Oper Credits BV and its current and future subsidiaries, including Oper Credits AG (collectively, “Oper”, “we”, “us”), take your privacy seriously. This Privacy Notice explains how we handle personal data for:
• Site Visitors: individuals who visit our website or interact with our online content, including marketing pages, contact forms, newsletters, or event registrations.
• Customers: employees or representatives of financial institutions using Oper’s platform.
• End Users: borrowers who use our platform through a financial institution. (End Users are not Oper employees.)
Our roles under the GDPR:
• Controller: Oper is the data controller for personal data relating to Site Visitors and for administrative or operational data relating to Customers and End Users (e.g., account management, authentication, security logs, support tickets, and communications).
• Processor: Oper is the data processor when handling End Users’ mortgage-application data and other platform-hosted personal data processed on behalf of a Customer, strictly under their instructions.
How Oper Acts as Controller vs. Processor
| Category |
Controller Role |
Processor Role |
| Site Visitors |
All personal data relating to website operation, analytics (with consent), marketing, security and enquiries. |
Not applicable. |
| Customers (employees/ representatives) |
Account creation, authentication, permissions, audit logs, support, security monitoring, product analytics, marketing (with consent). |
Only where the Customer instructs Oper to perform processing on Customer-provided datasets within the platform (rare; usually none). |
| End Users (borrowers) |
Limited administrative communication and optional product-research activities (consent-based). |
All mortgage-application data and related workflow processing performed strictly on Customer instructions. |
If you have questions, please contact: privacy@opercredits.com.
2. What Personal Data We Process and Why
We only process personal data where we have a lawful basis under the GDPR. For each data category, we indicate the role in which Oper acts:
• Controller: Oper determines the purposes and means of the processing.
• Processor: Oper processes personal data solely on behalf of and under the instructions of a Customer (typically a financial institution).
2.1. Site Visitors
A. Website operation, security and performance
Data: IP address, browser/device details, security logs, event timestamps.
Legal basis: Legitimate interests (ensuring the website works reliably and safely), legal obligations.
B. Analytics and product improvement (only with consent)
Data: Cookie identifiers, usage metrics, page-performance data.
Legal basis: Consent.
C. Responding to enquiries
Data: Name, email, phone number, and any information you submit.
Legal basis: Legitimate interests (responding to requests), steps prior to entering a contract.
D. Marketing and advertising audiences (legitimate interest; consent where required by local law)
Data: Email address, cookie identifiers, IP address, and hashed identifiers used to create professional advertising audiences (e.g., LinkedIn custom audiences).
Legal basis: Legitimate interests (promoting our B2B services to relevant professional audiences); consent for cookie-based tracking where required.
Individuals can opt out of marketing communications or marketing audiences at any time through our preference-management tools or by contacting privacy@opercredits.com.
2.2. Customers
A. Providing and managing access to the platform (Oper as Controller)
Data: Name, professional contact details, organisation, role/permissions, login credentials.
Legal basis: Performance of a contract.
B. Authentication, access control and audit logging (Oper as Controller)
Data: Login timestamps, IP address, device/browser information, audit logs.
Legal basis: Legitimate interests (security and auditability), legal obligations.
C. Platform performance, monitoring and security (Oper as Controller)
Data: Error logs, diagnostic data, system events.
Legal basis: Legitimate interests (ensuring stability and security).
D. Product analytics (Oper as Controller for Customer-user analytics)
Data: Feature-usage patterns, interaction data, pseudonymised or anonymised metrics.
Legal basis: Legitimate interests for essential analytics; consent for additional analytics.
(Analytics relating to End Users’ mortgage data is performed only where instructed by the Customer and treated under Section 2.3.)
E. Customer support and service improvement (Oper as Controller)
Data: Support tickets, communication history, configuration details.
Legal basis: Legitimate interests (providing support), performance of a contract.
F. Marketing and product research (Oper as Controller, consent-based)
Data: Contact details, engagement data, survey responses.
Legal basis: Consent.
2.3. End Users
A. Mortgage application processing (Oper as Processor)
Data:
• Identification: name, contact details, address history, ID documents.
• Financial: income, payslips, tax records, debts, savings, property documents.
• Derived: affordability calculations and workflow-supporting outputs.
Legal basis: Performance of a contract between the End User and the financial institution. Processing follows Customer instructions.
B. Fraud prevention, KYC support and document handling (Oper predominantly as Processor; Controller only for system-level security metadata)
Data: Metadata from uploads, verification checks, IP address, device data.
Legal basis: Legitimate interests (security and integrity), legal obligations of financial institutions.
C. Administrative notices (Oper as Controller)
Data: Contact information required to provide operational updates related to the use of our platform.
Legal basis: Legitimate interests (ensuring correct platform operation), performance of a contract.
D. Product research (Oper as Controller, consent-based)
Data: Survey responses, interview participation, usage insights (minimised where possible).
Legal basis: Consent.
