Privacy Policy

Privacy Policy

This privacy policy sets out how we use and protect any information that you give Orlo when you use this website. Orlo is committed to ensuring that your privacy is protected. Should we ask you to provide certain information by which you can be identified when using this website, then you can be assured that it will only be used in accordance with this privacy statement. Orlo may change this policy from time to time by updating this page. You should check this page from time to time to ensure that you are happy with any changes. This policy is effective from the 18th Dec 2017.

What we Collect

When you register for Orlo we ask for information such as;

Platform Related

  • Your name and email address and other contact details.
  • The geographic area where you use your computer and mobile devices using your IP address.
  • Other optional information as part of your account profile.
  • Other information submitted by you or your organizational representatives via various methods (phone, email, online forms, surveys, in-person meetings, etc.).

In Supporting You

  • Your billing address and any necessary other information to complete any financial transaction, and when making purchases through the Services.
  • Information we may receive relating to communications you send us, such as queries or comments concerning our Services
  • In Using our Platform-User-generated content (such as messages, posts, comments, pages, profiles, images, feeds or communications exchanged on the Supported Platforms)
  • Images or other files that you may publish via our Services (including the services)

How we use the Data

  • To identify you when you login to your Orlo account.
  • To enable us to operate Orlo Services and provide them to you.
  • To verify security, and authentication (including security tokens for communication with installed Third-Party Apps).
  • To contact you about your account and provide customer service support, including responding to your comments and questions.
  • To keep you informed about the Services, features, surveys, newsletters, offers, contests and events we think you may find useful or which you have requested from us.
  • To sell or market Orlo products and services to you.
  • To better understand your needs and the needs of users in the aggregate, diagnose problems, analyze trends, improve the features and usability of the Services, and better understand and market to our customers and users.
  • To keep the Services safe and secure.

Information Sharing

The information we collect is used to improve the content of our Web pages and the quality of our service, and is not shared with or sold to other organizations for commercial purposes, except to provide products or services you’ve requested, when we have your permission, or under the following circumstances:

It is necessary to share information in order to investigate, prevent, or take action regarding illegal activities, suspected fraud, situations involving potential threats to the physical safety of any person, violations of Terms of Service, or as otherwise required by law.

We transfer information about you if Orlo is acquired by or merged with another company. In this event, Orlo will notify you before information about you is transferred and becomes subject to a different privacy policy.

Tracking Services Metrics and Analytics:

Orlo collects information about accesses (such as clicks) of every Link created through the Services. This information includes, but is not limited to: (i) the IP address and physical location of the devices accessing the Link; (ii) the referring websites or services; (iii) the time and date of each access; and (iv) information about sharing of the Link on Third Party Services such as Twitter and Facebook. This information is used by Orlo to improve their websites and services by, for example, providing value-added features, and to analyze clicks on Links, for example to understand how, when and where Links are clicked. Information Collected Automatically:

  • Orlo automatically receives and records information from your web browser when you interact with the Services
  • Orlo also automatically receives and records information that your mobile device transmits when you access the Services, like a device identifier, device settings, and operating system.
  • Generally, the Services automatically collect Site usage information, such as the number and frequency of visitors to the Site. Orlo may use this data in aggregate form, that is, as a statistical measure. This type of aggregate data enables us to figure out how often individuals use parts of the Site so that we can analyze and improve them.
  • We will collect information about your general location (such as your city and state, which is derived from your IP address) when you visit a Link Cookies:

Orlo Links use cookies or similar technologies to analyze trends, administer the website, track users’ movements around the website, and to gather demographic information about our user base as a whole.

  • Cookies are pieces of text that may be provided to your computer through your web browser when you access a website. Your browser stores cookies in a manner associated with each website you visit. We use cookies to enable our servers to recognize your web browser and tell us how and when you visit our Site and use the Services through the web.
  • cookies also allow Orlo to track when you have clicked on a Link. Each click of a Link is tracked using a unique identifier assigned to you in one or more cookies stored by your web browser and associated with We may associate the unique identifier in our cookies with the other information we automatically collect when you use the Services, as described above, including your IP address, Links you click and information with your Account if you have one.
  • Most browsers have an option for turning off the cookie feature, which will prevent your browser from accepting new cookies, as well as (depending on the sophistication of your browser software) allowing you to decide on acceptance of each new cookie in a variety of ways. If you disable cookies, you will not be able to use some features of the Services.
  • You may also ask Orlo not to place cookies on your web browser by navigating your browser to
  • When cookies are disabled in this manner, clicks on Links are not tied back to or associated with your web browser. However, we will still automatically collect the IP addresses of computers or mobile devices that click on Links.


A cookie is a small amount of data, which often includes an anonymous unique identifier, that is sent to your browser from a web site’s computers and stored on your computer’s hard drive.

Cookies are required to use the Orlo service.

We use cookies to record current session information, but do not use permanent cookies. You are required to log-in to your Orlo Site after a certain period of time has elapsed to protect you against others accidentally accessing your account contents.

