Privacy Policy - Oryn Inventory

1 Introduction

Oryn Systems LLC ("Company," "we," "our," or "us") operates the Oryn Inventory Management System ("Service"). This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our Service.

By accessing or using our Service, you acknowledge that you have read, understood, and agree to be bound by this Privacy Policy. If you do not agree with the terms of this Privacy Policy, you must not access or use the Service.

This Privacy Policy applies to all users of the Service, including individual account holders, organizational administrators, team members, and any person who accesses or uses the Service in any capacity.

2 Information We Collect

2.1 Account Information

When you register for an account, we collect:

Username — Your chosen identifier for the platform
Email Address — Used for account verification, password reset, notifications, and service communications
Password — Stored in encrypted (hashed) form using industry-standard algorithms; we never store or have access to plain-text passwords
Name — First and last name for personalization and display purposes
Role Information — Your assigned role within your organization (e.g., admin, manager, employee, scanner)
Profile Photo — Optional profile image you choose to upload

2.2 Organization Data

For multi-tenant functionality, we collect:

Company Name — Your organization's legal or operating name
Company Code — Unique identifier for your organization's tenant
Subscription Tier — Your service plan level and billing information
Department and Team Information — Organizational structure data you provide
Custom Fields — Any custom data fields your organization configures

2.3 Inventory and Operational Data

To provide our core service, we collect and store:

Box/Item Information — Names, descriptions, SKUs, quantities, status, custom field values, and perishability data
Location Data — Warehouse locations, zones, aisles, shelves, bins, and floor plan maps
Category Information — Product categories and classifications
QR Codes and Barcodes — Generated codes associated with your inventory items
Transfer Records — Inventory movement, transfer, and assignment history
Purchase Orders — Vendor purchase orders, receiving records, and procurement data
Sales Orders — Customer orders, shipments, and fulfillment data
Photos — Location photos and item images you upload
Vendor Information — Vendor names, contact information, and performance data

2.4 Technical and Usage Data

We automatically collect:

Data Type	Purpose	Retention
IP Address	Security, abuse prevention, audit logging	90 days
User Agent / Browser Info	Compatibility, troubleshooting, security	90 days
Timestamps	Activity tracking, audit trails	Duration of account
Scan History	Inventory tracking, analytics, productivity metrics	Duration of account
Search Queries	Improving search functionality, recent searches feature	90 days
Activity Logs	Audit trails, security monitoring, compliance	1 year
Labor / Task Data	Productivity tracking, workforce management	Duration of account
Alert / Notification Data	System alerts, threshold monitoring	90 days
Device Fingerprint Data	Fraud prevention, session validation, device recognition	90 days
Screen Resolution / Viewport	Responsive design optimization, UI rendering	Session only
Referring URL	Understanding traffic sources, security analysis	30 days
Timezone / Locale Settings	Localization, scheduling, report timing	Duration of account

2.5 Crash Reports and Diagnostics

To improve service reliability, we may collect:

Error Logs — JavaScript errors, server-side exceptions, and stack traces (scrubbed of personal data before storage)
Performance Metrics — Page load times, API response times, and resource utilization data used to optimize service delivery
Feature Usage Telemetry — Anonymized, aggregated data about which features are used and how frequently, to inform product development priorities. This data cannot be linked back to individual users

Minimization Principle: We adhere to the principle of data minimization. We collect only the data that is strictly necessary to provide, secure, and improve the Service. We do not collect data speculatively or for undefined future purposes.

3 How We Use Your Information

We use collected information for the following purposes. For each purpose, we identify the corresponding lawful basis under GDPR:

Purpose	Description	Lawful Basis
Service Provision	Operating, maintaining, and improving the inventory management platform and its features	Contract Performance
Authentication & Security	Verifying your identity, securing your account, multi-factor authentication, and preventing unauthorized access	Contract / Legitimate Interest
Communication	Sending password reset emails, scheduled reports, system alerts, service degradation notifications, and essential service communications	Contract Performance
Analytics & Reporting	Providing dashboards, reports, heat maps, dwell time analysis, vendor scorecards, demand forecasting, and productivity metrics	Contract Performance
Security & Fraud Prevention	Detecting and preventing fraud, unauthorized access, abuse, credential stuffing, and other harmful activities including automated threat detection	Legitimate Interest
Legal Compliance	Meeting legal obligations, regulatory requirements, tax reporting, audit requirements, and responding to lawful government requests	Legal Obligation
Service Improvement	Enhancing service functionality, user experience, A/B testing of UI improvements, and developing new features based on aggregated usage patterns	Legitimate Interest
Customer Support	Responding to inquiries, troubleshooting issues, providing technical assistance, and maintaining support ticket history	Contract Performance
Backup & Disaster Recovery	Creating encrypted backups to ensure business continuity and data recovery in the event of system failure or data loss	Legitimate Interest
Aggregated Analytics	Creating anonymized, aggregated statistical data that cannot identify individuals, used for benchmarking, product planning, and industry reporting	Legitimate Interest

We do not use your data for advertising purposes. We do not sell, rent, or trade your personal information to third parties for marketing, advertising, or profiling purposes. We do not engage in cross-context behavioral advertising. We do not create advertising profiles from your data.

4 Lawful Basis for Processing (GDPR)

If you are located in the European Economic Area (EEA), United Kingdom (UK), or Switzerland, we process your personal data under the following lawful bases:

Contract Performance — Processing necessary to perform our agreement with you (e.g., providing the Service, account management)
Legitimate Interests — Processing necessary for our legitimate business interests (e.g., security, fraud prevention, service improvement), where those interests are not overridden by your rights
Legal Obligation — Processing necessary to comply with applicable laws and regulations
Consent — Where you have given explicit consent to process your data for a specific purpose (e.g., optional marketing communications)

5 Multi-Tenant Data Isolation

Important: We operate a multi-tenant architecture with strict data isolation. Your organization's data is completely separated from other organizations' data at the database level. Users from one tenant cannot access data belonging to another tenant.

Each tenant (organization) has:

A unique, cryptographically-generated tenant identifier
Complete logical data isolation from other tenants at the database level
Independent user management, roles, and permissions
Isolated configuration, custom fields, and settings

6 Data Sharing and Disclosure

We do not sell your personal information. We may share data only in the following limited circumstances:

Within Your Organization — Data is shared among authorized users within your tenant based on their assigned roles and permissions as configured by your organization's administrator
Service Providers — We use third-party services strictly for infrastructure purposes: hosting (e.g., Railway), email delivery (SMTP providers), database management, and payment processing (e.g., Stripe). These providers are contractually bound to protect your data and process it only as instructed by us
Legal Requirements — When required by law, subpoena, court order, or governmental authority, or when we believe in good faith that disclosure is necessary to protect our rights, protect your safety or the safety of others, investigate fraud, or respond to a government request
Business Transfers — In connection with any merger, acquisition, reorganization, sale of assets, or bankruptcy, in which case your data may be transferred to the acquiring entity. We will notify you via email and/or prominent notice on our Service of any change in ownership or uses of your personal information
Protection of Rights — To enforce our Terms of Service, protect the security or integrity of our Service, or protect the rights, property, or safety of Oryn Systems LLC, our users, or the public
With Your Consent — We may share your information with third parties when you have given us explicit consent to do so
Aggregated/De-identified Data — We may share aggregated or de-identified data that cannot reasonably be used to identify you, for industry analysis, benchmarking, or research purposes

6.1 Categories of Recipients

Recipient Category	Purpose	Data Shared	Safeguards
Cloud Infrastructure Provider	Application hosting, database storage	All Service data (encrypted)	DPA, SOC 2, encryption at rest
Payment Processor (Stripe)	Subscription billing	Billing name, email, payment token	PCI DSS Level 1, DPA
Email Delivery Service	Transactional emails, alerts	Email address, name, notification content	DPA, TLS encryption
CDN / Font Provider (Google Fonts)	Typography rendering	IP address (automatic by browser)	Google Privacy Policy

6.2 Law Enforcement Request Procedures

When we receive a request from law enforcement or a government agency for user data:

We evaluate each request for legal validity, proper jurisdiction, and scope appropriateness
We narrow or challenge requests that are overly broad, vague, or legally deficient
We notify the affected user before disclosure unless legally prohibited from doing so (e.g., by a valid court order, gag order, or applicable law)
We provide only the minimum data necessary to comply with the specific request
We maintain an internal log of all government data requests received, which may be disclosed in an annual transparency report
We will not provide government agencies with bulk access to your data or direct access to our servers

7 Data Security

We implement comprehensive administrative, technical, and physical security measures designed to protect your information against unauthorized access, alteration, disclosure, or destruction:

7.1 Technical Safeguards

Encryption at Rest — All stored data is encrypted using AES-256 encryption. Database backups are similarly encrypted before storage
Encryption in Transit — All data transmitted between your browser and our servers is encrypted using TLS 1.2 or higher with strong cipher suites. We enforce HTTPS on all connections and implement HTTP Strict Transport Security (HSTS)
Password Security — Passwords are hashed using bcrypt with per-user salts. We never store, log, or transmit plain-text passwords. Password complexity and rotation policies are configurable by organization administrators
Access Controls — Role-based access control (RBAC) restricting data access on a need-to-know basis, with granular permissions configurable by organization administrators
Session Management — Secure session handling with configurable timeouts, automatic expiration, and server-side session invalidation on logout
Rate Limiting — Algorithmic protection against brute force attacks, credential stuffing, API abuse, and distributed denial-of-service attacks
CSRF Protection — Cryptographic cross-site request forgery tokens on all state-changing operations
Input Validation — Server-side validation and sanitization of all user inputs to prevent SQL injection, XSS, command injection, and path traversal attacks
Content Security Policy — Strict CSP headers to mitigate cross-site scripting and data injection attacks
Dependency Management — Regular automated scanning of software dependencies for known vulnerabilities with priority remediation timelines

7.2 Administrative Safeguards

Employee Access — Access to production systems and customer data is limited to authorized personnel who require it for their job function. All access is logged and auditable
Background Checks — Employees with access to customer data undergo background verification prior to being granted access
Security Training — All employees receive security awareness training upon hire and annually thereafter, covering phishing, social engineering, data handling, and incident response
Confidentiality Agreements — All employees, contractors, and subprocessors are bound by confidentiality and non-disclosure agreements
Incident Response Plan — We maintain a documented incident response plan that is tested and updated at least annually

7.3 Monitoring and Audit

Activity Monitoring — Comprehensive audit logging of all user actions, system events, and administrative changes with tamper-evident log storage
Anomaly Detection — Automated systems monitor for unusual access patterns, impossible travel scenarios, and other indicators of compromise
Vulnerability Management — Regular vulnerability assessments and penetration testing of our infrastructure and application. Critical vulnerabilities are remediated within 24 hours of discovery

Compliance Posture: Our security practices are designed to align with industry standards including SOC 2 Type II, ISO 27001, and OWASP Top 10. We are committed to maintaining and improving our security posture through regular assessment, testing, and continuous improvement.

No Absolute Guarantee: While we strive to use commercially acceptable means to protect your personal information, no method of transmission over the Internet or method of electronic storage is 100% secure. We cannot guarantee absolute security and shall not be liable for any unauthorized access, use, or disclosure of your data that is beyond our reasonable control.

8 Data Retention Schedule

We retain your data according to the following detailed schedule. Retention periods begin from the date of collection or creation unless otherwise noted:

Data Category	Retention Period	Post-Deletion Handling
Account & Profile Data	Life of account + 90 days	Permanently deleted; purged from active databases and removed from backups within 30 days of backup rotation
Inventory & Operational Data	Life of account + 30-day export window	Exportable via CSV/JSON during grace period; permanently deleted thereafter
Activity & Audit Logs	12 months from creation	Automatically purged; may be retained longer if subject to legal hold
Technical Logs (IP, UA)	90 days	Automatically purged from log rotation
Financial/Billing Records	7 years from transaction date	Required by tax law (IRS, state revenue); stored in encrypted, access-restricted archive
Encrypted Backups	30 days (rolling)	Oldest backup automatically destroyed when new backup is created
Support Tickets	3 years from resolution	Retained for recurring issue resolution; deleted upon request
Crash Reports / Diagnostics	90 days	Automatically purged; personal data scrubbed before storage
Consent Records	Life of account + 5 years	Retained as evidence of consent under GDPR Article 7(1)

We may retain certain information for longer periods if required by applicable law, regulation, legal proceedings, or if retention is necessary for the establishment, exercise, or defense of legal claims. When data reaches the end of its retention period, it is either permanently deleted or irreversibly anonymized.