3. Cookies and Similar Technologies
We use essential cookies necessary for the website to function securely and reliably.
We use analytics or advertising cookies only if you consent. Details are provided in our Cookie Policy.
4. How We Share Personal Data
We share personal data only when needed and with appropriate safeguards.
4.1. Service Providers
We rely on specialised service providers to help us deliver a secure and reliable platform. These providers support areas such as:
• Hosting and cloud infrastructure (including compute, storage, database services)
• Security and monitoring (intrusion detection, anomaly detection, log management)
• Customer support and communication tools (ticketing systems, email services, inapp messaging)
• Operational tooling (deployment systems, CI/CD tooling, workflow automation)
• Analytics and performance monitoring (site performance, uptime, product telemetry — only activated with consent where required)
Before engaging any service provider, we conduct due diligence to assess security, privacy controls, financial stability, and GDPR compliance. All service providers:
• operate under a Data Processing Agreement (DPA);
• access personal data only as needed to provide their service;
• must implement appropriate technical and organisational measures, including encryption, access controls and audit logging;
• are subject to ongoing monitoring and periodic reviews.
We maintain a structured subprocessor management process. Our current list of subprocessors is available on our website.
Oper applies a formal vendormanagement framework covering risk assessment, security review, contractual controls, and ongoing monitoring. Each subprocessor is assessed for technical and organisational measures, incidentresponse capability, and compliance with GDPR and relevant financialsector expectations.
4.2. Marketing and advertising tools (consent-based)
If you give consent, we may use tools that support our CRM, communications, analytics or advertising activities. These tools may process limited identifiers to help us understand engagement or reach relevant audiences. Examples include:
• CRM and email platforms (e.g., for newsletters, optin product updates)
• Analytics tools (activated only with consent)
• Advertising platforms used to create or measure audiences (e.g., hashed contact identifiers or cookie IDs)
• HubSpot (CRM, email automation, subscription management)
• LinkedIn Marketing Solutions (custom audiences, LinkedIn Ads)
Key points about these tools:
• They operate only if you provide consent through our cookie banner or communication preferences.
• Identifiers used for advertising purposes may be hashed or pseudonymised before being shared.
• We do not share full customer or End User data with advertising platforms.
• Opt-out: You may opt out of receiving marketing communications or being included in marketing audiences (including LinkedIn custom audiences) at any time by using the unsubscribe or preference-management links in our emails, or by contacting privacy@opercredits.com.
4.3. Marketing and advertising tools (consent-based)
If you consent, we may use CRM, analytics or advertising tools that process limited identifiers, such as hashed email addresses or cookie IDs.
4.3. Security, fraud prevention and compliance
We may disclose data where required by law, or to prevent, detect or investigate fraud or security issues.
4.4. Business transactions
In the event of a merger, acquisition or restructuring, personal data may be transferred under appropriate safeguards.
5. International Data Transfers
We do not transfer personal data outside the European Economic Area (EEA) in the normal course of our activities. All core infrastructure and services are located within the EEA.
In exceptional cases, where a transfer outside the EEA is unavoidable, we rely on:
• an adequacy decision, or
• Standard Contractual Clauses, supported by additional measures such as encryption and strict access controls.
We maintain internal controls to prevent unauthorised transfers.
6. Data Retention
We keep personal data only for as long as necessary for the purposes described in this Notice or to meet legal or regulatory requirements.
• As controller, we follow documented retention schedules for operational, security and audit needs.
• As processor, we handle End User mortgageapplication data strictly in line with Customer instructions.
Regular reviews ensure data is not stored longer than needed.
7. Security
We apply a range of organisational and technical measures aligned with recognised standards such as ISO 27001, including:
• Encryption in transit and at rest
• Rolebased access controls
• Secure development practices
• Monitoring and anomaly detection
• Regular security testing
• Subprocessor due diligence
While no online system is entirely riskfree, we take appropriate steps to safeguard the data entrusted to us.
8. Children
We do not knowingly collect or process data from individuals under 18. If you believe this has occurred, please contact us so we can take appropriate action.
9. Your Rights
You have rights under the GDPR, including:
• Access to your data
• Correction of inaccuracies
• Erasure (where applicable)
• Restriction of processing
• Data portability
• Objection to processing (including marketing)
• Withdrawal of consent at any time
To exercise your rights, contact privacy@opercredits.com. We will respond within one month.
You may also contact your local Data Protection Authority. However, we encourage you to reach out to us first so we can address your concerns.
10. Automated Decision-Making
We do not carry out automated decision-making that produces legal or similarly significant effects under Article 22 GDPR. Financial institutions make all lending decisions.
11. Updates to This Notice
We may update this Notice occasionally. The revision date will indicate the latest version. Significant changes may also be communicated directly.
12. Contact
Oper Credits BV
Lange Gasthuisstraat 29-31
Antwerp, 2000, Belgium
Email: privacy@opercredits.com
