising, or tracking cookies. If we introduce any non-essential cookies in the future, we will update this policy and present an explicit consent banner as required by the ePrivacy Directive and GDPR.
12. Security
We implement appropriate technical and organizational measures including encryption in transit (TLS), encryption at rest for databases, role-based access controls, and secret management. No system is perfectly secure; in the event of a personal data breach likely to result in a risk to your rights and freedoms, we will notify the supervisory authority within 72 hours and affected users without undue delay, as required by GDPR Articles 33–34.
13. Changes to This Policy
We may update this Privacy Policy to reflect changes in law, technology, or our practices. The "Last updated" date at the top of this page indicates the latest revision. Material changes will be announced by email to registered users. Your continued use of the Service after the effective date indicates acceptance of the updated policy.