Privacy Policy
Last Updated: November 1, 2025
1. Introduction
S.C. ORGO INFORMATICS SRL ("Orgo," "we," "us," or "our") operates Orgo.space, a multi-tenant SaaS cloud platform that enables organizations to manage and connect their members, volunteers, beneficiaries, and supporters.
This Privacy Policy explains how we collect, use, disclose, and protect personal information when you use our website (orgo.space and docs.orgo.space), mobile applications, and services (collectively, the "Services").
Our Commitment:
- Registered in Romania: Str. Gheorghe Grigore Cantacuzino nr 14, etaj PARTER, ap 1, Ploiești, județul Prahova
- Registration: J29/2796/2019
- Fiscal Code: 41650896
- Compliant with GDPR (EU), UK GDPR, CCPA (USA), COPPA, and international privacy standards
Our Business Model:
- We do NOT sell your personal data to third parties or data brokers
- We do NOT display advertisements to users
- We do NOT monetize your data through advertising networks
- Our revenue comes exclusively from subscription fees paid by organizations using our Services
This Privacy Policy is part of our Terms of Service. By using the Services, you agree to the practices described in this policy.
Which Terms Apply to You:
2. Important Distinctions: Data Controller vs. Data Processor
When Orgo is the Data Controller
We act as the Data Controller for:
- Visitors to our website (orgo.space)
- Prospective customers and demo requestors
- Organization administrators who register and manage accounts
- Newsletter subscribers
- Job applicants
When Your Organization is the Data Controller
When you create an organization on Orgo.space, your organization becomes the Data Controller for:
- Your members, volunteers, and beneficiaries
- Any personal data collected through your Orgo instance
- Content and communications within your community
In this case, Orgo acts as a Data Processor on behalf of your organization, as defined in our Data Processing Agreement (DPA). We process data only according to your instructions and the DPA.
Important: If you are a member of an organization using Orgo, please review that organization's privacy policy to understand how they handle your personal data. This Privacy Policy does not govern how organizations use the data they collect through our Services.
Your Rights:
Organization Responsibilities as Data Controller
When your organization acts as Data Controller, it is responsible for:
Data Protection Compliance
- Complying with GDPR, CCPA, COPPA, and all applicable data protection laws
- Obtaining valid consent or establishing another legal basis for processing member data
- Implementing appropriate technical and organizational security measures
- Having a privacy policy that informs members about data processing
Administrator Access and Confidentiality
- Ensuring all administrators with access to member data have:
  - Signed confidentiality agreements or are bound by professional secrecy obligations
  - Received appropriate training on data protection requirements
  - Authorization and legitimate need to access the data
- Conducting background checks for administrators who have access to children's data (under 18, or under 16 in EU, or under 13 in US)
- Implementing access controls based on the "need-to-know" principle
- Revoking access immediately when an administrator's role ends
Data Security and Breach Response
- Monitoring for unauthorized access or misuse of member data
- Notifying affected members if a data breach occurs (as required by law)
- Taking corrective action if an administrator misuses member data
- Maintaining documentation of access controls and security measures
Children's Data Protection
If your organization serves children:
- Obtaining verifiable parental consent before collecting children's data
- Implementing age verification mechanisms
- Ensuring administrators with access to children's data have appropriate background checks and safeguarding training
- Responding promptly to parental requests to access, correct, or delete children's data
Member Rights
- Responding to member requests to access, correct, or delete their personal data
- Honoring opt-out requests for marketing communications
- Providing data portability when requested
For detailed contractual obligations, please see our Organization Terms of Service, Section 5.5 (Rights and Obligations of Organizations).
