ORIVYO – Privacy Policy

1. Overview

We build infrastructure for interactive content and communications. This policy explains what we collect, why, how we use it, when we share it, and the choices and rights available to you.

2. Scope & Roles

Scope. Applies to orivyo.com, our web applications, APIs, tracking endpoints (e.g., views, clicks, scans, votes), and hosted assets.

Controller vs Processor. We act as:

Controller for account data, billing, service analytics, product communications.
Processor for customer-controlled content and recipient data processed under your instructions. A Data Processing Agreement (DPA) is available on request.

3. Data We Collect

Account data. Name, email, company, role, auth identifiers.
Billing data. Plan, invoices, card brand/last 4/expiry via processors (no full card storage).
Usage data. In-product actions, feature flags, timestamps, performance metrics.
Event logs. Views/clicks/scans/votes with timestamp, IP, user-agent, campaign/test IDs, anti-fraud markers.
Device & network. IP address, user-agent, language, referrer, cookie IDs.
Support content. Tickets, attachments, reproduction steps, crash reports.
Marketing preferences. Opt-ins, unsubscribes, channels.
User-generated content. Images, text, overlays, configurations you upload.

4. Legal Bases (GDPR)

Purpose	Examples	Legal basis
Provide the Service	Auth, dashboards, APIs, asset delivery	Contract Art. 6(1)(b)
Improve & secure	Analytics, debugging, abuse prevention	Legitimate interests Art. 6(1)(f)
Billing & compliance	Invoices, tax, audits	Legal obligation Art. 6(1)(c)
Marketing	Newsletters, product updates	Consent Art. 6(1)(a) or legitimate interests Art. 6(1)(f)
Processor activities	Handle recipient data per client instructions	Processor under DPA; client is controller

5. How We Use Data

Operate, maintain, and secure the platform.
Measure performance, quality, and reliability.
Provide support and investigate issues or abuse.
Personalize product experience.
Send essential service communications; marketing with consent or where allowed.
Comply with law and enforce terms.

6. Sharing & Disclosures

Vendors/processors. Hosting, storage, analytics, payments, email delivery, security.
Change of control. Business transactions with equivalent protections.
Legal requirements. To comply with law, protect rights, prevent fraud/abuse.
With your direction. Integrations you enable or API calls you make.

7. Processors & Sub-processors

We use vetted providers bound by data protection terms. A current list is available on request and may include hosting (IaaS), email delivery, analytics, payments, error tracking, and security monitoring. We notify clients of material changes where required by the DPA.

To request the latest sub-processor list or subscribe to change notifications, email [email protected].

8. International Transfers

Where data moves outside the EEA/UK, we rely on appropriate safeguards such as Standard Contractual Clauses (SCCs) and additional technical and organizational measures.

9. Retention

We keep personal data only as long as necessary for the purposes described, to meet legal obligations, or to resolve disputes. Processor data follows your configuration and instructions, with deletion/return on contract end where applicable.

10. Security

We implement administrative, organizational, and technical controls including access controls, encryption in transit, environment segregation, monitoring, logging, and backups. No system is completely secure; report issues using the contacts below.

11. Your Rights

Access, rectification, erasure.
Restriction and objection.
Data portability.
Withdraw consent where applicable.
Lodge a complaint with your supervisory authority.

For processor data, contact the relevant controller (our customer). We will assist under the DPA.

12. Cookies & Similar Technologies

We use cookies/local storage for sessions, preferences (e.g., theme), analytics, rate-limiting, and anti-fraud/anti-repeat mechanisms.

Strictly necessary. Authentication, security, load balancing.
Functional. Preferences, UI settings.
Analytics. Performance and product insights (aggregated/limited).
Marketing (where applicable). With consent or where permitted.

Manage settings via your browser and any in-product controls. See also our Cookie Policy.

13. Do Not Track

DNT is not standardized; we do not respond to DNT signals. We honor applicable consent and opt-out mechanisms required by law.

14. Children

The Service is not directed to children under 16 and we do not knowingly collect their data. If you believe a child has provided personal data, contact us to remove it.

15. Automated Decision-Making

We do not engage in automated decisions producing legal or similarly significant effects without human involvement.

16. DPA & Controller Requests

We provide a GDPR-compliant DPA on request. For data subject requests where we act as processor, we will assist the controller to fulfill obligations.

17. Changes

We may update this policy. Material changes will be posted on our website or via in-product notices. Continued use after the effective date constitutes acceptance.

18. Contact

Controller: ORIVYO OOD (replace with exact legal name)

Registered address: [enter]

Support: [email protected]

Data Protection: [email protected]

Website: www.orivyo.com

For security reports, use subject “Security Report” and include reproduction details and logs where possible.