Privacy Policy

This Privacy Notice outlines

ORCA is committed to protecting our clients’ privacy! ORCA and our service providers can NOT access the sensitive information our clients store in their ORCA Accounts. ONLY the Account Users can access this information.

The only information ORCA and our service providers can access about our clients is:

This information includes personal data such as: the name of the Billing Contact, the Billing Address, etc. It does NOT include the sensitive information our clients specifically chose ORCA to store and protect (e.g. the names and details of legal entities, key documents etc.).

To ensure our clients’ privacy is protected as much as possible, ORCA does our utmost to limit the information we and our service providers can access. The exact information ORCA requires to run/operate our software and that our service providers need to provide their services is documented below. Any information entered into ORCA that is not listed below is encrypted and stored in such a way that neither ORCA nor our service providers can decipher it (e.g. the specifics of Legal Entities, Persons, Files etc.). We refer to this approach as zero-trust. For more information about our zero-trust approach and how we encrypt the data, please see our Security White Paper.

The information ORCA and our service providers need access to can not be encrypted in the same way as the sensitive information our clients specifically use ORCA to store and protect. We need access to this data to fulfill and honor the contract we have. The legal basis for us processing the personal data listed below is documented in each section.

Authentication Data

To use ORCA’s service, Users need to authenticate. To this end, ORCA must store:

Please note that ORCA can NOT see, infer, change or reset the Secret Key required to login for any User. ORCA does NOT possess the information required to decrypt the sensitive data kept in any ORCA Account.

The legal basis for processing this data is our legitimate interests in applying appropriate security measures for the provision of our services.

Database Data

To ensure that

ORCA needs to collect and store information about each User.

The information that ORCA has access to for every User, Account and Vault is limited to:

ORCA can NOT see any other information. Neither ORCA nor our carefully chosen service providers can see anything specific about the Assets, Persons, Files or Tasks stored within an Account. Specifically, we can NOT see or access any sensitive data, such as:

The legal basis for processing this data is the provision of our services to you based on our contract with you.

ORCA believes the best way we can provide value is to focus on developing our core offering whilst engaging carefully selected vendors to provide/support all ancillary services. Carefully selected means subjected to thorough security and privacy assessments.

Whilst we reserve the right to determine which vendors we engage for which purposes, we commit to 100% transparency, i.e. we will always communicate which service providers we engage for what.

ORCA strives to ensure our service providers can access as little information about our clients as possible. We only share information about our clients with a service provider if it is:

For instance, we must share the billing contact name and billing address for an Account with our payment provider (Stripe) for them to be able to process credit card payments. Whereas our file storage provider does NOT need to know the Account’s name, billing address or the contents of the Files being stored to be able to store them (Every File is encrypted on the User’s device before it is sent to the file storage provider in encrypted format, i.e. illegible).

For details on which service providers ORCA uses, what they are used for, and what information each can access, see below. The list contains all service providers ORCA uses that are privy to client and User information. It is NOT an exhaustive list of all service providers ORCA uses. Any service provider(s) we use that does NOT process personal and/or sensitive data is not listed.

Google Cloud

ORCA uses Google Cloud to host its services. Whilst Google Cloud stores and backs-up all the information Users upload into the ORCA Accounts (all of the details of the Legal Entities, Assets, Persons and Files as well as the Files themselves), Google Cloud can NOT access any of this information. All of the information a User enters into ORCA is encrypted on the User’s device before it is sent to Google Cloud. Meaning Google Cloud can NOT read any information or Files stored in an ORCA Account (as they can NOT infer the Users’ credentials / access the Account).

The only information Google Cloud can access is

The application logs are stored for a period of 180 days.

ORCA uses the Google Cloud data center in Zurich. Google Cloud is a certified PCI/DSS Service Provider (Level 1) and holds numerous other certificates, such as ISO 27001 and SOC 1, 2 and 3. More information about the certification and other security and privacy related details for Google Cloud can be found here.

The legal basis for processing this data is the provision of our services to you based on our contract with you.