3. Information We Collect
3.1 Personal Information You Provide Directly
Registration and Profile Information
- Name, email address, phone number
- Organization name and role
- Profile photo and bio
- Location (city, country)
- Topics of interest
- Custom profile fields set by your organization
Social Media Integration
When you register or log in using Google, Microsoft, Apple, or LinkedIn:
- Profile information (name, photo)
- Email address
- LinkedIn/social media profile URL
Payment Information
- Credit card information (processed directly by Stripe - we do not store full card details)
- Billing address and VAT/tax identification
- Transaction history (last 4 digits of card, amount, date)
Communications
- Messages sent through contact forms
- Support tickets and customer service interactions
- Email correspondence
- Direct messages and discussions within organizations
- Comments, posts, and user-generated content
Events and Activities
- Event registrations and attendance
- RSVP responses
- Livestream participation (video/audio recordings when you agree to participate)
Documents and Files
- Uploaded documents, images, videos
- eSignatures and electronic document approvals
- Files stored in your organization's drive
Donations and Fundraising
- Donation amount and frequency
- Membership fee payments
- Event ticket purchases
3.2 Information We Collect Automatically
Device and Technical Information
- IP address
- Browser type and version
- Operating system
- Device type (mobile, tablet, desktop)
- Unique device identifiers
- Language preferences
Usage Information
- Pages visited and time spent
- Features used
- Links clicked
- Search queries
- Navigation paths
- Actions taken (posts, comments, votes, task completions)
- Login dates and times
Location Information
- Approximate location from IP address
- Precise GPS location (only if you enable location services in our mobile app)
Cookies and Similar Technologies
We use cookies, web beacons, local storage, and similar technologies to:
- Remember your preferences and settings
- Authenticate your session
- Analyze how you use our Services (using privacy-focused analytics)
- Improve service performance and reliability
See Section 12 (Cookies) for more details.
3.3 Information from Third Parties
Integrated Services (Optional - at your organization's choice)
Your organization may choose to connect third-party services (such as HubSpot, Google Tag Manager, Meta Pixel, SSO providers, webhooks, or custom API integrations). When your organization enables these integrations:
- Data shared according to your organization's integration settings
- Activity and engagement metrics (if configured by your organization)
- The integration and data sharing is controlled by your organization, not by Orgo
Public Sources
- Publicly available information for business prospecting
- Social media profiles (when you use social login)
Organization Administrators
If your organization administrator creates an account for you or imports your information:
- Data provided by the organization about you
4. How We Use Your Information
4.1 To Provide and Improve the Services
Service Delivery
- Create and manage your account
- Enable you to join and participate in organizations
- Facilitate communication between members
- Process payments and donations
- Deliver events, courses, and content
- Provide customer support
Personalization
- Customize your experience based on your interests and activity
- Recommend relevant content, groups, and members
- Tailor notifications and communications
Analytics and Improvement
- Understand how the Services are used (using privacy-focused analytics - Plausible)
- Identify usage trends and patterns
- Improve features and develop new functionality
- Conduct research and analysis
- Generate aggregated and anonymized statistics
4.2 Communications
Transactional Communications
- Account notifications
- Security alerts
- Payment receipts and invoices
- Service updates and changes
- Responses to your inquiries
Marketing Communications (with your consent where required)
- Newsletter and product updates
- Educational content and webinars
- Promotional offers and announcements
- Event invitations
You can opt out of marketing communications at any time (see Section 10).
4.3 Legal and Security Purposes
- Comply with legal obligations
- Enforce our Terms and Conditions
- Prevent fraud and abuse
- Protect rights, property, and safety
- Respond to legal requests and investigations
- Maintain appropriate records
4.4 With Your Consent
We will obtain your consent for processing when required by law, including for:
- Special categories of personal data (health, biometric, children's data)
- Marketing communications in certain jurisdictions
- Non-essential cookies
- Recording of video/audio in livestreams
5. How We Share Your Information
5.1 Within Your Organization
Organization Administrators
Your organization's administrators can access:
- Your profile information (name, email, custom fields)
- Your activity and engagement metrics
- Content you post or share
- Event registrations and attendance
- Payment and donation history
- Usage analytics (aggregated and individual)
Other Members
Depending on your organization's privacy settings (Public, Private, Secret):
- Public Organizations: All content and profile information is visible to anyone, including search engines
- Private Organizations: Content visible only to approved members
- Secret Organizations: Only invited members can find and access the organization
Search and Discovery
Members may search for you by:
- Name
- Location
- Topics of interest
- Custom profile fields
5.2 Service Providers (Subprocessors)
We share information with trusted third-party service providers who assist us with:
Infrastructure and Hosting
- AWS (Frankfurt, Germany) - Primary cloud hosting and data storage for all organization data
- Cloudflare - CDN for static application assets only (JavaScript, CSS, images). Organization data is NOT processed through Cloudflare CDN.
