Privacy Policy
This policy explains what personal data OrcaTrade collects, why, how we protect it, who we share it with, and the rights you have over it. We deliberately collect as little personal data as possible, and we never sell it.
1. Who we are
OrcaTrade ("we", "us", "our") operates the trade-compliance and import-operations platform at orcatrade.pl. For the personal data described here, OrcaTrade is the data controller. You can reach us about privacy at privacy@orcatrade.pl.
2. What data we collect
| Category | What it is | Why |
|---|---|---|
| Account identity | Your email address. | To create your account and send you passwordless sign-in (magic) links and the emails you opt into. |
| Your import data | The plans and portfolios you build — product category, HS codes, origins/destinations, values, weights, payment terms. | To compute your landed costs, compliance obligations and recommendations, and to save them for you. |
| Monitoring & assistant data | Alerts raised on your saved plans, and any facts you ask the assistant to remember. | To provide the proactive monitoring and continuity features. |
| Usage analytics | Anonymous page-view counts (via Vercel Analytics), and product events that are anonymised at the moment they are recorded. | To understand which pages are useful. No behavioural profiling. |
| Billing | If you subscribe, payment is handled by Stripe; we hold a subscription record but not your card details. | To manage your subscription. |
We do not collect special-category data, and we ask you not to put personal data about other individuals into your plans.
3. How we protect it — data minimisation
Privacy is built into our data model:
- Your email is stored only as a one-way hash in our database and event logs. The raw address lives only where it is operationally required — the encrypted session cookie and our email provider.
- No passwords. We use magic-link sign-in, so there is no password for us to store or for anyone to steal.
- Encryption in transit is enforced (HTTPS/HSTS), and our application sets a strict set of security headers. See our Trust Centre.
4. Cookies & similar technologies
We keep cookies to a minimum and group them into two categories, which you control from the banner on your first visit and can change any time:
- Essential (always on) — a signed session cookie to keep you signed in, and a small preference store. These are necessary for the service and are not used for tracking.
- Analytics (off until you consent) — Vercel Analytics, which counts page views anonymously. No advertising or cross-site tracking cookies are used.
5. Legal bases (UK & EU GDPR)
- Performance of a contract — to provide the platform you signed up for (your account and saved plans).
- Legitimate interests — to keep the service secure and to understand aggregate, anonymised usage.
- Consent — for analytics cookies and any optional/marketing emails. You can withdraw consent at any time.
- Legal obligation — where we must retain records (e.g. for tax/accounting).
6. How long we keep it
- Saved plans and portfolios: retained while your account is active (and auto-expire after a period of inactivity).
- Monitoring alerts and assistant memory: retained while relevant, then aged out.
- Anonymised analytics/event data: retained in aggregate; it is not linked to you.
- When you delete your account, we erase your personal data and pseudonymise any remaining log entries — see section 8.
7. Who we share it with (sub-processors)
We use a small, deliberately limited set of infrastructure providers, each under a data-processing agreement. Some are located outside the UK/EU; where so, transfers are covered by appropriate safeguards (such as Standard Contractual Clauses or an adequacy decision).
| Provider | Purpose |
|---|---|
| Vercel | Application hosting & anonymous analytics |
| Neon | PostgreSQL database (durable records) |
| Upstash | Key-value store (sessions, cache) |
| Resend | Transactional email (sign-in links, digests) |
| Stripe | Payments & subscriptions |
| Anthropic | AI model provider for the assistant (zero-retention; we never send your raw email) |
We do not sell your personal data, and we do not share it for advertising.
8. Your rights
Under the UK GDPR and EU GDPR you have the right to access, rectify, erase and port your personal data, to restrict or object to its processing, and to withdraw consent. We make the two most important of these self-serve:
- Access & portability (Articles 15 and 20) — download a complete copy of your data from your Privacy & data page.
- Erasure (Article 17) — delete your account and data from the same page; this is immediate and irreversible.
For any other request, email privacy@orcatrade.pl. You also have the right to lodge a complaint with your data-protection authority — in the UK the ICO, or your local EU supervisory authority.
9. Security & disclosure
Our security controls are documented in the Trust Centre. If you believe you have found a vulnerability, our responsible-disclosure policy is at /.well-known/security.txt.
10. Changes to this policy
If we make material changes we will update this page and the "last updated" date above. Significant changes affecting your rights will be communicated to account holders.