Privacy Policy

Last Updated: November 6, 2025

1. Introduction

Ordo ("we," "our," or "us") respects your privacy and is committed to protecting your personal data. This Privacy Policy explains how we collect, use, store, and share information when you use our security scanning service (the "Service").

2. Information We Collect

2.1 Account Information

When you create an account, we collect:

  • Email address (from OAuth provider)
  • Name (from OAuth provider)
  • OAuth provider ID (Google or GitHub)
  • Profile information from your OAuth provider

2.2 Usage Data

When you use the Service, we collect:

  • Scan metadata (number of files scanned, timestamps, project names)
  • Vulnerability types and severity levels found
  • API usage statistics (requests, quotas, rate limits)
  • Subscription tier and billing information
  • IP addresses and device information for security purposes

2.3 Code Data

🔒 Code Privacy

We process code snippets temporarily to perform security analysis but do not permanently store your source code. Code may be sent to third-party AI services (e.g., OpenAI) for analysis, subject to their privacy policies.

  • Code snippets are processed in memory and discarded after analysis
  • Vulnerability locations (file paths and line numbers) are stored
  • We do not access or store your private repositories or credentials

2.4 Payment Information

Payment processing is handled by Stripe. We do not store your credit card information. We receive limited payment data from Stripe (customer ID, subscription status, last 4 digits of card) to manage your subscription.

3. How We Use Your Information

We use collected information to:

  • Provide and maintain the Service
  • Process security scans and generate vulnerability reports
  • Manage your account and subscriptions
  • Send important service updates and security notifications
  • Improve the Service and develop new features
  • Prevent fraud, abuse, and security threats
  • Comply with legal obligations
  • Analyze usage patterns to improve accuracy and performance

4. How We Share Your Information

We may share your information with:

4.1 Third-Party Services

  • OpenAI: For AI-powered code analysis and vulnerability detection
  • Supabase: For authentication and database hosting
  • Stripe: For payment processing
  • Vercel: For hosting and infrastructure
  • Resend: For transactional emails

4.2 Legal Requirements

We may disclose information if required by law, court order, or government request, or to:

  • Protect our legal rights and safety
  • Prevent fraud or security threats
  • Comply with legal processes

4.3 Business Transfers

If Ordo is acquired or merged with another company, your information may be transferred to the new entity.

5. Data Retention

  • Account data is retained until you delete your account
  • Scan metadata and vulnerability reports are retained for analytics and historical purposes
  • Code snippets are not permanently stored and are discarded after processing
  • Payment records are retained as required by law (typically 7 years)

6. Data Security

We implement industry-standard security measures to protect your data:

  • HTTPS/TLS encryption for all data in transit
  • Database storage encrypted at rest
  • API key authentication for CLI access
  • Row-level security policies in our database
  • Regular security audits and updates

However, no system is completely secure. We cannot guarantee absolute security of your data.

7. Your Rights

You have the right to:

  • Access: Request a copy of your personal data
  • Correction: Update or correct inaccurate information
  • Deletion: Request deletion of your account and data
  • Export: Download your scan history and data
  • Opt-out: Unsubscribe from marketing emails (transactional emails, such as account and billing notices, cannot be opted out of)
  • Object: Object to certain data processing activities

To exercise these rights, contact us at privacy@tryordo.dev

8. Cookies and Tracking

We use cookies and similar technologies for:

  • Authentication and session management
  • Analytics (e.g., Vercel Analytics) to understand usage patterns
  • Security and fraud prevention

You can control cookies through your browser settings, but disabling them may affect Service functionality.

9. International Data Transfers

Your data may be transferred to and processed in countries other than your country of residence, including the United States. We ensure appropriate safeguards are in place for such transfers.

10. Children's Privacy

The Service is not intended for users under 18 years of age. We do not knowingly collect data from children. If you believe we have collected data from a child, contact us immediately.

11. California Privacy Rights (CCPA)

If you are a California resident, you have additional rights under the California Consumer Privacy Act:

  • Right to know what personal data we collect and how it's used
  • Right to delete your personal data
  • Right to opt-out of the "sale" of personal data (we do not sell your data)
  • Right to non-discrimination for exercising your rights

12. European Privacy Rights (GDPR)

If you are in the European Economic Area, the General Data Protection Regulation applies to our processing of your personal data. Our legal bases for processing are consent, contract performance, and legitimate interests. In addition to the rights listed in Section 7, you have the right to:

  • Withdraw consent at any time, where consent is the legal basis for processing
  • Lodge a complaint with a supervisory authority
  • Receive your personal data in a portable format (data portability)

13. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes via email or through the Service. Your continued use after changes constitutes acceptance of the updated policy.

14. Contact Us

For questions about this Privacy Policy or data practices, contact us at:

By using Ordo, you acknowledge that you have read and understood this Privacy Policy.