Payment Processing
- Stripe - Payment processing and subscriptions
Analytics (Orgo-controlled)
- Plausible Analytics - Privacy-focused, GDPR-compliant analytics for our website and service usage (no personal data tracking, no cookies)
Communications
- AWS SES - Email service for transactional emails and notifications
- OneSignal - Mobile push notifications (optional, only if organization enables branded mobile app)
- Google Firebase Cloud Messaging - Web push notifications (optional, only if enabled)
Optional Integrations (at your organization's choice)
Your organization may choose to enable integrations with third-party services. When enabled, data sharing is controlled by your organization:
- SSO Providers (Google, Microsoft, Apple, LinkedIn) - For authentication only
- Marketing Tools (HubSpot, Google Tag Manager, Meta Pixel) - Only if your organization configures them
- Automation (Webhooks, n8n, custom APIs) - Only if your organization enables them
- OAuth Applications - Third-party apps authorized by your organization
Important:
- We enter into data processing agreements with all core service providers and limit their use of your data to the services they provide on our behalf
- Optional integrations are the responsibility of your organization - we act only as a processor to facilitate the connection
- A complete list of core subprocessors is available in our Subprocessors List document
5.3 Legal Requirements and Protection
We may disclose information when:
- Required by law (subpoena, court order, legal process)
- Responding to government or regulatory requests
- Enforcing our agreements and policies
- Protecting rights, property, or safety of Orgo, users, or the public
- Investigating fraud or security issues
- Defending legal claims
5.4 Business Transfers
If Orgo is involved in a merger, acquisition, asset sale, or bankruptcy:
- Your information may be transferred as part of that transaction
- We will notify you via email and/or prominent notice on our website
- Your privacy rights will continue to be protected
5.5 We Do Not Sell Your Personal Data
Important: Orgo does not sell, rent, or trade your personal information to third parties for monetary or other valuable consideration.
What This Means:
- We do not sell your data to data brokers
- We do not sell your data to advertisers
- We do not sell your data to marketing companies
- We do not monetize your personal information through advertising
Our Revenue Model:
- We earn revenue exclusively through subscription fees paid by organizations
- We do not display advertisements to users
- We do not track you across the web for advertising purposes
CCPA "Sale" Definition:
Under California law (CCPA), "sale" has a broad definition that may include some data sharing. However:
- We do not engage in traditional data sales
- If your organization enables optional third-party integrations (like Meta Pixel), that may be considered a "share" under CCPA, but it is controlled by your organization, not by Orgo
- You can opt out of any such sharing by disabling integrations or using Global Privacy Control (GPC)
5.6 With Your Consent
We will share information with third parties when you explicitly authorize us to do so.
5.7 Aggregated and Anonymized Data
We may share aggregated, anonymized, or de-identified data that cannot reasonably identify you:
- For research and analysis
- With business partners
- For public reporting
This data cannot be used to identify you and is not considered personal information.
6. Children's Privacy (COPPA Compliance)
Organizations Without Children
Most of our customers serve adult members. If your organization does not serve children under 13 (or under 16 in the EU), standard data protection practices apply.
Organizations Serving Children
Some organizations using Orgo (educational institutions, scouting organizations) serve children under 13 years old (USA - COPPA) or under 16 years old (EU - GDPR).
Special Protections for Children:
Under Age 13 (USA - COPPA)
- Organizations must obtain verifiable parental consent before collecting personal information from children under 13
- Organizations must provide parents with:
  - Notice of data collection practices
  - Ability to review their child's information
  - Ability to request deletion
  - Option to consent to collection but not to disclosure to third parties
Under Age 16 (EU - GDPR)
- Consent for data processing requires parental authorization for children under 16 (or younger, depending on EU member state)
Orgo's Responsibilities:
- We do not knowingly collect personal information from children without proper parental consent mechanisms in place
- Organizations serving children must implement appropriate consent mechanisms
- If we learn we have collected data from a child without proper consent, we will delete it promptly
Organization Administrator Responsibilities:
If your organization serves children, you must:
- Implement verifiable parental consent mechanisms
- Provide clear privacy notices to parents
- Enable parents to access, review, and delete their child's data
- Comply with COPPA, GDPR, and applicable children's privacy laws
- Clearly mark child accounts in your organization settings
Reporting: If you believe we have collected information from a child without proper consent, contact us immediately at privacy@orgo.space.
