Privacy Policy

1. What We Collect

Ordica LLC ("Ordica," "we," "us," "our") operates the Ordica prompt compression service at ordica.ai. This Policy describes what personal information we collect, how we use it, and your rights.

Access request information: When you request access to the Service, we collect your email address, company or organizational affiliation (if provided), selected service tier, and a brief description of your intended use case.

Account information: For paid accounts, we collect your email address and payment-related information processed through Stripe. We do not receive or store full payment card numbers.

Usage metadata: We collect anonymous, aggregated operational metrics including token counts, compression savings percentages, API provider selections, and request latency. This metadata does not contain the content of any prompt or response.

Technical identifiers: For security and rate-limiting purposes, we may process hashed IP addresses and basic request metadata. We do not store full IP addresses beyond what is retained in standard infrastructure access logs (typically 30 days).

Communications: If you contact us by email, we retain that correspondence as necessary to respond and for our records.

2. What We Do Not Collect

Specifically, we do not:

• Store or log the text of your prompts or LLM responses
• Use your prompt content to train, fine-tune, or improve our compression models
• Sell, rent, or share prompt content with any third party
• Collect biometric data, precise geolocation, or sensitive personal categories
• Use tracking pixels, behavioral advertising cookies, or cross-site tracking

Disclosure regarding LLM providers: To provide the Service, compressed prompts are forwarded to your designated LLM provider (e.g., Anthropic or Google). That provider receives the compressed prompt content and is subject to its own privacy policy. You are responsible for ensuring your use of any LLM provider complies with your obligations to data subjects.

3. How We Use Data

We use the information we collect for the following purposes:

• Service delivery: To process access requests, provision accounts, authenticate users, and route API requests
• Billing: To process payments, generate invoices, and manage subscriptions via Stripe
• Communications: To send transactional emails including verification codes, access approvals, billing confirmations, and service notices
• Security and fraud prevention: To detect, investigate, and prevent abuse, unauthorized access, and fraudulent activity
• Service improvement: To analyze aggregated, anonymized performance metrics and improve the Service
• Legal compliance: To comply with applicable law, respond to lawful requests, and enforce our Terms of Service

We do not use your data for advertising, profiling, or behavioral targeting, and we do not sell personal data to any party.

4. Third Parties We Share Data With

We share personal data only with the following categories of third parties, for the stated purposes. We do not share with advertising networks, data brokers, or analytics platforms.

We may also disclose information: (a) if required by applicable law, regulation, or legal process; (b) to protect the rights, property, or safety of Ordica, our users, or the public; or (c) in connection with a merger, acquisition, or sale of all or substantially all of our assets, with notice to affected users.

5. Data Retention

We retain different categories of data for different periods:

• Prompt content: Never stored. Discarded within the request lifecycle.
• Usage metadata (anonymous, aggregated): Retained for up to 90 days in identifiable form, then aggregated and retained indefinitely in anonymized form for performance analysis.
• Account information: Retained for the duration of your account relationship, plus any period required by law (typically up to 7 years for financial records).
• Access request data: Retained for up to 12 months after a request is processed.
• Infrastructure access logs: Retained for up to 30 days, then deleted.

You may request deletion of your account and associated personal data at any time by contacting privacy@ordica.ai. We will respond within 30 days. We may retain certain data where required by law or to resolve disputes.

6. Data Location and Security

The Service is hosted and operated on infrastructure located in the United States. All data we store is processed and retained in the US. If you are located outside the US, your information will be transferred to and processed in the US.

We implement technical and organizational measures to protect your personal information, including:

• Encryption of data in transit and at rest
• Access controls limiting personnel access to personal data on a need-to-know basis
• Audit logging of access to sensitive systems
• Hardware-level security controls for our production infrastructure
• Regular security reviews

We are working toward SOC 2 Type II compliance. A summary of our security posture is available on request for Enterprise and Government customers. We do not publish specific implementation details about our security architecture on public-facing channels.

No security measure is infallible. In the event of a data breach that affects your personal information, we will notify you as required by applicable law.

7. Your Rights

Depending on your jurisdiction and the nature of the data, you may have the following rights regarding your personal information:

• Access: Request a copy of personal data we hold about you
• Correction: Request correction of inaccurate or incomplete information
• Deletion: Request deletion of your personal data (subject to legal retention obligations)
• Portability: Receive your personal data in a structured, machine-readable format where technically feasible
• Objection: Object to certain processing activities
• Restriction: Request restriction of processing in certain circumstances

To exercise any of these rights, contact us at privacy@ordica.ai. We will respond within 30 days. We may verify your identity before processing requests. We will not discriminate against you for exercising your privacy rights.

