GDPR compliant

Privacy Policy

Last updated: 11 June 2026 · Applicable to all Ordops users

🔒 Ordops only processes personal data that is necessary for the provision of the service. We never sell your data to third parties and do not use it for third-party marketing purposes.

Table of Contents

  1. Who we are
  2. What data we collect
  3. Why we process data
  4. Legal basis
  5. Retention periods
  6. Sharing with third parties
  7. Third-party calendar integration
  8. Cookies
  9. International transfers
  10. Security
  11. Your rights
  12. Complaints
  13. Changes

1Who we are

Data controller:
Ordops (trade name)
Sole proprietorship registered with the Chamber of Commerce, the Netherlands
Chamber of Commerce (KvK): 42078127
VAT number: NL005488124B36
Email: privacy@ordops.com
Website: ordops.com

Ordops is a Software-as-a-Service platform for contractors in Europe. As data controller, we determine the purpose and means of processing your personal data.

For the personal data of third parties that you enter into Ordops (your employees, clients, subcontractors), you are yourself the data controller and we act as processor. A data processing agreement (DPA) is available on request.

2What data we collect

Account data

Usage data (entered by you)

Technical data

Payment data

Payments are processed by Mollie B.V. We do not store complete payment details. We only receive a payment status and a payment reference from Mollie.

3Why we process your data

PurposeDescription
Service deliveryCreating account, granting access, storing and displaying data
CommunicationConfirmation emails, team member invitations, quote emails
PaymentProcessing subscription, invoice administration
SecurityPreventing fraud, detecting unauthorised access
ImprovementAnonymous usage statistics via Google Analytics 4 and behaviour analytics on public website pages via Microsoft Clarity, only with analytics consent, for product and conversion improvement
Legal obligationsFiscal retention requirements, GDPR requirements

4Legal basis for processing

5Retention periods

CategoryRetention periodReason
Account dataUp to 90 days after account deletionRecovery option
Projects, tasks, quotesUp to 90 days after account deletionUsage data
Invoice data7 yearsFiscal retention requirement
Technical logs90 daysSecurity and debugging
Emails sent from platform30 days (logs)Error handling

6Sharing with third parties

We share your data exclusively with the following categories of processors and only to the extent necessary:

PartyPurposeCountry
One.comApplication and data hostingEU (DK)
Mollie B.V.Payment processingNetherlands
CloudflareDNS, SSL, DDoS protectionEU proxy
Microsoft ClarityBehaviour analytics, heatmaps and session recordings on public website pages, only after analytics consentEU / US with appropriate safeguards

We never sell your personal data to third parties. We do not share your data with advertisers or other commercial parties.

Data processing agreements compliant with GDPR requirements have been concluded with all processors.

7Third-party calendar integration (Google & Microsoft)

Ordops allows users to optionally connect their Google Calendar or Microsoft Outlook Calendar to improve project planning and prevent scheduling conflicts. If you choose to authorise this connection, Ordops requests read-only access (such as calendar.readonly for Google or Calendars.Read for Microsoft) to your selected calendar.

How we use and handle this data

AspectDetail
UseWe use this read-only access strictly to align your personal availability with the Ordops project calendar. We only read availability data to prevent double-booking. We cannot edit, create, or delete your personal events.
Storage & sharingYour calendar data is securely processed solely to determine availability. It is never shared with, sold to, or transferred to any third-party services, data brokers, or advertising platforms.
Limited use complianceOrdops's use and transfer to any other app of information received from Google APIs will adhere to the Google API Services User Data Policy, including the Limited Use requirements. Similarly, data obtained via Microsoft Graph APIs complies with Microsoft Entra ID privacy policies and is restricted to the minimum scopes necessary for synchronisation.

8Cookies

What are cookies

Cookies are small text files stored on your device when you visit our website.

Which cookies we use

Ordops uses Google Analytics 4 and Google Tag Manager from Google LLC (US), and may use Microsoft Clarity from Microsoft Corporation for heatmaps and session recordings on public website pages. Analytics data is used to understand website conversion and improve the service. Clarity is configured with masking and is not used to record authenticated app pages in this first setup. More info: Google Privacy Policy and Microsoft Privacy Statement.

CookieTypePurposeRetention
ordops_sessionFunctional (necessary)Stay logged inSession
ordops_langFunctional (necessary)Remember language preference1 year
ordops_cookie_consentFunctional (necessary)Store cookie consent1 year
_gaAnalyticalDistinguish unique visitors (anonymised)2 years
_ga_*AnalyticalTrack session status2 years
_gtmFunctionalTag management for analyticsSession
_clckAnalyticalMicrosoft Clarity visitor and heatmap analytics on public pagesUp to 1 year
_clskAnalyticalMicrosoft Clarity session analytics on public pagesUp to 1 day

Google Analytics is configured with IP anonymisation. Microsoft Clarity is used only for analytics such as heatmaps and session recordings on public website pages and is configured to mask sensitive content. No personal data is shared with Google or Microsoft for advertising purposes. You can refuse analytics cookies via the cookie banner on your first visit.

You can refuse or delete cookies via your browser settings. Functional cookies are required for the correct functioning of the service.

9International transfers

Your data is stored on servers within the European Economic Area (EEA). We do not transfer your personal data to countries outside the EEA without appropriate safeguards.

Cloudflare processes traffic data via servers worldwide but does not store personal data outside the EEA. Cloudflare is certified under the EU-US Data Privacy Framework.

10Security

We take appropriate technical and organisational measures to secure your personal data:

In the event of a data breach that poses risks to data subjects, we will notify the Dutch Data Protection Authority within 72 hours and data subjects as soon as possible.

11Your rights under the GDPR

Access

You have the right to access the personal data we process about you.

Rectification

You can request correction of inaccurate or incomplete data.

Erasure

You can request deletion of your data ("right to be forgotten").

Restriction

You can request restriction of the processing of your data.

Portability

You can request your data in a machine-readable format.

Objection

You can object to processing based on legitimate interest.

To exercise your rights, please send a request to privacy@ordops.com. We will respond within 30 days. We may ask you to verify your identity.

12Complaints

If you believe that we are not processing your personal data correctly, we ask you to first contact us via privacy@ordops.com.

You also have the right to lodge a complaint with the supervisory authority. In the Netherlands this is the Autoriteit Persoonsgegevens (Dutch Data Protection Authority):

Autoriteit Persoonsgegevens
PO Box 93374, 2509 AJ The Hague, Netherlands
autoriteitpersoonsgegevens.nl
Tel: +31 88 1805 250

13Changes

We reserve the right to amend this Privacy Policy. In the event of material changes, we will inform you by email at least 30 days before the effective date.

The most recent version is always available at ordops.com/privacy.html.