7. International Data Transfers
Our Infrastructure
Current Data Residency
- Primary Hosting: AWS Frankfurt, Germany (EU)
  - All organization data is stored and processed in the EU
  - Data remains in EU/EEA unless you explicitly choose otherwise
- CDN: Cloudflare (global network)
  - Used only for static application assets (JavaScript, CSS, images)
  - Organization data does NOT transit through Cloudflare
- Payment Processing: Stripe (EU and USA operations)
Future North American Data Residency (Planned)
For organizations based in North America, we plan to offer optional data hosting in the United States:
- AWS US regions (e.g., us-east-1 Virginia or us-west-2 Oregon)
- Organizations will choose their data residency location upon signup
- Data will remain in the chosen region and will not be transferred between regions without explicit consent
- This option will be available for organizations that prefer US-based data storage for latency or regulatory reasons
Your Control Over Data Location
- You choose where your organization's data is stored (EU or US, when available)
- Data residency is locked to your chosen region
- Cross-region transfers only occur with your explicit authorization
Transfers Outside the EU/EEA
When we transfer personal data outside the EU/EEA, we ensure appropriate safeguards in accordance with GDPR Chapter V:
Standard Contractual Clauses (SCCs)
- We use the EU Commission's Standard Contractual Clauses (2021 version) with all non-EU service providers
- These clauses provide GDPR-level protection for your data
- We implement supplementary measures as required by the Schrems II decision
- We conduct Transfer Impact Assessments (TIAs) for all international transfers
Service Providers with International Operations
Some of our core service providers operate globally but have implemented GDPR-compliant safeguards:
| Service Provider | Service | Data Location | Safeguard |
| AWS | Hosting | EU (Frankfurt) | Data Processing Agreement, EU data residency |
| Cloudflare | CDN (static assets only) | Global network | Data Processing Agreement, EU-US Data Privacy Framework |
| Stripe | Payment processing | EU and USA | Data Processing Agreement, SCCs, EU-US Data Privacy Framework |
| Plausible Analytics | Privacy-focused analytics | EU | GDPR-compliant by design, no personal data tracking |
EU-US Data Privacy Framework
- For transfers to the United States, we rely on service providers certified under the EU-US Data Privacy Framework where applicable
- We verify certification status regularly
- We implement SCCs as a backup safeguard mechanism
Adequacy Decisions
We transfer data to countries recognized by the EU Commission as providing adequate protection under Art. 45 GDPR.
Supplementary Measures
In addition to SCCs, we implement supplementary technical and organizational measures:
- Encryption in transit and at rest
- Access controls and authentication
- Data minimization
- Contractual obligations for data protection
- Regular security audits
Your Rights
- You may request copies of the Standard Contractual Clauses we use by contacting privacy@orgo.space
- You may request information about Transfer Impact Assessments for specific service providers
- You may object to specific international transfers where we rely on legitimate interests
8. Data Retention
How Long We Keep Your Data
Active Accounts
- We retain your information for as long as your account is active or as needed to provide Services
Organization Data
- Data within organizations is retained according to the organization's retention settings
- Enterprise plan customers can customize retention policies
After Account Deletion
- Most personal data is deleted within 90 days
- Some information may be retained longer for legal, security, or operational purposes:
  - Transaction records: 10 years (accounting requirements)
  - Fraud prevention: 5 years
  - Legal claims: until the claim is resolved
  - Backup systems: up to 90 days
Specific Retention Periods:
| Data Type | Active Database | Archive Period |
| Account information | Duration of account | 90 days after deletion |
| Support tickets | Until resolution | 5 years |
| Payment records | Duration of relationship | 10 years (legal requirement) |
| Marketing contacts | Until opt-out | 3 years from last interaction |
| Analytics data | 26 months | Anonymized |
| Server logs | 12 months | N/A |
| Content and messages | Customizable by organization | Per organization settings |
Edited and Deleted Content
- Standard: Only the most recent version is retained
- Enterprise plan: Organizations can choose to retain edit history
9. Your Privacy Rights
Rights for All Users
Access
- Request a copy of the personal data we hold about you
Correction
- Update or correct inaccurate information in your account settings
Deletion
- Request deletion of your account and associated data
- Some data may be retained for legal obligations (see Section 8)
Portability
- Request your data in a structured, machine-readable format
Object to Processing
- Object to certain types of processing (e.g., direct marketing)
Restrict Processing
- Request temporary restriction of processing
Withdraw Consent
- Withdraw consent at any time (does not affect prior lawful processing)
Additional Rights for EU/EEA/UK Residents (GDPR)
Legal Basis for Processing
We process your data based on:
- Contract: To provide Services you requested
- Legitimate Interest: To improve Services, prevent fraud, ensure security
- Consent: For marketing, special categories of data, non-essential cookies
- Legal Obligation: To comply with laws and regulations
Right to Lodge a Complaint
You may file a complaint with your local data protection authority:
- Romania: Autoritatea Națională de Supraveghere a Prelucrării Datelor cu Caracter Personal (ANSPDCP)
- EU/EEA/UK: Your national data protection authority
EU Representative
For EU data protection matters, you may contact our EU representative (details available upon request).
