ORCAS Portal — operated by Orca Marketology LLC

Effective date: 01/08/2025 · Last updated: 01/08/2025

This Privacy Policy explains how we collect, use, share, and protect information in connection with the ORCAS Portal platform, our websites at orcasportal.com and app.orcasportal.com, our AI chat products, and our done-for-you services (collectively, the "Services").

Two roles, two sets of rules. ORCAS Portal operates an all-in-one business operations platform. Depending on the data involved, we act in one of two capacities:

As a controller / business for information about our own subscribers, prospects, and website visitors — the people and companies who buy and use ORCAS Portal.

As a processor / service provider for the data our customers load into the platform about their contacts, leads, and clients ("Customer Data"). We handle that data on our customers' behalf and under their instructions, not for our own purposes. Section 9 covers Customer Data specifically.

1. Who this applies to

This policy applies to:

Visitors to our marketing websites.

Subscribers and account users who sign up for a plan (Standard, Professional, Premium), an AI chat product, or our done-for-you service.

Prospects who book a discovery call, request a demo, or contact us.

It does not govern how our customers handle the contacts and end-users in their ORCAS Portal accounts — that relationship is governed by each customer's own privacy policy and our Data Processing terms (see Section 9).

2. Information we collect

2.1 Information you provide

Account & identity: name, business name, email, phone number, login credentials, and white-label branding details.

Billing: billing contact, plan selection, and transaction records. Card details are collected and stored directly by our payment processor — we do not store full card numbers.

Communications: messages you send us via live chat, email, support requests, forms, and discovery-call bookings.

AI chat interactions: messages, questions, and any information you or your site visitors submit to our Smart FAQ Chat or AI Lead Generation Chat products.

2.2 Information collected automatically

Usage & device data: IP address, browser and device type, pages viewed, features used, referring URLs, and timestamps.

Cookies & similar technologies: see Section 7.

Analytics & conversion tracking: aggregate metrics on how the Services and our marketing funnels perform.

2.3 Information from third parties

We may receive information from payment processors, advertising and analytics partners, and integrations you connect to your account (for example, social messaging or calendar integrations you authorize).

3. How we use information

As a controller, we use the information described in Section 2 to:

Provide, operate, secure, and improve the Services and our AI chat products.

Create and manage accounts, process payments, and provide support.

Communicate with you about your account, transactions, security, and service changes (these are operational messages you cannot opt out of while you hold an account).

Send marketing communications where permitted, subject to the consent and opt-out rules in Section 4.

Detect, prevent, and respond to fraud, abuse, and security incidents.

Comply with legal obligations and enforce our terms.

GDPR legal bases (where applicable): we rely on performance of a contract (to deliver the Services), legitimate interests (to secure and improve the Services and conduct B2B marketing), consent (for certain marketing and cookies), and legal obligation (recordkeeping, tax, compliance).

4. Email & SMS marketing consent

Because the Services include outbound email and SMS, consent and opt-out handling matter on both sides:

Marketing from us to you: we send marketing email only where you have opted in or where permitted by law. Every marketing email includes an unsubscribe link, consistent with CAN-SPAM.

SMS to you: if you provide a mobile number and consent to texts, you may receive account and marketing messages. Message and data rates may apply. Reply STOP to opt out and HELP for help. We honor opt-outs as required by the TCPA. We do not sell or share mobile opt-in data with third parties for their own marketing.

Messaging you send through the platform: when you use ORCAS Portal to send email or SMS to your own contacts, you are responsible for obtaining consent, maintaining A2P 10DLC registration where required, honoring opt-outs, and complying with CAN-SPAM, the TCPA, and applicable carrier rules. See Section 9.

5. How we share information

We do not sell your personal information. We share it only as follows:

Sub-processors and service providers who power the platform under contract (Section 6).

Payment processors to handle billing.

Professional advisors (legal, accounting) under confidentiality.

Legal and safety: to comply with law, respond to lawful requests, protect rights and safety, or enforce our terms.

Business transfers: in connection with a merger, acquisition, or sale of assets, subject to this policy.

6. Sub-processors & infrastructure

ORCAS Portal is built on third-party infrastructure. The following categories of sub-processors support the Services.

