Privacy Policy
Last updated: 18/05/2026
Version: 1.0
Preamble
This privacy policy describes how ORKOM collects, uses, shares and protects the personal data of its users and visitors.
It applies:
- to the public website https://orkom.fr and its subdomains (hereinafter "the Website");
- to the application https://app.orkom.fr (hereinafter "the Application");
- to any interaction with ORKOM in connection with the provision of its services.
ORKOM commits to processing your personal data in accordance with Regulation (EU) 2016/679 of 27 April 2016 (GDPR) and French Act No. 78-17 of 6 January 1978 as amended (French Data Protection Act).
ORKOM is the data controller for the data it collects directly (user accounts, browsing data, etc.). This policy describes those processing activities.
ORKOM is a processor within the meaning of Article 28 GDPR for the content uploaded by its customers (organizations) into the Application (invoices, contracts, files, etc.). The processing of this content is governed by a Data Processing Agreement (DPA) signed between ORKOM and each customer. Natural persons whose data appears in this content must contact the relevant customer organization to exercise their rights. See the "Content entrusted by customers" section.
1. Who are we?
ORKOM is a SAS (French simplified joint-stock company) with share capital of €1,000.00, registered with the Bordeaux Trade and Companies Register under SIREN number 993 033 943.
The controller of personal data processing is:
| Field | Value |
|---|---|
| Name | ORKOM |
| Legal form | SAS |
| SIREN | 993 033 943 |
| Registered office address | 22 RUE FRANÇOIS MAURIAC 33200 BORDEAUX |
| Legal representative | Rayan Azmatally, Managing Director |
| General contact email | contact@orkom.fr |
| GDPR contact email | support@orkom.fr |
2. Data collected
2.1 On the showcase website (https://orkom.fr)
When you visit our showcase website:
| Type of data | Details | Source |
|---|---|---|
| Browsing data | IP address (anonymized), pages visited, browser, operating system, visit duration | Automatic collection via Google Analytics 4, after your consent |
| Contact data | If you book a meeting via the "Book a call" button: first name, last name, email, optional message | Direct input by you via Google Calendar Appointment Schedules |
| Communications | If you write to contact@orkom.fr: content of the email, sender address | Direct input by you |
2.2 In the Application (https://app.orkom.fr)
When you create an account and use the Application:
| Type of data | Details |
|---|---|
| Identification data | First name, last name, professional email address |
| Authentication data | Password (encrypted and managed by Firebase, never accessible to ORKOM), MFA secret if enabled, hashed recovery codes |
| Organization data | Company name of your organization, role, team affiliation |
| Connection data | Account creation date, last login, active sessions |
| Billing data | Token balance, history of internal transactions (amounts, dates) |
| Preferences | Language (French / English) |
| Invitation data | If you are invited to join an organization: email address, proposed role, invitation token |
2.3 Content entrusted by customers (processor role)
When you use the Application as part of your work within a customer organization, you may upload documents, create extractions, tables, verification files. This content belongs to the customer organization, which is the data controller for it.
ORKOM processes this content solely on the instructions of the customer organization, under a Data Processing Agreement (DPA) signed with it. The content may include personal data of third parties (employees, clients, suppliers of the customer organization).
If you are a natural person whose data appears in content uploaded by an ORKOM customer, you must exercise your rights directly with that organization, which is the data controller. ORKOM assists its customers in the exercise of these rights in accordance with Article 28 GDPR.
3. Purposes of processing
The table below presents the purposes, legal bases and data concerned for each processing activity.
| Purpose | Data processed | Legal basis (Art. 6 GDPR) |
|---|---|---|
| Creation and management of your user account | Identification, authentication, preferences | Performance of the contract (Art. 6.1.b) |
| Provision of the ORKOM service | Organization data, uploaded content (processor role), API keys | Performance of the contract (Art. 6.1.b) |
| Management of invitations between users | Email of the invitee, data of the inviter | Legitimate interest of ORKOM and the customer organization in building its teams (Art. 6.1.f) |
| Billing and accounting obligations | Billing data, invoices, contracts | Legal obligation (Art. 6.1.c — French Commercial Code) + Performance of the contract (Art. 6.1.b) |
| Transactional communications (email verification, password reset, notifications) | Email, first name | Performance of the contract (Art. 6.1.b) |
| Security and accountability (audit logs of sensitive actions, technical logs, fraud detection) | Technical identifiers, action metadata, server IP | Legitimate interest — application security (Art. 32) and demonstration of compliance (Art. 5.2) |
| Exercise of your GDPR rights | All data collected (depending on the request) | Legal obligation (Art. 12 to 22 GDPR) |
| Proof of acceptance of contractual documents | UserId, accepted versions of the Terms of Use and this policy, dates | Legitimate interest — contractual proof (Art. 6.1.f) |
| Audience measurement on the showcase website | Browsing data (Google Analytics 4) | Consent (Art. 6.1.a) — collected via the cookie banner |
| B2B commercial prospecting | Contact details of prospects, commercial notes, history of exchanges | Legitimate interest — B2B prospecting (Art. 6.1.f) |
| Internal administrative and legal management (customer/supplier contracts, legal documents) | Contractual identity, content of contracts | Legal obligation (Art. 6.1.c) + Legitimate interest (Art. 6.1.f) |
4. Processors and recipients
ORKOM uses trusted technical processors, acting as processors within the meaning of the GDPR, strictly necessary for the performance of the service. These processors are subject to contractual obligations of confidentiality and security in line with GDPR requirements (Article 28).
