
Privacy Policy

How we collect, use, share, and protect personal data across the ORDENTRA platform and services.
Last updated: April 11, 2026
Effective: April 1, 2026
Version: 2.4
Sample policy — not legal advice

This is a sample policy for ORDENTRA's marketing site and does not constitute legal advice. Real enterprise agreements are provided separately by our legal team.

1. Introduction

ORDENTRA B.V. (“ORDENTRA,” “we,” “us,” or “our”) is the operational ledger of record for 200+ Global 2000 enterprises. This Privacy Policy explains how we collect, use, disclose, and safeguard personal data when customers, their authorized users, and visitors to our websites interact with the ORDENTRA platform and related services (the “Services”).

ORDENTRA is headquartered at Herengracht 412, 1017 BZ Amsterdam, Netherlands, and is incorporated under Dutch law. For the purposes of the EU General Data Protection Regulation (GDPR) and the UK GDPR, ORDENTRA acts as a data controller for personal data processed through our marketing websites and commercial relationships, and as a data processor for personal data our customers submit to the platform in the course of their own operations. When ORDENTRA acts as a processor, the terms of our Data Processing Addendum govern that relationship in addition to this Policy.

This Policy covers ordentra.com and any sub-domain that links to it, the ORDENTRA web application, our APIs, the marketing communications we send, and any in-person interactions at events we host or attend. It does not apply to third-party services our customers choose to connect to the platform, whose processing of personal data is governed by their own agreements and privacy notices.

2. Information we collect

We collect personal data in three broad categories, described below. Where a customer's use of the platform results in personal data being submitted to ORDENTRA as a processor, that data is handled strictly in accordance with the customer's documented instructions under the DPA.

2.1 Information you provide to us

When you create an ORDENTRA account, request a demo, purchase a subscription, contact support, or apply for a role, you provide information directly. This typically includes name, business email address, job title, company name, billing address, tax identifier, phone number, and the content of any messages you choose to send us.

  • Account data — username, password hash, authentication factors, role assignments, and workspace membership.
  • Billing data — legal entity, billing contact, purchase order numbers, VAT identifier, and the last four digits and expiry of any card you register through our payment processor.
  • Support data — the content of tickets, chat sessions, call recordings (where you have been notified), and attachments you provide to our customer success team.
  • Recruiting data — curriculum vitae, cover letter, interview notes, and work-authorization status for applicants to open roles.

2.2 Information we collect automatically

When you use the Services or visit our websites, we collect certain information automatically through standard logging, cookies, and analytics technologies. This allows us to operate the platform, detect abuse, and improve product quality.

  • Device and browser data — IP address, approximate geolocation derived from IP, device type, operating system, browser version, language, and referring URL.
  • Usage data — pages viewed, features used, clicks, scroll depth, search queries you enter into our product, and timestamps of each action.
  • Telemetry and log data — application errors, performance metrics, API request latency, and security-relevant events such as failed login attempts.
  • Cookies and similar technologies — see Section 12 for the categories of cookies we set and how to control them.

2.3 Information from third parties

We receive limited personal data from business partners and integration providers in order to deliver the Services you have requested or to maintain the security and integrity of the platform. This includes identity and single sign-on data from Okta, Microsoft Entra ID, and Google Workspace when a customer enables SSO; firmographic enrichment from vetted B2B data providers to validate commercial contacts; and transaction and master-data records from ERP systems your organization has connected to ORDENTRA.

We do not buy personal data from data brokers for marketing purposes, and we do not sell personal data. We do not process special categories of data (such as health data or data revealing racial or ethnic origin) except where our customers expressly instruct us to handle such data under a DPA and an appropriate legal basis applies.

3. How we use your information

We use personal data only for the purposes described in this Policy or that we notify you of at the time of collection. Specifically, we use personal data to:

  • Deliver the Services — authenticate users, provision workspaces, execute the functionality the customer has purchased, and maintain the availability of the platform.
  • Billing and account management — process subscription fees, issue invoices, manage renewals, and administer purchase orders in accordance with agreed payment terms.
  • Customer support — respond to tickets, escalate incidents, run root-cause analysis when something breaks, and maintain a historical support record.
  • Security and abuse prevention — detect anomalous access, investigate suspected breaches, prevent fraud, enforce our acceptable-use policy, and protect the rights and safety of our customers and staff.
  • Product research and improvement — analyze aggregated usage patterns, measure feature adoption, prioritize engineering work, and evaluate the quality of releases before we ship them broadly.
  • Legal and compliance obligations — respond to lawful requests, defend legal claims, comply with tax, accounting, and export-control requirements, and satisfy audit obligations imposed on us by customers or regulators.
  • Communications — send you service-related messages (outage notices, security advisories, invoices), respond to your inquiries, and, where permitted, send marketing communications about products and events we believe may be relevant to your role.

