Privacy Policy
How Ordalis collects, uses, stores, and protects your information. We are committed to transparency and your right to control your data.
Effective date: March 5, 2026
1. Introduction
Ordalis, Inc. ("Ordalis," "we," "us," or "our") operates the ordalis.io website and the Ordalis API (collectively, the "Service"). This Privacy Policy describes how we collect, use, disclose, and protect your personal information when you use our Service.
By using the Service, you agree to the collection and use of information in accordance with this policy. If you do not agree with the terms of this Privacy Policy, please do not access or use the Service.
2. Information We Collect
2.1 Account Information
When you create an account, we collect:
- Email address — used for authentication, billing communications, and service notifications
- Password — stored as a salted hash using PBKDF2-SHA256 (we never store plaintext passwords)
- Plan and billing information — your subscription tier and payment status
2.2 Files and Documents
When you use the Service to process documents, we temporarily receive:
- Uploaded files — PDFs, images, and other documents you submit for conversion
- Extracted data — the structured output (JSON, CSV, XLSX) generated from your documents
Important: Source files are deleted by default immediately after processing. Extracted results are cached temporarily to improve performance on repeated requests and are subject to our data retention policy.
2.3 Usage Data
We automatically collect certain information when you interact with the Service:
- IP addresses — for rate limiting, security monitoring, and abuse prevention
- API request metadata — endpoints called, response times, status codes, and request timestamps
- Conversion metadata — file types processed, output formats, file sizes, and processing duration
- User agent information — browser type, operating system, and device information
2.4 Cookies
We use only essential cookies required for the Service to function:
- Authentication tokens — JWT-based session cookies to keep you signed in
- CSRF protection — security tokens to prevent cross-site request forgery
We do not use advertising cookies, tracking pixels, or third-party analytics cookies. We do not participate in cross-site behavioral tracking.
3. How We Use Your Information
We use the information we collect for the following purposes:
| Purpose | Data Used | Legal Basis (GDPR) |
|---|---|---|
| Document processing and AI extraction | Uploaded files | Contract performance |
| Account management and authentication | Email, password hash | Contract performance |
| Billing and subscription management | Email, plan information | Contract performance |
| Service analytics and improvement | Usage data, conversion metadata | Legitimate interest |
| Security and abuse prevention | IP addresses, request metadata | Legitimate interest |
| Service notifications and updates | Email address | Legitimate interest |
We do not use your uploaded documents or extracted data to train AI models. Your data is processed solely for the purpose of providing the conversion service.
4. Third-Party Processors
We share data with the following third-party service providers who process data on our behalf:
| Provider | Purpose | Data Shared |
|---|---|---|
| Cloudflare | Infrastructure, CDN, edge computing, storage (Workers, D1, R2) | All service data transits through Cloudflare infrastructure |
| Anthropic | AI-powered document extraction and data structuring | Document content for processing (not retained by Anthropic for training) |
| Stripe | Payment processing and subscription billing | Email address and payment information |
| Resend | Transactional email delivery | Email address and message content |
Each third-party processor is contractually bound to process your data only as instructed by us and to maintain appropriate security measures. We do not sell your personal information to any third party.
5. Data Retention
5.1 Default Retention Periods
- Source files (uploads): Deleted immediately after processing by default
- Extracted results: Cached for up to 90 days, then automatically purged
- Account data: Retained while your account is active, deleted within 30 days of account closure
- Usage logs and metadata: Retained for 90 days for analytics and security purposes
- Audit logs: Retained for 90 days (longer for enterprise accounts)
5.2 Enterprise Configuration
Enterprise customers may configure custom data retention periods, including shorter retention windows for compliance with industry-specific regulations. Contact us for details.
6. Data Security
We employ industry-standard security measures to protect your data:
- Encryption in transit: All data is transmitted over TLS 1.3
- Encryption at rest: All stored files are encrypted with AES-256-GCM
- Password security: Passwords are hashed using PBKDF2-SHA256 with unique salts
- API key security: API keys are stored as hashed values; only the prefix is visible to users
- Infrastructure: All services run on Cloudflare's global edge network with built-in DDoS protection
For more details on our security practices, see our Security Practices page.
7. Your Rights
7.1 Access and Export
You have the right to access and export your personal data. You can request a full export of your data via the API:
GET /v1/data/export
This will return all personal data we hold about you, including account information, conversion history, and usage metadata.
7.2 Deletion
You have the right to request deletion of your personal data. You can delete your data via the API:
DELETE /v1/data
This will permanently remove your account, conversion history, stored results, and all associated metadata. This action is irreversible.
7.3 Data Portability
You have the right to receive your data in a structured, commonly used, machine-readable format. The data export endpoint provides your data in JSON format, which can be transferred to another service provider.
7.4 Rectification
You have the right to request correction of inaccurate personal data. You can update your email address and account information through your account settings or by contacting us.
7.5 Objection and Restriction
You have the right to object to processing of your personal data based on legitimate interest. You may also request restriction of processing in certain circumstances. Contact us at [email protected] to exercise these rights.
8. GDPR Compliance
If you are located in the European Economic Area (EEA), the United Kingdom, or Switzerland, you have the following additional rights under the General Data Protection Regulation (GDPR):
- Right to be informed about how your data is processed (this Privacy Policy)
- Right of access to your personal data
- Right to rectification of inaccurate data
- Right to erasure ("right to be forgotten")
- Right to restrict processing
- Right to data portability
- Right to object to processing
- Rights related to automated decision-making and profiling
To exercise any of these rights, contact us at [email protected]. We will respond to your request within 30 days. A Data Processing Agreement (DPA) is available for Enterprise customers upon request.
9. CCPA Compliance
If you are a California resident, you have the following rights under the California Consumer Privacy Act (CCPA):
- Right to Know: You may request disclosure of the categories and specific pieces of personal information we have collected about you
- Right to Delete: You may request deletion of your personal information
- Right to Opt-Out: You may opt out of the sale of your personal information. Note: we do not sell personal information
- Right to Non-Discrimination: We will not discriminate against you for exercising your CCPA rights
To submit a CCPA request, contact us at [email protected] or use the data export and deletion API endpoints described above. We will verify your identity before processing your request and respond within 45 days.
10. Children's Privacy
The Service is not directed to individuals under the age of 16. We do not knowingly collect personal information from children. If we become aware that a child under 16 has provided us with personal information, we will take steps to delete such information promptly.
11. International Data Transfers
Your data may be processed in data centers located outside your country of residence. Cloudflare operates a global edge network with 300+ data centers worldwide. We ensure that any international transfer of personal data is subject to appropriate safeguards, including Standard Contractual Clauses (SCCs) where required by applicable law.
12. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of any material changes by posting the updated policy on this page and updating the effective date. For significant changes, we will send a notification to the email address associated with your account.
We encourage you to review this Privacy Policy periodically to stay informed about how we protect your data.
13. Contact Us
If you have questions about this Privacy Policy or wish to exercise your data rights, contact us at:
- Privacy inquiries: [email protected]
- General support: [email protected]
We aim to respond to all privacy-related inquiries within 30 days.