Privacy Policy
1. What we collect
- Account data. Your name, email address, hashed password, account tier, and your chosen timezone.
- Workflow definitions. The step configurations you build — step types, their parameters, any credentials you enter (encrypted at rest), schedules, and triggers.
- Data you upload. Files you put into Data Storage and the rows they contain. These are yours; we store them so your workflows can read them.
- Execution history. Records of workflow runs: which steps executed, how long they took, step output snapshots, error messages, and the small HTML reports we render for each run.
- Usage telemetry. Counts of API calls per minute/hour/day, used to enforce rate limits and show you your own usage chart. No third-party analytics and no tracking cookies.
- Billing metadata. If you subscribe, Stripe customer and subscription identifiers, plus the subscription's current status and period. Your card number never touches Orkidata servers — Stripe handles payment data directly.
- Transactional logs. Standard infrastructure logs (IP address, request path, timestamp, response status) retained for security and debugging.
2. What we don't collect
- No third-party analytics (no Google Analytics, no Mixpanel, no Facebook pixel).
- No marketing cookies. Only a session cookie used to keep you logged in.
- No content of your data files beyond what is necessary to execute the workflow you configured.
3. How we use it
- Operating and securing the service (authenticating you, running your workflows, billing).
- Communicating with you about your account (confirmation emails, password resets, subscription notices, security alerts).
- Enforcing rate limits and detecting abuse.
- Complying with legal obligations when required by valid process.
We do not use your data to train machine-learning models and we do not sell it to any party.
4. Where it lives
All customer data is stored in Amazon Web Services us-east-1 (N. Virginia, USA) — in MongoDB Atlas (account metadata, workflow definitions, execution history) and Amazon S3 (Data Storage files). Payment data is held by Stripe in the United States. Email sending is performed by Twilio SendGrid in the United States. DNS and CDN edge are operated by Cloudflare globally.
5. Sub-processors
Orkidata relies on the following sub-processors to operate the service. Each is listed with the category of data it receives. This list is authoritative as of the effective date above; material additions will be announced at least 30 days in advance by email.
| Sub-processor | Purpose | Data received | Region |
|---|---|---|---|
| Amazon Web Services | Compute (Lambda), storage (S3), CDN (CloudFront), API routing (API Gateway), secrets (Secrets Manager) | All customer data, workflow definitions, execution history, transactional logs | us-east-1 (USA) |
| MongoDB Atlas | Primary database for account metadata, workflow definitions, execution history, rate-limit counters | Account data, workflow definitions, execution history, billing metadata | AWS us-east-1 (USA) |
| Stripe | Payment processing, subscription state, Customer Portal | Name, email, billing address, card details (held by Stripe, not by us), subscription status | USA |
| Twilio SendGrid | Transactional email (confirmation, password reset, billing notices) | Email address, name, email content | USA |
| Cloudflare | Authoritative DNS and edge DNS/CDN for orkidata.com | Request metadata (IP, URL, headers) transiting the edge | Global anycast |
6. International transfers
Primary processing happens in the United States. If you access Orkidata from outside the US, your data will be transferred to and processed in the US under the sub-processors listed above. Where required, transfers are covered by the sub-processor's own Standard Contractual Clauses or equivalent legal mechanisms.
7. Retention
- Account and workflow data: retained for as long as your account is active.
- Execution history: retained for the life of the account unless you delete specific runs or clear history.
- Infrastructure logs: retained for up to 90 days for security and debugging.
- Billing records: retained for the period required by applicable tax and accounting law (typically 7 years).
8. Your rights
Depending on your jurisdiction, you may have rights to access, correct, export, or delete your personal data. To exercise any of these, or to ask a question about this policy, email privacy@orkidata.com. We will respond within 30 days.
You can delete your account at any time from the profile page or by emailing the address above. Deletion removes your account metadata, workflow definitions, execution history, and uploaded files. Backups older than 30 days may retain a copy until they are overwritten on the normal rotation schedule.
9. Cookies
Orkidata uses one cookie: a secure, HTTP-only session cookie that keeps you logged in. The browser also stores a small sessionStorage hint so in-tab navigation feels instant — this is cleared when you log out and is never shared with any third party.
10. Security
Passwords are hashed with bcrypt. Credentials you enter for database or API connectors are encrypted at rest with AES-GCM. Transport uses TLS 1.2+. AWS Secrets Manager holds infrastructure secrets with scoped IAM access. We apply the principle of least privilege across all services. Security is a moving target; no system is perfectly safe, and you should follow good operational hygiene in what you upload.
11. Children
Orkidata is not intended for and is not directed at children under 18. If you believe a child has created an account, please email privacy@orkidata.com and we will delete it.
12. Changes to this policy
Material changes will be announced by email to the address on file and reflected here with an updated version number. Continued use of the service after the effective date of an update constitutes acceptance.
13. Contact
Privacy questions: privacy@orkidata.com.
General: hello@orkidata.com.