Legal Hold: In the event of pending or anticipated litigation, government investigation, or regulatory inquiry, we may preserve relevant data beyond normal retention periods as required by law. Affected users will be notified when legally permissible.

9 Your Rights

Depending on your jurisdiction, you may have the following rights regarding your personal data:

Right of Access — Request a copy of the personal data we hold about you
Right to Rectification — Request correction of inaccurate or incomplete data via your account settings or by contacting us
Right to Erasure — Request deletion of your account and all associated personal data
Right to Data Portability — Export your inventory data via CSV export functionality; request a machine-readable copy of your personal data
Right to Restriction — Request limitation of processing of your personal data under certain circumstances
Right to Object — Object to processing of your personal data based on legitimate interests
Right to Withdraw Consent — Where processing is based on consent, you may withdraw consent at any time without affecting the lawfulness of prior processing

To exercise these rights, contact your organization's administrator or reach out to us directly at [email protected]. We will respond within 30 days of receiving your request.

10 Cookies and Tracking Technologies

We use essential cookies and similar technologies for the following purposes:

Session Management — Maintaining your logged-in state and session security
Security — CSRF (Cross-Site Request Forgery) protection tokens
Preferences — Storing UI preferences (e.g., sidebar state, theme, language)

We do not use third-party tracking cookies, advertising cookies, or analytics cookies that track you across other websites.

For full details, please see our Cookie Policy.

11 California Privacy Rights (CCPA/CPRA)

If you are a California resident, the California Consumer Privacy Act (CCPA), as amended by the California Privacy Rights Act (CPRA), grants you additional rights:

Right to Know — You have the right to request information about the categories and specific pieces of personal information we have collected, the sources of collection, the business purposes for collection, and the categories of third parties with whom we share your information
Right to Delete — You have the right to request deletion of your personal information, subject to certain legal exceptions
Right to Correct — You have the right to request correction of inaccurate personal information
Right to Opt-Out of Sale/Sharing — We do not sell or share your personal information for cross-context behavioral advertising. Therefore, there is no need to opt out
Right to Non-Discrimination — We will not discriminate against you for exercising any of your CCPA/CPRA rights
Right to Limit Use of Sensitive Personal Information — You may limit the use and disclosure of sensitive personal information to what is necessary to perform the Service

To submit a verifiable consumer request, email [email protected] with the subject line "CCPA Request." We will verify your identity before fulfilling your request and respond within 45 days.

12 European Data Protection Rights (GDPR)

If you are located in the European Economic Area (EEA), United Kingdom, or Switzerland:

Data Controller — Oryn Systems LLC acts as the data processor on behalf of your organization (the data controller) for inventory and operational data. For account data provided directly to us, Oryn Systems LLC is the data controller
Data Processing Agreements — Enterprise and business customers may request a Data Processing Agreement (DPA) by contacting [email protected]
International Transfers — Your data may be transferred to and processed in the United States. We rely on Standard Contractual Clauses (SCCs) or other approved transfer mechanisms to ensure adequate protection
Supervisory Authority — You have the right to lodge a complaint with your local data protection authority if you believe we have violated your privacy rights

13 Children's Privacy

Our Service is not intended for individuals under 16 years of age. We do not knowingly collect personal information from children under 16. If we become aware that we have collected personal information from a child under 16, we will take steps to delete such information promptly. If you believe we have collected information from a child under 16, please contact us immediately at [email protected].

