1. Introduction
Ordumo ("we", "us", or "our") operates a multi-agent AI platform featuring specialized expertise layers including QuantSage, MarCo, Peddl, Lumina, and other expertise layers we may introduce (collectively, the "Service"). This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our Service.
By using the Service, you agree to the collection and use of information in accordance with this Privacy Policy. If you do not agree with the terms of this Privacy Policy, please do not access the Service.
2. Information We Collect
2.1 Information You Provide to Us
We collect information that you voluntarily provide to us, in the following categories:
| Category | Data Collected | Purpose |
|---|---|---|
| Account Registration | Email, password, first name, last name, company name | Create and manage your account |
| Profile Information | Profile picture, phone number, preferences | Personalize your experience |
| Payment Information | Credit card details (via Stripe), billing address | Process subscriptions and payments |
| Communications | Email content, support tickets, feedback | Respond to inquiries and improve service |
| User Content | Portfolio data, watchlists, custom configurations | Provide personalized features |
2.2 Information Automatically Collected
When you access our Service, we automatically collect certain information:
- Device Information: IP address, browser type, operating system, device identifiers
- Usage Data: Pages visited, features used, time spent, click patterns
- Location Data: Approximate location based on IP address
- Session Data: Login times, session duration, authentication tokens
- API Usage: API calls made, endpoints accessed, response times
2.3 Information from Third Parties
We may receive information from:
- Payment Processors: Stripe provides transaction status and payment verification
- Analytics Providers: Usage statistics and performance metrics
- Data Providers: Market data for the QuantSage platform
2.4 Connected Advertising & Marketing Platform Data
With your explicit authorization, our MarCo marketing-intelligence layer connects to third-party advertising and marketing platforms — including Meta (Facebook and Instagram) Ads, Google Ads, TikTok, and LinkedIn — through those platforms' official APIs (for example, the Meta Marketing API using the ads_read permission). You initiate and control these connections and can disconnect them at any time.
From these platforms we receive account-level advertising data — such as campaigns, ad sets, ads, creatives, spend, impressions, clicks, conversions, and performance metrics — together with the API access token required to retrieve it. This is business advertising-account data; we do not collect the personal profile data of an advertising platform's individual end users through these connections.
We use this data solely to provide the connecting business or agency with analytics, reporting, and AI-generated insights about its own marketing performance, and to produce aggregated, anonymized industry benchmarks. We handle all data received from these platforms in accordance with each platform's developer terms and policies, including the Meta Platform Terms and Developer Policies. We do not sell this data or use it to target the platform's users.
Data minimization. We keep your detailed advertising data only as long as it is needed to provide your analytics and reporting. Any benchmarks we publish use aggregated, anonymized figures that do not identify any individual business, and we do not retain your identifiable advertising data longer than necessary for these purposes.
3. How We Use Your Information
We use the collected information for various purposes:
3.1 Service Delivery
- Create and maintain your account
- Process your subscriptions and payments
- Provide personalized features and recommendations
- Send service-related communications
- Respond to your requests and support inquiries
3.2 Service Improvement
- Analyze usage patterns to improve features
- Monitor and analyze performance and reliability
- Develop new features and services
- Conduct research and analytics
3.3 Security and Compliance
- Detect and prevent fraud and abuse
- Enforce our Terms of Service
- Comply with legal obligations
- Protect the rights and safety of users
3.4 Marketing (With Your Consent)
- Send promotional emails about new features
- Notify you about special offers and updates
- Conduct surveys and gather feedback
Note: You can opt out of marketing communications at any time through your account settings.
4. Information Sharing and Disclosure
4.1 We Do Not Sell Your Data
4.2 Service Providers
We share information with third-party service providers who perform services on our behalf:
- Stripe: Payment processing (PCI-DSS compliant)
- Resend: Email delivery service
- Infisical: Secure secrets management (including encrypted storage of platform access tokens)
- Cloud Hosting (Hetzner, EU): Infrastructure and data storage
- Cloudflare: Content delivery, security, and DDoS protection
- Anthropic: AI/LLM processing to generate marketing insights from connected platform data
These providers are contractually obligated to protect your information and use it only for the services they provide to us.
4.3 Legal Requirements
We may disclose your information if required to do so by law or in response to:
- Court orders or legal process
- Law enforcement requests
- Government investigations
- Protection of our legal rights
4.4 Business Transfers
If we are involved in a merger, acquisition, or sale of assets, your information may be transferred as part of that transaction. We will notify you via email and/or a prominent notice on our Service of any change in ownership.
4.5 Aggregated Data
We may share aggregated, anonymized data that does not personally identify you with third parties for research, marketing, or analytics purposes.