Mailgun

Mailgun is ORCA’s tool for all technical email communications with clients. For example the email invitation each new User receives, or the email used to validate Users’ email address, etc are sent via Mailgun.

In performing this task, Mailgun becomes privy to every User’s email address and the email content.

Mailgun is GDPR compliant.  More information about the information security and compliance at Mailerlite can be found here.

The legal basis for processing is the provision of our services to you based on our contract with you.

Stripe

Stripe is ORCA’s payment provider. We use Stripe to process credit card payments (example: for ORCA’s subscription fee).

As a regulated financial entity, Stripe is required by law to collect certain client specific data when conducting their business. They must however also adhere to very strict guidelines as to how to store/protect this sensitive information. Stripe is a certified PCI/DSS Service Provider (Level 1). More information about how Stripe treats security and privacy can be found here.

If the payment is executed via credit card, then the following information is shared with Stripe:

Please note that ORCA’s use of Stripe as a payment provider means ORCA never needs to know the credit card information for any of our clients (only Stripe needs to know the credit card details). Should a representative of ORCA ever ask for credit card information, please do not provide it and inform us immediately at privacy@withorca.com.

The legal basis for processing this data is the provision of our services to you based on our contract with you.

Xero

Xero is ORCA’s accounting software. We use Xero to reconcile our financial accounts and generate periodic profit and loss statements, balance sheets and other financial statements.

In the process of performing these functions, Xero becomes privy to the following information about:

Xero does not have access to any information about Users invited to an Account (e.g usernames etc.).

Xero is ISO 27001 and SOC 2 certified and is GDPR and PCI/DSS compliant. More information about the certification and other security and privacy related details can be found here.

The legal basis for processing is the provision of our services to you based on our contract with you as well as fulfilling mandatory legal requirements with respect to bookkeeping and accounting.

Chargebee

Chargebee is ORCA’s subscription lifecycle management and recurring billing platform. We use Chargebee to document the pricing for every Account and to issue and circulate invoices on a recurring basis. In addition to this, if a client elects to pay for ORCA via credit card, then Chargebee is also used to collect the credit card information for the Account (ORCA uses the Chargebee and Stripe integration for this to ensure that ORCA does not become privy to our client’s credit card information at any point in time).

To perform the above tasks, Chargebee must have perfect working knowledge of: the exact details of every subscription (such as the number of Users, Vaults, Items and specific Features included), the start date of the subscription, the term, the billing details, the payment terms, etc. and any/all changes made to a subscription or billing details throughout the lifecycle of a client are maintained in Chargebee.

To perform the above tasks, Chargebee requires little information about the Account Owner:

Chargebee does not have access to any information about the Users invited to an Account (e.g Usernames, User Emails etc.) nor to the sensitive information stored in the ORCA Account.

Chargebee is GDPR compliant, and holds ISO 27001, SOC 1 and 2 and PCI/DSS Service Provider (Level 1) certifications. More information about the certification and other security and privacy related details can be found here.

The legal basis for processing is the provision of our services to you based on our contract with you.

Close

Close is ORCA’s CRM and customer success management tool. We use it to maintain an overview of all prospective and current clients as well as all our touch points/interactions with them.

In performing this task, Close becomes privy to the following information for all active and potential Users:

Close‘s GDPR and CCPA information can be found here and here respectively.

The legal basis for processing is the provision of our services to you based on our contract with you.

Slack

Slack is ORCA’s internal communication tool. It is used for day to day discussions within the team, part of which are reviews of the key pain points and use cases gathered during prospect and client meetings. Whilst we share a lot of insights from client meetings in Slack, we are committed to using code names for all clients / users in Slack during internal discussions.

Slack holds a number of certifications including ISO 27001, SOC 2 and 3, etc. More information regarding their certifications can be obtained here.

The legal basis for processing is the provision of our services to you based on our contract with you.

Google Workspace

Google Workspace is ORCA’s principal repository for all emails, documents, etc.

ORCA strives to keep the client specific data in Google Workspace to a minimum, however given its key function, Google Workspace is able to see the following information from anyone communicating with the ORCA team:

Within Google Workspace, reports are created that contain the following information:

Other than this ORCA does not store any other client specific information in Google Workspace.