Data Storage

Orlo uses third party vendors and hosting partners to provide the necessary hardware, software, networking, storage, and related technology required to run Orlo. Although Orlo owns the code, databases, and all rights to the Orlo application, you retain all rights to your data. We’re serious about our privacy policy and never disclose or sell any personally identifiable information. We do use cookies only in the same, widely-accepted way that Twitter, Facebook and Google use them: to improve our analytics and the tools we can offer our users. For example, we need to distinguish between total clicks links and total unique users – a distinction we can’t make without cookie data.

If you would like to revoke your YouTube access in the platform please click here, for more information please review Google’s Privacy Policy here.


Orlo may disclose personally identifiable information under special circumstances, such as to comply with subpoenas or when your actions violate the Terms of Service.

Email Preferences

You can manage your email preferences, such as opt-out or unsubscribe from emails sent by Orlo, by adjusting your preferences in your account settings. You can also opt-out or unsubscribe from any future email communications from within each email correspondence that we send you.

Policy Changes

Orlo may periodically update this policy. We will notify you about significant changes in the way we treat personal information by sending a notice to the primary email address specified in your Orlo primary account holder account or by placing a prominent notice on our site.

General Data Protection Regulation (GDPR) Readiness

The General Data Protection Regulation (GDPR) comes into effect on 25 May 2018. In line with the GDPR and to continue the provision of secure, reliable and compliant services, we have created these FAQs which set out our privacy obligations – both legal and contractual.

1. How is Orlo structured to ensure data protection compliance?

The protection of our clients’ data is at the heart of our business. We have a strong culture of compliance, which is embedded within our software, systems and processes.

We have worked hard to establish a GDPR compliance framework with internal policies and procedures that are kept under review. Our personnel are trained to understand the importance of data protection and to apply its principles within their roles.

We have a designated privacy officer to guide our business on compliance and have specialist external advisers that we can call on for additional support.

Compliance is monitored through various activities, including internal auditing and analysis of incidents. We maintain records of our processing activities in compliance with Article 30 of the GDPR.

2. What is Orlo’s role in respect of our data?

You are the data controller of all personal data held in our application under your account and Orlo is merely your data processor in respect of all the services provided to you. Our processing of your personal data is only on your documented instructions as set out in the contract between us. We do not use any of your personal data for anything that is not in the contract.

3. What personal data is stored within the Orlo application?

Our application only holds basic information about your authorised users, this being name, email address, password, last login, IP address, browser and device details. If you opt for two-factor authentication, we will also store the user’s mobile phone number.

Your social media followers may include any type of information (including personal data, images and videos) in their messages to you and your users can add free text to social contacts and messages. We don’t use any of this information for any of our own purposes other than to create aggregated statistics, which do not identify any individuals. Our system is merely a place to store their messages to you and to enable you to manage and retrieve them. You are the data controller of your followers’ messages and your users’ free- text additions. As such, it is your responsibility to ensure you use these in compliance with data protection and other laws.

4. Is our data held separately from that of other Orlo clients?

Data is not physically separated within the Orlo application but it is logically separated. We have security policies and code that is automatically tested with every deployment to ensure that your data is not mixed with other clients’ data.

5. Are the systems used by Orlo GDPR compliant?

We carried out a Privacy Impact Assessment of our software, systems and services and have made changes to ensure we meet and, in some cases, exceed GDPR requirements.

Our system architecture was developed with data protection and data security in mind. The databases in which your personal data is stored are only accessible by a small division of the internal development team who are internally vetted and have worked for us for a substantial amount of time. We do not use live data for testing and it is never stored on local machines.

6 What does Orlo do to protect login credentials?

We offer a number of log-in options:

  • SAML (Security Assertion Markup Language) – this allows you to use SAML authentication single log in services such as OKTA and One Login. On request we can add other providers
  • Two Factor Authentication (2FA) – this requires users to enter a code sent to them by SMS when logging into the system
  • Google Account Login (Single Sign On / SSO) – this allows users to log in via Google Accounts if your organisation is using Google Business apps to manage its email accounts. Using this option allows your users to utilise Google’s own security around the log-in procedure.

Ultimately, you are responsible for ensuring your users keep your account log-in credentials secure and for any activities or actions occurring under your account. Our application offers the ability to require “strong” passwords (passwords that use a combination of upper and lower case letters, numbers and symbols) for your account. Administrators can disable email/password as a means of logging into the application and force one of the above options instead.

7. What does Orlo do to keep customer data secure?

We have a suite of security measures in place. These are kept under review and, wherever we consider it appropriate, they are enhanced. These are:

  • Encryption. Network devices are managed within a secure management network and servers are secured by firewalls. In both instances SSL/TLS secure encryption protocols are used. Data in transit is always encrypted to a minimum standard of 256 bit.

We use Cloud KMS (a cloud-hosted key management service), which lets us manage encryption keys for our services. This allows us to generate, use, rotate and destroy AES256 encryption keys.

For all administration based services, 2FA is enabled.

