Privacy Policy
Effective date: 2026-05-04
Contact: privacy@ordomark.com
This policy explains what OrdoMark collects when you use the web application at ordomark.com and app.ordomark.com, what we do with it, who we share it with, and the controls you have.
This policy covers the OrdoMark web application. The OrdoMark Connector browser extension has its own policy that describes the data flows specific to the extension; if you use it, please read both. The extension policy is available at the OrdoMark Connector privacy policy.
If you have a privacy question, a data request, or a concern, write to privacy@ordomark.com.
Who we are
OrdoMark is a multi-tenant e-commerce distribution platform. Manufacturers list products with wholesale prices, sellers list those products on marketplaces (Etsy today, with Shopify and Amazon planned), and OrdoMark routes orders, charges sellers, pays manufacturers, and pushes tracking back to the marketplace.
Summary
- We collect what we need to operate the platform: account info, organization data, marketplace connection tokens, order data, and payment metadata.
- We never see your card numbers. Stripe holds them.
- We never see your Etsy or Shopify password. We use OAuth tokens or extension-issued keys.
- We do not sell your data, share it with advertisers, or use it to train third-party machine learning models.
- The application is hosted on Google Cloud in the
us-central1region (Iowa, USA).
What we collect
Account information
- Your name and email address
- A hashed password (we use bcrypt; we never store the plaintext)
- The role you sign up under (seller, manufacturer, or platform admin)
- Authentication metadata such as login timestamps and IP addresses for security purposes
Organization information
- Organization name and type (manufacturer or seller)
- The organization’s business profile and any settings the organization admin configures
- For manufacturers: a flag indicating whether the organization makes products directly or sources from another manufacturer (this is internal and never visible to sellers)
- Relationship records linking manufacturers to sellers, and child manufacturers to parent manufacturers
Marketplace connection data
- OAuth access tokens and refresh tokens (encrypted at rest with AES-256-GCM)
- Shop ID, shop name, shop URL, and the display name of the shop owner as provided by the marketplace
- The shop email address as reported by the marketplace, when available
- Any extension API key you generate to authorize the OrdoMark Connector browser extension
Order data
- Order identifiers, dates, status, and payment status as reported by the marketplace
- Line items (product title, SKU, quantity, price, variations)
- Shipping address, including buyer name, address lines, city, state, zip, and country
- Buyer display name, buyer email (where the marketplace exposes it), and any gift message
- Total amount, item subtotal, shipping cost, tax, and any discounts
- Tracking numbers and carrier information once shipment is recorded
- Per-order fee breakdown (wholesale price, manufacturer price, markup, OrdoMark fees, Stripe fees, and payout amounts) which we retain as an immutable audit record
Payment data
Payments are processed through Stripe. OrdoMark stores:
- A Stripe Customer ID for each seller
- A Stripe Connected Account ID for each manufacturer
- Identifiers for individual payment intents, charges, and transfers
- Payout amounts and statuses
OrdoMark does not receive, store, or process card numbers, bank account numbers, or full payment credentials. Those are held by Stripe under their own security and compliance controls.
Support correspondence
When you email us or reach out through a support channel, we keep a record of the conversation so we can respond and follow up.
Technical data
We collect ordinary server-side data needed to operate the service: request logs, error traces, IP addresses on authenticated requests, and timestamps. This data is used for security, debugging, and abuse prevention.
What we do not collect
- We do not collect or store your card number, CVV, or bank account number. Stripe holds them.
- We do not store your Etsy, Shopify, or Amazon password. We use OAuth tokens or extension-issued keys.
- We do not collect data from any website outside of the OrdoMark application and the marketplace connections you authorize.
- We do not run third-party advertising or behavioral-tracking SDKs in the application.