Additional Rights for California Residents (CCPA/CPRA)
Right to Know
- Categories of personal information collected
- Purposes for collection
- Categories of sources
- Categories of third parties we share with
Right to Delete
Request deletion (subject to legal exceptions)
Right to Opt-Out
- Opt out of "sale" or "sharing" of personal information for targeted advertising
- Orgo does not sell personal information in the traditional sense
- If your organization enables third-party tracking integrations (e.g., Meta Pixel), this may be considered a "share" under CCPA's broad definition
- You can opt out by: (1) contacting your organization to disable integrations, (2) using Global Privacy Control (GPC), or (3) using browser cookie controls
Right to Non-Discrimination
We will not discriminate against you for exercising your privacy rights
Shine the Light
Request information about data shared with third parties for marketing purposes
See our California Privacy Notice for complete details.
Additional Rights for Other US State Residents
Residents of Colorado, Connecticut, Montana, Oregon, Texas, Utah, and Virginia have similar rights under state privacy laws. See our California Privacy Notice for details.
How to Exercise Your Rights
For Your Organization Account:
- Log in to your account settings to update, correct, or download your data
- Contact your organization administrator for data managed by them
For Orgo-Controlled Data:
- Email: privacy@orgo.space
- Write: S.C. ORGO INFORMATICS SRL, Str. Gheorghe Grigore Cantacuzino nr 14, etaj PARTER, ap 1, Ploiești, județul Prahova, Romania
Response Time:
- We will respond to verified requests within 30 days (GDPR) or 45 days (CCPA)
Verification:
We may require verification of your identity before processing your request to protect your privacy.
10. Your Choices and Controls
10.1 Account Settings
Control your profile information, privacy settings, and preferences in your account dashboard.
10.2 Notification Preferences
Choose which notifications you receive:
- Email notifications
- Mobile push notifications
- In-app notifications
- Notification frequency and type
Customize in: Account Settings > Notifications
10.3 Email Communications
Marketing Emails
- Click "Unsubscribe" in any marketing email
- Update preferences in account settings
- Email privacy@orgo.space
Transactional Emails
You cannot opt out of essential service communications (receipts, security alerts, account notifications).
10.4 Mobile App Permissions
Location Services
- Disable in device settings: Settings > Apps > Orgo > Permissions
Push Notifications
- Disable in device settings or app notification settings
Camera/Microphone
- Required only for specific features (livestreams, video content)
- Disable in device settings
10.5 Cookie Controls
Browser Settings
- Configure cookie preferences in your browser
- Block all cookies (may affect functionality)
Cookie Preference Center
- Manage cookie preferences on our website
- See Section 12 for details
10.6 Do Not Track / Global Privacy Control
Do Not Track (DNT)
- Our Services do not currently respond to DNT browser signals due to the lack of an industry standard
Global Privacy Control (GPC)
- We honor GPC signals where required by law (e.g., California, Colorado)
- GPC is recognized as an opt-out of data "sales"
10.7 Third-Party Tracking Controls
Organization-Controlled Tracking
If your organization has enabled third-party tracking tools (Google Tag Manager, Meta Pixel, etc.):
- Contact your organization administrator to opt out
- Use browser cookie controls to block third-party cookies
- Network Advertising Initiative: networkadvertising.org/choices
- Digital Advertising Alliance: aboutads.info/choices
- Your Online Choices (EU): youronlinechoices.eu
Orgo's Analytics
- We use Plausible Analytics, which is privacy-focused and does not track personal data
- Plausible does not use cookies and is GDPR-compliant by default
- No opt-out needed as we do not collect personally identifiable information for analytics
10.8 Social Media Integrations
Disconnect social media accounts in: Account Settings > Connected Accounts
10.9 Organization Visibility
Control how you appear to others in your organization settings (depending on organization type).
11. Security
Our Security Measures
Technical Safeguards
- Encryption in transit (TLS/SSL)
- Encryption at rest (AWS encryption)
- Regular security audits and penetration testing
- Intrusion detection and prevention
- DDoS protection (Cloudflare)
- Secure authentication (OAuth 2.0, SSO)
- Multi-factor authentication (MFA) available
Organizational Safeguards
- Access controls (least privilege principle)
- Employee training on data protection
- Confidentiality agreements with staff and contractors
- Security incident response plan
- Regular backups
Compliance
- ISO 27001 aligned practices
- GDPR-compliant data processing
- Regular compliance audits
Your Responsibilities
- Choose strong, unique passwords
- Enable multi-factor authentication
- Do not share login credentials
- Report security incidents immediately
- Log out from shared devices
No Absolute Security
No method of transmission or storage is 100% secure. While we implement industry-standard security measures, we cannot guarantee absolute security.
