Privacy Policy
Effective: 2 April 2026
1. Who we are
Ordestra is operated by Daliah Group B.V., a company registered in the Netherlands (KvK 99584891). We are the data controller for the personal data described in this policy.
Registered address: Binnendelta 11M, 1261 WZ Blaricum, Netherlands.
Contact: hello@ordestra.com
We have not appointed a Data Protection Officer because our processing does not meet the criteria under Art. 37 GDPR. If our processing changes, we will update this policy and appoint a DPO if required.
2. What Ordestra does
Ordestra converts evidence-based scientific publications (PDFs) into compliance-constrained audio summaries with citation-anchored transcripts. It serves professionals in medical affairs, academia, policy research, and other evidence-based domains.
3. Personal data we collect
Account data
- Email address, name (from signup or Google OAuth)
- Hashed password (email/password accounts only)
- Organisation name (if provided)
Usage data
- Papers uploaded and generated outputs (metadata, not content of your papers beyond what is needed for processing)
- Credit usage and generation history
- Summary configuration choices
Payment data
- Billing name, payment method, and transaction history (processed by Stripe; we do not store card numbers)
Technical data
- IP address and user agent (used for security, rate limiting, audit logs, and abuse prevention)
- Error logs and performance metrics (collected by Sentry, EU region; no personally identifiable information is included)
- Authentication session cookies (see Section 10)
- Bot-detection signals from Cloudflare Turnstile during signup and login (no cross-site tracking)
Uploaded content
- PDF files you upload may contain author names, institutional affiliations, and other metadata. This content is processed for evidence extraction only and is deleted after generation (see Section 7 for retention details).
4. Why we process your data and our legal basis
| Purpose | Legal basis (GDPR) |
|---|---|
| Providing the service (account management, PDF processing, audio generation) | Performance of contract (Art. 6(1)(b)) |
| Processing payments and managing subscriptions | Performance of contract (Art. 6(1)(b)) |
| Maintaining audit logs for compliance and evidence traceability | Legitimate interest (Art. 6(1)(f)) — regulatory accountability and evidence integrity |
| Error monitoring and service reliability | Legitimate interest (Art. 6(1)(f)) — ensuring service stability |
| Sending transactional emails (account confirmations, password resets, billing receipts) | Performance of contract (Art. 6(1)(b)) |
| Sending marketing communications (only with your explicit opt-in) | Consent (Art. 6(1)(a)) |
We do not sell your personal data. We do not use profiling or automated decision-making that produces legal effects or similarly significant effects on you.
5. Who we share data with
We use the following third-party processors to deliver the service. Each operates under a data processing agreement.
| Processor | Purpose | Data region | What is shared |
|---|---|---|---|
| Supabase | Authentication, database, file storage | EU (Frankfurt) | Account data, papers metadata, generated outputs, uploaded PDFs |
| Anthropic (Claude API) | Text extraction and script generation | EU | Extracted text content from uploaded PDFs (no account data). Anthropic does not train on data sent via the API. |
| ElevenLabs | Voice synthesis | Zero Retention Mode enabled (see Section 6) | Generated script text only. No personal data is sent to ElevenLabs. |
| Stripe | Payment processing | EU | Billing name, payment method, subscription status |
| Sentry | Error monitoring | EU | Error logs and performance data (no personally identifiable information) |
| Vercel | Hosting and edge delivery | Global edge network | Application hosted on Vercel (Frankfurt region). Static assets served via Vercel's CDN. No PII stored by Vercel. |
| Cloudflare Turnstile | Bot detection on signup / login forms | Global edge network | Browser fingerprint signals at the moment of signup or login. Turnstile does not set cross-site tracking cookies and does not collect PII. |
6. International data transfers
We store and process all persistent data within the European Union. Our database, authentication, and storage infrastructure is hosted in the EU (Frankfurt).
