Privacy Policy
How we handle your data
Last updated: 3 April 2026
1. Who we are
Ordana Labs is a trade name of Ordana Labs FZ-LLC, established in Dubai, United Arab Emirates. We build custom software for service businesses across the European Union and the Middle East, including the Netherlands, Belgium, the United Kingdom, Germany, France and the UAE.
Contact for privacy questions:
Email: [email protected]
Website: ordanalabs.com
Because we offer services to individuals in the European Union, the General Data Protection Regulation (GDPR) applies to our processing of personal data, regardless of your country of residence within the EU.
EU representative (Art. 27 GDPR):
De Wit, Netherlands
Email: [email protected]
Our EU representative is the point of contact for data subjects and supervisory authorities across all EU member states.
2. What data we collect
We process the following categories of personal data:
| Category | Examples |
|---|---|
| Contact details | Name, email, phone number, business name |
| Messages | WhatsApp messages, chat conversations, contact forms |
| Business details | Industry, location, revenue (via calculator tool), website data |
| Technical data | IP address, browser type, device data (via cookies) |
| Public data | Business information from public directories (e.g. Gouden Gids NL/BE, Google Maps) |
| Website performance | Performance scores and screenshots of your business website via Google PageSpeed Insights (publicly available) |
3. What we use your data for
| Purpose | Legal basis (GDPR) | Retention |
|---|---|---|
| Answering your questions (contact form, chat) | Consent (Art. 6.1a) | 12 months after last contact |
| Delivering our services (portal, WhatsApp agent) | Contract (Art. 6.1b) | Duration of contract + 12 months |
| Commercial communications (B2B outreach) | Legitimate interest (Art. 6.1f) | 90 days after no response |
| Website analytics and advertising (Meta Pixel) | Consent (Art. 6.1a) | Until consent is withdrawn |
| Improving our AI services | Legitimate interest (Art. 6.1f) | Anonymised after 6 months |
4. B2B outreach and public data
We contact service businesses (sole traders and small companies) in the European Union based on publicly available business data. We do so under our legitimate interest (Art. 6.1f GDPR), respecting the national ePrivacy rules of each country.
Sources of business data:
- Public business directories (Gouden Gids NL/BE, Google Maps, Google Business Profiles)
- Business websites (publicly available contact details)
- Google PageSpeed Insights (publicly available website performance and screenshots)
We do not use data from:
- The Belgian Crossroads Bank for Enterprises (KBO/BCE) for direct marketing purposes
- Non-public registers or databases
- Personal data of employees (we use only business contact details)
Our Legitimate Interest Assessment:
- We only contact businesses through their business contact details, never private individuals
- Messages are relevant to the recipient (same industry)
- Every message contains a clear opt-out option
- Data of uninterested parties is deleted within 90 days
- We document the source of every contact detail
Information duty (Art. 14 GDPR): When we have not obtained your data directly from you, we inform you within one month about the processing, the source of the data, and your rights.
Your right to object: You can object to this communication at any time. Reply to the message with "stop" or email [email protected]. We delete your data within 72 hours. This right is absolute — no balancing test is needed (Art. 21(2) GDPR).
5. AI processing
Our chatbot and WhatsApp assistant are powered by AI (Claude, Anthropic Inc.). When you communicate with our AI:
- Your messages are processed by Anthropic to generate a response
- We store the conversation to improve service delivery
- Your data is not used to train AI models (under Anthropic's commercial API terms)
We have a Data Processing Agreement (DPA) with Anthropic Inc. under Art. 28 GDPR.
6. Cookies and tracking
We use the following cookies:
| Cookie | Type | Purpose |
|---|---|---|
| ordana_cookie_consent | Functional | Remembers your cookie choice |
| ordana_admin_auth | Functional | Session authentication for the portal |
| Meta Pixel (_fbp, _fbc) | Marketing (only with consent) | Ad analytics and retargeting |
The Meta Pixel only loads after you have given consent via our cookie banner. You can change your choice at any time by clearing your browser data.
7. Who we share your data with
We share personal data with the following processors:
| Party | Purpose | Location |
|---|---|---|
| Supabase Inc. | Database hosting | EU (Frankfurt) |
| Anthropic Inc. | AI chat processing | US (EU SCCs apply) |
| Meta Platforms Inc. | WhatsApp Business API, advertising | US/EU (EU SCCs apply) |
| Hetzner Online GmbH | Server hosting | EU (Germany) |
| Amazon Web Services (AWS) | Email delivery (SES) | EU (Ireland) |
| Google LLC | PageSpeed Insights (website analysis) | US (EU SCCs apply) |
We have a Data Processing Agreement with each processor. For transfers outside the EU, EU Standard Contractual Clauses (SCCs) apply.
8. Your rights
Under the GDPR, you have the following rights:
- Access — You can request which data we process about you
- Rectification — You can have incorrect data corrected
- Erasure — You can request deletion of your data
- Restriction — You can request that processing be restricted
- Portability — You can receive your data in a structured format
- Objection — You can object to processing based on legitimate interest
- Withdraw consent — You can withdraw previously given consent at any time
Send your request to [email protected]. We respond within 30 days.
Not satisfied with how we handled it? You have the right to lodge a complaint with the supervisory authority in your country:
- Netherlands: Autoriteit Persoonsgegevens (AP)
- Belgium: Gegevensbeschermingsautoriteit (GBA)
- United Kingdom: Information Commissioner's Office (ICO)
- Germany: The Landesdatenschutzbeauftragte of your federal state
- France: Commission Nationale de l'Informatique et des Libertés (CNIL)
9. Security
We take appropriate technical and organisational measures to protect your data, including:
- Encrypted connections (TLS/HTTPS) on all services
- Role-based access control (Row-Level Security)
- Regular updates and security patches
- Minimal data storage (only what is necessary)
10. Changes
We may update this privacy policy from time to time. For material changes we will inform you via our website. The most recent version is always on this page.