Legal & Privacy Hub

Master Terms of Service

Version 14.0 · EU/DK Compliant

Effective Date: April 19, 2026

Provider: Oprel Technologies (Denmark)

1. Regulatory Classification (EU AI Act)

1.1. Provider & Deployer Roles: Oprel Technologies is the "Provider" of a General Purpose AI (GPAI) system. By activating the VLA, you assume the role of the "Deployer" (per EU AI Act Article 3). You are responsible for the specific use case and output of the system.

1.2. Transparency Mandate (Article 50): You acknowledge that the VLA is an AI system. Any content or automation produced for public consumption must be clearly labeled as "AI-Generated" or "AI-Assisted." You agree not to remove any machine-readable watermarks embedded by Oprel.

1.3. Prohibited Practices: Use of Oprel for any "Unacceptable Risk" activities (Article 5) — including social scoring, subliminal manipulation, or unauthorized biometric categorization — is a material breach and will be reported to the Danish Digitalization Agency.

2. The "Human-in-the-Loop" (HITL) Defense

2.1. Proximate Causation: Oprel VLA is a "Direct Instruction" tool. The AI has no autonomous agency. Every system modification is technically and legally an act of the User.

2.2. Duty of Supervision: Failure to maintain continuous, real-time oversight of the "Ghost Hand" constitutes Gross Negligence (Grov Uagtsomhed) under Danish law. Oprel Technologies is not liable for damages that could have been prevented by the User's mandated supervision.

3. Statutory Limitation of Liability

3.1. Liability Cap: To the maximum extent permitted by the Danish Sale of Goods Act (Købeloven), Oprel's total liability for non-personal injury claims is limited to the total amount paid for the service in the 12 months prior to the claim.

3.2. Product Liability: Under the EU Product Liability Directive 2024/2853, Oprel is not liable for "defects" caused by:

(a) Third-party software environments (e.g., OS updates).
(b) User-provided prompts that are ambiguous or contradictory.
(c) Use in environments not explicitly supported (e.g., critical infrastructure).

4. Danish Consumer Rights & Withdrawal

4.1. Right of Withdrawal (Fortrydelsesret): In accordance with Forbrugeraftaleloven Section 18, you have a 14-day cooling-off period.

4.2. Loss of Right: By clicking "Start Automation" or "Execute Ghost Hand," you provide express prior consent to begin the service immediately. You acknowledge that you lose your right of withdrawal once the digital service has been fully or partially performed (i.e., API hours consumed).

4.3. Statutory Warranty: Consumers retain a two-year legal warranty regarding the "Software as a Service" functionality, but this does not cover "bad decisions" made by the AI based on user prompts.

5. Data Privacy & The "Legal Vault"

5.1. Data Controller Status: For the purposes of GDPR, the User is the Data Controller of all on-screen content. Oprel is the Data Processor.

5.2. Legitimate Interest: Oprel retains technical logs in the "Legal Vault" for 30 days based on the "Legitimate Interest" of security, anti-fraud, and legal defense (GDPR Article 6(1)(f)).

Privacy Sieve Notice

5.3. The automated "Privacy Sieve" is a technical safeguard, not a guarantee. You are legally prohibited from directing the VLA toward sensitive PII (health data, passwords, etc.).

6. Termination & Enforcement

6.1. The "Aegis" Protocol: If the Aegis Sentinel detects fraud or illegal activity (e.g., scraping protected Danish government databases or banking fraud), your account will be locked.

6.2. Evidence: You agree that Oprel's internal logs (The Iron Throne logs) shall serve as admissible evidence in any dispute regarding user intent or prompt history.

7. Governing Law

7.1. Venue: These terms are governed by Danish Law. Any dispute that cannot be settled via the Danish Consumer Complaints Board (Center for Klageløsning) shall be brought before the City Court of Copenhagen.

Privacy Policy & Data Governance

Version 4.0 · GDPR & AI Act Compliant

Effective Date: April 19, 2026

Data Controller: Oprel Technologies (Denmark) · support@getoprel.com

1. Data Categories & Collection

Oprel Technologies operates on the principle of Data Minimization. We only process data required for the functional execution of the VLA.

1.1. Telemetry Data: We collect Hardware UID, IP addresses, and OS version to enforce the "Soul-Bond" device binding and prevent fraud.

