Privacy Policy

Effective date: 30 March 2026

1. Introduction

This Privacy Policy explains how Orlo (available at getorlo.app), operated by Mearovate (mearovate.cloud), collects, uses, stores, and protects your personal information when you use our service.

We are committed to protecting your privacy and ensuring that your personal data is handled responsibly and in compliance with applicable data protection laws, including the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.

2. Information We Collect

2.1 Account Information

When you create an account, we collect your email address and name. This information is used to identify you within the platform and to communicate with you about your account and the service.

2.2 Documents You Upload

When you upload documents to Orlo, they are stored securely in private storage buckets. Your documents are private to your account and are not accessible to other users or the public.

2.3 Extracted Data

When our AI processes your documents, the extracted information (such as dates, amounts, names, and other key data points) is stored in association with your account. This data is used to provide you with structured document summaries and reminders.

2.4 Usage Data

We collect anonymised usage data, including page views, feature usage, and general interaction patterns. This data helps us understand how the service is used and identify areas for improvement.

2.5 Billing Information

Payment processing is handled entirely by Stripe. We do not store your credit card number, CVV, or other sensitive payment details on our servers. We may store your Stripe customer identifier and subscription status for account management purposes.

3. How We Use Your Information

We use the information we collect for the following purposes:

  • Providing the service: To operate your account, store your documents, and deliver the core functionality of Orlo.
  • AI document extraction: To process your uploaded documents using AI and extract relevant information for your use.
  • Sending reminders: To notify you about important dates extracted from your documents, such as renewal dates and expiry dates.
  • Improving the product: To analyse usage patterns and feedback in order to improve the service, fix issues, and develop new features.
  • Billing: To manage your subscription, process payments through Stripe, and communicate about billing matters.

4. Data Storage and Security

We take the security of your data seriously and employ a range of technical and organisational measures to protect it:

  • Hosting: Our database, authentication, and file storage are hosted on Supabase, with EU-available regions to support data residency requirements.
  • Private storage: All uploaded documents are stored in private storage buckets that are not publicly accessible.
  • Row-level security: Our database implements row-level security (RLS) policies to ensure that users can only access their own data.
  • Encryption in transit: All data transmitted between your browser and our servers is encrypted using TLS/SSL.
  • No public access: Your documents are never made publicly available and can only be accessed through authenticated requests linked to your account.

5. Third-Party Services

We use the following third-party services to operate Orlo. Each service processes data in accordance with their own privacy policies:

  • Supabase: Database, authentication, and file storage. Supabase hosts your account data, documents, and extracted information.
  • OpenAI: Document analysis and data extraction. When you upload a document for processing, the document content is sent to OpenAI for AI-powered analysis. OpenAI processes this data in accordance with their data usage policies.
  • Stripe: Payment processing. Stripe handles all payment transactions securely. We do not store your card details.
  • Resend: Email delivery. Resend is used to send transactional emails such as reminders, account notifications, and billing receipts.
  • Vercel: Hosting. The Orlo web application is hosted on Vercel's platform.

6. Data Retention

Your documents and extracted data are kept for as long as your account is active and you choose to retain them. You may delete individual documents at any time, and they will be removed from our active systems.

If you delete your account, all of your data, including uploaded documents, extracted information, account details, and preferences, will be permanently removed from our active systems.

Backups that include your data may be retained for up to 30 days following deletion for disaster recovery purposes. After this period, all copies of your data will be permanently purged.

7. Your Rights

Under the UK GDPR and applicable data protection legislation, you have the following rights regarding your personal data:

  • Right to access: You have the right to request a copy of the personal data we hold about you.
  • Right to rectification: You have the right to request correction of any inaccurate or incomplete personal data.
  • Right to erasure: You have the right to request the deletion of your personal data in certain circumstances.
  • Right to data portability: You have the right to receive your personal data in a structured, commonly used, and machine-readable format.
  • Right to object: You have the right to object to the processing of your personal data in certain circumstances.
  • Right to withdraw consent: Where processing is based on consent, you have the right to withdraw that consent at any time.

To exercise any of these rights, please contact our Data Protection Officer at hello@getorlo.app. We will respond to your request within 30 days.

8. Cookies

Orlo uses minimal cookies. We use authentication session cookies that are essential for the operation of the service, allowing you to remain signed in as you navigate the platform. We do not use tracking cookies, advertising cookies, or any third-party cookies for marketing purposes.

9. Children's Privacy

Orlo is not intended for use by individuals under the age of 16. We do not knowingly collect personal data from children under 16. If we become aware that we have collected personal data from a child under 16, we will take steps to delete that data as promptly as possible. If you believe that a child under 16 has provided us with personal data, please contact us at hello@getorlo.app.

10. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, or legal requirements. When we make changes, we will update the effective date at the top of this page. Where changes are significant, we will notify you by email or through the platform. Your continued use of Orlo after the updated policy takes effect constitutes your acceptance of the changes.

11. Contact

If you have any questions about this Privacy Policy or how we handle your data, please contact us: