Privacy Policy

How Ordak collects, uses, and protects information you share with us.

Effective 22 April 2026

This is a drafted template. Review with qualified legal counsel before relying on it. Nothing here is legal advice.

Who we are

This privacy policy applies to the Ordak marketing site at ordak.io. The data controller is Ordak (the legal entity operating the Ordak products), contactable at privacy@ordak.io. The Ordak product apps (ordak.app, app.ordak.io, and related) are covered by their own privacy policies linked from inside each app.

What this policy covers

This document covers the marketing site only — what happens when you visit ordak.io, read the content, and optionally submit a contact, trial, demo, waitlist, or sales form.

Information we collect

When you use the marketing site, we collect:

Information you give us voluntarily through a form:

  • Email address
  • Name (optional)
  • Company (optional)
  • Product interest (which Ordak product the form is about)
  • Intent (trial, waitlist, demo, or contact)
  • A free-text note (optional)

Information collected automatically when you submit a form:

  • An SHA-256 hash of your IP address (used only for rate limiting; the raw IP is not stored)
  • The page path you submitted from
  • The URL parameters utm_source, utm_medium, utm_campaign, utm_content, utm_term if present
  • The HTTP Referer header
  • The browser User-Agent string
  • Timestamp

Information collected by analytics (only if you accept analytics cookies):

  • Pageviews and click events on CTAs
  • Anonymous usage patterns

These are collected by PostHog. You can opt out of analytics cookies at any time — by default analytics runs in memory-only mode without cookies until you click Accept all in the cookie banner.

Why we collect it

  • Form submissions: to respond to your inquiry, enrol you in a trial or waitlist, or schedule a demo.
  • UTM + referrer + user agent: to understand which channels bring customers to Ordak so we can invest in what works.
  • IP hash: to rate-limit abusive submissions. We cannot recover the original IP from the hash.
  • Analytics (with consent): to understand which content resonates and improve the site.

Where GDPR or similar law applies:

  • Contact, trial, demo, waitlist submissions: processed under your consent (you submitted the form) and/or our legitimate interest in responding to business inquiries.
  • Marketing analytics: processed under your explicit consent via the cookie banner. You can withdraw consent at any time by clearing site data in your browser or contacting us.

Who has access

Access to submitted data is restricted to Ordak staff who need it to respond to your inquiry. We store form submissions in a managed database (Supabase, hosted in Sydney, Australia) and send confirmation and notification emails via Resend (hosted in the United States).

Sub-processors

The marketing site relies on the following third-party services. Each processes limited personal data on our behalf:

  • Supabase — managed Postgres database; stores form submissions. Region: ap-southeast-2 (Sydney).
  • Resend — sends the confirmation email to you and a notification email to our sales inbox. Region: US.
  • Upstash — Redis used for per-IP rate limiting. Region: ap-southeast-2 (Sydney) where available; US otherwise.
  • PostHog — product analytics, cookieless by default. Region: US.
  • Sentry — error monitoring, captures error traces and a limited set of context. Region: US.
  • Vercel — web hosting, which sees HTTP requests as they’re served. Region: global edge, origin US.

We do not sell personal data. We do not use personal data for advertising.

Retention

We keep form submissions as long as they are useful for responding to the inquiry and staying in touch. On request we will delete submissions associated with your email address within 30 days, subject to any legal obligation we have to retain them.

Analytics events, when recorded, are kept by PostHog under their default retention.

Your rights

Depending on your jurisdiction, you have the right to:

  • Access the data we hold about you
  • Request correction of inaccurate data
  • Request deletion of your data
  • Withdraw consent to analytics at any time
  • Object to or restrict processing
  • Lodge a complaint with a supervisory authority (for EU/UK residents: your local data protection authority; for Australian residents: the OAIC)

To exercise any of these rights, email privacy@ordak.io from the address associated with the data. We aim to respond within 14 days.

Cookies

The marketing site does not set its own cookies by default. PostHog analytics sets cookies only if you click Accept all in the cookie banner; until then it runs in memory-only mode. Essential operational cookies (e.g. session continuity if you log into the Ordak app from a link on this site) are set by the destination site, not ordak.io.

Security

We use industry-standard measures (TLS in transit, managed databases with access controls, least-privilege service-role keys scoped to server code) to protect submitted data. No system is perfectly secure.

Updates to this policy

If we change this policy materially, we’ll update the effective date at the top and, where reasonable, flag the change on the site. The current version always lives at ordak.io/legal/privacy.

Contact

For anything privacy-related, email privacy@ordak.io.