Google holds all information security and IT service management certifications recognized in US and EU markets. More information about their certifications can be obtained here.

The legal basis for processing is the provision of our services to you based on our contract with you and our legitimate interests to internally organize and coordinate the provision of our services.

Notion

Notion is ORCA’s internal knowledge center. Notion is the centralised location for

Whilst product insights shared by clients, users and prospects are processed and stored in Notion, we are committed to using code names for all clients and to not revealing client names, emails and details (any private information) in Notion.

Notion is GDPR compliant and SOC 2 and ISO 27001 certified. More information about their certifications can be obtained here.

The legal basis for processing is the provision of our services to you based on our contract with you.

ChartMogul

ChartMogul is ORCA’s internal reporting tool. ChartMogul has an integration with Chargebee and periodically imports the following information about all Accounts:

Whilst product insights are shared by clients, users and prospects, we are committed to using code names for all clients and to not revealing client names, emails and details in Notion.

ChartMogul is GDPR compliant and SOC 2 certified. More information about their certifications can be obtained here.

The legal basis for processing is the provision of our services to you based on our contract with you.

Mailerlite

Mailerlite is ORCA’s tool to send group emails to Users and Prospects, such as:

(To opt-out of any of the above emails, please contact support@withorca.com)

In providing these services, Mailerlite becomes privy to the following information about ORCA’s Users:

Mailerlite data is stored in the European Union and is GDPR compliant. More information about the information security and compliance at Mailerlite can be found here.

The legal basis for processing is the provision of our services to you based on our contract with you and our legitimate interest to continually improve our services.

1password

1password is ORCA’s internal password manager for our team members. If one of ORCA’s clients invites any of our team members to be a User in their Account (which is the only way ORCA’s team can gain access to a client Account) then, ORCA stores the credentials for accessing the account in 1password. Additionally, all of the team members use 1password to store their credentials to internal tools.

The information stored in 1password is end-to-end encrypted. All the internal tools’ access are stored in 1password with the appropriate two factor authentication.

1password is GDPR compliant, SOC 2 certified and underwent through multiple independent assessments. More information about the information security, compliance and certifications at 1password can be found here.

The legal basis for processing is the provision of our services to you based on our contract with you.

Zoom

Zoom is one of ORCA’s video conferencing tools. We use it for virtual meetings, audio conferencing, webinars, meeting recordings, and live chat. Zoom is privy to the following information about every meeting held via Zoom:

Event content is protected by encrypting the session’s video, audio, and screen sharing. This content is protected during transit with 256-bit Advanced Encryption Standard (AES) using a one-time key for that specific session when all participants use a Zoom client.

Zoom holds numerous certifications, including SOC 2 & ISO 27001 certified and is GDPR compliant. More information about the information security, compliance and certifications at Zoom can be found here.

The legal basis for processing is the provision of our services to you based on our contract with you.

Calendly

Calendly is one of ORCAs meeting scheduling platforms. We use it to schedule meetings with prospects and clients. In performing this task, Calendly becomes privy to:

Calendly is GDPR Compliant and holds numerous certifications, including SOC 2 and 3 and ISO 27001. More information about the information security and compliance at Mailerlite can be found here.

The legal basis for processing is the provision of our services to you based on our contract with you.

SavvyCall

SavvyCall is one of ORCAs meeting scheduling platforms. We use it to schedule meetings with prospects and clients, especially those who book demos via the website. In performing this task, SavvyCall becomes privy to the following information:

SavvyCall is GDPR Compliant.

The legal basis for processing is the provision of our services to you based on our contract with you.

Docusign

Docusign is ORCA’s e-signature tool used to automate the signature of official documents and agreements, namely clients’ contracts. In performing this task, Docusign becomes privy to the following information:

The documents are encrypted during upload to the DocuSign eSignature service and remain so while stored there.

Docusign is GDPR compliant and SOC 2 and ISO 27001 certified. More information about their certifications can be obtained here.

The legal basis for processing is the provision of our services to you based on our contract with you.