  • Resilence. Orlo’s infrastructure is designed to be as resilient as possible. Our main database is ‘highly available’ which means that, if for some reason one server was to go offline the other servers would not only be able to pick up the work but would also contain replica data to ensure there is no downtime. We also run other databases that are built and configured so that, if one was to go down, there is already another ready to ‘hot swap’ and step in. All servers that serve our application are load balanced and so can distribute load/requests to a at least 3 servers.
  • Monitoring. All of the servers we manage have antivirus and malware scanners installed and have updates applied frequently. We perform daily port scanning on public IP addresses to ensure there are no unexpected changes. Configuration management is dealt with by scripts with are kept and managed in our private version control system.
  • Security testing. Orlo has its entire application scanned by external technically skilled individuals. Their remit is to try to break, gain unsolicited access and “hack” our systems in a safe way in order to find flaws or potential weaknesses in our platform. If you would like to see the raw and unedited report with you, please speak to your account manager.

We have some continual end-to-end testing of our server cluster to ensure specific key indicators are working correctly and use software to log and track with a combination of active checks and, for some things, such as back-ups, passive checks. Our set up allows use to detect unexpected behaviour early and team members are alerted if an expected behaviour has not executed as expected.

Our code is written to log any critical events for our developers to address.

8. What back-ups does Orlo take?

Orlo carries out backup continuously. Whilst our main datastore holds replicas of data at all times, we also run our other databases with duplicate data in ready to swap over should the need arise.

Multiple snapshots of the entire database are taken every day and we store them on a separate server from the one that holds live data.

From these various back-ups, we are able to restore the entire database in the event of a major incident. We test our disaster recovery at least annually.

9. Will you need access to our systems?

We do not need access to your systems to provide our services to you.

10. Does Orlo rely on third parties to provide its services?

To date Orlo has not used external developers and intends to use only in-house developers moving forward. This may change in the future but, if so, external developers would be given only limited access to code bases, no access to live data and all code/contributions would be vetted before been deployed.

We use Cloud KMS to manage encryption keys for our services. We currently use leading providers, Rackspace, Amazon Web Services, Google Cloud Services, SendGrid, Loggly and Twilio to provide hosting services. They have all been vetted and authorised by a designated approver within Orlo as part of our supplier on-boarding process and we have written contracts with each of them incorporating appropriate data protection provisions to protect your personal data.

11. What audit trails are maintained to protect our data?

Our software normally maintains a record of your users’ activities in our application such as which of your users created a post to send out, who edited the post, and who created any free text notes on your followers’ messages. You can view these audit logs through the application.

12. What procedures does Orlo have in place to deal with data breaches?

We are proud of our record of having no reportable data breaches to date. However, we know the importance of being prepared for an incident.

All security incidents and platform wide issues will be recorded in a Major Incident Report which will cover: the nature of the incident, the impact on your business and data subjects the resolution and any preventative action planned to avoid recurrence. We will also make an assessment as to whether the breach must be reported to the Information Commissioner and/ or affected individuals.

In the event of a data breach affecting your personal data, we will report this to you without undue delay through our normal support process.

13. Where will our personal data be processed by Orlo?

We use three of the leading providers to host our data and applications, Rackspace, Amazon Web Services and Google Cloud Services. All of the live data is stored within the UK and a limited number of back-ups are stored within the EU.

Where our designated staff are permitted access to your data to fulfil their roles, they do so only from our premises.

14. What happens to our data at the end of the contract?

You are able to export your social inbox whenever you wish during your contract term. Our reports are printable and downloadable.

Once our contract with you has ended, we expunge all of your data (other than your shortened links) which then propagates through our backups. The deletion process can take up to a month to be completely removed from backups.

We retain your shortened links after our contract so that any social posts created from within our application using our link shortening service continue to redirect users to the correct location. No other information is retained or stored.

15. Will Orlo help us comply with data subject rights?

You have full control over your user data and data from followers so you should be able to manage all data subject rights yourself just by using the application. If you need any specific guidance on how to do this, you can use our ‘help’ feature in the application or consult our user guide or use our online chat facility.

16. Will we be able to audit Orlo premises and systems for compliance?

You will appreciate how important it is that our systems and premises ensure confidentiality for all of our clients and we do not normally allow clients to have access. We do, however, engage an external specialist to check our systems and provide a report on compliance each year and we are happy to make that available to you for your peace of mind.

Of course, if a court or regulatory body requires us to give you access, we will honour that requirement but will require you comply with our security and health and safety requirements in doing so.

17. What changes can we expect to see in our contract and services?

Your services will continue unchanged although you may see some new features within our application and we may make additional security checks when you seek our support.

The GDPR requires you, as a data controller, to include additional things in your contracts with data processors. We have, therefore, prepared new data protection provisions, which will replace those in our current contract with you. We will be in touch with each of our clients to provide details of the changes so that we can all be satisfied that we are meeting our legal obligations.


Any questions about this Privacy Policy should be addressed to one of our contact details listed here or in the footer of our website.