5. Data Security
5.1 Security Measures
We implement comprehensive security measures to protect your information:
- Encryption: HTTPS/TLS for data in transit, AES-256 for sensitive data at rest
- Authentication: JWT tokens, bcrypt password hashing, optional 2FA
- Access Controls: Role-based access, principle of least privilege
- Monitoring: Continuous security monitoring and logging
- Updates: Regular security patches and updates
- Audits: Periodic security assessments
5.2 Your Responsibility
While we take extensive measures to protect your data, you also play a role in security:
- Use a strong, unique password
- Enable two-factor authentication
- Keep your credentials confidential
- Log out after using shared devices
- Report suspicious activity immediately
5.3 Data Breach Notification
In the event of a data breach that affects your personal information, we will notify you within 72 hours via email and through the Service, as required by applicable laws.
6. Data Retention
We retain your personal information for as long as necessary for the purposes listed below:
| Data Type | Retention Period | Reason |
|---|---|---|
| Account Data | While account is active + 90 days | Provide service, account recovery |
| Payment Records | 7 years | Tax and legal compliance |
| Session Logs | 90 days | Security and fraud prevention |
| Support Tickets | 3 years | Customer service, legal protection |
| Usage Analytics | 18 months (aggregated) | Service improvement |
After the retention period, we will securely delete or anonymize your information.
7. Your Rights and Choices
7.1 GDPR Rights (EU/EEA Users)
If you are located in the European Economic Area, you have the following rights:
- Right to Access: Request a copy of your personal data
- Right to Rectification: Correct inaccurate or incomplete data
- Right to Erasure: Request deletion of your data ("right to be forgotten")
- Right to Restriction: Request limitation of data processing
- Right to Data Portability: Receive your data in a structured, machine-readable format
- Right to Object: Object to certain processing activities
- Right to Withdraw Consent: Withdraw consent for data processing
7.2 CCPA Rights (California Users)
If you are a California resident, you have the right to:
- Know what personal information is collected
- Know if your information is sold or disclosed
- Say no to the sale of personal information
- Access your personal information
- Request deletion of your personal information
- Not be discriminated against for exercising your rights
7.3 How to Exercise Your Rights
To exercise any of these rights, please:
- Email us at [email protected]
- Request data export or deletion by emailing [email protected]
- Contact our Data Protection Officer
We will respond to your request within 30 days.
7.4 Marketing Preferences
You can opt out of marketing emails by:
- Clicking the "unsubscribe" link in any marketing email
- Updating your preferences in account settings
- Contacting support
8. Cookies and Tracking Technologies
8.1 What Are Cookies?
Cookies are small text files placed on your device to store data. We use cookies and similar technologies (localStorage, sessionStorage) to enhance your experience.
8.2 Types of Cookies We Use
| Type | Purpose | Duration |
|---|---|---|
| Essential | Authentication, security, session management | Session/7 days |
| Functional | Remember preferences, theme, language | 1 year |
| Analytics | Understand usage, improve service | 2 years |
| Marketing | Track campaign effectiveness (with consent) | 90 days |
8.3 Managing Cookies
You can control cookies through:
- Browser settings (disable/delete cookies)
- Our cookie consent banner
- Privacy settings in your account
Note: Disabling essential cookies may affect service functionality.
For more details, see our Cookie Policy.
9. Third-Party Services
Our Service may contain links to third-party websites and services. We are not responsible for the privacy practices of these third parties. We encourage you to read their privacy policies.
9.1 Third-Party Data Providers
We use third-party data providers for market information. These providers have their own privacy policies governing the data they provide.
9.2 Social Media
If we add social media features in the future, those platforms may collect information about your interactions. Please review their privacy policies.
10. Children's Privacy
Our Service is not intended for users under 18 years of age. We do not knowingly collect personal information from children under 18.
If we learn that we have collected information from a child under 18, we will delete that information immediately. If you believe we have collected information from a child, please contact us at [email protected].
11. International Data Transfers
Your information may be transferred to and processed in countries other than your own. These countries may have different data protection laws.
11.1 EU-US Data Transfers
For users in the European Economic Area, we ensure adequate protection through:
- Standard Contractual Clauses (SCCs)
- Adequacy decisions by the European Commission
- Other approved transfer mechanisms
11.2 Data Location
Your data is primarily stored on servers located in:
- Primary: Hetzner (Germany/EU) - GDPR compliant
- Backup: Cloud storage with encryption
12. Changes to This Privacy Policy
We may update this Privacy Policy from time to time. When we make changes:
- We will update the "Last Updated" date
- We will notify you via email for material changes
- We will post a notice on the Service
- You will have 30 days to review before changes take effect
Your continued use of the Service after the effective date constitutes acceptance of the updated Privacy Policy.
13. Contact Us
13.1 General Inquiries
If you have questions about this Privacy Policy or our privacy practices:
- Email: [email protected]
- Support: [email protected]
13.2 Data Protection Officer
For GDPR-related requests, contact our Data Protection Officer:
- Email: [email protected]
13.3 Supervisory Authority
If you are in the EU/EEA and believe we have not adequately addressed your concerns, you have the right to lodge a complaint with your local data protection authority.