You have substantial rights with regards to the information ORCA and our service providers have about you.

If you would like to review, correct, or update personal data that you have previously disclosed to us, you may do so by signing in to your ORCA Account (to amend your email address or subscription details) or by contacting us on privacy@withorca.com.

Clients who want to exercise their right to delete their data from ORCA need to submit their request to privacy@withorca.com. ORCA reserves the right to verify the identity of the requesting entity before complying with the request to ensure validity of the request. After validating your identity, your request shall be completed within 30 working days. We will erase personal data unless we are subject to legal requirements requesting us to retain data or we have legitimate interests to retain personal data.

Clients who want to exercise their right to access all their data from ORCA need to submit their request to privacy@withorca.com. ORCA reserves the right to verify the identity of the requesting entity before complying with the request to ensure validity of the request. After validating your identity, your request shall be completed within 30 days. The information in ORCA’s database is encrypted, therefore the information provided to you will be encrypted and can only be accessed using your authentication credentials.

You are entitled to complain to the supervisory authority if you deem our processing of your data is not in compliance with the legal requirements.

ORCA will not use or disclose your personal information other than for the purposes for which it was collected unless we receive your consent or are required to by law.

When providing information in response to a legal inquiry or order, we will verify its validity and disclose only the information legally required. ORCA will make reasonable efforts, within the bounds of the law, to notify you should your personal information be subject to disclosure.

ORCA is not directed to children under 18 years old. We do not knowingly collect personally identifiable information from children. If a parent or guardian becomes aware that their children’s information is available in an ORCA Vault without their consent, please contact us at privacy@withorca.com.

ORCA will retain personal data for the period necessary to fulfill the purposes outlined in this Privacy Notice unless a longer retention period is required or permitted by law.

Whilst no personally identifiable information is ever included, ORCA assembles aggregated data for any number of reasons including but not limited to improving our products and services, developing new ones or sharing it with third parties. . For example, we may tell a third party how many Users have subscribed to a particular service, but not identify  which clients are  subscribers.

Aggregate data is general information about groups of clients in which individual clients are not identified. ORCA reserves the right to assemble aggregated data based on any collected data, i.e. we may combine your information with that of other clients.

All of our rights and obligations under our Privacy Notice are freely assignable by us to any of our affiliates, in connection with a merger, acquisition, restructuring, or sale of assets, or by operation of law or otherwise, and we may transfer your information to any of our affiliates, successor entities, or new owner.

Our services are global. Data we use and process to run our ORCA business (as defined in the beginning of the document) can be shared with global service providers that are enlisted in this document. This information (encrypted or unencrypted) may be stored and processed in any country where we have operations or where we engage service providers, and we may transfer data to countries outside of your country of residence, including the United States, which may have data protection rules that are different from those of your country. However, we will take measures to ensure that any such transfers comply with applicable data protection laws and that your data remains protected to the standards described in this Privacy Notice. In certain circumstances, courts, law enforcement agencies, regulatory agencies or security authorities in those other countries may be entitled to access your data.

The data (sensitive information about Legal Entities, Assets, Persons and Files) stored inside ORCA’s zero-trust cloud is hosted in Switzerland (including production data and backups). Even though the sensitive data that ORCA is specifically used to protect is always stored in servers in Switzerland, the data's transfer depends on the User’s location, connection and set up. However, all such transfers are well protected and encrypted.

We may change this Privacy Notice. The “Last updated” legend at the top of this Privacy Notice indicates when this Privacy Notice was last revised. Any changes are effective when we post the revised Privacy Notice.

We may provide you with disclosures and alerts regarding the Privacy Notice or personal data collected by posting them on our website and, if you are a User, by contacting you through your email address listed in your ORCA account. You agree that electronic disclosures and notices have the same meaning and effect as if we had provided you with hard copy disclosures. Disclosures and notices in relation to this Privacy Notice or personal data shall be considered to be received by you within 24 hours of the time they are posted to our website or, in the case of Users, sent to you through one of the means listed in this paragraph.

If you have questions about our data security, please contact us any time privacy@withorca.com.