Privacy Policy

Orderain LLC ("Orderain", "we", "us", or "our") operates the Orderain platform at https://orderain.com, the Orderain web application, the Orderain iOS app, and the Orderain Android app (together, the "Service"). This Privacy Policy explains what information we collect, how we use it, and the rights you have over it.

Orderain is a two-sided ecommerce platform. We serve two distinct groups: (1) merchants ("Vendors") who sign up with Orderain to build and operate online stores, and (2) the end-customers ("Shoppers") who buy from those stores. This policy covers both. Where a section applies only to one group, we say so.

We do not sell personal information to data brokers. We do not use your data for cross-app advertising tracking. We are not in the ad-targeting business. Our business model is direct: Vendors pay us a subscription to run their stores.

1. Information We Collect From Vendors

When you sign up as a Vendor and use Orderain to operate your store, we collect:

• Contact information: name, email address, phone number, business or physical address.

• Account credentials: account/user ID, password (stored as a one-way hash, never in plain text).

• Store configuration: country, currency, timezone, brand and design preferences.

• Subscription and billing status: which plan you are on, billing dates, and payment status. Subscription billing is processed by Stripe under their own terms. We do not store full payment card numbers.

• Communications: messages you send us through support, chat widgets, or email.

2. Information We Collect From Shoppers

When a Shopper places an order on a Vendor's Orderain-powered store, we process (on behalf of that Vendor):

• Contact and delivery details: name, email, phone, shipping address, billing address.

• Order history: products purchased, prices, dates, order status.

• Customer account details: if the Shopper creates an account with a Vendor store, their login credentials and profile.

• Payment information: handled directly by third-party payment processors (Stripe, PayPal, Safepay, RazorPay, PayFast, and other regional gateways the Vendor enables). Full card numbers and bank details are never stored on Orderain servers.

3. Information Collected Automatically

When anyone uses the Service (Vendor or Shopper), we automatically collect:

• Usage data: pages viewed, taps, clicks, scrolls, and how you interact with our features.

• Device and session data: device identifiers, session IDs, browser type, operating system, screen size, language.

• Network data: IP address and approximate location derived from IP. We use Cloudflare's CF-IPCountry header for regional pricing and routing.

We use two analytics tools to understand how people use Orderain so we can improve the Service:

Microsoft Clarity

We use Microsoft Clarity for usage analytics and session recording. Clarity records how visitors interact with our pages, including mouse movements, scrolls, clicks, and approximate session replays. Sensitive form fields (such as passwords and payment fields) are masked and never recorded. We use this data to find bugs, fix usability issues, and improve our pages. Clarity's own data handling is governed by Microsoft's privacy practices, available at https://privacy.microsoft.com.

Google Analytics

We use Google Analytics to measure aggregate website traffic, including which pages perform well, which referrers send visitors, and broad demographic categories. Google may set cookies in your browser. You can opt out by installing the Google Analytics Opt-out Browser Add-on. Google's data handling is governed by Google's privacy policy at https://policies.google.com/privacy.

We use information collected through the Service for the following purposes only:

• To provide, operate, and maintain the Service including hosting Vendor stores, processing Shopper orders, and serving the Orderain web and mobile apps.

• To process Vendor subscription billing and Shopper checkout through our third-party payment processors.

• To send transactional messages: order confirmations, invoices, password resets, security alerts, and important Service notices.

• To send product update emails to Vendors who have opted in to receive them. You can unsubscribe from these at any time.

• To improve the Service through analytics, debugging, and performance monitoring.

• To respond to support requests and customer feedback.

• To comply with legal obligations and enforce our Terms of Service.

We do not use your personal data for cross-app advertising tracking. We do not sell personal data to data brokers. We do not run an ad network.

We share information only with service providers that help us run Orderain, and only to the extent necessary for them to perform their function. These include:

• Payment processors: Stripe (subscriptions + checkout), PayPal, Safepay, RazorPay, PayFast, and other gateways Vendors enable. They process payment data under their own privacy policies.

• Cloud hosting and infrastructure: AWS and S3-compatible storage for application data and uploaded media; Cloudflare for content delivery, security, DDoS protection, and approximate geolocation.

• Analytics: Microsoft Clarity and Google Analytics, as described above.

• Email and transactional messaging providers, used to deliver order confirmations, password resets, and Service notifications.

• Customer support tools used by our team to respond to inquiries.

We may also disclose information when required by law, in response to lawful requests from authorities, to protect our rights or the safety of users, or in connection with a merger, acquisition, or sale of company assets. In such an event, we will notify users via the Service or by email before personal data is transferred and becomes subject to a different privacy policy.

