Last Updated: 24th May 2018

Key Messages

  • Orca provides zero-knowledge cloud storage; Orca and our service providers can NOT decrypt the information you enter/upload to Orca.
  • Orca is committed to data privacy by design. We are EU General Data Protection Regulation (GDPR) compliant and only work with service providers that are GDPR and/or Privacy Shield compliant.
  • This Privacy Notice applies to all data collected when you use Orca’s software. If you have any question or feedback about it, please send an email to privacy@orca.xyz. We will be very happy to assist you.
  • Thank you for trusting and using Orca!

Contents

This Privacy Notice outlines

  1. WHICH information Orca and our service providers collect and can access about you, and
  2. WHAT this information is used for / WHY we need to collect/access this information (neither Orca nor our service providers ever collect information about you without a reason).

Which information Orca and our service providers can access about you

Orca is committed to protecting your privacy! Orca and our service providers can NOT access the sensitive Asset, Contact or File related information you store/protect in Orca. ONLY you can access this information.

The only information Orca and our service providers can access about you is

  1. the information Orca needs to run/operate Orca’s software, and
  2. what our service providers need to provide Orca/you services.

This information includes personal data such as: your name, address, billing information. It does NOT include the sensitive information you specifically use Orca to store/protect.

The information Orca and our service providers need access to can not be encrypted in the same way as the sensitive information you use Orca to store/protect. We need to be able to access it to provide our services and with respect to personal data subject to the GDPR, the legal basis for processing the personal data listed above is our necessity to use said personal data for the performance of the contract we have with you.

To ensure your privacy is as guarded as possible/practical, Orca does our utmost to limit the information we and our service providers can access about you to the least possible/practical. The exact information required is listed below. Any information entered into Orca that is not listed below is encrypted and stored in such a way that neither Orca nor our service providers can decipher it (e.g. the specifics of your Assets, Contacts, Files etc.). We refer to this approach as zero-knowledge. For more information about our zero-knowledge cloud storage and how we encrypt your data, please see our Security White Paper.

Orca needs access to the following information about you to run/operate our software

Orca collects and stores the following information about you when you use our software.


AUTHENTICATION DATA

To use Orca’s service you need to authenticate. To authenticate clients, Orca needs to know:

  • Your email.
  • Your authentication token

Orca can NOT infer your password or access your account.


DATABASE

Due to the nature of our database we can observe the following about your account:

  • The number of Files stored in your account.
  • The size of each File (e.g. 11.4mb).
  • The combined number of entities stored in your account. Example: we can tell that you have 100 entities in your account (some of which are Contacts, some are Assets and some are Files).Whilst we know the total number of entities, we can only identify how many are Files. We can NOT identify how many are Contacts and how many are Assets.
  • The date on which each entity was created.
  • The date on which each entity was last amended.

We do NOT know anything specific about your Assets, Contacts and Files. For example, we do NOT know/cannot access any personal data such as:

  • The names of Assets, Contacts or Files,
  • The pictures for Assets or Contacts,
  • The contact details (address, telephone numbers or email addresses) for Contacts,
  • The contents of your notes for Assets, Contacts or Files.


SECURITY

To help increase the security of your data, it is necessary for us to know:

  • IP address from which the user logged in
  • User-Agent of your browser

The legal basis for processing this data is our legitimate interests in applying appropriate security measures for the provision of our services.

Orca’s service providers need access to the following information about you to provide Orca/you with services

Orca believes the best way we can provide value is to focus on developing our core offering and engage carefully selected vendors to provide/support all ancillary services. Carefully selected = subjected to thorough security and privacy assessments.

Whilst we reserve the right to determine which vendors we engage for which purposes, we commit to 100% transparency, i.e. we will always communicate which service providers we engage for what.

True to our commitment to your privacy, Orca strives to ensure our service providers can access as little information about you as possible. We only share information about you with a service provider if it is a) integral for them to provide the desired service, or b) legally required. For instance, we must share certain information about you with our payment provider (Stripe) for them to be able to process payments (e.g. your name and billing address), whereas our file storage provider does NOT need to know the contents of your files in order to be able to store them (files are encrypted on your device and sent to the file storage provider encrypted).

For details on which service providers we use, what we use them for, and what information each can access about you, see below. The list contains all service providers Orca uses that are privy to client information. It is NOT an exhaustive list of all service providers Orca uses. Any service provider(s) we use that do NOT process personal data about you are not listed.


STRIPE

Stripe is Orca’s payment provider. We use Stripe to process credit card payments (example: for Orca’s subscription fee).

As a regulated financial entity, Stripe is required by law to collect certain client specific data when conducting their business. They must however also adhere to very strict guidelines as to how to store/protect this sensitive information. Stripe is a certified PCI/DSS Service Provider (Level 1). More information about how Stripe treats security and privacy can be found here.

If you pay for your Orca subscription via credit card, the following information about you is shared with Stripe:

  • your name
  • your email address, and
  • your credit card information (including billing address etc.).

