2. Data Collection and Usage

We collect and process personal data and business data needed to operate OrionCast, including names, email addresses, organization names, account and permission data, usage metrics, uploaded forecasting data, and Shopify store data when a merchant connects Shopify.

We use account and contact data to provide, secure, support, analyze, and improve the platform. We may use business contact details for marketing only where permitted or requested; we do not use uploaded forecasting data or Shopify store data for marketing, advertising, profiling, or targeted segments.

We do not use your uploaded historical sales data or Shopify-derived product/order data for model training, external analytics, marketing, advertising, sale, or disclosure to independent third parties. It is processed only to provide forecasting, inventory planning, support, security, and integration functions.

We process this data based on the necessity to perform our contract with you and our legitimate interest in improving our services.

3. Data Sharing and Third Parties

We do not sell personal data. We share or transfer data only with service providers acting on our behalf, with the merchant or user who supplied or configured the data, when required by law, or with explicit instruction or consent. Service providers may include email delivery and technical infrastructure providers.

4. Data Security

We take data security seriously and have implemented the following measures:

• All customer data is encrypted both during transmission (TLS/SSL) and when stored.
• Data is securely managed on cloud platforms with the highest security standards.
• Access to production environments and model code is restricted to authorized personnel only.

We comply with the General Data Protection Regulation (GDPR).

5. Data Retention and Deletion

We retain account, usage, project, and Shopify integration data for as long as needed to provide the service, maintain security, comply with legal obligations, or resolve disputes. Shopify connection data, imported product data, order-derived sales history, sync metadata, and logs are retained while the integration or account is active or until deletion is requested, unless a longer period is legally required. If you request deletion, your data will be deleted or anonymized from active systems promptly and from backups according to normal backup cycles.

6. Cookies

We use a minimal number of cookies to ensure the website functions correctly and to improve your user experience. We do not use cookies for advertising, profiling, or behavioral tracking.

• Session Cookie (Authentication): A strictly necessary cookie used by our system (Flask-Login) to keep you logged in during your visit and to secure your session. This is typically deleted when you close your browser.
• Language Preference (lang): A functional cookie that remembers your preferred language (Swedish or English) across the website and dashboard. This cookie is stored for up to one year.

You can choose to disable cookies through your browser settings; however, please note that doing so will prevent you from logging in or using the service's core features.

7. Your Rights and Controls

You may at any time:

• Request access to the data we hold about you.
• Request correction, deletion, or restriction of how we process your data.

Please contact us directly at support@orioncast.ai for any data-related inquiries or requests, including requests about merchant or buyer data processed through Shopify.

You also have the right to lodge a complaint with the Swedish Authority for Privacy Protection (Integritetsskyddsmyndigheten).

8. Age Restrictions

You must be at least 16 years old to use our platform. We do not knowingly collect or solicit personal information from children under the age of 16. If you are under 16, please do not use our Service or submit any personal information to us. If we become aware that we have collected personal information from a child under the age of 16, we will take steps to delete such information as soon as possible.

9. International Data Transfers

OrionCast AB is established in Sweden. We store and process personal data in the EU/EEA whenever possible. If a provider or processing location outside the EU/EEA is used, we rely on appropriate safeguards such as adequacy decisions, standard contractual clauses, or equivalent lawful transfer mechanisms.

10. Account Data

To create and administer user accounts, we process account-related information such as email address, display name, company affiliation, country (if provided), password hashes, login timestamps, admin permissions, and project access or sharing metadata.

We use this information to authenticate users, manage permissions, secure accounts, and provide access to the relevant company workspace and forecasting data.

11. Contact Forms

If you contact us through the website, we process the information you submit, such as your name, email address, phone number, company, role, and message.

We use this information to respond to your inquiry, follow up on demo or partnership requests, and send relevant confirmations or replies.

12. Third-Party Providers

We use selected third-party service providers where necessary to operate the service, for example for email delivery and technical infrastructure. These providers process data only on our behalf and only for the purposes required to deliver the service.

For example, contact form emails, password reset emails, and certain service communications may be sent through Mailgun or equivalent email delivery infrastructure.

13. Shopify Integration

If you connect a Shopify store, we collect through Shopify's Admin APIs and webhooks only the data needed for forecasting and inventory planning: shop domain and app context, OAuth access tokens, product IDs, titles, status, inventory totals and basic product metadata, plus order IDs, timestamps, cancellation status, line-item product references, and quantities. We also process merchant-provided store URLs, connection settings, sync status, and sync logs.

We use Shopify data only to sync products, calculate product-level sales history, forecast demand, plan inventory, troubleshoot, secure the integration, and, if configured by the merchant, forward webhook payloads to the merchant's endpoint. We do not use Shopify data for advertising, profiling, model training, sale, or external analytics. We do not place cookies or tracking on merchant storefronts and do not request buyer contact, address, payment, or browsing data through our API queries.

14. CRM and Admin Data

Within our admin and CRM workflows, we may process business contact and relationship data such as company names, contact persons, email addresses, phone numbers, internal notes, ownership, status history, activity entries, and qualification or suitability fields.

This information is used for customer administration, sales follow-up, onboarding, support, and internal coordination. Access is restricted to authorized users with the relevant permissions.

15. Security Measures and Rate Limiting

We use a range of technical and organizational safeguards, including encrypted transport (TLS/SSL), restricted access to production environments, password hashing, hashed password reset tokens, upload size restrictions, and logging needed for security and reliability.

We also use Redis-backed rate limiting and abuse protection on selected endpoints. This may involve temporary processing of technical data such as IP addresses and request counters to prevent misuse and protect the service.

16. Updates to this Policy

We may update this policy periodically. Any significant changes will be communicated clearly on our website.

For questions, please contact us at support@orioncast.ai