Section 01 Overview and our principles
Orzed, LLC ("Orzed", "we", "our") builds and operates software products
for clients and end-users. We collect only what we need, use it only
for the purposes described here, and give you meaningful control over it.
This policy describes the personal data we process as a controller for
orzed.com and our client console. When you provide us with personal data
inside an engagement, we typically act as a processor on behalf of your
organisation. The applicable Data Processing Agreement (DPA) and the
engagement contract govern that relationship.
Minimum necessary
We collect the smallest dataset that lets us deliver the service. Nothing speculative, nothing collected just because the field exists.
Purpose limitation
Data collected for one stated purpose is not repurposed without a fresh legal basis or your renewed consent.
No sale, no ad targeting
We do not sell, rent, or trade personal information. We do not run targeted advertising or share data with ad networks.
Transparent sub-processors
The third parties that touch your data are listed here in plain text, and material changes are announced before they take effect.
Section 02 Data we collect
Depending on how you interact with us, we may collect:
- Contact information: name, work email, company name. Submitted when you contact us or start an engagement.
- Communication content: messages sent through our intake forms and related correspondence.
- Usage data: pages visited, referrer URL, browser, OS and session duration, collected via first-party server logs and analytics. No device fingerprinting, no cross-site tracking.
- Account credentials: hashed password (Argon2id) and session token for client console access, where applicable.
- Project data: documents, datasets and artefacts provided to us during an engagement. Governed separately by the engagement agreement and DPA.
- Cookie data: see Section 08.
We do not collect payment card numbers directly. Billing is handled by a
PCI-DSS Level 1 payment processor; only an opaque transaction token reaches us.
Section 03 Legal bases for processing
For users protected by GDPR, UK GDPR or comparable regimes, we rely on the following Article 6 bases:
- Contract: processing necessary to deliver an engagement, send transactional notices and meet contractual commitments.
- Legitimate interests: running first-party analytics, securing the platform, responding to enquiries you initiated. We balance these against your rights and reduce data where we can.
- Legal obligation: retaining accounting records, responding to lawful requests, meeting tax and audit duties.
- Consent: when we ask explicitly, for example to enable optional cookies. You may withdraw consent at any time, with no effect on prior lawful processing.
Section 04 How we use it
We use the data we hold to:
- Respond to enquiries and conduct pre-engagement scoping.
- Deliver, manage and improve the services you have contracted for.
- Send transactional communications (status updates, invoices, milestone sign-offs).
- Operate and improve orzed.com via aggregate analytics. No personal profiles are built.
- Comply with legal obligations (accounting, regulatory reporting).
- Protect the security and integrity of our systems, including investigating misuse.
We do not use your data for automated profiling that produces legal
or similarly significant effects, for targeted advertising, or for any purpose that
would surprise a reasonable reader of this policy.
Section 05 Sub-processors and international transfers
We share personal data with a limited set of sub-processors who operate
under contractual obligations consistent with this policy. The current list
relevant to orzed.com:
| Role | What it processes | Region |
| --- | --- | --- |
| Hosting and CDN | Web assets, server logs, anonymised request metadata | EU and US |
| Transactional email | Form confirmations and engagement correspondence; content not retained beyond delivery | EU |
| First-party analytics | Aggregated session metrics; IP addresses anonymised before storage | EU |
| Payment processor | Billing transactions; card data tokenised, never reaches Orzed systems | US (PCI-DSS Level 1) |
| Error monitoring | Stack traces and request context, scrubbed of bodies and headers that may carry secrets | EU |
We maintain a current list of sub-processors and notify active clients in writing
before adding a new one that processes their data, with at least 30 days' notice
so an objection can be raised.
International transfers: where personal data leaves the European
Economic Area, the United Kingdom or Switzerland, we rely on the European
Commission's Standard Contractual Clauses (SCCs) and the UK Addendum, supplemented
by appropriate technical measures (encryption in transit and at rest, access
controls, audit logging). Where the destination has an adequacy decision, that
decision is the basis instead.
We may disclose information if required by law, court order, or to protect the
rights, property or safety of Orzed, our clients, or others. We will notify the
affected user where legally permitted.
Section 06 Retention
We keep personal data only as long as needed to fulfil the purposes described
in this policy, or as required by applicable law. After the period below, data
is deleted or irreversibly anonymised.
