Legal

Privacy Policy

Last updated 21 June 2026.

Template only. [Legal to supply final copy before publish.] This document is placeholder structure and language only; it is not legal advice and does not yet reflect OrthID’s binding privacy commitments.

1. Who we are

This Privacy Policy explains how [entity] (“OrthID”, “we”, “us”) handles personal data in connection with our website and identity platform. For data we process on behalf of our customers as part of the Service, the customer is the controller and we act as a processor under the relevant data processing agreement. The controller responsible for this website is [entity], [registered address].

2. Data we collect

We may collect the following categories of personal data:

  • Account & contact data - name, work email, organisation, role, and authentication details for those who create accounts or contact us;
  • Usage & device data - log data, IP address, browser and device information, and interactions with our website and consoles;
  • Communications - records of correspondence, support requests, and demo or sales enquiries;
  • Customer end-user data - identity and authentication data processed on behalf of customers, handled per the applicable [data processing agreement].

3. How we use it

We use personal data to:

  • provide, secure, maintain, and improve the Service and website;
  • authenticate users and detect, prevent, and respond to abuse and security incidents;
  • communicate about accounts, support, and service changes;
  • comply with legal obligations and enforce our terms.

4. Legal bases (GDPR)

Where the GDPR or equivalent law applies, we rely on the following legal bases: performance of a contract; our legitimate interests in operating and securing the Service (balanced against your rights); compliance with legal obligations; and, where required, your consent (which you may withdraw at any time). [Specific bases per processing activity to be confirmed by Legal.]

5. Data residency & sovereignty

OrthID is designed for sovereign deployment. Customer data can be configured to remain within a designated region or a self-hosted environment, with customer-managed encryption keys where supported. The applicable residency arrangements are set out in your deployment configuration and order form. [Residency commitments to be confirmed by Legal.]

6. Sub-processors

We engage a limited set of vetted sub-processors to help deliver the Service (for example, infrastructure hosting and operational tooling). We maintain a current list of sub-processors and impose data-protection obligations on them consistent with this Policy. [Link to sub-processor list to be added by Legal.]

7. Retention

We retain personal data only for as long as necessary to fulfil the purposes described in this Policy, to comply with legal obligations, and to resolve disputes. Retention periods for customer end-user data are governed by the relevant data processing agreement and customer configuration. [Specific periods to be confirmed by Legal.]

8. Your rights

Subject to applicable law, you may have the right to access, correct, delete, restrict, or object to the processing of your personal data, and to data portability. Where we process data on behalf of a customer, we will direct relevant requests to that customer. To exercise your rights, contact [DPO email].

9. International transfers

Where personal data is transferred across borders, we put appropriate safeguards in place, such as standard contractual clauses or other mechanisms recognised under applicable law. [Transfer mechanisms to be confirmed by Legal.]

10. Security

We maintain technical and organisational measures designed to protect personal data, including encryption in transit and at rest, access controls, tamper-evident audit logging, and ongoing monitoring. No method of transmission or storage is completely secure; we work continuously to protect your information. Learn more on our Trust Center.

11. Cookies

Our website uses cookies and similar technologies. For details on the cookies we use and how to manage them, see our Cookie Policy.

12. Contact / DPO

For privacy enquiries, or to reach our Data Protection Officer, contact [DPO email] or write to [entity] at [registered address]. You also have the right to lodge a complaint with a supervisory authority in your [jurisdiction].