Privacy Policy
Last Updated: December 2, 2025
1. Introduction and Scope
Welcome to Orcanomic ("we," "our," or "us"). We operate orcanomic.com (the "Service"), providing professional digital design and low-code development services. We are committed to protecting your privacy and demonstrating rigorous compliance with global data protection frameworks and the California Consumer Privacy Act (CCPA), as amended by the California Privacy Rights Act (CPRA).
This Policy details how we collect, use, safeguard, and, where applicable, transfer your Personal Data, and explicitly outlines your rights regarding this data. By accessing or using our Service, you acknowledge that you have read and understood the practices described in this Privacy Policy.
2. Definitions
- Personal Data (or PII): Data about an identified or identifiable living individual (e.g., name, email, billing information).
- Sensitive Personal Information (SPI) (CPRA): Specific categories of PII that require heightened protection, such as government IDs or health data. We generally do not collect SPI.
- Usage Data: Data collected automatically, generated by the use of the Service or from the Service infrastructure itself (e.g., duration of page visit, browser type, IP address).
- Controller: The entity that determines the purposes and means of processing Personal Data. Orcanomic is the Controller for the data collected directly through the Service.
- Processor: The entity that processes Personal Data on behalf of the Controller. Orcanomic may act as a Processor when handling client data during service fulfillment.
- Sharing (CPRA): Disclosing, disseminating, or making available a consumer’s personal information to a third party for cross-context behavioral advertising, whether or not for monetary consideration.
3. Information We Collect
We collect data necessary for providing and improving our professional services and managing your subscription.
A. Personal Data Collected Directly
We may collect personally identifiable information provided directly by you, including:
- Email address
- First name and last name
- Billing Address (processed by our payment provider)
- Account credentials (if applicable)
B. Usage Data and Tracking
We collect Usage Data automatically when you interact with the Service. This includes:
- Internet Protocol (IP) address
- Browser type and version
- Time and date of your visit
- Time spent on specific pages
- Device identifiers and operating system details
4. Integrated Cookie Policy and Active Consent Framework
We use cookies and similar tracking technologies (pixels, web beacons) to track activity, hold preferences, and deliver targeted advertising.
We categorize the cookies as follows:
- Essential Cookies: Strictly necessary for core website function (e.g., login, security). No consent required (Strictly Necessary Exception).
- Analytics Cookies: Measure website performance and analyze user interaction to improve the service. Active Consent Required.
- Marketing Cookies: Track activity across websites to build behavioral profiles and display relevant, targeted advertisements. These constitute "Sharing" under CPRA. Active Consent Required.
CPRA Opt-Out of Sharing and GPC Recognition
The use of Marketing Cookies for cross-context behavioral advertising constitutes "Sharing" under the CPRA. You have the right to opt out of this activity.
- "Do Not Sell or Share My Personal Information" Link: A clear, conspicuous, and dedicated link is available on our website to facilitate this opt-out: [INSERT LINK TO OPT-OUT MECHANISM]
- Global Privacy Control (GPC): We are configured to automatically respect and honor the Global Privacy Control (GPC) signal transmitted by your browser, treating it as a valid, first-layer request to opt out of the sale or sharing of your Personal Information.
5. How We Use Your Data
We use the collected data for the following specific purposes:
- To provide, maintain, and support our Service, including subscription fulfillment.
- To notify you about changes to our Service.
- To gather analysis and monitoring data to detect, prevent, and address technical issues and improve service delivery.
- To send you news, special offers, and general information about other goods, services, and events, provided this aligns with your communication preferences and consent status.
6. Data Retention and Security of Data
A. Data Retention
We retain your Personal Data only for as long as is necessary to fulfill the purposes set out in this Policy, or as required by law.
- Contractual Data: Retained for the duration of your account activity, and then retained for an additional period (typically 6-7 years) to comply with legal, tax, and accounting obligations.
- Usage Data/Logs: Retained for security and debugging purposes, typically for a period not exceeding one year.
- Consent Data: Records of user consent (for marketing and non-essential cookies) are retained until consent is explicitly withdrawn.
B. Security of Data (Technical and Organizational Measures - TOMs)
We implement appropriate technical and organizational measures (TOMs) to protect your Personal Data against unauthorized access, disclosure, alteration, or destruction.
