ordalis.io
Sign inStart free
ProductSolutionsDevelopersPricingTrust
Sign inStart free
Legal

Privacy Policy

How Ordalis collects, uses, stores, and protects your information. We are committed to transparency and your right to control your data.

Effective date April 22, 2026Governing law Utah

1. Introduction

Ordalis LLC, a Utah limited liability company with its principal place of business at 5693 Sierra Grande Drive, Taylorsville, Utah 84129 ("Ordalis," "we," "us," or "our"), operates the ordalis.io website and the Ordalis API (collectively, the "Service"). This Privacy Policy describes how we collect, use, disclose, and protect your personal information when you use our Service.

By using the Service, you agree to the collection and use of information in accordance with this policy. If you do not agree with the terms of this Privacy Policy, please do not access or use the Service.

2. Information We Collect

2.1 Account Information

When you create an account, we collect:

  • Email address — used for authentication, billing communications, and service notifications
  • Password — stored as a salted hash using PBKDF2-SHA256 (we never store plaintext passwords)
  • Plan and billing information — your subscription tier and payment status

2.2 Files and Documents

When you use the Service to process documents, we temporarily receive:

  • Uploaded files — PDFs, images, and other documents you submit for conversion
  • Extracted data — the structured output (JSON, CSV, XLSX) generated from your documents

Important: Source files are deleted by default immediately after processing. Extracted results are cached temporarily to improve performance on repeated requests and are subject to our data retention policy.

2.3 Usage Data

We automatically collect certain information when you interact with the Service:

  • IP addresses — for rate limiting, security monitoring, and abuse prevention
  • API request metadata — endpoints called, response times, status codes, and request timestamps
  • Conversion metadata — file types processed, output formats, file sizes, and processing duration
  • User agent information — browser type, operating system, and device information

2.4 Cookies

We use only essential cookies required for the Service to function:

  • Authentication tokens — JWT-based session cookies to keep you signed in
  • CSRF protection — security tokens to prevent cross-site request forgery

We do not use advertising cookies, tracking pixels, or third-party analytics cookies. We do not participate in cross-site behavioral tracking.

3. How We Use Your Information

We use the information we collect for the following purposes:

PurposeData UsedLegal Basis (GDPR)
Document processing and AI extractionUploaded filesContract performance
Account management and authenticationEmail, password hashContract performance
Billing and subscription managementEmail, plan informationContract performance
Service analytics and improvementUsage data, conversion metadataLegitimate interest
Security and abuse preventionIP addresses, request metadataLegitimate interest
Service notifications and updatesEmail addressLegitimate interest

We do not use your uploaded documents or extracted data to train AI models. Your data is processed solely for the purpose of providing the conversion service.

4. Third-Party Processors

We share data with the following third-party service providers who process data on our behalf:

ProviderPurposeData Shared
CloudflareInfrastructure, CDN, edge computing, storage, AI inference (Workers AI), transactional email (Workers, D1, R2, KV, Workers AI, Email Routing)All service data — including document content for AI extraction — transits through Cloudflare and never leaves the Cloudflare network. Workers AI does not train on customer prompts.
StripePayment processing and subscription billingEmail address and payment information

Each third-party processor is contractually bound to process your data only as instructed by us and to maintain appropriate security measures. We do not sell your personal information to any third party.

5. Data Retention

5.1 Default Retention Periods

  • Source files (uploads): Retained for the duration of processing. After you delete a conversion, the source file and record are kept for 365 days before permanent removal, to meet legal, tax, and audit retention obligations.
  • Extracted results: Cached for up to 90 days, then automatically purged. After you delete a conversion, extracted results are retained on the same 365-day schedule as the source file.
  • Account data: Retained while your account is active. On closure, account metadata is kept for 365 days alongside any soft-deleted conversions before permanent erasure.
  • Usage logs and metadata: Retained for 90 days for analytics and security purposes.
  • Audit logs: Retained for 90 days (longer for enterprise accounts).

5.2 Immediate Deletion Requests

If you require removal of your data sooner than the 365-day retention window — for example, to exercise your GDPR or CCPA right to erasure — submit a request via the Data Deletion Request form. We verify your identity and complete deletion within 30 days of receipt, as required by GDPR Article 17 and CCPA §1798.105.

5.3 Enterprise Configuration

Enterprise customers may configure custom data retention periods, including shorter retention windows for compliance with industry-specific regulations. Contact us for details.

