1. Orensio as Data Processor
Under both the European Union General Data Protection Regulation (EU GDPR) and the United Kingdom General Data Protection Regulation (UK GDPR), read alongside the UK Data Protection Act 2018 (DPA 2018), Orensio AI acts primarily as a Data Processor for the B2B contact lists and prospect communications managed by our clients (who act as the Data Controllers).
As a Processor, Orensio only handles personal data strictly following the instructions of the Controller. Our automated campaigns, sequences, and lead enrichment pipelines are structured to comply with both EU and UK standard contractual data processing clauses, ensuring seamless and legally compliant international data operations.
2. Data Minimization & B2B Scope
Orensio enforces a strict data minimization model:
- We only collect and enrich professional, business-to-business (B2B) information (e.g. work email addresses, professional job titles, public business LinkedIn profiles, and company firmographics).
- We do not collect, process, or enrich private, personal, or highly sensitive user characteristics (such as medical data, race, religion, sexual orientation, or political beliefs).
- Our AI personalisation models read prospect profiles dynamically during active outbound generations, with zero permanent storage of unused profiles.
3. Right to Erasure (Opt-Out)
The GDPR guarantees individuals the "Right to be Forgotten" (Article 17). Orensio implements direct tools to enforce this right instantly:
- Instant Unsubscribe: Outbound emails sent by the platform can support direct opt-out headers or unsubscribe links.
- Global Suppression Lists: When a prospect opts out or unsubscribes, the system instantly logs their email in your suppression list, automatically pausing any future sequences.
- Data Erasure Request: Leads can request complete deletion of their profile from your dashboard tables by emailing hello@orensio.com. All erasure requests are cascadingly processed within 7 business days.
4. International Data Transfers
If you reside in the European Economic Area (EEA), your information may be processed on servers located outside the EEA (such as in the United States). Orensio safeguards these transfers:
- We contractually execute Standard Contractual Clauses (SCCs) with our subprocessors (e.g. Supabase, Stripe) to ensure equivalent levels of protection.
- Subprocessors maintain robust SOC 2 certifications and utilize encrypted storage pipelines.
5. Data Processing Agreement (DPA)
Enterprise clients (Scale & Agency plan holders) can execute a comprehensive Data Processing Agreement (DPA) with Orensio.
The DPA establishes legally binding GDPR safeguards, defining Orensio’s specific obligations regarding encryption, subprocessor management, data breach notifications, and audit rights. To execute a DPA, please contact your dedicated Customer Success Manager (CSM) or email concierge@orensio.com.