Phishing and Fraud
We will never ask for your password via email. If you receive suspicious communications claiming to be from Orgo, report them to security@orgo.space.
Data Breaches
In the event of a data breach affecting your personal data:
- We will notify you within 72 hours (GDPR requirement)
- We will inform relevant authorities as required by law
- We will provide guidance on protective actions
For detailed security practices, see our Security Policy.
12. Cookies and Tracking Technologies
What Are Cookies?
Cookies are small text files stored on your device that help websites function and provide analytics.
Types of Cookies We Use
Essential Cookies (always active)
- Authentication and session management
- Security and fraud prevention
- Load balancing and performance
- Remember your preferences
Analytics Cookies
- Plausible Analytics - Privacy-focused, GDPR-compliant analytics (no cookies, no personal data tracking)
- Internal analytics - feature usage and performance
- A/B testing and optimization
Marketing Cookies (optional - only if your organization enables them)
- Google Tag Manager - Only if configured by your organization
- Meta Pixel (Facebook) - Only if configured by your organization
- Custom tracking pixels - Only if configured by your organization
- These cookies are controlled by your organization, not by Orgo
Third-Party Cookies (only when used)
- Social media plugins (LinkedIn, Facebook, Twitter) - Only if your organization enables social sharing
- Payment processing (Stripe) - Only during payment transactions
- Video embeds (YouTube, Vimeo) - Only when embedded by your organization
- Integrated services - Only if your organization configures them
Other Tracking Technologies
Web Beacons (Pixels)
- Email open tracking
- Page view tracking
- Ad impression tracking
Local Storage
- HTML5 local storage for app-like functionality
- Session data for mobile apps
Mobile SDKs
- In-app analytics
- Push notification delivery
- Crash reporting
Managing Cookies
Cookie Preference Center
- Available on our website footer
- Customize cookie categories
- Withdraw consent at any time
Browser Controls
- Chrome: Settings > Privacy and security > Cookies
- Firefox: Settings > Privacy & Security > Cookies
- Safari: Preferences > Privacy > Cookies
- Edge: Settings > Privacy > Cookies
All About Cookies
Visit allaboutcookies.org for detailed cookie management instructions.
Impact of Blocking Cookies
Blocking essential cookies may prevent you from using certain features:
- Cannot stay logged in
- Settings not remembered
- Some features may not work properly
For a complete list of cookies, see our Cookie Policy (separate document available upon request).
13. Third-Party Links and Integrations
Third-Party Websites
Our Services may contain links to external websites not controlled by Orgo:
- We are not responsible for their privacy practices
- Review their privacy policies before providing information
- Links do not imply endorsement
Examples: YouTube channels, external documentation, partner websites
Integrated Services
Orgo supports various integrations that your organization controls. When your organization enables these integrations:
- Your organization authorizes data sharing, not Orgo
- The third party's privacy policy governs their use of the data
- Your organization can disconnect integrations at any time
Core Integrations (Always Available):
- SSO Providers: Google, Microsoft, Apple, LinkedIn - For authentication only
- Stripe: Payment processing - Required for paid features
Optional Integrations (Your Organization's Choice):
- HubSpot - CRM and marketing (only if your organization configures it)
- Google Tag Manager - Analytics and marketing (only if your organization configures it)
- Meta Pixel - Facebook tracking (only if your organization configures it)
- Webhooks - Custom automation (only if your organization configures it)
- n8n - Workflow automation (only if your organization configures it)
- Custom OAuth Apps - Third-party applications authorized by your organization
- API Integrations - Custom API consumers authorized by your organization
What Gets Shared (When Your Organization Enables Integrations):
- Account information (name, email) - If configured by your organization
- Profile data - If configured by your organization
- Usage activity - If configured by your organization
- Organization membership - If configured by your organization
SSO Data We Receive:
- Profile information (name, photo)
- Email address
- Authentication tokens
Important:
- Orgo does not share your data with third parties unless (1) you use SSO authentication, (2) you make a payment via Stripe, or (3) your organization explicitly configures an integration
- Your organization is responsible for their choice of integrations and compliance with privacy laws
- Review your organization's privacy policy and integration settings for details
14. Social Sharing Features
Our Services include social sharing features:
- Share content to Facebook, Twitter, LinkedIn
- Invite members via social media
- Display social media feeds
Privacy Implications:
- Information shared is governed by the social media platform's privacy policy
- Your privacy settings on those platforms control visibility
- We do not control how social platforms use shared data
Check your privacy settings on social media platforms to control what information is shared.
