
Privacy Policy


This is the Privacy Notice for SocialSignIn T/A Orlo.

This privacy notice is not something for you to agree to, nor does it form part of our terms and conditions. It is simply to tell you what we do with your personal data and to be as transparent as possible.

Who are we?

Our company is called SocialSignIn, but we are more commonly known as Orlo. We are registered with Companies House under registration 08237170, and with the ICO under registration ZA181887.

Our registered address is 5 – 7c, Centre City, Hill Street, Birmingham, B5 4AU.

What data do we process?

If you are a customer of Orlo, we will hold the following information about you:

  • Your name and contact information
  • Social media URLs
  • Your organisation’s name and address
  • Information about your business activities
  • Information and documentation about your matters or enquiries, including communications with you
  • Billing and payment information

As a potential customer, we will hold the following:

  • Your name, and contact information
  • Information and documentation relating to your business and sector, from yourself, websites, Companies House, social media and our marketing partners.

Because we use your data to engage you in a contract, if you fail to provide some or all of that data, we will not be able to enter a commercial relationship with you.

Please note that we use YouTube API services. By using Orlo to manage your YouTube account you are agreeing to be bound by their terms of service, available to view here. You can also view Google’s Privacy Policy here and revoke access at any time through the Google Security Settings page.

Explaining the lawful basis

Reference to the basis of processing (e.g., “(Basis is Article. 6.1.f)”) is a reference to the article of the UK General Data Protection Regulation under which we undertake the processing in question. This will usually be an Article 6 lawful basis as we do not process special category (Article 9) data.

Engaging you in and continuing our commercial relationship

We use the information we hold about you and your business, both personal and otherwise, to give you the best product and service we can.

We will add your details to our email address book and customer relationship management platform. We also use your information to send contracts, bill you, and keep track of payments that you make, as well as to keep in contact throughout our relationship.

The basis for this is Article 6.1.b – ‘performance of a contract’, as this is necessary to deliver the product and service to you.

We will retain your personal data until our contract expires or is terminated, at which point we will delete your data from our live systems. Our backup files are overwritten every 4 weeks. Contracts and email correspondence will be retained for 7 years before deletion.

We will continue to send electronic marketing to you until you opt out, or if we have no further engagement from you, we will delete your data after 6 months.

Sending email direct marketing to prospective and existing business clients

If you are from a corporate or public sector organisation and we have met at a conference or networking event, you have asked for information on internet forums, contacted us via our website or email and we feel that you could be a suitable customer, we will perform due diligence checks to ensure that we would be a compatible company for you. The information from these checks is used to contact you and to explore business opportunities. We will also proactively identify suitable prospective customers and send email marketing direct to the appropriate representative of the organisation to facilitate an introduction.

If you are an existing customer, we will send you appropriate information and updates on our product and services.

The basis for our electronic marketing activity is Article 6.1.f – ‘Legitimate Interest’: we have a legitimate interest to perform basic due diligence on prospective clients, and to market our services to current and prospective business to business customers.

If at any time, you want to stop receiving emails from us, simply let us know by using the unsubscribe link on our emails or contact us direct, and we will stop.

We will delete your data if after 6 months we have no engagement from you. If we have engaged initially but we lost touch, we will delete your data after 7 months.

Third parties

As a general principle, we will not transfer your personal data to third parties without your permission, but there are some exceptions to this:

  • It is possible, though unlikely, that we might be forced to disclose your information in response to a court order or other binding mandate. The lawful basis is Article 6.1.c – ‘Legal Obligation’.
  • We use an accountancy service which has limited visibility of your personal business data for the administration of company financial affairs. The basis for this is Article 6.1.f: we have a legitimate interest to allow our accountant to have limited access to our client personal data to manage our accounts.
  • If you do not pay your bills, we may choose to engage a third party to recover any money you owe us. Our lawful basis for this activity (although we are sure we will not need to) is Article 6.1.f: we have a legitimate interest to pursue money owed to us.

We do use other organisations to process your data on our behalf. These are software services hosted in the ‘cloud’, used to manage our contact with you, such as our customer relationship management system, and to store data and provide email functionality and online collaboration tools.

We only engage with those data processors which can provide us reassurances of their ability to keep your data safe and secure. We ensure that they have the right technical and organisational measures in place and that our agreement is covered by the appropriate contractual arrangements as required by the UK GDPR.

Where do we keep your data?

For clarity, all personal data that is processed by the Orlo platform is stored in UK-based, accredited data centres.

For our own commercial purposes, if you are a customer or prospective customer, the software services we use to manage your personal data (such as Google, HubSpot and Xero accounting) store your data in their secure data centres. Where we are able, we specify UK-based storage, but where data must be transferred out of the UK, our providers have put in place Standard Contractual Clauses as an authorised transfer mechanism. Should any other need arise to transfer your data outside of the UK, we will ensure adequate protections are in place.


The UK GDPR requires us to implement appropriate technical and organisational measures to protect data. We have in place technical measures, such as anti-virus, anti-malware, strong passwords, and authentication protocols. Information passed over the internet to our software services is protected by Transport Layer Security (TLS) encryption. We have organisational measures in place which include policies and procedures to protect your data and access your rights, and we provide training to our staff.

Your rights

The UK GDPR provides you as data subjects with rights over your data. The relevant rights are:

  • Get access to your personal data and information about our processing of it
  • In some circumstances, restrict our processing of your data and compel us to erase the bits we do not use for legal purposes
  • Object to our processing for business to business marketing
  • Ask us to rectify any inaccurate information we may inadvertently hold

If you want to exercise any of these rights, please just get in contact at the above address or email us at

You also have the right to lodge a complaint about our processing with a supervisory authority — the UK’s Information Commissioner’s Office.

Information Commissioner’s Office
Wycliffe House
Water Lane

Telephone: 0303 123 1113

This privacy notice was last updated in December 2020.