Privacy Policy

Last updated: March 27, 2026

1. Introduction

Ordena ("we", "our", or "us") provides a case management platform for law firms and legal professionals. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our service at ordenacrm.com.

By using Ordena, you agree to the collection and use of information in accordance with this policy.

2. Information We Collect

Account Information

When you create an account, we collect your name, email address, and organisation details. Authentication is handled by Clerk, Inc.

Google Calendar Data

If you connect your Google account, we access your Google Calendar to create, read, update, and delete calendar events on your behalf. We request only the minimum scopes necessary to provide the appointment scheduling feature. We do not store, sell, or share your Google Calendar data with third parties. You may revoke this access at any time via your Google account settings at myaccount.google.com/permissions.

Client and Case Data

We store case records, client information, documents, tasks, invoices, and appointment data that you and your team enter into Ordena. This data is stored on Convex cloud infrastructure and is accessible only to members of your organisation.

Client Portal Data

When clients access the Ordena Client Portal, we collect and store the following data to provide the portal service:

  • Profile information — name, date of birth, contact details, nationality, passport number, and address, as voluntarily provided by the client.
  • Authentication tokens — one-time password (OTP) codes and magic-link tokens are stored as SHA-256 hashes only; the raw values are never persisted.
  • Session data — session tokens are stored as SHA-256 hashes in our database. The raw session token is held only in an httpOnly, Secure, SameSite=Strict cookie on the client device and is never accessible to browser JavaScript.
  • Portal activity — last login timestamp and notification history.

Payment Information

Payment processing is handled directly by Stripe, Inc. via your organisation's own Stripe account. We do not store raw card numbers. Stripe API keys you provide are encrypted at rest using AES-256-GCM encryption.

Usage Data

We may collect anonymised usage data such as feature interactions to improve the platform. This data does not include personal or case information.

3. How We Use Your Information

  • To provide and operate the Ordena platform
  • To sync appointments with Google Calendar when you authorise this
  • To send transactional emails (case assignments, invoice notifications, appointment reminders, portal login codes) via Resend
  • To authenticate users and portal clients securely via Clerk and our own session system
  • To process client payments via your organisation's Stripe account
  • To send portal clients daily reminders to complete their profile, where applicable
  • To improve platform reliability and performance

4. Google API Services

Ordena's use and transfer of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements. Specifically:

  • We only use Google Calendar data to create and manage appointments within Ordena
  • We do not transfer Google user data to third parties
  • We do not use Google user data for advertising
  • We do not allow humans to read your Google data unless you explicitly request support assistance and grant access

5. Data Sharing and Disclosure

We do not sell your personal data. We share data only with the following service providers who process it on our behalf:

  • Convex, Inc. — database and backend infrastructure
  • Clerk, Inc. — user authentication
  • Vercel, Inc. — frontend hosting
  • Resend, Inc. — transactional email delivery
  • Stripe, Inc. — payment processing
  • Google LLC — calendar integration (only when you authorise)

We may also disclose information if required by law or to protect the rights and safety of our users.

6. Data Retention

Your data is retained for as long as your organisation account is active. When an organisation is deleted, all associated data — including client portal sessions, profile data, and notifications — is permanently removed after a 30-day grace period. You may request deletion at any time by contacting us.

Portal authentication tokens (OTP codes and magic links) expire automatically within 10 minutes and 72 hours, respectively, and are invalidated upon first use. Portal sessions expire after 30 days of inactivity.

7. Security

We implement industry-standard security measures including:

  • Encryption in transit (TLS) for all communications
  • AES-256-GCM encryption at rest for sensitive credentials
  • SHA-256 hashing for all authentication tokens — raw values are never stored
  • httpOnly, Secure, SameSite=Strict cookies for portal sessions
  • Role-based access control and rate limiting
  • Org-scoped data isolation — clients can only access their own organisation's portal

However, no method of transmission over the internet is 100% secure.

8. Your Rights

You have the right to:

  • Access the personal data we hold about you
  • Request correction or deletion of your data
  • Revoke Google Calendar access at any time
  • Export your organisation's data upon request
  • Request deletion of your portal profile and session data

9. Children's Privacy

Ordena is not directed at children under 16. We do not knowingly collect personal information from children.

10. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify registered users of material changes via email. Continued use of Ordena after changes constitutes acceptance of the updated policy.

11. Contact Us

If you have questions about this Privacy Policy or wish to exercise your rights, please contact us at: aws200workspace@gmail.com