- Enquiry and contact form data: 24 months from last interaction.
- Engagement project data: per the engagement agreement; financial records typically 7 years (Delaware tax retention).
- Analytics logs: 13 months rolling, anonymised on day one.
- Account credentials: for the active account lifetime plus 90 days after closure.
- Security and audit logs: 12 months, longer only if an active investigation requires it.
- Backups: encrypted, rotated on a 35-day cycle; deletions propagate within one cycle.
Section 07 Your rights
Depending on your jurisdiction, you may exercise the following rights:
- Access: a copy of the personal data we hold about you.
- Rectification: correction of inaccurate or incomplete data.
- Erasure: deletion when the legal basis for processing no longer applies.
- Restriction: a pause on processing while a dispute is resolved.
- Portability: a machine-readable export (JSON or CSV) of data you provided.
- Objection: to processing based on legitimate interests, including profiling.
- Withdraw consent: for any processing that relies on consent, at any time.
- Complain to a regulator: typically your local data protection authority.
Email privacy@orzed.com. We respond within
30 calendar days. We do not charge for reasonable requests and we verify identity
before disclosing any data.
California residents (CCPA / CPRA): you have the right to know,
delete, correct and limit the use of sensitive personal information, and to opt
out of any sale or sharing for cross-context behavioural advertising. We do not
sell or share personal information in this sense. Submit a verified consumer
request via the email above.
Section 08 Cookies
orzed.com uses a minimal cookie footprint. We do not use third-party advertising
cookies, social-media tracking pixels, or session-replay scripts.
- Strictly necessary: session state for the client console. Cannot be disabled without breaking sign-in.
- Analytics: first-party, anonymised. Used to understand aggregate page performance. Honours the Global Privacy Control (GPC) signal and the legacy Do Not Track header.
- Preference: stores UI preferences (theme, language). Expires after 12 months.
Most browsers let you refuse or delete cookies via their settings. Doing so
may affect certain functionality on the site.
You can change or withdraw your choice at any time:
open the cookie preferences panel.
Section 09 Security and breach response
We apply layered technical and organisational measures, including:
- Encryption in transit: TLS 1.2 or higher, with TLS 1.3 preferred. HSTS enforced on production endpoints.
- Encryption at rest: AES-256 for databases, backups and object storage holding personal data.
- Access control: least-privilege role-based access, mandatory multi-factor authentication for all administrative accounts, hardware-bound tokens for production access.
- Secrets management: centralised vault, rotation on a defined cadence, no secrets in source control.
- Logging and monitoring: tamper-evident audit trails, anomaly alerts, integrity checks on critical data.
- Internal review: regular code review with security focus, annual third-party penetration testing on the client console, dependency scanning on every build.
Breach response: if we determine that a personal data breach
has occurred, we will notify the relevant supervisory authority within 72 hours
of becoming aware where the breach is likely to result in a risk to individuals,
and we will notify affected users without undue delay where the risk is high.
Notice will describe the nature of the breach, the data categories affected, the
likely consequences and the mitigation steps taken.
No system is impervious. To report a suspected vulnerability or compromise,
email security@orzed.com. PGP key on
request. Coordinated disclosure is welcomed and we will not pursue good-faith
researchers.
Section 10 Children's data
Our services are directed at businesses and professionals. We do not knowingly
collect personal data from children under 13 (US, COPPA) or under 16 in
jurisdictions where that age threshold applies (EU and UK GDPR). If you
believe a minor has submitted data to us, contact
privacy@orzed.com and we will delete it
promptly.
Section 11 Changes to this policy
We may update this policy. Material changes will be communicated by email to
active clients at least 30 days before they take effect, and the effective date
and version at the top of this page will be updated. A diff against the previous
version is available on request via the privacy lead.
Section 12 Contact and privacy lead
For privacy questions, requests under Section 07, or to ask for the current sub-processor list:
Response time: up to 30 calendar days for data-subject requests, faster
for security disclosures. We do not route privacy enquiries through a chatbot
or a generic ticket queue.
We are not currently required to appoint a Data Protection Officer under GDPR
Article 37. The privacy lead above is the designated point of contact for
individuals and supervisory authorities.