We do not train foundation models on customer data, and we do not use personal data submitted to the platform as a processor for any marketing or research purpose outside the narrow scope documented in the applicable DPA.

Under the GDPR, the UK GDPR, and equivalent laws in other jurisdictions, we process personal data only where we have a valid legal basis to do so. Depending on the activity, we rely on one or more of the following bases.

Performance of a contract
We process account, billing, and usage data to provide the Services you have purchased and to meet our obligations under the Master Subscription Agreement or order form you have signed with us.
Legitimate interests
We rely on our legitimate interests to secure the platform, prevent fraud, measure product quality, and maintain direct business relationships with our commercial contacts. We conduct a balancing test before processing on this basis and document the outcome in our records of processing.
Consent
Where required by law, we rely on your consent — for example, to set non-essential cookies, to send marketing emails to contacts in jurisdictions that require opt-in, or to process any special category of data on behalf of a customer. You may withdraw consent at any time without affecting the lawfulness of prior processing.
Legal obligation
We process personal data where necessary to comply with applicable law, including tax, accounting, employment, anti-money-laundering, sanctions, and export-control regulations, and to respond to lawful requests from supervisory authorities.

5. How we share your information

We share personal data only where necessary to operate the Services, comply with law, or carry out a business transaction, and always under appropriate contractual and technical safeguards. The main categories of recipients are listed below.

  • Sub-processors — we engage vetted vendors for hosting, analytics, customer communications, identity, and payment processing. A current list, with the category of processing and regional location of each sub-processor, is published at /subprocessors. Each sub-processor is bound by written terms at least as protective as this Policy and our DPA.
  • Professional advisors and auditors — accountants, lawyers, insurers, and external auditors who are bound by professional confidentiality obligations.
  • Legal and regulatory authorities — where compelled by a valid legal process, court order, or regulatory investigation. We challenge overly broad requests and notify affected customers unless we are legally prohibited from doing so.
  • Business transfers — in the event of a merger, acquisition, financing, or sale of assets, personal data may be transferred as part of that transaction, subject to the acquirer agreeing to honor the commitments in this Policy.
  • With your consent — any other party you explicitly direct us to share your information with, such as a mutual customer reference you have approved.

6. International data transfers

ORDENTRA operates primary infrastructure in the European Union, the United Kingdom, the United States, and the Asia-Pacific region. By default, production data for EU and UK customers is hosted exclusively in EU data centers operated by our hosting sub-processors. For customers on our Sovereign tier, we operate single-tenant deployments pinned to a specific region, and data does not leave that region except under customer-authorized support actions.

Where personal data is transferred outside the European Economic Area, the United Kingdom, or another jurisdiction with recognized data protection standards, we rely on a valid transfer mechanism. These include the European Commission's Standard Contractual Clauses (Module Two, Controller-to-Processor; Module Three, Processor-to-Processor) adopted on 4 June 2021, the UK International Data Transfer Addendum, and, where applicable, adequacy decisions recognized by the European Commission.

For each non-adequate destination, we conduct a Transfer Impact Assessment in accordance with the European Data Protection Board's Recommendations 01/2020 and implement supplementary technical and organizational measures — including encryption in transit and at rest, tenant isolation, pseudonymization where feasible, and documented challenge procedures for government access requests.

7. Data retention

We retain personal data only for as long as necessary to fulfil the purposes for which it was collected, including to satisfy any legal, accounting, or reporting obligations. The tables below summarize our default retention periods; specific customers may contractually require shorter retention, and we honor those terms when they conflict with the defaults.

  • Customer content — retained for the duration of the subscription and for 30 days following termination to allow for export. After 30 days, all customer content is irreversibly deleted within a further 60 days from primary storage and all replicas and backups.
  • Account and billing records — retained for seven years after the end of the commercial relationship to satisfy Dutch tax and accounting requirements.
  • Security and audit logs — retained for 13 months in hot storage and archived for up to 24 months for forensic investigation of security incidents.
  • Support records — retained for three years after the ticket is closed to enable recurrence analysis and knowledge-base construction.
  • Marketing data — retained until you opt out or after 24 months of inactivity, whichever comes first.
  • Recruiting data — retained for 12 months after a recruiting cycle closes, unless you consent to a longer retention so we can consider you for future roles.

8. Your rights

Depending on where you live, you may have the following rights in relation to the personal data we hold about you. In the European Economic Area and the United Kingdom, these rights are set out in Articles 15 to 22 of the GDPR. We extend equivalent rights to all individuals worldwide where we act as a controller, regardless of local law.

