Privacy Policy

Effective: May 3, 2026

This Privacy Policy explains what personal data OriHub collects, how it is used, and what rights you have over it. We aim for clarity and data minimization: we collect only what we need to operate the service.

This is a draft template. Replace each section with the legally-reviewed text appropriate to your jurisdiction (GDPR, CCPA, LFPDPPP, or others) before launching publicly.

1. Data we collect

  • Account data — name, business email, phone, company name, country, tax ID, role, and any details you provide during signup.
  • Operational data — shipments, quotes, invoices, attachments, and other content you create while using the platform.
  • Authentication data — hashed passwords, session tokens, and audit records (login times, IP address, user agent).
  • Diagnostic data — anonymized error reports (Sentry) and uptime probes (BetterStack) used to keep the service healthy.

2. How we use the data

  • To provide the service and authenticate you.
  • To verify email ownership during signup and to enable password recovery.
  • To maintain audit and security logs (legitimate-interest basis).
  • To improve reliability via aggregated, non-identifying telemetry.

We do not sell personal data. We do not use your operational data to train external models. We do not run programmatic advertising.

3. Sub-processors

OriHub relies on the following service providers, each contractually bound to the same protection standards:

  • Supabase — primary data store, authentication, storage.
  • Render — application hosting.
  • Resend — transactional email delivery (signup verification, password resets, alerts).
  • Sentry — error tracking (PII scrubbed before transmission).
  • BetterStack — uptime monitoring (no Customer Data).

4. Retention

  • Audit log — retained for 90 days, then automatically purged.
  • Operational data — retained while your account is active. Upon deletion request, removed within 30 days except where law requires longer retention (e.g. fiscal records).
  • Backups — point-in-time backups may extend retention by up to 30 days after deletion. They are encrypted at rest and not actively read.

5. Your rights

You may, at any time:

  • Access / Export — request a JSON export of your account data via GET /api/account/export (authenticated).
  • Deletion — request the deletion of your account via POST /api/account/delete-request. We log the request and complete it within 30 days.
  • Correction — update your profile from the application UI or contact support.
  • Object to specific processing — write to privacy@orihub.com.
  • Lodge a complaint with your local data-protection authority.

6. Security

We implement industry-standard security: HTTPS-only with HSTS, strict Content-Security-Policy, role-based access control, audit logging, encrypted storage, rate-limited authentication endpoints, and one-time tokens for sensitive actions. No system is perfectly secure; we encourage strong, unique passwords and recommend two-factor authentication where available.

7. International transfers

Our infrastructure providers operate primarily from the United States. By using OriHub you consent to the transfer of your data to those jurisdictions. Where applicable, we rely on Standard Contractual Clauses or equivalent legal mechanisms.

8. Changes to this policy

Material changes will be communicated via email to the address registered to your account, with at least 14 days' notice when feasible.

9. Contact

For privacy-related inquiries write to privacy@orihub.com.
