Orangey

Privacy Policy

Last updated: March 2026

This Privacy Policy explains how Zendo Works ("we", "us", "our"), trading as Orangey, collects, uses, stores, and protects personal data in connection with the Orangey platform available at orangey.co. We are committed to protecting your privacy and complying with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.

If you have any questions about this policy, contact us at hello@orangey.co.

1. Who We Are

Zendo Works is the data controller for personal data processed through the Orangey platform. We are based in the United Kingdom.

Contact: hello@orangey.co

2. The Two Types of Users

Orangey serves two types of users with different data relationships:

  • Clients — professionals (mortgage brokers, accountants, insurance advisors, etc.) who create document requests and review submissions. Clients create accounts and are subject to our Terms of Service.
  • Customers — individuals who receive a unique link from a client and submit documents or information. Customers do not create accounts. Their data is processed on behalf of the client who sent them the link.

3. Data We Collect

Clients

  • Name, email address, and company name (provided at sign-up)
  • Authentication data managed via Clerk (passwordless magic-link)
  • Billing and payment information managed via Stripe (we do not store card details directly)
  • Usage data: requests created, requirements defined, submission activity

Customers

  • Name, email address, and phone number (provided by the client when creating a request)
  • Documents and files uploaded in response to a request (may include identity documents, financial records, and other sensitive personal data)
  • Text responses, dates, and answers provided in response to a request

Automatically Collected

  • IP address and browser/device information (standard server logs)
  • Cookies set by Clerk for authentication sessions

4. How We Use Your Data

  • To provide the Orangey platform and its features to clients and their customers
  • To send magic-link authentication emails to clients
  • To send submission link emails and document-related notifications to customers on behalf of clients
  • To process subscription payments and manage billing
  • To run AI-based document verification on uploaded files (Pro plan only) using Anthropic's Claude, with Mistral AI as a fallback
  • To comply with our legal obligations

5. Legal Basis for Processing

  • Contract — processing client data is necessary to provide the service under our Terms of Service
  • Legitimate interests — operating and improving the platform, preventing fraud, and maintaining security
  • Legal obligation — where we are required to process data by law
  • Consent — where we have obtained your consent (e.g. marketing communications, if applicable)

For customer data, the client acts as a separate data controller in respect of their customer relationships. Orangey acts as a data processor on the client's behalf for the purpose of document collection.

6. Third-Party Processors

We use the following third-party services to operate the platform. Each has been assessed for UK GDPR compliance:

  • Microsoft Azure: Encrypted file storage (Azure Blob Storage) · UK South
  • Resend: Transactional email delivery · EU/US
  • Clerk: Client authentication and session management · US (SCCs in place)
  • Stripe: Payment processing and subscription billing · US/EU (SCCs in place)
  • Anthropic: AI document verification (Pro plan only) · US (SCCs in place)
  • Mistral AI: AI document verification fallback (Pro plan only) · EU

7. Document Data and AI Processing

Files uploaded by customers are stored encrypted in Microsoft Azure Blob Storage (UK South region). On the Pro plan, uploaded files are temporarily sent to Anthropic (Claude) or Mistral AI for automated document verification — checking that the file matches the stated requirement. Files are transmitted over encrypted connections and are not stored or used for training by these providers under our agreements with them.

AI verification results (passed/failed, reason, confidence level) are stored alongside the submission record and are visible to the client.

8. Data Retention

  • Client account data is retained for the duration of the account and for up to 2 years after account closure
  • Submitted documents and responses are retained until the client deletes them or closes their account
  • Billing records are retained for 7 years to comply with UK financial record-keeping requirements
  • Server logs are retained for up to 90 days

9. Your Rights

Under UK GDPR, you have the following rights:

  • Access — request a copy of your personal data
  • Rectification — request correction of inaccurate data
  • Erasure — request deletion of your data in certain circumstances
  • Portability — request your data in a structured, machine-readable format
  • Objection — object to processing based on legitimate interests
  • Restriction — request we restrict processing in certain circumstances

To exercise any of these rights, contact us at hello@orangey.co. We will respond within 30 days. If you are unsatisfied with our response, you have the right to lodge a complaint with the Information Commissioner's Office (ICO).

10. Cookies

Orangey uses the following cookies:

  • Authentication cookie — set by Clerk to maintain client sessions. HTTP-only, Secure, expires after 7 days. Essential for the platform to function.

We do not use advertising or analytics cookies. We do not track customers across other websites.

11. Security

We implement appropriate technical and organisational measures to protect personal data, including encrypted storage, HTTPS-only transmission, HTTP-only secure cookies, access controls, and rate limiting. No method of transmission over the internet is 100% secure, and we cannot guarantee absolute security.

12. Changes to This Policy

We may update this policy from time to time. We will notify clients of material changes by email. The date at the top of this page reflects the most recent revision. Continued use of the platform after changes constitutes acceptance of the updated policy.