Privacy Policy
Effective Date: 01/03/2025
This Privacy Policy explains how Productized Inc. (“we,” “us,” or “our”), operating the Orchestra SaaS application (the “Service”), collects, uses, and protects your personal information. By accessing and using Orchestra, you agree to the practices described in this Privacy Policy.
1. Who We Are
- Data Controller: Productized Inc. is the company responsible for determining how and why your personal data is processed.
Registered Location: 1007 N Orange St. 4th Floor 3309 Wilmington, DE 19801
- Data Protection Officer (DPO): Our Data Protection Officer is Anthony Riera (CEO). You can reach him at: anthony@getorchestra.com
2. Personal Data We Collect
We collect the following personal data:
- Name: Used to personalize your account and communications.
- Email Address: Used to communicate with you (e.g., account-related notices, Service updates, user support).
- Session Cookies: Strictly necessary cookies for authentication and maintaining your login session.
- Other Non-Sensitive Data: We may store basic usage logs (e.g., timestamps of logins, actions within the Service) to improve performance and provide support.
We do not collect sensitive categories of data (e.g., health, biometric, or government identifiers) or store payment details. Payments are handled by Stripe. We also do not store passwords in plain text; they are processed securely.
3. How We Use Your Personal Data and Legal Bases
Under the General Data Protection Regulation (GDPR), we rely on the following lawful bases:
- Performance of a Contract (GDPR Art. 6(1)(b)):
We process your name and email address to provide the Service (e.g., creating your account, managing access).
- Legitimate Interests (GDPR Art. 6(1)(f)):
We may process log data to ensure the security and performance of our Service, provided it does not override your fundamental rights.
- Consent (GDPR Art. 6(1)(a)) (if applicable):
If we introduce marketing communications or optional analytics cookies, we will seek your explicit opt-in consent. Currently, we only use session cookies that are necessary for login.
4. Data Retention
We retain your personal data for as long as your account remains active. If you close your account, we will delete your data automatically after one year or immediately upon your explicit request.
We may retain anonymized or aggregated information (which does not identify you personally) for statistical and service-improvement purposes.
5. Where and How Your Data Is Stored
- Primary Servers: Located in Europe.
- Read Replicas: Our databases (MongoDB Atlas on AWS) may replicate data to servers in the U.S. and Singapore to provide better service performance (load balancing, lower latency, etc.).
- Security Measures: We use encryption in transit (HTTPS/SSL) and at rest, and employ role-based access controls to prevent unauthorized access.
- International Data Transfers: Because we are based in the U.S. and also have replicas in the U.S. and Singapore, your data may be transferred outside the European Economic Area (EEA). We rely on appropriate safeguards (e.g., standard contractual clauses) to ensure data protection as required by GDPR.
6. Sharing Your Data with Third Parties
We do not sell personal information to third parties for their own marketing. The only external data processing involves:
- Payment Processing: Handled by Stripe.
- Hosting and Database: Provided via MongoDB Atlas and AWS.
These providers process data on our behalf and under GDPR-compliant agreements. We ensure they meet the same level of data protection we commit to.
7. Cookies and Similar Technologies
We use strictly necessary cookies for session management (e.g., to keep you logged into your account). We do not use third-party tracking or analytics cookies at this time. If we introduce non-essential cookies in the future, we will first obtain your explicit opt-in consent, particularly if you are in the EEA.
8. Your Rights Under GDPR
If you are located in the European Economic Area (EEA), you have the right to:
- Access: Request a copy of the personal data we hold about you.
- Rectification: Ask us to correct inaccurate or incomplete data.
- Erasure (“Right to be Forgotten”): Request deletion of your data under certain conditions.
- Restriction of Processing: Ask us to limit how we process your data, under certain scenarios.
- Data Portability: Receive your data in a structured, commonly used format so you can move it elsewhere.
- Object: Object to processing based on our legitimate interests or direct marketing.
- Lodge a Complaint: You can file a complaint with your local Data Protection Authority if we have not addressed your concerns adequately.
To exercise these rights, please contact us at anthony@getorchestra.com.
9. Data Breach Notification
We have procedures in place to detect, investigate, and respond to personal data breaches. If a breach occurs that poses a high risk to your rights and freedoms, we will notify you and the relevant supervisory authority as required by law. We will explain what happened and the steps taken to address the issue.
10. Children’s Data
Our Service is not intended for individuals under 16 years of age. We do not knowingly collect personal data from anyone under 16. If we discover that we have inadvertently collected such data, we will promptly delete it.
11. Updates to This Privacy Policy
We may update this Privacy Policy from time to time. If any material changes occur, we will notify you via email or post a notice in the Service before the changes take effect. Please review this Policy periodically for the latest information on our privacy practices.
12. Contact Us
If you have questions or concerns about this Privacy Policy, please reach out to us at:
Productized Inc.
Attn: Data Protection Officer (DPO)
anthony@getorchestra.com