- Encryption in Transit: Data is encrypted during transmission using robust protocols, specifically TLS 1.2+ encryption.
- Encryption at Rest: Personal Data stored on servers (including databases managed by our hosting provider) is encrypted using the AES-256 standard.
- Payment Security: Payment processing is handled by Stripe, a third-party processor, ensuring that raw credit card data is not stored by Orcanomic. Stripe maintains compliance with the PCI DSS (Payment Card Industry Data Security Standard).
- Access Control: We maintain strict access controls and conduct regular security monitoring to prevent unauthorized access.
7. Third-Party Services and Sub-processors
We engage third-party companies and individuals to facilitate our Service ("Sub-processors"). These parties are obligated by legally required Data Processing Agreements (DPAs) not to disclose or use the data for any other purpose.
- International Data Transfer: For the transfer of EU/EEA data to non-adequate jurisdictions (like the US), our DPAs incorporate Standard Contractual Clauses (SCCs) to legitimize the transfer.
- Stripe | Payment processing & Billing | Billing Address, Transaction data, Payment identifiers | PCI DSS Compliant; DPA/SCCs required
- Google Analytics | Usage & Site Analysis, Advertising | IP Address, Usage Data, Browser Info | Active User Consent (GDPR); DPA/SCCs required
- Hosting Provider (e.g., Webflow, AWS) | Website hosting, data storage | Usage Data, Log Data, User Account Data | DPA/SCCs required; Encryption at Rest
- Marketing Platforms (e.g., Meta/Google Ads) | Cross-Context Behavioral Advertising | Hashed Identifiers, Behavioral data | Active User Consent (GDPR); Opt-Out (CPRA); DPA/SCCs required
8. Data Processing Role: Controller vs. Processor
Orcanomic operates in a dual capacity:
- Data Controller: When collecting data from our own website users, managing subscriptions, and handling direct marketing. This entire policy covers our obligations as a Controller.
- Data Processor: When providing professional services to clients (e.g., building a client’s e-commerce site or managing a client's CRM integration), we may access or manage Personal Data belonging to the client's users. In this scenario, Orcanomic acts solely on the client's documented instructions. Clients engaging Orcanomic in work that requires PII management must enter into a separate Data Processing Agreement (DPA) with Orcanomic.
9. Your Rights Under CCPA/CPRA
You have the following rights:
- Right to Know: To request disclosure of the specific pieces and categories of Personal Information we have collected, the sources, purposes, and third parties involved in sharing.
- Right to Delete: To request the deletion of Personal Information collected from you, subject to certain legal exceptions.
- Right to Opt-out of Sale or Sharing: The right to direct us not to sell or share your Personal Information. We do not sell your personal data for monetary consideration. However, the use of Marketing Cookies (like Facebook Pixel and Google Ads) for cross-context behavioral advertising constitutes "Sharing" under CPRA. To exercise this right, you must use the designated link below: [INSERT LINK TO OPT-OUT MECHANISM]
We are also configured to respect and honor the Global Privacy Control (GPC) signal, treating it as a valid request to opt out of the sale or sharing of your personal information.
- Right to Correct: The right to request the correction of inaccurate Personal Information that we maintain about you.
- Right to Limit Use of Sensitive Personal Information: The right to limit the use and disclosure of your Sensitive Personal Information (SPI).
- Right to Non-Discrimination: The right not to receive discriminatory treatment for exercising your CCPA/CPRA privacy rights.
To exercise these rights, please contact us at privacy@orcanomic.com or use the designated opt-out link.
10. Children's Privacy
Our Service does not knowingly address anyone under the age of 18 ("Children"). We do not knowingly collect personally identifiable information from anyone under the age of 18. If you are a parent or guardian and you are aware that your Children have provided us with Personal Data, please contact us.
11. Changes to This Privacy Policy
We may update our Privacy Policy from time to time. We will notify you of any changes by posting the new Privacy Policy on this page and updating the "Last Updated" date at the top.
12. Contact Us
If you have any questions about this Privacy Policy or wish to exercise your rights, please contact us:
By email: privacy@orcanomic.com