Privacy Policy
Version 1.1 · Effective May 9, 2026
How Orchesty handles personal data on the website and within Orchesty Cloud.
At Orchesty, we take a "Privacy by Design" approach. This policy explains how we collect, use, and protect your personal data when you use our website and the Orchesty Cloud platform.
1. Data Controller and Roles #
- Data Controller: Orchesty Solutions s.r.o., registered office at Chládkova 898/2, Žabovřesky, 616 00 Brno, Czech Republic (Company ID: 02063450, VAT ID: CZ02063450). Contact: info@orchesty-solutions.com.
- Our Role: For website visitors and sales leads, we act as a Data Controller. For data processed within Orchesty Cloud instances by our customers, we act as a Data Processor.
2. Information We Collect #
A. Website and Marketing (Marketing Data) #
- Contact Information: Name, email, and company details provided via contact forms or registration.
- Usage Data: IP address, browser type, and interaction with our website.
- Analytics: We use Google Analytics 4 with IP anonymisation to understand website traffic and improve user experience. Analytics is loaded only with your explicit consent given through our cookie banner; without consent we use Google Consent Mode v2, which transmits anonymous, aggregated signals without setting analytics cookies. See section 9 below for details.
B. Platform and Support (System Data) #
- Account Data: Email address, encrypted password, and billing information (processed securely via Stripe).
- Support Data: Technical details and communication provided via Jira Service Management for helpdesk support.
- Infrastructure Logs: System-level logs (access logs, performance metrics) for security and stability.
3. Data Processing and "Zero-Knowledge" Commitment #
As a Data Processor, Orchesty Cloud is designed to act as a secure conduit for your data:
- Encrypted Pipelines: Data persisted in queues during transit is encrypted and not accessible by Orchesty employees.
- No Automatic Payload Logging: Our system logs only metadata (timestamps, status codes). We strictly do not log the content (payload) of the messages passing through your integrations.
- User-Controlled Audit Logs: Only you, through your specific configuration, can choose to include payloads in audit logs for debugging. This remains under your sole responsibility as the Data Controller.
4. Data Sub-Processors and Storage Location #
To provide our service, we use trusted third-party providers. All data processed within the platform is stored in the EU (Region: europe-west1, Belgium).
- Google Cloud Platform (GCP): Primary infrastructure and data storage (EU West 1).
- Stripe: Secure payment processing.
- Jira Service Management: Helpdesk and technical support.
- Pipedrive: Sales and CRM management.
- Ecomail: Email communication and newsletters.
- Google Analytics: Website usage statistics.
5. Data Retention #
- Account Data: Retained for the duration of your active subscription.
- Platform Logs: Subject to your plan's retention policy (maximum 30 days) or until storage capacity is reached.
- Marketing Data: Retained until you opt-out or request deletion.
6. Your Rights (GDPR) #
Under the GDPR, you have the following rights:
- Access & Portability: Request a copy of your personal data.
- Rectification: Correct inaccurate or incomplete data.
- Erasure: Request deletion of your account and associated personal data.
- Object to Processing: Unsubscribe from marketing communications at any time via the "unsubscribe" link.
7. Security #
We implement industry-standard security measures, including TLS encryption for data in transit and AES-256 for data at rest. Access to infrastructure is restricted via multi-factor authentication (MFA) and strictly limited to authorized personnel only.
8. Data Processing within the Platform #
For information regarding how we process data transmitted through Orchesty Cloud on behalf of our customers (acting as a Data Processor), please refer to our Data Processing Agreement (DPA). This document outlines our technical security measures, sub-processors, and location of data storage.
9. Cookies and Similar Technologies #
We use a small number of cookies and equivalent browser-storage entries on orchesty.io. Non-essential cookies are loaded only after you give consent through the cookie banner that appears on your first visit. You can change or revoke your choice at any time via the Cookie settings link in the footer.
Categories #
- Essential (always on) — required for the site to function. Currently a single
localStorageentry (orchesty.cookieConsent.v1) stores your cookie decision so we don't ask again on every page. No identifiers are sent to third parties. - Analytics (opt-in) — Google Analytics 4 with IP anonymisation, used for aggregated traffic statistics. Data retention is set to 14 months.
- Marketing (opt-in, currently inactive) — kept as a separate category so your preference is respected if we ever introduce ad personalisation or remarketing. No marketing technologies are loaded today.
Specific cookies and storage entries #
| Name | Category | Provider | Lifetime | Purpose |
|---|---|---|---|---|
orchesty.cookieConsent.v1 | Essential | First-party (localStorage) | Persistent until you clear it or revoke consent | Stores your cookie banner decision |
_ga | Analytics | Google (.orchesty.io) | 13 months | Distinguishes unique users |
_ga_<container-id> | Analytics | Google (.orchesty.io) | 13 months | Persists session state for GA4 |
Google Consent Mode v2 #
Before you make a choice — and continuously if you reject analytics — gtag.js loads in denied mode. In this mode Google receives only anonymous, aggregated cookieless pings (no analytics or advertising cookies are written, no individual user identifiers are transmitted). Once you accept analytics, full GA4 measurement activates and the cookies above are set. Rejecting analytics later removes them on your next visit.
Opting out at the browser level #
In addition to our banner, you can opt out of GA tracking using Google's official browser add-on or by clearing site data via your browser's privacy settings.