Legal

GDPR Information

Last updated: 26 May 2026

This page provides transparency for customers and individuals in the European Economic Area (EEA) and United Kingdom about how OrderSilo complies with the General Data Protection Regulation (GDPR) and related EU data protection law. It supplements our Privacy Policy and applies to personal data we process as a controller, and to processing we carry out as a processor on behalf of our customers.

1. Roles under GDPR

When you visit our website, sign up for early access, or contact sales, OrderSilo acts as the data controller.

When you use the platform to manage COD orders and store end-customer information, you are typically the data controller for that end-customer data, and OrderSilo acts as your data processor, processing personal data on your documented instructions to deliver the Service.

A Data Processing Agreement (DPA) incorporating Standard Contractual Clauses or other approved transfer mechanisms is available on request for business customers who require it.

2. Categories of data subjects and data

  • Prospective and registered business users (account holders and team members).
  • End customers whose order details you submit (names, phones, addresses, order values, delivery status).
  • Website visitors (technical logs, cookie data, analytics events).
  • Individuals who communicate with our support or sales teams.

3. Purposes and lawful bases (controller processing)

For processing where we are controller, we rely on the following lawful bases as appropriate:

  • Contract — to provide accounts, trials, billing, and core platform access.
  • Legitimate interests — to secure the platform, prevent abuse, improve products, and conduct B2B marketing where balanced against your rights.
  • Consent — for non-essential cookies and optional marketing where required.
  • Legal obligation — for tax, accounting, and regulatory compliance.

4. Processor commitments

When we process personal data on your behalf, we will:

  • Process data only on your documented instructions unless required by EU or Member State law.
  • Ensure personnel are bound by confidentiality.
  • Implement appropriate technical and organizational security measures, including tenant isolation between workspaces.
  • Assist you with data subject requests, DPIAs, and supervisory authority enquiries where reasonably required.
  • Notify you without undue delay after becoming aware of a personal data breach affecting your workspace, where we are processor.
  • Delete or return personal data at the end of the service relationship, subject to legal retention requirements.

5. Sub-processors

We use carefully selected sub-processors for hosting, email, analytics, payment, and infrastructure. A current list is available on request via the Send us a message form on this website. We impose data protection obligations on sub-processors consistent with GDPR Article 28.

We will inform customers of material changes to sub-processors where required by contract, allowing objection where applicable.

6. International transfers

Primary hosting is in the EEA. Where sub-processors or integrated services involve transfers outside the EEA, we use Standard Contractual Clauses, adequacy decisions, or other mechanisms recognized under GDPR Chapter V.

7. Data subject rights

Individuals have the rights of access, rectification, erasure, restriction, objection, and portability, and the right to withdraw consent at any time where processing is consent-based.

If we process your data as controller, contact us via the Send us a message form on this website.

If your data was submitted by an OrderSilo customer (for example an online store operator), please contact that business first; we will assist them as processor where appropriate.

You may lodge a complaint with your supervisory authority. In Romania: ANSPDCP — www.dataprotection.ro.

8. Fraud prevention and cross-tenant signals

OrderSilo may use fraud indicators, phone normalization, and optional cross-tenant blocklist features to protect operators from repeat abusers. Where blocklist data is shared across tenants, only the minimum information necessary to prevent fraud is used, in line with our legitimate interests and your configuration.

Customers remain responsible for lawful bases and transparency toward their end customers for order processing and fraud checks performed on their behalf.

9. Data Protection Officer and EU representative

For GDPR enquiries, contact us via the Send us a message form on this website. Where required by scale or regulation, we will appoint a Data Protection Officer and publish contact details on this page.

We do not currently require an EU representative under Article 27; if that changes, we will update this section.

10. Records and accountability

We maintain records of processing activities where required, conduct privacy reviews for new features involving personal data, and review retention and security practices regularly.

Customers should maintain their own records of processing for end-customer data they control and provide appropriate privacy notices on their storefronts and order forms.

Request a DPA or sub-processor list via the Send us a message form on this website. See also Privacy Policy and Cookies Policy.