| Processor | Service | Data concerned | Location | Safeguards |
|---|---|---|---|---|
| Google LLC | Application hosting (infrastructure and stored data), Vertex AI Gemini | All user data and data uploaded by the user (documents) | EU | Data Privacy Framework, Standard Contractual Clauses (SCC), Data Processing Addendum |
| Google LLC | Firebase Authentication, Google Analytics, Google Workspace (Gmail, Drive, Sheets, Calendar) | Connection, browsing and prospecting data | USA | Data Privacy Framework, Standard Contractual Clauses (SCC), Data Processing Addendum |
| Anthropic, PBC | Claude API – AI processing of content, used when the customer organization selects Anthropic as the model provider in its settings | Content of documents when this option is selected | USA | Standard Contractual Clauses (SCC), Data Processing Addendum, Data is not used for training |
| Plus Five Five, Inc. (Resend) | Sending of transactional emails (email verification, password reset, invitations, notifications) | Email, content of notifications | USA | EU-US Data Privacy Framework, Standard Contractual Clauses, signed DPA |
AI processing is not automatically performed by Anthropic. A model hosted in Europe can be selected on the platform.
This list may evolve. Any change will be reflected in an update of this policy.
ORKOM may be required to disclose your data to the competent authorities (tax administration, judicial authorities) in connection with a legal obligation or judicial request.
ORKOM never sells, rents or transfers your personal data to third parties for commercial purposes.
5. Transfers outside the European Union
Some of our processors are established in the United States. Transfers involving them are strictly limited as follows:
- Resend (sending of transactional emails): only basic identification data is concerned (name, first name, email address of the recipient). No data from the Customer Content (documents, end-customer data) is transmitted to Resend.
- Google LLC (authentication via Firebase and audience measurement via Google Analytics): only account and browsing data is concerned. No data from the Customer Content is transmitted in this context — the hosting and storage of the Customer Content are carried out within the European Union (region europe-west4).
- Anthropic (AI processing of the Customer Content): this transfer only takes place if the customer organization explicitly activates this option in its settings. By default, AI processing is carried out within the European Union, and no data is transmitted to Anthropic.
These transfers are governed by the following safeguards:
- EU-US Data Privacy Framework (DPF), adequacy mechanism recognized by the European Commission on 10 July 2023.
- Standard Contractual Clauses (SCC) adopted by the European Commission (Implementing Decision EU 2021/914), incorporated into the DPAs of all our US processors.
You may obtain a copy of the applicable safeguards by contacting us at support@orkom.fr.
6. Retention periods
Retention periods are set by purpose, in accordance with the principle of storage limitation (Art. 5.1.e GDPR).
| Data category | Retention period | Basis |
|---|---|---|
| User account (identification, authentication) | As long as the account is active or attached to an active organization. Deletion on request at any time via support@orkom.fr or manually on the platform. | Performance of the contract |
| Organizational content (Application) | As long as the customer organization is active, according to the instructions of the data controller | Customer DPA |
| Billing data and issued invoices | 10 years from the close of the accounting year | Legal obligation — French Commercial Code, Art. L.123-22 |
| Commercial contracts (customers, suppliers) | Duration of the contract + 5 years after its end | Civil prescription — French Civil Code, Art. 2224 |
| Audit logs (sensitive actions in the Application) | 2 years | Application security (Art. 32) |
| Technical application logs | 30 days | Security and maintenance |
| Database backups | 14 days (full backups) + 7 days (Point-in-Time Recovery) | Security and continuity |
| Audience measurement cookies (_ga, _ga_*) | 13 months | CNIL recommendation |
| Prospect data (commercial CRM) | 3 years from the last contact | CNIL recommendation — B2B prospecting |
| Proof of acceptance of the Terms of Use and this policy | Duration of the contract + 5 years (anonymized after deletion of the account) | Civil prescription |
At the end of these periods, your data is permanently deleted or anonymized. Upon deletion of your account, references to your identity in audit logs and legal acceptances are anonymized (your identifier is removed, technical traces are kept for accountability purposes).