  • Right of access — obtain confirmation of whether we process your personal data, and a copy of that data in a standard format.
  • Right to rectification — have inaccurate personal data corrected and incomplete data completed.
  • Right to erasure (“right to be forgotten”) — request deletion of your personal data where one of the grounds in Article 17 GDPR applies.
  • Right to restriction of processing — ask us to stop actively processing your data while a dispute or accuracy question is being resolved.
  • Right to data portability — receive the personal data you have provided in a structured, commonly used, and machine-readable format and transmit it to another controller.
  • Right to object — object to processing based on our legitimate interests, including profiling, and to direct marketing at any time.
  • Right to withdraw consent — withdraw consent at any time where processing is based on consent, without affecting the lawfulness of processing carried out prior to withdrawal.
  • Right to lodge a complaint — lodge a complaint with a supervisory authority, in particular the Dutch Data Protection Authority (Autoriteit Persoonsgegevens) or the authority in your country of residence.

9. How to exercise your rights

You can exercise any of the rights described in Section 8 by emailing our Data Protection Officer at dpo@ordentra.com. To protect your personal data, we will verify your identity before acting on your request — this may involve asking you to confirm information already on file or, for platform users, to authenticate through your existing workspace.

We will respond to your request within one month of receipt, as required by Article 12(3) GDPR. If your request is particularly complex or if we receive a large number of requests, we may extend that period by up to two additional months and will notify you of the extension within the first month. There is no fee for exercising your rights, except where a request is manifestly unfounded or excessive, in which case we may charge a reasonable administrative fee or refuse the request.

If your personal data is processed by ORDENTRA as a processor on behalf of one of our customers, we will forward your request to that customer and cooperate with them as required to honor your rights. In most cases, the customer is the appropriate party to fulfill the request.

10. Children's data

The ORDENTRA platform is an enterprise tool intended solely for use by business customers and their authorized users. The Services are not directed at children, and we do not knowingly collect personal data from individuals under the age of 18. If we become aware that we have collected personal data from a child under 18 without verified parental consent, we will promptly delete that information.

11. Security

ORDENTRA maintains a comprehensive information security program aligned to ISO/IEC 27001, SOC 2 Type II, and the Cloud Security Alliance CCM. We apply encryption in transit (TLS 1.2 or higher) and at rest (AES-256), enforce least-privilege access with mandatory multi-factor authentication, perform continuous vulnerability management, and maintain a 24/7 on-call incident response program.

A full description of our security controls, current certifications, penetration-test summaries, and sub-processor audits is available under NDA through our Trust Center at /trust. No security program can eliminate all risk; in the event of a personal data breach affecting you, we will notify you in line with our obligations under Articles 33 and 34 GDPR and the commitments in our DPA.

12. Cookies and tracking technologies

We use cookies and similar technologies to operate our websites, remember your preferences, measure traffic, and — with your consent — support limited marketing analytics. We group cookies into four categories:

  • Strictly necessary — required to deliver the website and platform (session, authentication, CSRF protection). Cannot be disabled.
  • Preferences — remember language, region, and UI settings so you do not have to re-enter them on each visit.
  • Analytics — first-party product analytics and privacy-preserving web analytics that tell us which pages and features are used. Set only with consent in jurisdictions that require it.
  • Marketing — a small number of third-party cookies used to measure campaign attribution on ordentra.com. Set only with consent.

You can manage your cookie preferences through the consent banner on our websites or through your browser settings. Blocking strictly necessary cookies will prevent core parts of the platform from working. We respect the Global Privacy Control (GPC) signal and treat it as a valid opt-out of non-essential tracking.

13. Changes to this policy

We may update this Policy from time to time to reflect changes in our practices, legal requirements, or feedback from customers and regulators. When we make a material change, we will update the “Last updated” date at the top of this page, increment the version number, and, where a change materially affects how we process personal data, provide advance notice by email to workspace administrators and a banner notice in the ORDENTRA application at least 30 days before the change takes effect.

Prior versions of this Policy are available on request from our Data Protection Officer. By continuing to use the Services after an updated Policy takes effect, you acknowledge the revised Policy.

14. Contact information

We have appointed a Data Protection Officer to oversee compliance with this Policy and applicable data protection laws. For any privacy-related question, request, or complaint, please contact us using the details below.

Data Protection Officer

Our DPO is independent and reports directly to the Chief Legal Officer. Use this channel for rights requests, breach notifications, or to raise a privacy concern.

ORDENTRA B.V.
Attn: Data Protection Officer
Herengracht 412
1017 BZ Amsterdam
Netherlands

EU customers may also lodge a complaint with the Dutch Data Protection Authority (Autoriteit Persoonsgegevens) at autoriteitpersoonsgegevens.nl. UK customers may contact the Information Commissioner's Office at ico.org.uk.