Privacy Policy

Last updated: January 15, 2026

At Ordiva, we take your privacy seriously. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our service.

1. Information We Collect

1.1 Information You Provide

  • Account Information: Name, email address, organization name, and password when you register
  • Workflow Data: Workflow definitions, case data, and evidence references you create
  • Documents: Only if you opt into Document Custody Mode
  • Communications: When you contact us for support or inquiries

1.2 Information Collected Automatically

  • Usage Data: Actions taken within the service, features used, timestamps
  • Device Information: Browser type, operating system, IP address
  • Cookies: Session cookies for authentication and preferences

2. How We Use Your Information

We use the information we collect to:

  • Provide, maintain, and improve the Service
  • Process your transactions and manage your subscription
  • Generate audit trails and compliance reports
  • Send you service-related communications
  • Respond to your inquiries and provide customer support
  • Monitor and analyze usage patterns to improve user experience
  • Protect against unauthorized access and security threats

3. Evidence Mode and Data Handling

3.1 Evidence Only Mode (Default)

In Evidence Only Mode, we do not store your documents. We only store:

  • References to documents (filenames, URLs, identifiers)
  • Your attestations about document contents
  • Audit trail of actions taken

Your documents remain in your own systems. We have no access to the actual document contents.

3.2 Document Custody Mode

If you explicitly opt into Document Custody Mode, we store your uploaded documents with:

  • AES-256 encryption at rest
  • TLS 1.3 encryption in transit
  • Access controls based on your organization's settings
  • Retention policies as configured by your organization

4. Information Sharing

We do not sell your personal information. We may share information only in these circumstances:

  • Service Providers: With trusted third parties who help us operate our service (e.g., cloud hosting, payment processing)
  • Legal Requirements: When required by law, subpoena, or court order
  • Protection: To protect the rights, property, or safety of Ordiva, our users, or the public
  • Business Transfers: In connection with a merger, acquisition, or sale of assets (with notice)

5. Data Security

We implement industry-standard security measures including:

  • Encryption at rest (AES-256) and in transit (TLS 1.3)
  • Regular security audits and penetration testing
  • SOC 2 Type II compliance
  • Access controls and authentication requirements
  • Regular backups and disaster recovery procedures

6. Data Retention

We retain your data for as long as your account is active or as needed to provide you services. Audit logs are retained for a minimum of 7 years to support compliance requirements. You may request deletion of your data, subject to legal retention requirements.

7. Your Rights

You have the right to:

  • Access: Request a copy of your personal data
  • Correction: Request correction of inaccurate data
  • Deletion: Request deletion of your data (subject to legal requirements)
  • Portability: Export your data in a machine-readable format
  • Objection: Object to certain data processing activities

To exercise these rights, contact us at privacy@ordiva.com.

8. International Data Transfers

Our servers are located in the United States. If you are accessing the Service from outside the US, please be aware that your information may be transferred to, stored, and processed in the US. We use Standard Contractual Clauses and other safeguards for international data transfers.

9. GDPR Compliance

For users in the European Economic Area (EEA), we comply with the General Data Protection Regulation (GDPR). Our lawful bases for processing include:

  • Contract performance (to provide the Service)
  • Legitimate interests (to improve and secure the Service)
  • Consent (for marketing communications)
  • Legal obligations (for compliance and tax records)

10. California Privacy Rights

California residents have additional rights under the California Consumer Privacy Act (CCPA), including:

  • Right to know what personal information is collected
  • Right to delete personal information
  • Right to opt out of the sale of personal information (we do not sell your data)
  • Right to non-discrimination for exercising privacy rights

11. Cookies

We use cookies for:

  • Essential cookies: Required for authentication and security
  • Functional cookies: Remember your preferences
  • Analytics cookies: Help us understand how you use the Service

You can control cookies through your browser settings, though some features may not work properly without them.

12. Children's Privacy

The Service is not intended for users under 16 years of age. We do not knowingly collect personal information from children under 16.

13. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by email or through the Service. Your continued use after changes constitutes acceptance of the updated policy.

14. Contact Us

If you have questions about this Privacy Policy or our data practices, contact us at:

Email: hello@mmekeservices.com
Address: Mohalalitoe, Maseru, Lesotho
Data Protection Officer: hello@mmekeservices.com