7. Your rights
In accordance with Articles 15 to 22 of the GDPR, you have the following rights:
| Right | What it means | How to exercise it |
|---|---|---|
| Right of access (Art. 15) | Obtain confirmation that your data is being processed and receive a copy of it | Email to support@orkom.fr |
| Right to rectification (Art. 16) | Correct inaccurate or incomplete data | Modify directly from your account (settings) or email to support@orkom.fr |
| Right to erasure (Art. 17) | Request the deletion of your data | Self-service deletion of your account (Settings > User > Delete my account) or email to support@orkom.fr |
| Right to restriction (Art. 18) | Request the temporary suspension of a processing activity | Email to support@orkom.fr |
| Right to data portability (Art. 20) | Receive your data in a structured, commonly used, machine-readable format (JSON) | Self-service export (Settings > User > Export my data) |
| Right to object (Art. 21) | Object to a processing activity based on legitimate interest (in particular prospecting) | Email to support@orkom.fr or unsubscribe link in our commercial emails |
| Withdrawal of consent | Withdraw your consent at any time (cookies in particular) | Via the "Manage cookies" button in the footer of the showcase website |
| Post-mortem directives | Define directives concerning your data after your death | Email to support@orkom.fr |
Response time: ORKOM commits to responding to your requests within a maximum of one month from receipt, in accordance with Article 12.3 GDPR. This period may be extended by two months in case of a complex request, in which case you will be informed.
Identity verification: for security reasons, ORKOM may ask you to prove your identity before processing your request.
Special case — Persons mentioned in customer content: if you are a natural person whose data appears in documents uploaded by an ORKOM customer (e.g. employee, service provider, contact of a firm using ORKOM), you must exercise your rights directly with that organization, which is the data controller for this content. ORKOM will assist the organization in processing your request in accordance with Article 28 GDPR.
Right to lodge a complaint with the CNIL
If you consider that your rights are not respected, you may lodge a complaint with the French Data Protection Authority (Commission Nationale de l'Informatique et des Libertés — CNIL):
Commission Nationale de l'Informatique et des Libertés (CNIL) 3 Place de Fontenoy — TSA 80715 75334 PARIS CEDEX 07 Phone: +33 (0)1 53 73 22 22 Website: www.cnil.fr
8. Security of your data
ORKOM implements appropriate technical and organizational measures to ensure the security of your data (Article 32 GDPR):
Technical measures:
- Encryption of data at rest (AES-256) on all databases and storage
- Encryption of data in transit (TLS 1.2+ for all communications)
- Two-factor authentication (MFA) available for all user accounts, recommended for administrators
- Hashed passwords (never stored in clear by ORKOM)
- Hosting in the European Union (Google Cloud, region europe-west4)
- Daily automatic backups + Point-in-Time Recovery (7 days)
- Strict data isolation by customer organization (multi-tenant architecture)
- Audit log of sensitive actions
- Access monitoring and anomaly detection
Organizational measures:
- Data access limited to authorized personnel, based on the principle of least privilege
- Confidentiality commitments signed by employees
- Training of teams in security best practices and the GDPR
- Documented procedures in case of incident
- Rigorous selection of processors with contractual requirements for equivalent safeguards
In the event of a data breach likely to entail a risk to your rights and freedoms, ORKOM commits to notifying the CNIL within 72 hours and, if the risk is high, to informing you directly (Articles 33 and 34 GDPR).
9. Cookies and trackers
9.1 Cookies on the showcase website (https://orkom.fr)
The showcase website uses the following cookies:
| Cookie | Type | Purpose | Duration | Consent |
|---|---|---|---|---|
| orkom-consent | Strictly necessary | Remember your choice regarding cookies | 13 months | Not required |
| _ga, _ga_* | Audience measurement | Traffic statistics via Google Analytics 4 | 13 months | Required (explicit opt-in) |
No audience measurement cookie is set until you have explicitly consented via the cookie banner. You can change your choice at any time via the "Manage cookies" button in the footer.
9.2 Cookies in the Application (https://app.orkom.fr)
The Application uses only cookies that are strictly necessary for its operation (authentication session management). No analytics or advertising cookie is set.
10. Automated decisions and profiling
ORKOM uses artificial intelligence models to process documents uploaded into the Application. However:
- As data controller of your user account, ORKOM does not make any automated decision producing legal effects concerning you within the meaning of Article 22 GDPR.
- As processor for the content uploaded by customers, if a feature (for example the file verification module) produces an automated assessment, the final decision is always made by a human within the customer organization. The information about this assessment and the right to obtain human intervention are the responsibility of the customer (data controller).
11. Updates to this policy
ORKOM reserves the right to modify this privacy policy at any time to reflect legal, technical or organizational changes.
In the event of a substantial modification, ORKOM will inform you by email (for users of the Application) or via a visible information banner on the website, before the changes take effect. The date of the last update appears at the top of this document.
Version history is available on request at support@orkom.fr.
12. Contact us
For any question relating to this policy or the exercise of your rights:
- GDPR email: support@orkom.fr
- General email: contact@orkom.fr
- Postal address: 22 Rue François Mauriac 33200, Bordeaux