Privacy & Confidentiality Notice

Last updated: 4 October 2025

1) Scope & Roles

This notice explains how Orvenzia handles personal data and confidential information.

Website & business contacts: Orvenzia acts as Data Controller (EU GDPR).

Engagement delivery (client projects): Orvenzia acts as Processor (or joint Controller where agreed) under a written contract (MSA/SOW), a Mutual NDA, and a Data Processing Agreement (DPA). Where roles differ per workstream, the contract prevails.

2) Contractual Framework (NDA by default)

All project-specific information and deliverables are confidential and covered by a Mutual NDA by default. Our employees, contractors, and sub-processors are bound by confidentiality and access is least-privilege. If anything here conflicts with your contract/DPA/NDA, the contract supersedes this notice.

3) What We Process (business context only)

Identifiers: name, work email, role/title, company, phone (if provided).
Engagement data: RFPs, requirements, project communications, documents you share, meeting notes, approvals, and audit trails.
Technical/telemetry: IP address, device/agent, timestamps, and minimal service analytics (e.g., page views, referral) respecting your cookie settings.
Special categories: not intentionally collected. If you send such data, we restrict or delete unless required for legal claims.

4) What We Never Do

No marketing use. We do not use your personal data for newsletters, ads, profiling, or any third-party marketing.
No sale of data.
No training of public AI models on client-provided confidential data. Any optional private model tuning is contractual, opt-in and uses de-identified or synthetic data unless otherwise agreed in writing.

5) Purposes & Legal Bases (GDPR)

Service delivery & improvement (non-marketing): contract necessity (Art. 6(1)(b)); legitimate interests (Art. 6(1)(f)) to ensure quality, availability, and security.
Compliance & finance: legal obligation (Art. 6(1)(c)) for invoicing, accounting, sanctions checks where required.
Security, fraud prevention, audit: legitimate interests (Art. 6(1)(f)).
Recruitment (if you apply): steps prior to contract; consent where required.

6) Processors & Sub-processors

We use reputable providers (e.g., hosting, email, CRM, analytics, secure file transfer) under written DPAs and NDAs. They act only on our documented instructions. A current sub-processor list is available on request; we notify materially relevant changes per the DPA.

7) International Transfers & Data Residency

We prioritise EU/EEA data residency where feasible. If data is transferred outside the EEA/UK, we rely on EU Standard Contractual Clauses (SCCs) / UK IDTA/Addendum and implement additional safeguards as appropriate (e.g., encryption in transit, access controls).

8) Security (high level)

Encryption in transit; encryption at rest where supported by the platform.
Role-based access control, need-to-know, least-privilege, MFA where available.
Segregation of environments, logging, and change control.
Vendor due diligence and contractual security requirements.

No method is perfect, but we continuously improve our controls.

9) Incident Response & Breach Notification

We operate an incident process aligned with GDPR. For personal-data breaches, we will notify affected clients and—where required—authorities without undue delay and within 72 hours of awareness, including scope, impact, and mitigation steps.

10) Retention & Deletion

Prospect/business contact data: ~24 months after last interaction (earlier on request).
Client engagement records (project content): for the contract term and up to 6 years for legal/accounting.
Telemetry/analytics: per cookie settings and vendor retention windows.

On request or contract end, we return or delete client data within 30 days, unless longer retention is legally required or permitted by contract.

11) Analytics & Quality Improvement (non-marketing)

We may analyse aggregated/de-identified usage and outcomes to improve methods, benchmarks, and quality. This does not include using identifiable client confidential content for public AI training. You may opt out of improvement analytics for your account—contact us.

12) Lawful Requests & Disclosures

We do not disclose data to third parties except:

to our processors under contract;
where you instruct us or consent via contract;
where required by law/regulator/court with a valid order.

Where permitted, we will notify you in advance and limit the scope to the minimum legally required.

13) Children

Our services and site are not directed to children. We do not knowingly collect children’s data.

14) Your Rights (EU/EEA/UK)

You can access, rectify, erase, restrict, object, and request data portability. Where processing relies on consent, you can withdraw at any time. We respond within 30 days (extendable once if complex). To exercise rights or appoint an authorised agent, contact privacy@orvenzia.com. You can also complain to your local supervisory authority.

15) Changes to this Notice

We may update this notice to reflect changes in law or our practices. Material updates will be posted here with a new Last updated date and, where appropriate, notified to clients.