Privacy Policy
Last updated: March 21, 2026
Vextria Atlas Group Limited, operating as Orderly ("Orderly," "we," "us," or "our"), is committed to protecting your privacy. This Privacy Policy describes how we collect, use, disclose, and safeguard your information when you use our platform, website, APIs, and related services (collectively, the "Service").
1. Information We Collect
Account Information
When you create an account, we collect your name, email address, organization name, and authentication credentials. If you sign up through a third-party provider (such as Google), we receive your name and email from that provider.
Organization Data
When you connect integrations ("Bridges") to the Service, we process data from your connected platforms, including but not limited to:
- Order information (order IDs, line items, amounts, customer details)
- Shipment and tracking data (carrier, tracking numbers, delivery status)
- Product and inventory information
- Customer names and shipping addresses from your connected platforms
This data belongs to your organization. We process it solely to provide the Service to you.
Embed End User Data
If you use our Embed system to white-label Orderly features in your application, we process data about your end users, including the external user ID you provide, optional name and email, session activity, and any action requests they submit. You are responsible for providing appropriate privacy disclosures to your end users.
Usage Data
We automatically collect information about how you interact with the Service, including pages visited, features used, API calls made, IP addresses, browser type, device information, and timestamps.
AI Agent Interactions
If you use the Orderly AI Agent, we process your chat messages, queries, and the agent's responses. The agent may store memory items (preferences, patterns) to improve its assistance over time. You can view and delete agent memories at any time.
2. How We Use Your Information
We use the information we collect to:
- Provide, operate, and maintain the Service
- Synchronize and normalize data across your connected platforms
- Execute operations, dispatchers, and transformations you configure
- Process action requests from your Embed end users
- Send transactional notifications (webhooks, alerts, status updates)
- Provide AI-powered assistance through the Orderly Agent
- Monitor and improve Service performance, reliability, and security
- Generate aggregated analytics, benchmarks, and industry insights (see Section 3)
- Train and improve machine learning models (see Section 3)
- Respond to support requests and communicate with you
- Comply with legal obligations
3. Aggregated Data, Analytics & Model Training
Aggregated Analytics & Benchmarking
We aggregate and anonymize operational data from across the platform to generate industry insights, performance benchmarks, and analytics products. This includes metrics such as carrier delivery performance, average transit times, dwell times, late delivery rates, regional shipping patterns, and fulfillment benchmarks.
Aggregated data is stripped of all personal identifiers (names, addresses, email addresses) and cannot be used to identify any individual or organization. We may share these aggregated, anonymized insights with, or sell them to, third parties.
Machine Learning & Model Training
We use anonymized and aggregated operational data to train machine learning models that power features within the Service and may be offered as separate products. These models may be used for delivery time prediction, carrier performance scoring, anomaly detection, routing optimization, and similar logistics intelligence purposes.
We do not use your personal data (names, addresses, contact information) to train models. Model training uses only anonymized, aggregated operational metrics.
4. Data Sharing and Disclosure
We share information in these circumstances:
- Connected Platforms: When you configure a Bridge, we transmit data to and from that platform as necessary to perform the integration tasks you've configured (e.g., pushing fulfillment status back to Shopify).
- Aggregated Data: We may share or sell aggregated, anonymized data and insights derived from platform-wide operational data. This data does not contain personal information or identify individual users or organizations.
- Service Providers: We use third-party providers to host infrastructure (Vercel, Google Cloud, Supabase), process background jobs (Upstash), and deliver webhooks. These providers process data on our behalf under contractual obligations.
- AI Processing: AI Agent queries are processed by our AI service infrastructure. Your identifiable data is not used to train third-party AI models.
- Legal Requirements: We may disclose information if required by law, court order, or governmental request.
- Business Transfers: In the event of a merger, acquisition, or sale of assets, your information may be transferred as part of that transaction.
5. Lawful Basis for Processing (GDPR)
Under the UK General Data Protection Regulation (UK GDPR) and the EU General Data Protection Regulation (EU GDPR), we process personal data on the following legal bases:
- Contract: Processing necessary to provide the Service to you (account management, data synchronization, order processing, Bridge operations)
- Legitimate Interest: Processing for analytics, benchmarking, model training using anonymized data, Service improvement, fraud prevention, and security monitoring. We conduct balancing tests to ensure our interests do not override your rights.
- Consent: Where required, such as for optional marketing communications. You may withdraw consent at any time.
- Legal Obligation: Processing required to comply with applicable laws and regulations.
6. Data Retention
We retain your account data for as long as your account is active. Organization data (orders, shipments, operations) is retained for the duration of your subscription. When you delete your account or organization, we delete associated data within 30 days, except where retention is required by law.
Embed session tokens expire after their configured TTL (default: 1 hour). Embed event logs are retained for 90 days. Agent memory items are retained until you delete them or they expire based on their configured lifecycle.
7. Data Security
We implement industry-standard security measures to protect your data, including:
- Encryption in transit (TLS) and at rest
- Row-level security (RLS) ensuring strict tenant isolation in our database
- API key and session token hashing (bcrypt)
- Scoped permissions and role-based access control
- Regular security reviews and monitoring
8. Your Rights Under GDPR
If you are located in the United Kingdom or European Economic Area, you have the following rights under the UK GDPR and EU GDPR:
- Right of Access: Request a copy of the personal data we hold about you
- Right to Rectification: Request correction of inaccurate or incomplete personal data
- Right to Erasure: Request deletion of your personal data where there is no compelling reason for continued processing
- Right to Data Portability: Receive your personal data in a structured, machine-readable format
- Right to Restrict Processing: Request that we limit how we use your data
- Right to Object: Object to processing based on legitimate interest
- Right to Withdraw Consent: Where processing is based on consent, withdraw it at any time without affecting the lawfulness of prior processing
- Right to Lodge a Complaint: File a complaint with the UK Information Commissioner's Office (ICO) or your local data protection authority
To exercise these rights, contact us at legal@vextria.tech. We will respond within 30 days (or one calendar month as required by GDPR).
9. Cookies and Tracking
We use essential cookies for authentication and session management. We use analytics to understand Service usage patterns. We do not use third-party advertising trackers.
10. International Data Transfers
Our Service infrastructure is hosted in the United States and European Union. Data may be transferred between these regions as necessary to provide the Service. For transfers of personal data outside the UK and EEA, we rely on appropriate safeguards including Standard Contractual Clauses (SCCs) approved by the European Commission and the UK International Data Transfer Agreement (IDTA) where applicable.
11. Children's Privacy
The Service is not intended for use by individuals under the age of 16. We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, please contact us.
12. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of material changes by posting the updated policy on our website and updating the "Last updated" date. Your continued use of the Service after changes constitutes acceptance of the updated policy.
13. Data Controller
The data controller for the purposes of GDPR is:
Vextria Atlas Group Limited
Email: legal@vextria.tech
If you have questions about this Privacy Policy, our data practices, or wish to exercise your rights, contact us at the address above. You also have the right to lodge a complaint with the UK Information Commissioner's Office (ICO) at ico.org.uk.