1.2. Visual Data (The Ghost Hand): During an active session, screenshots of your desktop are transmitted to our API for analysis. These are processed in volatile memory (RAM) and are not stored permanently.

1.3. The Legal Vault (Action Logs): We store "Metadata" of actions taken (e.g., "Clicked 'Submit' at coordinates X,Y"). We do not store the raw images of the screen in this vault unless an "Aegis Sentinel" fraud alert is triggered.

2. The "Privacy Sieve" Protocol

Automated Masking

2.1. Oprel employs a "Privacy Sieve" layer that attempts to redact sensitive fields (passwords, credit card numbers, and known PII) before the screenshot is analyzed by the AI.

2.2. User Responsibility: The Privacy Sieve is a secondary safeguard. As the "Deployer," you are instructed not to direct the AI to windows containing classified, medical, or highly sensitive personal information.

3. Legal Basis for Processing (GDPR Article 6)

We process your data under the following legal grounds:

Contractual Necessity: To provide the VLA automation you paid for.
Legitimate Interest: To protect Oprel from reverse-engineering, fraud, and illegal use via the "Aegis Sentinel."
Legal Obligation: To comply with the EU AI Act's logging requirements for General Purpose AI systems.

4. Data Retention & The "30-Day Purge"

4.1. Ephemeral Processing: Visual screen data is deleted immediately after the AI sends the movement command to your device.

4.2. Action Logs: Metadata in the "Legal Vault" is held for exactly 30 days to allow for dispute resolution and anti-fraud auditing. On day 31, the logs are permanently overwritten via cryptographic erasure.

4.3. Subscription Data: Payment info (handled by Stripe) and account info are kept for the duration of your subscription plus statutory tax periods under Danish law (Bogføringsloven).

5. Your Rights Under GDPR

As a user in Denmark/EU, you have the following rights:

Right to Access: You may request a copy of your Action Logs from the last 30 days.
Right to Erasure ("Right to be Forgotten"): You may request the deletion of your account. Note that "Legitimate Interest" logs (fraud detection) may be retained as permitted by law.
Right to Data Portability: You can export your automation history in a machine-readable format.
Right to Complain: You have the right to lodge a complaint with the Danish Data Protection Agency (Datatilsynet).

6. Sub-Processors

Oprel Technologies uses a "Privacy Sieve" to ensure data is clean before it reaches our infrastructure. We utilize the following essential sub-processors:

Oprel AI (Oprel-Core Flash / Oprel-Core Thinking / Oprel-Core Pro): For the "AI Brain" processing (Actionable VLA commands).
Stripe: For secure payment processing.
Hetzner / AWS (EU-Central): For secure hosting of the Iron Throne and Legal Vault.

All AI processing is conducted on servers located within the EEA (European Economic Area) to ensure compliance with Schrems II rulings.

7. Security Measures

Encryption: All data in transit between your laptop and our API is encrypted via TLS 1.3.
The Iron Throne: Access to user logs is strictly limited to the "CEO Vault" or authorized system administrators for support purposes only.
Zero-Knowledge Goal: We aim to build "blind" systems where our developers cannot see your screen content, only the technical output of the VLA.

Data Processing Agreement (DPA)

Version 2.0 · High-Security Edition

Effective Date: April 19, 2026

Scope: Applies to all processing of Personal Data performed by Oprel Technologies on behalf of the User ("The Controller").

1. Subject Matter & Duration

Subject: The provision of AI-driven desktop automation and Vision-to-Action (VLA) services.

Duration: The duration of the User's active subscription plus 30 days (the "Legal Vault" retention period).

2. The Parties' Roles (GDPR & AI Act)

2.1. Oprel as Processor: Oprel processes data only on the documented instructions of the Controller (the User's prompts).

2.2. User as Controller: The User is responsible for the lawfulness of the data on their screen and for ensuring they have a legal basis to process that data using AI.

2.3. Deployer Status: Under the EU AI Act, the User is the Deployer and must ensure "Human-in-the-Loop" oversight to mitigate automated processing risks.

3. Technical & Organizational Measures (TOMs)

Oprel Technologies implements the following "Fortress" security measures:

Fortress Security Stack

3.1. The Privacy Sieve: Automated logic to detect and mask PII (names, emails, IDs) and credentials before data leaves the local client.

