Privacy notice

This notice explains how Orkestra SAS ("Orkestra", "we") processes personal data when you use our website and our regulatory intelligence platform. It is issued under Articles 13 and 14 of Regulation (EU) 2016/679 (GDPR).

1. Controller and contact

Controller: Orkestra SAS, Paris, France. For privacy enquiries and to exercise your rights, contact us at privacy@orkestra.eu. Our Data Protection Officer is reachable at dpo@orkestra.eu.

2. Categories of personal data

On the marketing site we process contact data you submit voluntarily (name, work email, company, archetype, message) and minimal technical data (IP, user agent, referrer, timestamps) via first party logs.

Inside the platform, acting as processor on behalf of our regulated customers, we process identifiers of authorised users, their queries, the answers produced, citations, and operational metadata (model, token counts, timestamps). We do not seek, and advise customers not to submit, special category data or data about identified natural persons inside analyst queries.

3. Purposes and legal bases

Contact form: performance of pre contractual steps at your request, Article 6(1)(b). Product operation: performance of the customer contract, Article 6(1)(b), with the customer as controller and Orkestra as processor. Audit and supervisory logs: legitimate interests of the customer and of Orkestra in providing a traceable and supervisable service, Article 6(1)(f). Security and anti abuse: Article 6(1)(f). Compliance with legal obligations: Article 6(1)(c).

4. Recipients and subprocessors

We disclose personal data to the subprocessors listed on our Subprocessors page, strictly for the purposes set out above and under written processing agreements that include EU Standard Contractual Clauses where applicable. Public authorities may receive data where we are legally required to provide it.

5. International transfers

The platform and all customer data are hosted in the European Union. Limited inference traffic is routed to Anthropic PBC under Module 3 Standard Contractual Clauses and supplementary measures, including Zero Data Retention, TLS in transit, and input minimisation.

6. Retention

Marketing enquiries: up to twenty four months from last interaction. Platform audit trail: retained per customer contract, default three years, aligned with general supervisory retention expectations. Security logs: twelve months.

7. Your rights

Subject to GDPR you have rights of access, rectification, erasure, restriction, portability, and objection, as well as the right to lodge a complaint with your supervisory authority (in France, CNIL). Exercise your rights by writing to privacy@orkestra.eu. For data we process as a processor, requests should generally be directed to your employer or the Orkestra customer on whose behalf we process.

8. Automated decisions and model use

Orkestra uses large language models to summarise regulatory content. Outputs are advisory and cited. Orkestra does not take automated decisions producing legal or similarly significant effects on you within the meaning of Article 22 GDPR.

9. Changes

Material changes will be notified on the site at least thirty days in advance of taking effect.