Information we collect
We collect the following categories of information:
- Account registration data — name, email address, password hash, organization, and role of users who sign up or are invited to an OrderLock.
- Uploaded files and documents — purchase orders, spec sheets, BOMs, artwork, sample photos, production updates, shipping documents, and any other files added to an OrderLock.
- Production records and approval history — timelines, milestones, approvals, rejections, change requests, comments, and timestamps recorded as the order moves forward.
- Usage analytics — device type, browser, IP address, pages viewed, and actions taken inside the application.
- Communications — messages exchanged with our team for support, sales, or feedback.
How we use information
We use the information above to:
- Provide, operate, and improve the OrderLocks service.
- Record approvals, changes, and milestones as part of the production evidence package between a buyer and supplier.
- Send transactional notifications such as milestone reminders, change requests, and security alerts.
- Detect, prevent, and respond to abuse, fraud, and security incidents.
- Comply with legal obligations and enforce our Terms.
We do not sell personal information, and we do not use customer order content for advertising.
Cookies and analytics
OrderLocks uses a small number of strictly necessary cookies to keep users signed in and to protect against abuse. We use privacy-respecting product analytics to understand aggregate usage patterns — which features are used, where users encounter friction, and where performance can be improved.
Analytics events are tied to an internal user identifier, not to advertising profiles. You can clear cookies through your browser at any time.
Security practices
Data is transmitted over TLS and stored encrypted at rest with our infrastructure providers. Access to production systems is restricted to authorized personnel, protected by multi-factor authentication, and logged. We follow least-privilege access principles, perform regular dependency and configuration reviews, and maintain backup and disaster-recovery procedures so that production records remain available.
Third-party services
We rely on a limited set of vetted infrastructure providers to deliver the service. They process data on our behalf under contractual confidentiality and security commitments and are not permitted to use customer data for their own purposes:
- Stripe — payment processing and subscription billing. Card details are submitted directly to Stripe and never stored on OrderLocks servers.
- Supabase — managed database, authentication, and file storage for account and production data.
- Postmark — transactional email delivery for notifications, supplier invitations, and account messages.
- Vercel — application hosting, edge delivery, and serverless function execution.
Data retention
Production records, files, and timeline events are retained for as long as the associated organization maintains an active account, so that the evidence package remains available for the lifecycle of the order and any downstream dispute resolution.
If an account is closed, data is retained for a reasonable period to allow export, then deleted or anonymized on a defined schedule, except where retention is required by law or to resolve outstanding obligations.
Your rights
Account administrators can update or remove user records, export order data, and request deletion of organizational data. Individual users may request access to, correction of, or deletion of their personal information at any time. Where applicable law provides additional rights — such as data portability or the right to object to certain processing — we will honor those rights upon verified request.
Contact
Privacy questions, access requests, and data deletion requests can be sent to support@orderlocks.com.
Get in touch
For anything related to this policy, write to support@orderlocks.com. We respond to all inquiries from operations, legal, and security teams.