14 International Data Transfers

Your data may be processed and stored in countries outside your jurisdiction, including the United States. By using our Service, you acknowledge and consent to such transfers. We ensure appropriate safeguards are in place when transferring data internationally, including:

Standard Contractual Clauses (SCCs) approved by the European Commission
Binding Corporate Rules where applicable
Compliance with adequacy decisions by relevant data protection authorities
Contractual obligations imposed on service providers to maintain equivalent data protection standards

15 Data Subject Access Request (DSAR) Procedures

We have established formal procedures for handling data subject access requests in compliance with GDPR, CCPA/CPRA, and other applicable privacy regulations:

15.1 How to Submit a Request

Email [email protected] with subject line "DSAR — [Request Type]"
Include your full name, email address associated with your account, organization name, and the specific right you wish to exercise
Organization administrators may submit requests on behalf of their users

15.2 Identity Verification

To protect your data from unauthorized access, we must verify your identity before fulfilling any DSAR. Verification may include:

Confirmation from the email address on file for your account
Multi-factor authentication challenge if you are logged in
For requests from non-account holders or authorized agents: government-issued photo ID and a signed authorization letter

15.3 Response Timelines

Regulation	Initial Response	Maximum Extension
GDPR (EEA/UK)	30 days	+60 days (complex requests)
CCPA/CPRA (California)	45 days	+45 days (one extension)
Other US State Laws	45 days	Varies by jurisdiction

15.4 Request Fees

We process DSARs free of charge. However, if requests are manifestly unfounded, excessive, or repetitive, we reserve the right to charge a reasonable fee based on administrative costs or refuse the request, in accordance with applicable law.

16 Subprocessor List

We engage the following categories of subprocessors to help deliver our Service. Each subprocessor is bound by a Data Processing Agreement (DPA) and is required to maintain security measures at least as protective as those described in this Privacy Policy:

Subprocessor Category	Purpose	Data Processed	Location
Cloud Infrastructure (Railway / AWS)	Application hosting, compute, database storage	All Service data	United States
Payment Processing (Stripe)	Subscription billing, invoice management	Name, email, payment method token	United States
Email Delivery (SMTP Provider)	Transactional emails, password resets, alerts	Email address, name, message content	United States
CDN / Font Delivery (Google Fonts)	Typography rendering, asset delivery	IP address (automatic)	Global
Shipping Carrier APIs	Label generation, rate shopping, tracking	Ship-to address, package dimensions, weight	United States

We will notify customers of any new subprocessor additions at least 30 days before the subprocessor begins processing data, via email to the organization administrator. Customers who object to a new subprocessor may terminate their subscription without penalty within the notice period.

17 Data Breach Notification

In the event of a personal data breach that poses a risk to the rights and freedoms of individuals, we commit to the following notification procedures:

17.1 Regulatory Notification

GDPR: We will notify the relevant supervisory authority within 72 hours of becoming aware of the breach, as required by GDPR Article 33
US State Laws: We will notify affected individuals and applicable state attorneys general "without unreasonable delay" and within the time periods required by applicable state breach notification laws (e.g., Michigan Identity Theft Protection Act)
CCPA/CPRA: California residents will receive specific notice as required under Cal. Civ. Code § 1798.82

17.2 User Notification

When a breach is likely to result in a high risk to your rights and freedoms, we will:

Notify affected users via email to the address on file
Post a prominent notice on our Service if email notification is not feasible
Describe the nature of the breach, the categories of data affected, and the approximate number of records involved
Describe the likely consequences of the breach
Describe the measures taken or proposed to address the breach, including mitigation steps
Provide contact information for our privacy team for follow-up questions

17.3 Organization Administrator Notification

Organization administrators will receive additional technical details including the timeline of the breach, root cause analysis (when available), and specific remediation steps taken. Enterprise customers with an active SLA will receive notification according to the severity and timeline commitments in their agreement.

18 Automated Decision-Making and Profiling

Under GDPR Article 22, you have the right not to be subject to decisions based solely on automated processing that produce legal effects or similarly significant effects on you.