8. Cookies

Our website uses cookies and similar technologies only for functional purposes essential to operating the Service:

• Session cookies: To maintain your authenticated session while using the web interface
• CSRF protection tokens: Security cookies to prevent cross-site request forgery

We do not use tracking cookies, advertising cookies, or third-party analytics cookies. Infrastructure providers (including Cloudflare) may set security-related cookies as part of their bot management and DDoS protection services. These are functional, not tracking, cookies.

You can disable cookies in your browser settings, but doing so may impair your ability to use authenticated features of the Service.

9. Children

The Service is not directed to, and we do not knowingly collect personal information from, individuals under the age of 18. If we learn that we have collected personal information from a child under 18 without parental consent, we will delete that information promptly. If you believe we have collected information from a child under 18, contact us at privacy@ordica.ai.

10. California Residents (CCPA / CPRA)

If you are a California resident, you have the following rights under the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA):

• Right to Know: The categories and specific pieces of personal information we have collected about you, the sources of collection, our business purposes for collecting it, and the categories of third parties with whom we share it
• Right to Delete: Request deletion of personal information we have collected from you, subject to certain exceptions
• Right to Correct: Request correction of inaccurate personal information
• Right to Opt Out of Sale or Sharing: We do not sell or share personal information for cross-context behavioral advertising. This right is not applicable to our current practices.
• Right to Limit Use of Sensitive Personal Information: We do not collect sensitive personal information as defined by the CPRA beyond what is necessary to provide the Service.
• Right to Non-Discrimination: We will not discriminate against you for exercising your CCPA rights.

To exercise your California rights, submit a verifiable consumer request to privacy@ordica.ai. We will respond within 45 days. You may designate an authorized agent to make requests on your behalf.

Your Privacy Choices

Ordica does not sell personal information and does not share personal information for cross-context behavioral advertising as those terms are defined under the California Consumer Privacy Act (Cal. Civ. Code § 1798.140(ad), (ah)). Because we do not engage in those activities, no "Do Not Sell or Share" opt-out is required. California residents retain all other CCPA rights (to know, to delete, to correct, to limit use of sensitive personal information, and to non-discrimination) and may exercise them by emailing privacy@ordica.ai. We will respond within 45 days as required by Cal. Civ. Code § 1798.130(a)(2).

11. EU and UK Residents (GDPR / UK GDPR)

If you are located in the European Economic Area, the United Kingdom, or Switzerland, the following additional provisions apply. Ordica LLC acts as a data controller for personal data collected during account registration and access requests, and as a data processor for any personal data contained in prompts you route through the Service.

Legal basis for processing:

• Contract performance — processing necessary to provide the Service you have requested
• Legitimate interests — security monitoring, fraud prevention, and service improvement, where our interests are not overridden by your rights
• Legal obligation — compliance with applicable law
• Consent — where we request your consent for specific optional processing activities

International transfers: Your personal data may be transferred to and processed in the United States. Where we transfer data from the EEA or UK to the US, we rely on Standard Contractual Clauses (SCCs) approved by the European Commission, or other appropriate transfer mechanisms. A Data Processing Agreement (DPA) incorporating SCCs is available at dpa.html or upon request from legal@ordica.ai.

Right to lodge a complaint: You have the right to lodge a complaint with your national or local data protection supervisory authority if you believe our processing of your personal data violates applicable law.

Data Protection Officer: We do not currently have a designated DPO. Privacy inquiries should be directed to privacy@ordica.ai.

12. Changes to This Policy

We may update this Privacy Policy from time to time. When we make material changes, we will notify you by email (to the address associated with your account) and by posting a notice on our website, at least 30 days before the changes take effect. The "Effective date" at the top of this Policy reflects the most recent revision.

Your continued use of the Service after the effective date of any change constitutes your acceptance of the updated Policy. If you do not agree to updated terms, you may delete your account and stop using the Service.

13. Contact

For privacy-related inquiries, to exercise your rights, or to request a copy of our Data Processing Agreement:

Ordica LLC
Sacramento, California
privacy@ordica.ai

For general support: support@ordica.ai

For legal and compliance matters: legal@ordica.ai