Vendors are the data controllers for the Shopper data flowing through their own stores. Orderain processes that data on the Vendor's behalf as a data processor. This means:

• Vendors are responsible for having their own privacy practices, cookie consent, and customer-facing privacy policy on their stores.

• Vendors are responsible for honoring data access, correction, and deletion requests from their Shoppers.

• Vendors must comply with applicable data protection laws in the regions they sell to (GDPR, CCPA, and others).

• Orderain provides tools to help Vendors comply, including data export and customer-deletion features in the dashboard.

We use cookies and similar technologies (local storage, session tokens) for several purposes:

Types of cookies we use

We use the following categories:

• Essential cookies: required for the Service to function (login sessions, security tokens, language preferences). These cannot be disabled.

• Analytics cookies: set by Microsoft Clarity and Google Analytics to measure how people use our pages.

• Performance cookies: help us tune page speed and detect errors.

Managing cookies

You can control cookies through your browser settings. Disabling essential cookies may make parts of the Service unusable (for example, you may not be able to stay logged in). Analytics cookies can be opted out of using the tools mentioned in the Analytics section above.

We retain personal data only as long as needed to provide the Service, comply with our legal obligations, resolve disputes, and enforce our agreements:

• Vendor account data: retained for the life of the account. When a Vendor deletes their account, their personal data is removed from our active systems within 30 days, except where retention is required for legal, tax, fraud-prevention, or regulatory reasons.

• Shopper data on Vendor stores: retained according to each Vendor's own retention policy. Vendors can delete Shopper data through the dashboard at any time.

• Order and transaction records: retained for the period required by applicable tax and financial regulations, typically 7 years.

• Backups: Orderain maintains rolling encrypted backups of the platform for disaster recovery. Backup data ages out automatically. Deleted account data may persist in backup storage for a limited period before being permanently removed.

• Analytics data: aggregated and retained for up to 26 months under Google Analytics defaults and 1 year under Microsoft Clarity defaults. Session recordings are retained for 30 days by default.

You have the following rights with respect to your personal data, regardless of where you live. We extend the substantive protections of GDPR (European Economic Area, United Kingdom, Switzerland) and CCPA / CPRA (California) to all users globally:

• Right to access: request a copy of the personal data we hold about you.

• Right to correction: ask us to fix data that is inaccurate or incomplete.

• Right to deletion: request that we delete your account and personal data. Vendors can also delete their account directly from the Orderain dashboard, which triggers our deletion workflow including an email OTP confirmation.

• Right to data portability: request an export of your data in a structured, machine-readable format.

• Right to object: ask us to stop processing your data for specific purposes such as marketing emails.

• Right to restrict processing: ask us to limit how we use your data while a complaint or correction is being resolved.

• Right to opt out of sale: we do not sell personal data, so this is the default for all users.

To exercise any of these rights, email hello@orderain.com from the email address associated with your account. We respond to verified requests within 30 days. If you are a Shopper on a Vendor's store, contact that Vendor directly. If they do not respond, you can escalate to Orderain at the same address.

You can delete your Orderain account at any time. To delete your account:

• Web: sign in at app.orderain.com, open Settings, and choose Delete Account.

• iOS / Android: sign in to the Orderain app, open Settings, and choose Delete Account.

• You will receive a one-time confirmation code by email. Enter it to confirm the deletion.

• Once confirmed, your personal data is removed from active systems within 30 days. Order and transaction records required for tax and regulatory compliance are retained for the legally required period.

Orderain is based in the United States and uses cloud infrastructure that may store and process data in multiple countries. By using the Service, you understand that your data may be transferred to and processed in jurisdictions different from your own. Where required, we rely on Standard Contractual Clauses and equivalent mechanisms to provide appropriate safeguards for international transfers under GDPR and similar frameworks.

We use industry-standard security measures to protect personal data, including:

• Encryption in transit (TLS 1.2+) on all connections.

• Encryption at rest for application data and backups.

• Passwords stored using one-way hashing with salting; we never have access to your plaintext password.

• Network-level protection via Cloudflare against DDoS, bot, and intrusion attacks.

• Role-based access control internally so only authorized staff can access production systems.

• Regular security review of dependencies and infrastructure.

No system is 100% secure. If we ever experience a security incident affecting your personal data, we will notify affected users without undue delay as required by applicable law.

Orderain is not directed to children under 13 (or under 16 in some EEA jurisdictions). We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, contact us at hello@orderain.com and we will delete that data promptly.

We may update this Privacy Policy from time to time. When we make material changes, we will update the "Last updated" date at the top of this page and, where appropriate, notify you in-app or by email. Continued use of the Service after changes take effect means you accept the updated policy.

Questions about this Privacy Policy or our data practices? Email hello@orderain.com.

Orderain LLC

30 N Gould St # 43445, Sheridan, WY 82801, United States