Privacy Policy

Last updated: 19 March 2026

1. Introduction

Ordro ("Ordro", "we", "us", or "our") is committed to protecting the privacy and personal data of our users. This Privacy Policy explains how we collect, use, store, share, and protect your personal data when you use the Ordro platform and services ("Service").

This policy is prepared in accordance with applicable UAE data protection laws. We also endeavour to comply with applicable data protection laws across the GCC region.

By using the Service, you acknowledge that you have read and understood this Privacy Policy. If you do not agree to the practices described in this policy, please do not use the Service.

2. Data Controller

Ordro is the data controller for your account information and usage data. For end-customer data that you enter into Ordro (your customers' names, phone numbers, orders, etc.), you are the data controller and Ordro acts as a data processor on your behalf.

For data protection enquiries, contact us at:

3. Personal Data We Collect

3.1 Account Data (provided by you)

When you create an account or use the Service, we collect:

  • Full name — to identify your account
  • Email address — for account authentication, service communications, and account recovery
  • Business name — to set up your business tenant
  • Business type — to customise your experience
  • Business logo — for display on your dashboard (optional)
  • Business hours — for operational settings (optional)
  • Password — stored in hashed form, never in plain text

If you sign up using a third-party provider (Google, Facebook, or Apple), we receive your name and email address from the provider. We do not receive or store your third-party passwords.

3.2 Business Data (entered by you into Ordro)

In the course of using the Service, you may enter data about your business operations, including:

  • Customer names, phone numbers, email addresses, and delivery addresses
  • Order details, amounts, and delivery information
  • Product catalogue information and pricing
  • Business notes and labels

You are the data controller for this data. You are responsible for ensuring that you have the legal right to collect and process your end-customers' personal data, including obtaining any necessary consent from your customers. Ordro processes this data solely on your behalf to provide the Service.

3.3 Automatically Collected Data

When you access the Service, we automatically collect:

  • IP address — for security, fraud prevention, and analytics
  • Device and browser information — type, operating system, browser version
  • Usage data — pages visited, features used, timestamps, and interaction patterns
  • Cookies and similar technologies — see Section 10 below

4. How We Use Your Data

We process your personal data for the following purposes, each with a lawful basis under applicable data protection law:

Purpose | Lawful Basis
Provide and operate the Service | Contract performance
Authenticate your identity | Contract performance
Send service notifications (e.g., trial expiry, billing) | Contract performance
Process payments and billing | Contract performance
Prevent fraud and abuse | Legitimate interest / Legal obligation
Improve the Service and fix bugs | Legitimate interest
Send marketing communications | Consent (opt-in only)
Comply with UAE law and regulations | Legal obligation
Generate anonymised analytics and benchmarks | Legitimate interest

We will not process your personal data for purposes incompatible with those stated above. If we need to process your data for a new purpose, we will notify you and, where required, obtain your consent.

5. Third-Party Processors

We use the following third-party service providers ("sub-processors") to operate the Service. Each processes data on our behalf and is bound by data processing agreements:

Provider | Purpose | Data Location
Supabase | Database, authentication, file storage | United States / EU
Railway | Application hosting | United States
Vercel | Website hosting (landing page) | Global CDN

We will update this list as our infrastructure evolves. We carefully evaluate each sub-processor to ensure they maintain adequate data protection standards.

6. Cross-Border Data Transfers

Your personal data may be transferred to and processed in countries outside the United Arab Emirates, including the United States and the European Union, where our infrastructure providers operate.

We ensure adequate protection for cross-border transfers through:

  • Standard contractual clauses with our sub-processors
  • Reliance on the contract performance basis (the transfer is necessary to provide you with the Service you signed up for)
  • Verification that sub-processors maintain appropriate technical and organisational security measures

By creating an account and using the Service, you explicitly consent to the transfer of your personal data outside the UAE for the purposes described in this policy.

