Orkly.app

Privacy Policy

Last updated: March 2026 · Effective date: March 2026

    This Privacy Policy explains how Orkly collects, uses, stores and protects your personal data. It applies to all users of orkly.app and complies with the EU General Data Protection Regulation (GDPR) and applicable Spanish data protection law (LOPDGDD).
  

1. Data controller

The data controller responsible for your personal data is:

Name: Jorge Carlos Vinagre Triguero
Country: Spain
Contact: jorgecdev444@gmail.com

You may contact us at any time regarding your personal data at the email address above.

2. What data we collect and why

Data	Source	Purpose	Legal basis
Email address, name, profile picture	Google Sign-In (OAuth 2.0)	Account creation and authentication	Contract performance (Art. 6.1.b GDPR)
IP address	Automatically from your browser	Rate limiting and abuse prevention	Legitimate interest (Art. 6.1.f GDPR)
Content you create (posts, client names, brand voice)	Entered by you	Providing the Orkly service	Contract performance (Art. 6.1.b GDPR)
Usage data (generated posts, styles used)	Automatically generated	Service analytics and improvement	Legitimate interest (Art. 6.1.f GDPR)
Feedback text	Voluntarily submitted by you	Product improvement	Consent (Art. 6.1.a GDPR)

We do not collect sensitive personal data (health, financial, political or religious information). We do not sell your data to third parties.

3. Third-party services we use

Orkly integrates with the following third-party services to operate. Each has its own privacy policy:

Google OAuth 2.0 (Google LLC) — used for authentication. When you sign in with Google, we receive your name, email address and profile picture from Google. We do not receive your Google password. Google Privacy Policy

When you sign in with Google, we receive the following information from Google: your name, email address and profile picture. We use this information solely to create and manage your Orkly account. We do not receive your Google password, payment information or any other sensitive data. You can revoke Orkly's access to your Google account at any time from your Google Account settings.
OpenAI API (OpenAI, L.L.C.) — the text you submit for improvement is sent to OpenAI's API to generate AI suggestions. OpenAI may use this data according to their API usage policy. We recommend not including sensitive personal information in posts you generate. OpenAI Privacy Policy
Supabase (Supabase Inc.) — your account data, client data and generated content history are stored in Supabase's hosted PostgreSQL database. Data is stored in the EU (Frankfurt region). Supabase Privacy Policy
Cloudflare (Cloudflare Inc.) — used for DNS, CDN and frontend hosting. Cloudflare processes IP addresses and request metadata to serve the application. Cloudflare Privacy Policy
Google Cloud Platform (Google LLC) — used to host the backend API. Google Cloud Privacy Notice

4. How long we keep your data

Data type	Retention period
Account data (email, name)	Until you delete your account
Generated content history	Until you delete your account or the specific records
IP-based rate limit records	Automatically deleted after 30 days
Feedback submissions	Up to 12 months, then anonymised

5. International data transfers

Some of the third-party services listed above (OpenAI, Supabase, Google) may transfer and process your data outside the European Economic Area (EEA). Where this occurs, appropriate safeguards are in place, including Standard Contractual Clauses (SCCs) approved by the European Commission, ensuring your data is protected to the same standard as within the EU.

6. Your rights under GDPR

As a data subject under GDPR, you have the following rights:

Right of access — you can request a copy of the personal data we hold about you.
Right to rectification — you can ask us to correct inaccurate or incomplete data.
Right to erasure — you can ask us to delete your personal data ("right to be forgotten").
Right to restriction — you can ask us to restrict how we process your data in certain circumstances.
Right to data portability — you can request your data in a structured, machine-readable format.
Right to object — you can object to processing based on legitimate interests.
Right to withdraw consent — where processing is based on consent, you can withdraw it at any time without affecting the lawfulness of prior processing.

To exercise any of these rights, contact us at jorgecdev444@gmail.com. We will respond within 30 days.

You also have the right to lodge a complaint with the Spanish Data Protection Authority (Agencia Española de Protección de Datos — AEPD) at www.aepd.es.

7. Cookies and local storage

Orkly uses browser localStorage to store your theme preference (light/dark mode) and authentication session token. No third-party tracking cookies are set by Orkly itself.

Third-party services integrated in the platform (Google, Cloudflare) may set their own cookies subject to their respective privacy policies.

8. Security

We take reasonable technical and organisational measures to protect your personal data, including:

HTTPS encryption for all data in transit (enforced by the .app domain)
Row-level security (RLS) in our database, ensuring each user can only access their own data
No storage of passwords — authentication is handled entirely by Google OAuth
API keys and secrets stored as environment variables, never in source code

No method of transmission or storage is 100% secure. In the event of a data breach that poses a risk to your rights, we will notify affected users and the AEPD within 72 hours as required by GDPR.

9. Children's privacy

Orkly is not directed at children under the age of 16. We do not knowingly collect personal data from children under 16. If you believe a child has provided us with personal data, please contact us at jorgecdev444@gmail.com and we will delete it promptly.

10. Changes to this policy

We may update this Privacy Policy from time to time. When we do, we will update the "Last updated" date at the top of this page. For significant changes, we will notify registered users by email. Your continued use of Orkly after changes are posted constitutes your acceptance of the updated policy.

11. Contact

For any questions, requests or complaints regarding your personal data or this Privacy Policy, please contact:

Jorge Carlos Vinagre Triguero
Email: jorgecdev444@gmail.com