15. AI and Automated Decision-Making
AI Features
Orgo offers AI-powered features:
- Chat with your database
- Content recommendations
- Search and discovery
- Analytics and insights
- Smart content generation and summarization
- Predictive analytics
How We Use AI
Current AI Processing (Inference Only)
- Process relevant information to generate real-time responses
- Personalize your experience based on your activity
- Improve search results and content discovery
- Provide intelligent recommendations
Third-Party AI Providers
- AI providers (e.g., OpenAI, Anthropic) process data securely for inference only
- They do not store, retain, or log your data for training purposes
- No personal data is used for training, fine-tuning, or improving third-party AI models
- Data is transmitted securely and deleted immediately after processing
Future AI Model Training (With Your Consent)
We may develop proprietary AI models trained on aggregated Orgo platform data to improve our Services. If we do so:
Opt-In Only for Identifiable Data
- We will NEVER use your identifiable personal data for AI training without your explicit opt-in consent
- You will have clear controls in your organization settings to opt in or opt out
- Default setting: Opt-out (your data is NOT used for training)
Anonymized and Aggregated Training Data
We may use anonymized, aggregated, and de-identified data for AI model training without additional consent:
- Data that cannot reasonably identify you or your organization
- Aggregated usage patterns and trends
- General content structures and templates
- This data helps us improve features for all users
What Training May Include (If You Opt-In)
- Community engagement patterns
- Content types and structures
- Communication styles
- Organizational workflows
- Event management patterns
- Fundraising strategies
What Training Will NEVER Include
Even with opt-in consent, we will never use for training:
- Payment information or financial data
- Children's personal data (under 18, or under 16 in EU, or under 13 in US)
- Health or medical information
- Biometric data
- Social security numbers or government IDs
- Passwords or authentication credentials
- Private messages marked as confidential
Your Control Over AI Training
- Organization administrators can control AI training participation in: Settings > Privacy > AI & Machine Learning
- Individual members can opt out regardless of organization settings
- You can withdraw consent at any time (does not affect prior training)
- We will provide transparency reports on how your data is used
Benefits of Opting In
Organizations that opt in to AI training may receive:
- Early access to new AI features
- More accurate and relevant recommendations
- Industry-specific insights and benchmarks
- Improved content suggestions tailored to your sector
Security and Privacy Safeguards for AI Training
- Differential privacy techniques to protect individual privacy
- Data minimization (only necessary data used)
- Access controls (limited to authorized ML engineers)
- Regular audits and privacy impact assessments
- Compliance with GDPR Article 22 (automated decision-making)
Automated Decision-Making
No Significant Automated Decisions Without Human Oversight
We do not use automated decision-making that produces legal or similarly significant effects without human oversight.
Limited Automated Decisions
We may use automated systems for:
- Spam and abuse detection
- Content moderation (flagging for human review)
- Fraud prevention
- Security threat detection
Your Rights
Under GDPR Article 22, you have the right to:
- Not be subject to decisions based solely on automated processing that significantly affects you
- Request human review of automated decisions
- Contest automated decisions
Explainability
For AI-powered features, we strive to provide:
- Clear explanations of how AI recommendations are generated
- Transparency about what data influences AI outputs
- Options to provide feedback and correct AI behavior
16. Changes to This Privacy Policy
Updates
We may update this Privacy Policy to reflect:
- Changes in our practices
- Legal or regulatory requirements
- New features or services
- User feedback
Notification
When we make material changes, we:
- Update the "Last Updated" date at the top
- Notify you via email (for significant changes)
- Post a notice on our website
- May require re-acceptance for material changes
Review Regularly
We encourage you to review this policy periodically to stay informed about how we protect your privacy.
Previous Versions
Contact privacy@orgo.space to request previous versions of this policy.
17. Contact Us
Privacy Questions
For questions about this Privacy Policy or our privacy practices:
Email: privacy@orgo.space
Data Protection Officer: Vasile Varzariu-Darie
Mail:
S.C. ORGO INFORMATICS SRL
Str. Gheorghe Grigore Cantacuzino nr 14, Ploiești, județul Prahova, Romania
J29/2796/2019
Data Subject Requests
To exercise your privacy rights (access, deletion, portability):
- Email: privacy@orgo.space
- Subject line: "Data Subject Request - [Your Request Type]"
- Include: Your name, email, organization (if applicable), and specific request
Security Issues
Report security concerns or incidents:
Support
For general support questions:
We aim to respond to all inquiries within 48 hours (business days).