Please note that Orca’s use of Stripe as a payment provider means we never need to know your credit card information (only Stripe needs to know your credit card details). Should a representative of Orca ever ask for your credit card information, please do not provide it and inform us immediately via privacy@orca.xyz.

The legal basis for processing is the provision of our services to you based on our contract with you.


CHARGEBEE

Chargebee is Orca’s subscription management tool. We use Chargebee to manage the key information regarding each user’s subscription. For example, what product(s) you subscribed to, as of when you subscribed, for how long etc. Any/all changes made to your subscription are stored in Chargebee. For instance changing your payment method, prolonging your subscription, etc.

In addition to using Chargebee to manage your subscription details, if you elect to pay for Orca via credit card we will also use Chargebee to collect your credit card information - Chargebee and Stripe are integrated. This integration ensures Orca at no point in time becomes privy to your credit card information.

To perform above tasks, Chargebee requires access to the following information about you:

  • your name,
  • your email,
  • your address,
  • your subscription details (incl. product, currency, price, start date, length etc.), and
  • your credit card information (only if you pay via credit card).

Chargebee is a certified PCI/DSS Service Provider (Level 1). More information about the certification and other security and privacy related details can be found here.

The legal basis for processing is the provision of our services to you based on our contract with you.


XERO

Xero is Orca’s accounting software. We use Xero to reconcile our accounts and generate periodic profit and loss statements as well as our balance sheet.

In the process of performing these functions, Xero becomes privy to the following information about you:

  • your name,
  • your email,
  • your address, and
  • how much you paid for Orca.

Xero‘s SOC2 (Service Organizational Control) report can be requested here. This is a highly valued certification for US based service providers.

The legal basis for processing is the provision of our services to you based on our contract with you as well as fulfilling mandatory legal requirements with respect to bookkeeping and accounting.


FLOAT

Float is Orca’s liquidity forecasting tool. We use Float to forecast revenues and expenses and to reconcile forecasted with realised cash flows.

In the process of performing these functions, Float becomes privy to the following information about you:

  • your name, and
  • how much you paid for Orca.

The legal basis for processing is the provision of our services to you based on our contract with you.


INTERCOM

Orca uses Intercom to

  1. provide live chat within our app (any time you chat with an Orca representative within the app the chat takes place via Intercom) and
  2. monitor your general satisfaction with Orca.

Live chat helps Orca ensure you have quick and easy access to support any time you have a comment/question. Monitoring your general satisfaction with Orca ensures we can actively help you get the maximum benefit from Orca.

In providing these services, Intercom becomes privy to the following information about you:

  • your name,
  • your subscription details (all the information Chargebee knows),
  • any personal details you share in conversation with Orca (Please note that there should not be need to mention any personal details in the chat), and
  • general information about your usage of the Orca app (such as session length, etc.).

Intercom publishes SOC2 (Service Organizational Control) report. This is a highly valued certification for US based service providers. Intercom also complies with EU-US Privacy shield framework and is member of Cloud Security Alliance. More information about information security and compliance at Intercom can be found here.

The legal basis for processing is the provision of our services to you based on our contract with you and our legitimate interest to continually improve our services.


SWISSCOM APPLICATION CLOUD

Orca uses Swisscom Application Cloud for cloud storage and backup. Whilst Swisscom stores and backs-up all the information you upload to Orca (all of the details regarding your Assets, Contacts and Files as well as the Files themselves), Swisscom can NOT access any of this information. All of the information you enter into Orca is encrypted on your device before being sent to Swisscom. Swisscom can NOT

  • read any of information or Files you store in Orca, nor
  • infer your password or access your account.

The only information Swisscom can access is the same information Orca can access about the database (see Orca needs access to the following information about you to run/operate our software → Database).

Swisscom is one of the principle cloud service providers in Switzerland. All their data centers are physically located in Switzerland and they hold a number of industry recognized information security and IT service management certifications (see here).

The legal basis for processing is the provision of our services to you based on our contract with you.


PIPEDRIVE

Pipedrive is Orca’s CRM. We use it to maintain an overview of all current and prospective clients as well as all of our touch points/interactions with them.

In performing this task, Pipedrive becomes privy to the following information:

  • your name,
  • your contact details,
  • your email interactions with Orca, and
  • dates, times and high level details of any interactions between Orca and you (be it a meeting, phone call, meal etc.).

Pipedrive‘s SOC2 (Service Organizational Control) report can be found here. This is highly valued certification for US based service providers.

The legal basis for processing is the provision of our services to you based on our contract with you.


EVERNOTE

Evernote is Orca’s central repository for strategic planning materials. It contains an overview of all key insights/thoughts gained during client meetings, all internal product concepts and general notes regarding Orca’s strategic vision.

Evernote was chosen as custodian of this highly sensitive data based on its ability to aggregate key information on any topic quickly and comprehensively.