Core platform & hostingHighLevel / LeadConnector: Underlying SaaS platform, data storage, and application infrastructure

SMS & voice: Twilio (via LeadConnector) Text messaging and call delivery

Email delivery: Mailgun (via LeadConnector) Transactional and marketing email sending

Payments: Billing and payment processing

CDN / security: Cloudfalre Content delivery and edge security

We require sub-processors to protect personal information consistent with this policy and applicable law.

7. Cookies & tracking

We use cookies and similar technologies to keep you logged in, remember preferences, measure performance, and support marketing and conversion tracking. You can control cookies through your browser settings; disabling some cookies may affect functionality. Where required by law, we present a consent banner and honor your choices, including recognized opt-out signals such as Global Privacy Control (GPC) where applicable.

8. Data retention

We retain personal information for as long as your account is active and as needed to provide the Services, then for the period required to meet legal, tax, accounting, and security obligations or to resolve disputes. Customer Data is retained and deleted according to your account settings and our agreement with you (Section 9). When data is no longer needed, we delete or anonymize it.

9. Customer Data & regulated data

When you use ORCAS Portal to manage your own contacts, leads, and clients, that information is Customer Data, and we process it as your service provider / processor:

You are the controller of Customer Data and are responsible for its accuracy, for the legal basis and consent to collect and message it, and for honoring data-subject and opt-out requests.

We process Customer Data only to provide the Services and per your instructions, and we do not use it for our own marketing or sell it.

Regulated and sensitive data: if you handle health information, financial data, or other regulated data through the platform, you are responsible for your own compliance (for example, HIPAA, GLBA, or state health-privacy laws such as Washington's My Health My Data Act). Do not transmit protected health information through the Services unless a Business Associate Agreement (BAA) or appropriate Data Processing Addendum is in place with us. Contact us to execute one.

A Data Processing Addendum (DPA) is available on request and governs our processor obligations, including sub-processor terms and international transfer mechanisms.

10. Security

We use administrative, technical, and physical safeguards designed to protect personal information, including encryption in transit, access controls, and reliance on infrastructure providers with established security programs. No system is perfectly secure; we cannot guarantee absolute security, and you are responsible for safeguarding your account credentials.

11. Your privacy rights

Depending on where you live, you may have rights to access, correct, delete, or port your personal information, to opt out of certain processing, and to appeal a denied request. We do not sell personal information or use it for cross-context behavioral advertising in a way that requires an opt-out under U.S. state law; if that ever changes, we will provide the required controls.

California (CCPA/CPRA): rights to know, delete, correct, and limit use of sensitive personal information, and to be free from discrimination for exercising them.

Other U.S. states (including Virginia, Colorado, Connecticut, and others with comprehensive privacy laws): comparable access, deletion, correction, and opt-out rights.

EEA/UK (GDPR): access, rectification, erasure, restriction, portability, objection, and the right to lodge a complaint with a supervisory authority.

To exercise any right, contact us at [email protected]. We will verify your request and respond within the timeframe required by applicable law. If your request concerns Customer Data held in another company's ORCAS Portal account, we will direct you to that company as the controller.

12. Children's privacy

The Services are intended for businesses and are not directed to children under 16. We do not knowingly collect personal information from children. If you believe a child has provided us information, contact us and we will delete it.

13. International transfers

We are based in the United States, and information may be processed in the U.S. and other countries where our sub-processors operate. Where we transfer personal information from the EEA, UK, or Switzerland, we use appropriate safeguards such as Standard Contractual Clauses.

14. Third-party links & services

The Services may link to or integrate with third-party websites and tools we do not control. Their privacy practices are governed by their own policies, and we are not responsible for them.

15. Changes to this policy

We may update this policy from time to time. We will post the revised version with a new "Last updated" date and, for material changes, provide additional notice where required. Your continued use of the Services after changes take effect constitutes acceptance.

16. Contact us

Questions, requests, or to execute a DPA/BAA:

Company: ORCAS Portal dba Orca Marketology, LLC

Email: [email protected]

Mailing address: 30 N Gould St, Ste R Sheridan, WY 82801