Orca Suite › Privacy
Privacy Notice
Last updated: 28 May 2026
Orcavera builds software for European importers. This notice explains what personal data we collect, why we collect it, how we protect it, and the rights you have under the EU GDPR and the Swiss Federal Act on Data Protection (FADP).
1. Who we are
"Orcavera" (we / us / our) is the operator of the Orca Suite of products — TradeShield (trade.orcavera.com), Flow (flow.orcavera.com), and ORCA D&D. Orcavera is based in Basel, Switzerland. Founder and data-protection contact: Umut Bakin.
For any privacy question or rights request, write to [email protected]. We answer every message ourselves; there is no ticket queue.
2. What we collect and why
2.1 Account data
When you or your colleague creates an account we collect name, work email, employer (company name and domain), and authentication metadata (Clerk session, login timestamps, IP for fraud signals). We need this to identify you, scope what you can see, and let your team collaborate inside one tenant.
Legal basis: performance of a contract (Art. 6(1)(b) GDPR).
2.2 Business data you put into the products
You and your colleagues enter trade-operational data: HS codes, supplier details (including supplier contact names and emails), trade lanes, calculation inputs, freight contracts, fee schedules, and uploaded documents (invoices, packing lists, certificates of origin). Some of this contains personal data of your suppliers' or counterparties' employees — typically names, work emails, and signatures on documents.
You are the controller of the personal data you upload; Orcavera processes it on your behalf as a processor under a Data Processing Agreement (incorporated by reference into our Terms of Service).
Legal basis: performance of a contract with you (Art. 6(1)(b)); your suppliers' data is processed on your documented instructions under Art. 28.
2.3 Billing data
If you subscribe to a paid plan, payments are processed by Stripe. Stripe collects card details directly — we never see or store full card numbers. We retain invoice metadata (amount, plan, VAT ID, billing address) for tax-record obligations.
Legal basis: contract performance and legal obligation (Art. 6(1)(b) and (c)).
2.4 Product analytics and logs
We use PostHog (EU region) to understand which features get used, where users get stuck, and what's worth building next. Events include page views, feature interactions, and error states, attached to your user ID and tenant ID. We do not run advertising trackers, third-party retargeting pixels, or any cross-site fingerprinting.
Server logs (request URL, status, latency, anonymised IP) and error traces (Sentry) are retained up to 30 days for security and reliability.
Legal basis: legitimate interest in running and improving the service (Art. 6(1)(f)); you can opt out of product analytics by emailing us.
2.5 Public marketing site
The marketing pages at orcavera.com are statically served from Vercel. Vercel maintains short-lived edge access logs for abuse protection. We do not set marketing cookies on the public site.
3. Sub-processors
We use a small set of vetted providers to operate the suite. Personal data may be transferred to or stored by these providers only as needed to deliver the service.
| Provider | Purpose | Region |
|---|---|---|
| Hetzner Online GmbH | Application and database hosting | Germany (EU) |
| Vercel Inc. | Frontend / marketing site hosting + CDN | EU edge |
| Cloudflare, Inc. | DNS, TLS, edge protection | Global edge |
| Clerk, Inc. | Authentication, session management | EU |
| Stripe, Inc. | Subscription billing | EU / global |
| PostHog, Inc. | Product analytics | EU (Frankfurt) |
| Sentry (Functional Software, Inc.) | Error monitoring | EU |
| Mistral AI | Document extraction (LLM) | EU (France) |
| Anthropic, PBC | LLM-assisted summaries and Q&A | EU/US — see §5 |
Where a provider is outside the EEA, transfers rely on EU Standard Contractual Clauses and, where applicable, supplementary technical measures (encryption in transit and at rest).
4. How long we keep your data
- Account and tenant data — for as long as your account is active, plus 30 days after deletion to allow recovery of accidental deletions.
- Calculation history, lanes, documents — same as the account; you can delete individual items at any time inside the product.
- Invoices and tax records — 10 years, as required by Swiss and EU tax law.
- Server logs — 30 days.
- Error traces (Sentry) — 30 days.
5. International transfers
The core production stack (database, application, document store) runs on Hetzner servers in Germany. Some sub-processors operate globally. Where data is transferred outside the EEA / Switzerland we rely on the European Commission's Standard Contractual Clauses and, where the recipient is in a country without an adequacy decision, supplementary measures.
The Anthropic API is accessed via Anthropic's EU endpoint where available; specific requests may route to US infrastructure under SCCs.
6. Your rights
Under the GDPR and FADP you have the right to:
- Access — get a copy of the personal data we hold about you.
- Rectify inaccurate data — you can edit most of it yourself inside the product; for the rest, email us.
- Delete — close your account and have your personal data deleted, subject to retention obligations in §4.
- Restrict or object to processing based on legitimate interests.
- Portability — receive your data in a structured, machine-readable format.
- Lodge a complaint with the Swiss FDPIC or your local EU supervisory authority.
Send rights requests to [email protected]. We respond within 30 days.
7. Security
TLS 1.2+ on all endpoints. Encryption at rest for production databases. Row-level tenant isolation enforced at the database role level (Postgres RLS) for products that have shipped that retrofit. Daily encrypted database backups retained for 30 days in a separate region. Sentry alerts on any unhandled error. Authentication via Clerk's RS256 JWT with rotating signing keys; no passwords are stored on our infrastructure.
If we become aware of a personal-data breach that creates a risk to your rights and freedoms, we will notify affected customers without undue delay and the competent supervisory authority within 72 hours, as required by Art. 33 GDPR.
8. Cookies
Inside the product we use a single first-party session cookie (set by Clerk) for authentication, plus localStorage for UI preferences. We do not use marketing or advertising cookies. The public marketing site at orcavera.com does not set cookies.
9. Children
Orca Suite is built for business users. We do not knowingly collect data from anyone under 16.
10. Changes to this notice
We will update this page when we add a sub-processor, change a retention period, or otherwise materially change how we handle data. The "Last updated" date at the top reflects the most recent change. For material changes that affect your rights, we will notify account owners by email.
11. Contact
For any question about this notice, your data, or to exercise your rights, email [email protected].