ElevenLabs (voice synthesis): We use ElevenLabs with Zero Retention Mode enabled, meaning ElevenLabs does not store input or output data after delivery. Only generated script text (which contains no personal data) is sent for synthesis. Processing may transiently route through non-EU infrastructure, but no data is persisted outside the EU.
Vercel: Serverless functions run in the Frankfurt (EU) region. Static assets are served via Vercel's global CDN for performance. No personal data is persisted by Vercel outside the EU.
Where any processing occurs outside the EU/EEA, it is covered by appropriate safeguards including Standard Contractual Clauses (SCCs) or adequacy decisions under the GDPR.
7. How long we keep your data
Retention periods depend on your subscription tier and the type of data:
| Tier | Audio | Transcript | Uploaded PDF | Audit logs |
|---|---|---|---|---|
| Free | Not stored | Not stored | Deleted after generation | 3 years |
| Starter | 30 days | 30 days | Deleted after generation | 3 years |
| Plus / Pro | 90 days | 90 days | Deleted after generation | 3 years |
| Team | 1 year | 1 year | Deleted after generation | 3 years |
Account data is retained for the duration of your account. If you delete your account, we erase your personal data within 30 days, except where we are legally required to retain specific records (see below).
Audit logs are retained for 3 years for all tiers. These are append-only records that ensure evidence traceability and regulatory accountability. They do not contain the content of your papers or audio outputs.
Billing and tax records (invoices, payment records) are retained for 7 years as required by Dutch tax law (Art. 52 AWR).
Limitation-period records. We may retain a minimal record of your account identifier and termination date for as long as claims may be brought under applicable limitation periods (typically up to 5 years under Dutch law), solely for the purpose of defending legal claims.
8. Your rights under the GDPR
As a data subject, you have the following rights:
- Access — request a copy of the personal data we hold about you
- Rectification — ask us to correct inaccurate or incomplete data
- Erasure — ask us to delete your personal data ("right to be forgotten")
- Restriction — ask us to restrict processing of your data in certain circumstances
- Portability — receive your data in a structured, machine-readable format
- Objection — object to processing based on legitimate interests
- Withdraw consent — where processing is based on consent, you may withdraw it at any time without affecting the lawfulness of prior processing
You can delete your account at any time from your account settings. This permanently erases your papers, generations, and audio within 30 days. To exercise any other right, email hello@ordestra.com. We will respond within 30 days.
9. Right to complain
If you believe we have not handled your data correctly, you have the right to lodge a complaint with the Dutch Data Protection Authority:
Autoriteit Persoonsgegevens
Website: autoriteitpersoonsgegevens.nl
Phone: +31 (0)70 888 85 00
10. Cookies
Ordestra uses only essential cookies required for the service to function:
- Authentication session cookie — an httpOnly cookie that maintains your login session. This is strictly necessary and does not require consent under the GDPR ePrivacy Directive.
We do not use tracking cookies, advertising cookies, or third-party analytics cookies. We do not use cookie consent banners because we do not use any cookies that require consent.
11. Children
Ordestra is not directed at individuals under the age of 16. We do not knowingly collect personal data from children. If you believe a child under 16 has provided us with personal data, please contact us at hello@ordestra.com and we will delete it promptly.
12. Data breach notification
If a personal data breach occurs that is likely to result in a risk to your rights and freedoms, we will notify the Dutch Data Protection Authority within 72 hours of becoming aware of it. If the breach is likely to result in a high risk to you, we will notify you directly without undue delay.
13. Security
We apply appropriate technical and organisational measures to protect your personal data, including: TLS encryption in transit, encryption at rest for databases and storage, row-level security on every database table, audit logging for sensitive operations, password hashing (bcrypt), short-lived session tokens with rotation, and rate limiting on authentication endpoints. No system is perfectly secure; we review our controls regularly.
14. Changes to this policy
We may update this policy to reflect changes in our practices or legal requirements. When we make material changes, we will notify you by email or by a prominent notice on the service before the changes take effect. The "Effective" date at the top of this page indicates when the policy was last updated.