No Automated Legal Decisions: We do not make any automated decisions about you that produce legal effects or similarly significantly affect you without human involvement
Inventory Suggestions: Our Service may provide automated suggestions (e.g., reorder point recommendations, demand forecasts, vendor scoring). These are informational tools only and do not constitute binding decisions
Security Automation: We use automated systems for security purposes such as detecting unusual login patterns, rate limiting, and blocking known attack vectors. These automated security measures may temporarily restrict access to protect your account, but you may contact support for human review of any automated security action
No Profiling for Marketing: We do not profile users for targeted advertising, credit scoring, employment decisions, or any other purpose outside of providing and securing the Service

You have the right to request human review of any automated decision that affects your access to the Service. Contact [email protected] to exercise this right.

19 Do Not Track Signals

Some web browsers transmit "Do Not Track" (DNT) signals to websites. Because there is no universally accepted standard for how to respond to DNT signals, we disclose our practices as follows:

We do not track users across third-party websites or services
We do not use third-party tracking cookies or advertising pixels
We do not sell or share personal information for cross-context behavioral advertising
Our data collection practices remain the same regardless of DNT signal status, because our data collection is already limited to what is necessary for Service operation

This disclosure is provided in compliance with the California Online Privacy Protection Act (CalOPPA) and similar state requirements.

20 Additional US State Privacy Rights

In addition to the California-specific rights described in Section 11, residents of the following states may have additional privacy rights:

20.1 Virginia (VCDPA)

Right to access, correct, delete, and obtain a portable copy of your personal data
Right to opt out of targeted advertising, sale of personal data, and profiling in furtherance of automated decisions
Right to appeal our decision regarding a privacy request by emailing [email protected] with subject "VCDPA Appeal"

20.2 Colorado (CPA)

Right to access, correct, delete, and obtain a portable copy of your personal data
Right to opt out of targeted advertising, sale of personal data, and certain profiling
We honor universal opt-out mechanisms recognized under the CPA

20.3 Connecticut, Utah, Texas, Oregon, Montana & Other States

Residents of states with comprehensive privacy laws (including but not limited to Connecticut, Utah, Texas, Oregon, and Montana) have rights similar to those described above. We process requests from residents of all states in a manner consistent with the most protective applicable standard. To exercise your rights, contact [email protected].

21 Third-Party Services

Our Service may integrate with or link to third-party services. This Privacy Policy does not apply to third-party services, and we are not responsible for their privacy practices. We encourage you to review the privacy policies of any third-party services you access through our platform. Third-party services we may integrate with include:

Payment processors (e.g., Stripe) for subscription billing
Email service providers for transactional emails and notifications
Cloud infrastructure providers for hosting and data storage
Shipping carrier APIs for label generation and tracking
Barcode/QR code generation libraries for inventory labeling

We conduct reasonable due diligence on the privacy and security practices of third-party service providers before engagement. However, we do not control and are not responsible for the privacy policies or practices of any third party. Any information you provide directly to a third-party service is governed by that party's privacy policy.

22 Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, legal requirements, or the Service. When we make material changes:

We will post the updated Privacy Policy on this page with a new "Last Updated" date
We will notify you via email or in-app notification for significant changes
We will provide at least 30 days' notice before material changes take effect
We will maintain an archive of prior versions accessible upon request

Your continued use of the Service after the effective date of any changes constitutes your acceptance of the updated Privacy Policy. If you do not agree with the changes, you must stop using the Service and may request account deletion. Non-material changes (e.g., clarifications, formatting) may be made without prior notice.

23 Governing Law

This Privacy Policy shall be governed by and construed in accordance with the laws of the State of Michigan, United States, without regard to its conflict of law provisions. Any disputes arising under or in connection with this Privacy Policy shall be subject to the exclusive jurisdiction of the state and federal courts located in Michigan.

If you are located in the European Economic Area, United Kingdom, or Switzerland, nothing in this section limits your rights under GDPR or your right to lodge a complaint with your local supervisory authority.

24 Contact Us

If you have questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:

Entity: Oryn Systems LLC
Email: [email protected]
Data Processing Agreement: View DPA

We will acknowledge receipt of your inquiry within 5 business days and provide a substantive response within 30 days. For GDPR-related requests, we commit to responding within the timeframes required by applicable law.