How we use your data
- Operate the platform: create your account, route incoming orders, calculate fees, charge sellers, and pay manufacturers
- Push tracking information back to the marketplace where the order originated, so the buyer is notified the same way they would be on any other order
- Send transactional email: account invitations, password resets, order notifications, and order status updates
- Provide customer support
- Detect and prevent fraud, abuse, and security incidents
- Comply with our legal, tax, and accounting obligations
- Improve the product based on aggregate usage patterns
We do not use your data:
- For third-party advertising
- To train machine-learning models that are not part of the OrdoMark product you signed up for
- For credit scoring or any lending decision
Subprocessors
| Subprocessor | Purpose | Region |
|---|---|---|
| Stripe, Inc. | Payment processing, Stripe Connect transfers, payment method storage | United States |
| Google Cloud Platform | Application hosting, database, secret management, networking | us-central1 (Iowa, USA) |
| Google Workspace (SMTP relay) | Outbound transactional email | United States |
| Etsy, Inc. | Marketplace API for order sync (when OAuth is used) | United States |
If we add or replace a subprocessor, we will update this list and, for material changes, give notice as described in the Changes to this policy section.
How long we keep your data
We retain personal and account data for as long as your account is active.
When an account is deleted:
- Active personal data is removed from production systems within 30 days of the deletion request, with a short grace window for backups.
- Encrypted database backups are rotated out within 30 days of the deletion.
- Financial and tax records (orders, fee breakdowns, Stripe transfer records) are retained for 7 years to comply with US tax and accounting requirements. These records are kept in restricted, audit-logged storage.
- Audit logs and security records are retained for the period required by law or our security policy, whichever is longer.
If you want a copy of your data before deletion, request it at privacy@ordomark.com before submitting the deletion request.
Your rights
Depending on where you live, you may have the right to:
- Access the personal data we hold about you
- Correct information that is wrong or out of date
- Delete your account and the personal data associated with it (subject to the financial-records retention described above)
- Export your data in a portable format
- Object to or restrict certain processing
- Withdraw consent for processing that depends on consent
- Lodge a complaint with a supervisory authority (for users in the EU, UK, or other jurisdictions with a data-protection regulator)
To exercise any of these rights, write to privacy@ordomark.com. We respond to verified requests within 30 days. We will not discriminate against you for exercising a privacy right.
International data transfers
OrdoMark’s application and database run on Google Cloud in the us-central1 region (Iowa, USA). Stripe is also US-based. If you are located outside the United States, your data is transferred to and processed in the United States.
For users in the EU, UK, or other jurisdictions that require a transfer mechanism, the transfer is supported by the European Commission’s Standard Contractual Clauses (SCCs). By using OrdoMark, you consent to that transfer.
Cookies and similar technologies
- Authentication. Session and JWT/refresh tokens to keep you logged in.
- Security. CSRF tokens to protect against cross-site request forgery.
- Preferences. Lightweight UI preferences such as the active dashboard tab.
We do not run third-party advertising cookies, and we do not embed third-party tracking pixels for ad networks or social platforms.
Children
OrdoMark is a B2B product intended for businesses. It is not directed at children under 13, and we do not knowingly collect personal information from children. If you believe a child has provided us with personal information, contact privacy@ordomark.com and we will remove the relevant account data.
Security
- TLS in transit for all API and web traffic
- AES-256 encryption at rest for marketplace tokens and other secrets
- bcrypt password hashing
- JWT-based access tokens with short expiry, plus refresh tokens
- Role-based access control scoped by Organization
- Audit logging on sensitive operations
- Secret management via Google Cloud Secret Manager
No system is perfectly secure. If you believe your account has been compromised, contact us at privacy@ordomark.com immediately.
The browser extension
The OrdoMark Connector browser extension has its own data flows because it runs inside your browser, on your Etsy seller dashboard. Those flows are described in detail in the extension privacy policy.
In short: the extension reads order, listing, review, and shop data from the seller-dashboard pages you already see while you’re logged into Etsy, and it sends that data to your OrdoMark account at api.ordomark.com. Once that data has reached OrdoMark, this policy governs it.
Changes to this policy
We may update this policy as the product changes. If a change materially affects what we collect or how we use it, we will:
- Update the Effective date at the top of the policy
- Post a notice in the application before the change takes effect
- For account-affecting changes, send an email to the address on your account
Continued use of OrdoMark after a change takes effect means you accept the updated policy. If you don’t accept the change, you can close your account at any time.
Contact
OrdoMark
privacy@ordomark.com