7. Data Retention

We retain your personal data only for as long as necessary to fulfil the purposes for which it was collected:

Data Category | Retention Period | Reason
Account data | Duration of account + 30 days | Service delivery and data export grace period
Business data (orders, customers) | Duration of account + 30 days | Service delivery
Payment and invoice records | 5 years after transaction | Tax compliance as required by applicable law
Usage logs and analytics | 12 months | Security monitoring and service improvement
Consent records | Duration of consent + 2 years | Proof of consent compliance

After the retention period, data is permanently deleted or anonymised so that it can no longer be associated with you.

8. Your Data Protection Rights

Under applicable UAE data protection law, you have the following rights:

  • Right of access — Request a copy of all personal data we hold about you
  • Right to correction — Request correction of inaccurate or incomplete data
  • Right to erasure — Request deletion of your personal data, subject to legal retention requirements
  • Right to restrict processing — Request that we limit how we use your data
  • Right to data portability — Receive your data in a structured, machine-readable format (CSV or JSON)
  • Right to object — Object to processing of your data, particularly for direct marketing
  • Right regarding automated decisions — Object to decisions made solely by automated means that significantly affect you
  • Right to withdraw consent — Withdraw your consent at any time, as easily as you gave it

How to Exercise Your Rights

To exercise any of these rights, contact us at ordroteam@gmail.com. We will respond within 14 working days. We may need to verify your identity before processing your request.

If you believe your data protection rights have been violated, you have the right to lodge a complaint with the relevant data protection authority.

9. Data Security

We implement appropriate technical and organisational measures to protect your personal data against unauthorised access, alteration, disclosure, or destruction, including:

  • Encryption of data in transit using TLS/HTTPS
  • Encryption of data at rest at the database level
  • Row-level security (RLS) ensuring strict tenant data isolation — your data is never accessible to other users
  • Secure authentication with hashed passwords and multi-provider OAuth
  • Access controls limited to authorised personnel on a need-to-know basis
  • Regular security reviews of our infrastructure and dependencies

While we take all reasonable measures to protect your data, no system is completely secure. If you discover a security vulnerability, please report it immediately to ordroteam@gmail.com.

10. Cookies

We use cookies and similar technologies on the Service:

  • Essential cookies — Required for the Service to function (authentication, session management). These cannot be disabled.
  • Analytics cookies — Help us understand how users interact with the Service to improve functionality and performance. These are only set with your consent.

We do not use third-party advertising or tracking cookies. You can manage cookie preferences through your browser settings.

11. Data Breach Notification

In the event of a personal data breach that poses a risk to your rights:

  • We will notify the relevant authorities as required by applicable law
  • We will notify affected users without undue delay if the breach is likely to result in a high risk to your rights
  • Our notification will include: the nature of the breach, the data affected, likely consequences, and the measures we have taken or propose to take

12. Children's Data

The Service is intended for business users aged 18 and above. We do not knowingly collect personal data from individuals under 18 years of age. If you are under 18 years of age, you may not use the Service.

If we become aware that we have collected personal data from a minor without appropriate consent, we will take steps to delete that data promptly. If you believe we have inadvertently collected such data, please contact us at ordroteam@gmail.com.

13. GCC Regional Note

Ordro is designed for businesses operating in the UAE and GCC region. If you are located in a GCC country outside the UAE (Saudi Arabia, Bahrain, Qatar, Oman, or Kuwait), your use of Ordro may also be subject to the data protection laws of your jurisdiction.

We endeavour to comply with applicable data protection laws across the GCC region.

If you are accessing Ordro from outside the UAE and GCC region, please be aware that your data will be processed in accordance with UAE law.

14. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. When we make material changes:

  • We will notify you by email at least 30 days before the changes take effect
  • We will display a notice within the Service
  • We will update the "Last updated" date at the top of this page

We encourage you to review this policy periodically. Your continued use of the Service after the effective date constitutes acceptance of the updated policy.

15. Contact Us

If you have any questions, concerns, or requests regarding this Privacy Policy or the processing of your personal data, please contact us:

© 2026 Ordro. All rights reserved.