18. Jurisdiction-Specific Information
European Union / EEA / UK
GDPR Compliance
This policy complies with GDPR and UK GDPR requirements.
Legal Basis:
- Contract (Art. 6(1)(b)) - to provide Services
- Legitimate Interest (Art. 6(1)(f)) - to improve Services, prevent fraud
- Consent (Art. 6(1)(a)) - for marketing, special categories of data
- Legal Obligation (Art. 6(1)(c)) - to comply with laws
Supervisory Authority (Romania):
Autoritatea Națională de Supraveghere a Prelucrării Datelor cu Caracter Personal (ANSPDCP)
B-dul G-ral. Gheorghe Magheru 28-30, Sector 1, București
www.dataprotection.ro
EU Representative: Available upon request
United States
California (CCPA/CPRA)
See our California Privacy Notice for complete CCPA disclosures.
Other States:
Colorado, Connecticut, Montana, Oregon, Texas, Utah, Virginia residents should review our California Privacy Notice for applicable rights.
COPPA (Children under 13)
See Section 6 for children's privacy protections.
Nevada
Orgo does not sell personal information as defined by Nevada law. We do not engage in the sale of covered information for monetary consideration. If you have questions, contact privacy@orgo.space.
Canada
PIPEDA Compliance
We comply with Canada's Personal Information Protection and Electronic Documents Act (PIPEDA).
Canadian Office of the Privacy Commissioner:
www.priv.gc.ca
Other Jurisdictions
We strive to comply with privacy laws in all jurisdictions where we operate. Contact us for jurisdiction-specific questions.
19. Dispute Resolution
Disputes with Organizations
If you have a privacy dispute with an organization using Orgo:
- Contact the organization directly (they are the Data Controller)
- If unresolved, contact us at privacy@orgo.space and we will facilitate
Disputes with Orgo
- First contact privacy@orgo.space
- We will work to resolve disputes informally
- EU residents may contact their data protection authority
- California residents may contact the California Attorney General
Arbitration
Dispute resolution provisions in our Terms and Conditions may apply.
20. Definitions
Personal Data/Personal Information: Any information relating to an identified or identifiable person.
Special Categories of Personal Data: Data revealing racial/ethnic origin, political opinions, religious beliefs, health information, biometric data, sexual orientation.
Processing: Any operation on personal data (collection, storage, use, disclosure, deletion).
Data Controller: The entity that determines the purposes and means of processing personal data.
Data Processor: An entity that processes personal data on behalf of a Data Controller.
Consent: Freely given, specific, informed, and unambiguous indication of agreement to processing.
Subprocessor: A third-party service provider that processes data on behalf of a Data Processor.
Aggregated Data: Data combined in summary form for statistical analysis, with personal identifiers removed.
Anonymized Data: Data that can no longer identify an individual, even with additional information.
Pseudonymization: Processing data so it cannot identify an individual without additional information kept separately.
Appendix: Summary of Privacy Practices
What We Collect
- Name, email, profile information
- Payment and billing information
- Communications and content
- Usage and device information (via Plausible Analytics - no personal tracking)
- Location data (with permission)
Why We Collect It
- Provide and improve Services
- Process payments
- Communicate with you
- Ensure security
- Comply with laws
Who We Share With
- Your organization administrators - They control your member data
- Other members - Based on privacy settings (Public/Private/Secret)
- Core service providers:
  - AWS Frankfurt (hosting - all organization data stays in EU)
  - Cloudflare (static assets only - NOT organization data)
  - Stripe (payment processing)
  - Plausible (privacy-focused analytics - no personal data)
- Optional integrations - Only if YOUR ORGANIZATION enables them (HubSpot, Google Tag Manager, Meta Pixel, webhooks, etc.)
- Legal authorities - When required by law
Key Privacy Protections
- We do NOT sell your data: No data sales to brokers, advertisers, or third parties
- No advertisements: We do not display ads or monetize through advertising
- EU data residency: All organization data stored in AWS Frankfurt (Germany)
- Privacy-focused analytics: Plausible (no cookies, no personal tracking)
- Organization control: Integrations are opt-in by your organization
- Transparent processing: Clear Controller/Processor roles
- Subscription-based: Revenue from subscriptions, not from your data
Your Rights
- Access your data
- Correct inaccuracies
- Delete your account
- Export your data
- Opt out of marketing
- Object to processing
How to Contact Us
privacy@orgo.space
This Privacy Policy was last updated on November 1, 2025.
Document Version: 2.1