Who we are
ORCA HQ Limited is a company registered in Scotland. We operate the ORCA intelligence platform and the website at www.orca-hq.com.
If you have any questions about this policy or how we handle your data, contact us at use the contact form.
What data we collect
We collect the following categories of personal data:
(a) Account data. Your name, email address, and organisation name — collected when you sign up for the platform or contact us.
(b) Usage data. Pages visited, browser type, and referring URL — collected via privacy-respecting analytics. We do not capture request or response bodies.
(c) Platform data. Knowledge entries you create within ORCA brains. This data is processed solely to provide the service to your organisation, in accordance with your organisation's data processing agreement.
(d) Contact form submissions. Your name, email address, and message content — collected when you use our contact form.
How we use your data
- To provide and maintain the ORCA platform.
- To respond to your enquiries and support requests.
- To send product updates and announcements (only with your consent).
- To improve the platform based on aggregated, anonymised usage patterns.
We do not use your platform data (brain entries) for marketing, for training AI models, or for any purpose other than providing the service to your organisation.
Legal basis (UK GDPR)
We process your personal data under the following lawful bases:
- Contract performance — processing necessary to provide the ORCA platform and fulfil our obligations to you.
- Legitimate interest — analytics to improve the platform, and security monitoring to protect the service and your data.
- Consent — marketing communications. You can withdraw consent at any time by contacting us or using the unsubscribe link in any email.
Data storage and security
All data is stored on Microsoft Azure infrastructure in the UK South region.
Brain entries are protected by a three-layer PII defence:
- Constitutional minimisation — the AI is instructed to use role descriptors rather than named individuals wherever identity is not operationally necessary.
- NER tokenisation — Named Entity Recognition detects and replaces personal identifiers (names, emails, phone numbers) with deterministic tokens before storage.
- AES-256-CBC envelope encryption — the token-to-identity mapping is encrypted at rest using envelope encryption with keys managed in Azure Key Vault.
Personal brains are encrypted and inaccessible to other users, including administrators.
Data sharing
We do not sell your data. We never have and we never will.
We do not share personal data with third parties except the following infrastructure providers, who process data on our behalf under appropriate data processing agreements:
- Microsoft Azure — infrastructure provider. Data is processed and stored in UK data centres.
- Anthropic — AI model provider. Prompts are processed to generate responses but are not stored by Anthropic for model training, per our data processing agreement.
Data retention
- Account data is retained while your subscription is active and for 90 days after cancellation.
- Platform data (brain entries) is exported to you on cancellation and deleted from our systems within 30 days.
- Contact form submissions are retained for 12 months, then deleted.
Your rights
Under UK GDPR, you have the right to:
- Access — request a copy of the personal data we hold about you.
- Rectification — request correction of inaccurate or incomplete data.
- Erasure — request deletion of your personal data.
- Portability — receive your data in a structured, machine-readable format.
- Restriction — request that we limit how we process your data.
- Objection — object to processing based on legitimate interest.
For platform data, Subject Access Requests are fulfilled via the deterministic token store, which allows us to locate and extract every reference to a specific individual.
To exercise any of these rights, contact us at use the contact form.
Cookies
We use essential cookies only. For full details on what cookies we set and why, see our Cookie Policy.
Changes to this policy
We will notify you by email of any material changes to this policy. Minor clarifications may be made without notice.
Last updated: April 2026.