5.4 Legal Hold

Workspaces subject to a legal hold are exempt from automatic retention expiry. Data is preserved in place until the hold is lifted.

6. Data Security

We employ industry-standard security measures to protect your data:

  • Encryption in transit: All data is transmitted over TLS 1.3
  • Encryption at rest: All stored files are encrypted with AES-256-GCM
  • Password security: Passwords are hashed using PBKDF2-SHA256 with unique salts
  • API key security: API keys are stored as hashed values; only the prefix is visible to users
  • Infrastructure: All services run on Cloudflare's global edge network with built-in DDoS protection

For more details on our security practices, see our Security Practices page.

7. Your Rights

7.1 Access and Export

You have the right to access and export your personal data. You can request a full export of your data via the API:

GET /v1/data/export

This will return all personal data we hold about you, including account information, conversion history, and usage metadata.

7.2 Deletion

You have the right to request deletion of your personal data. Three paths are available:

  • In-app deletion: From your dashboard, click Delete on any conversion. The record and source file are marked deleted and purged permanently after 365 days.
  • API: DELETE /v1/conversions/:id for a single conversion, or DELETE /v1/data to wipe your entire account. Both follow the same 365-day retention schedule for legal and audit reasons.
  • Data Deletion Request form: For immediate removal bypassing the retention window, submit the Data Deletion Request form. We'll verify your identity and complete deletion within 30 days.

Retention beyond deletion exists solely to meet legal, tax, and audit obligations. Data is not processed for any other purpose during the retention window, and workspaces under legal hold are exempt from automatic expiry.

7.3 Data Portability

You have the right to receive your data in a structured, commonly used, machine-readable format. The data export endpoint provides your data in JSON format, which can be transferred to another service provider.

7.4 Rectification

You have the right to request correction of inaccurate personal data. You can update your email address and account information through your account settings or by contacting us.

7.5 Objection and Restriction

You have the right to object to processing of your personal data based on legitimate interest. You may also request restriction of processing in certain circumstances. Contact us at privacy@ordalis.io to exercise these rights.

8. GDPR Compliance

If you are located in the European Economic Area (EEA), the United Kingdom, or Switzerland, you have the following additional rights under the General Data Protection Regulation (GDPR):

  • Right to be informed about how your data is processed (this Privacy Policy)
  • Right of access to your personal data
  • Right to rectification of inaccurate data
  • Right to erasure ("right to be forgotten")
  • Right to restrict processing
  • Right to data portability
  • Right to object to processing
  • Rights related to automated decision-making and profiling

To exercise any of these rights, contact us at privacy@ordalis.io. We will respond to your request within 30 days. A Data Processing Agreement (DPA) is available for Enterprise customers upon request.

9. CCPA Compliance

If you are a California resident, you have the following rights under the California Consumer Privacy Act (CCPA):

  • Right to Know: You may request disclosure of the categories and specific pieces of personal information we have collected about you
  • Right to Delete: You may request deletion of your personal information
  • Right to Opt-Out: You may opt out of the sale of your personal information. Note: we do not sell personal information
  • Right to Non-Discrimination: We will not discriminate against you for exercising your CCPA rights

To submit a CCPA request, contact us at privacy@ordalis.io or use the data export and deletion API endpoints described above. We will verify your identity before processing your request and respond within 45 days.

10. Children's Privacy

The Service is not directed to individuals under the age of 16. We do not knowingly collect personal information from children. If we become aware that a child under 16 has provided us with personal information, we will take steps to delete such information promptly.

11. International Data Transfers

Your data may be processed in data centers located outside your country of residence. Cloudflare operates a global edge network with 300+ data centers worldwide. We ensure that any international transfer of personal data is subject to appropriate safeguards, including Standard Contractual Clauses (SCCs) where required by applicable law.

12. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of any material changes by posting the updated policy on this page and updating the effective date. For significant changes, we will send a notification to the email address associated with your account.

We encourage you to review this Privacy Policy periodically to stay informed about how we protect your data.

13. Contact Us

If you have questions about this Privacy Policy or wish to exercise your data rights, contact us at:

  • Privacy inquiries: privacy@ordalis.io
  • General support: tyler@ordalis.io
  • Data controller: Ordalis LLC
  • Mailing address: Ordalis LLC, 5693 Sierra Grande Drive, Taylorsville, Utah 84129, United States

We aim to respond to all privacy-related inquiries within 30 days.