3.2. Volatile Processing: Screen screenshots are processed in volatile memory (RAM). Raw image files are never written to disk during standard operation.

3.3. Cryptographic Erasure: All session metadata in the "Legal Vault" is purged after 30 days using cryptographic erasure standards, making recovery impossible.

3.4. Access Control: Only the "Iron Throne" administrative system (accessed via the CEO Vault) can trigger a manual log review, and only in cases of suspected fraud or "Aegis Sentinel" alerts.

4. Sub-Processors

4.1. Authorization: The Controller grants a general authorization for Oprel to use sub-processors (e.g., Google Cloud, Stripe).

4.2. EEA Residency: All primary AI processing and data storage for the "Legal Vault" are located within the European Economic Area (EEA). Oprel complies with the Schrems II ruling by ensuring no unencrypted personal data is transferred to "third countries" without adequate protection.

5. Assistance & Audit Rights

5.1. Data Subject Rights: Oprel will assist the Controller in responding to GDPR requests (Access, Deletion, Portability) via the automated "Request Log Export" tool in the dashboard.

5.2. Audit: Upon 30 days' notice, and no more than once per year, the Controller may request evidence of Oprel's security compliance. Oprel may provide third-party audit reports (SOC2/ISO) to satisfy this requirement.

6. Incident Notification

6.1. Breach Protocol: In the event of a personal data breach at the infrastructure level, Oprel will notify the Controller without undue delay — within 36 hours of becoming aware of the breach, exceeding the GDPR 72-hour standard.

7. Data Deletion

7.1. Termination: Upon termination of the service, Oprel shall delete all metadata in the Legal Vault within 30 days. No "backdoor" copies of user screen data are retained.

Labor & Usage Accounting Protocol

Version 1.0 · Audit-Ready

Effective Date: April 19, 2026

Compliance Standard: Danish Bookkeeping Act 2026 / SAF-T

1. Revenue Recognition (The "API Burn" Ledger)

1.1. Deferred vs. Earned Revenue: When a user buys a "Pro" plan, that money is Deferred Revenue (a liability). As the user consumes "Automation Hours," Oprel moves that value to Earned Revenue in real-time.

1.2. The Consumption Log: Every "Ghost Hand" action generates a micro-transaction record in the Iron Throne database. This serves as the "Proof of Delivery" required by the Danish Tax Authority (Skattestyrelsen) if a user disputes a charge.

2. Digital Bookkeeping Compliance (Denmark 2026)

2.1. Certified Systems: Oprel uses a digital accounting system registered with the Danish Business Authority (Erhvervsstyrelsen).

2.2. SAF-T Generation: Our system is capable of generating a Standard Audit File for Tax (SAF-T), providing full transaction and "API Burn" metadata visibility to Danish authorities upon request.

2.3. Digital Archiving: All invoices, receipts, and consumption logs are stored digitally for five (5) years on EEA-based servers, in compliance with Danish law.

3. E-Invoicing (NemHandel & PEPPOL)

3.1. Structured Invoicing: For Enterprise and B2B clients in Denmark, Oprel issues invoices in OIOUBL or Peppol BIS 3 formats.

3.2. Automatic VAT Handling: Our billing engine automatically applies the 25% Danish VAT for domestic customers and handles "Reverse Charge" VAT for EU-based business customers with a valid VAT ID.

4. Labor vs. Compute Costing

4.1. COGS (Cost of Goods Sold): Our accounting separates Compute Cost (the cost of AI inference via Oprel models) from Labor Value (the price the user pays for automation hours).

4.2. R&D Capitalization: Under Danish accounting standards, the costs of developing the "Ghost Hand" and "Aegis Sentinel" are capitalized as intangible assets, improving the company's balance sheet valuation.

5. Anti-Fraud Reconciliation

Aegis-Ledger Sync

5.1. If the Aegis Sentinel terminates a session for fraud, the accounting system automatically "Freezes" the remaining API Burn balance.

5.2. Audit Trail: Every refund or credit issued to a user must carry a "Reason Code" and a direct link to the specific session log in the Legal Vault. This prevents internal fraud and satisfies Danish auditor requirements.