We store the following information about you in Evernote:

  • your name,
  • your contact details,
  • your device preferences (e.g. mobile, tablet, laptop, exact brand and model etc.),
  • your key pain points and use cases (e.g. to quickly retrieve all tax relevant documents, identify if I am missing an important document etc.), and
  • rough indications for the types and volumes of data you consider storing in Orca (e.g. I have 1’000 contacts and 400 documents etc.).

The legal basis for processing is the provision of our services to you based on our contract with you.


GSUITE

GSuite is Orca’s key internal collaboration tool. It is our principal repository for all emails, documents etc.

Orca keeps the client specific data stored in GSuite to an absolute minimum. Other than email correspondence (product updates, general enquiries, etc.) and your contact details (name, email, telephone number etc.), we do not store any other client specific information about you in GSuite.

Google holds all information security and IT service management certifications recognized in US and EU markets. More information about their certifications can be obtained here.

The legal basis for processing is the provision of our services to you based on our contract with you and our legitimate interests to internally organize and coordinate the provision of our services.


MAILGUN

Mailgun is a tool to distribute email communications to our clients. For example the initial email validation and confirmation email.

We share the following information about you with Mailgun:

  • your email address.

The legal basis for processing is the provision of our services to you based on our contract with you.

Your Rights

You have substantial rights with regards to the information Orca and our service providers have about you.

Right to access and/or change your personal data

If you would like to review, correct, or update personal data that you have previously disclosed to us, you may do so by signing in to your Orca account or by contacting us on privacy@orca.xyz.

Right to erasure (“right to be forgotten”)

Customers who want to exercise their right to delete their data from Orca need to submit their request to privacy@orca.xyz. Orca reserves the right to verify the identity of requesting entity before complying with the request to ensure validity of the request. We will erase personal data unless we are subject to legal requirements requesting us to retain data or we have legitimate interests to retain your personal data.

Right to access

Customers who want to exercise their right to access all their data from Orca need to submit their request to privacy@orca.xyz. Orca reserves the right to verify the identity of requesting entity before complying with the request to ensure validity of the request.

Right to complain to a supervisory authority

You are entitled to complain to the supervisory authority if you deem our processing of your data is not in compliance with the legal requirements.

General principles regarding your data

Limiting Use and Disclosure

Orca will not use or disclose your personal information other than for the purposes for which it was collected unless we receive your consent or are required to by law.

When providing information in response to a legal inquiry or order, we will verify its validity and disclose only the information legally required. Orca will make reasonable efforts, within the bounds of the law, to notify you should your personal information be subject to disclosure.

Retention

Orca will retain personal data for the period necessary to fulfill the purposes outlined in this Privacy Notice unless a longer retention period is required or permitted by law.

Aggregated Data

Orca may assemble aggregated data for any number of reasons including but not limited to improving our products and services or developing new ones. To this end, we reserve the right to share aggregated data with third parties so long as no personally identifiable information is included in the aggregated data. For example, we may tell a third party how many users have subscribed to a particular service, but not identify that you personally are a subscriber.

Aggregate data is general information about groups of clients in which individual clients are not identified. Orca reserves the right to assemble aggregated data based on any collected data, i.e. we may combine your information with that of other clients.

Assignment, Change of Control, and Transfer

All of our rights and obligations under our Privacy Notice are freely assignable by us to any of our affiliates, in connection with a merger, acquisition, restructuring, or sale of assets, or by operation of law or otherwise, and we may transfer your information to any of our affiliates, successor entities, or new owner.

Jurisdiction and Cross-Border Transfer

Our services are global. Data we use and process to run our Orca business (as defined in the beginning of the document) can be shared with global service providers that are enlisted in this document. This information (encrypted or unencrypted) may be stored and processed in any country where we have operations or where we engage service providers, and we may transfer data to countries outside of your country of residence, including the United States, which may have data protection rules that are different from those of your country. However, we will take measures to ensure that any such transfers comply with applicable data protection laws and that your data remains protected to the standards described in this Privacy Notice. In certain circumstances, courts, law enforcement agencies, regulatory agencies or security authorities in those other countries may be entitled to access your data.

Your data (sensitive information about your assets, contacts and files) stored inside the zero-knowledge cloud storage (Orca platform) are hosted only in Switzerland (with offerings of our service provider - Swisscom). That includes the production data and its backups. Your data may be transferred outside of Switzerland only if you connect to our platform from a location outside of Switzerland. However all such transfers are well protected and encrypted.

Updates to This Privacy Notice and Notifications

We may change this Privacy Notice. The “Last updated” legend at the top of this Privacy Notice indicates when this Privacy Notice was last revised. Any changes are effective when we post the revised Privacy Notice.

We may provide you with disclosures and alerts regarding the Privacy Notice or personal data collected by posting them on our website and, if you are a user, by contacting you through your email address listed in your Orca account. You agree that electronic disclosures and notices have the same meaning and effect as if we had provided you with hard copy disclosures. Disclosures and notices in relation to this Privacy Notice or personal data shall be considered to be received by you within 24 hours of the time they are posted to our website or, in the case of users, sent to you through one of means listed in this paragraph.

Did this answer your question?