Introduction
ORVYNEX LIMITED ("we", "our", or "us") is committed to protecting and respecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your personal information when you visit our website at orvynex.online, purchase our services, or engage with us in any capacity.
This policy is written in plain English and complies fully with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018. We encourage you to read it in full so you understand exactly how your data is handled.
Your Privacy Matters to Us
We take a minimal data approach — collecting only what we genuinely need to deliver our services. We do not sell, rent, or trade your personal data. We do not use advertising trackers or social media pixels on our website.
By accessing our website or purchasing our services, you acknowledge that you have read and understood this Privacy Policy. If you have any questions at any point, please contact us at support@orvynex.online.
Data Controller Information
For the purposes of UK data protection law, ORVYNEX LIMITED is the data controller — meaning we determine why and how your personal data is processed.
ORVYNEX LIMITED — Data Controller
Company Number: 16994736
Registered in England & Wales
📧 Email: support@orvynex.online
📞 Phone: +44 1632 960123 (Mon–Fri, 9am–5pm GMT)
🌐 Website: orvynex.online
If you have any questions, concerns, or requests relating to this policy or your personal data, contact us using the details above. You also have the right to contact the UK's data protection supervisory authority:
Information Commissioner's Office (ICO)
- Website: www.ico.org.uk
- Phone: 0303 123 1113
- Address: Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF
What Data We Collect
We collect only the personal data that is necessary for the purposes described in this policy. Here is a full breakdown of the categories of data we may process:
3.1 Contact & Identity Information
Collected when you make an enquiry, purchase a service, or contact us:
- Full name and business title or role
- Email address
- Telephone number (if provided)
- Company or trading name
- Business address (if provided)
3.2 Payment & Transaction Data
Collected when you make a purchase through our website:
- Transaction amount and date
- Payment method type (card type — Visa, Mastercard, etc.)
- Stripe payment reference and transaction ID
- Billing country (as provided to Stripe)
We Never See Your Full Card Details
Payment processing is handled entirely by Stripe. We never have access to your full card number, CVV, or bank account details. Stripe is PCI DSS Level 1 certified — the highest standard of payment security.
3.3 Service Delivery Data
Collected during the course of service delivery:
- Business goals, challenges, and objectives you share with us
- Information provided during video or telephone consultations
- Notes and documentation created during strategy sessions
- Email correspondence related to your project
- Feedback and responses to delivered materials
3.4 Website Usage Data
Automatically collected when you browse our website:
- IP address and approximate geographic location (country/region level)
- Browser type and version
- Device type and operating system
- Pages visited, time on page, and scroll depth
- Referring website (how you arrived at our site)
- Date and time of visits
3.5 Communication Records
- Emails sent to and received from our support address
- Records of consultation scheduling and attendance
- Any queries or complaints submitted to us
Special Category Data — We Do Not Collect This
We do not knowingly collect or process special category personal data, including health information, racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic or biometric data, sexual orientation, or criminal records. If any such information is inadvertently shared with us, we will delete it promptly.
How We Use Your Data
We use your personal data strictly for the following purposes:
4.1 Service Delivery
- To process your purchase and confirm payment
- To prepare and deliver your personalised eBook, business pre-plan, and briefing materials
- To schedule and conduct your video or telephone consultation
- To provide ongoing strategic support where included in your plan
- To respond to your questions and requests related to your service
4.2 Business Administration
- To maintain accurate financial and client records
- To comply with UK accounting and tax obligations
- To manage disputes, refunds, and cancellation requests
- To improve the quality and relevance of our services
4.3 Legal and Compliance Purposes
- To enforce our Terms of Service and other legal agreements
- To detect, prevent, and respond to fraud or security incidents
- To comply with applicable laws, regulations, and court orders
- To defend legal claims or assert our legal rights where necessary
4.4 Marketing Communications (Consent-Based Only)
- To send updates, resources, or relevant industry information — only where you have opted in
- To invite you to future events, webinars, or special offers — only with your consent
No Unsolicited Marketing
We will never send you marketing communications without your explicit consent. Every marketing email includes an unsubscribe link. You can also opt out at any time by emailing us at support@orvynex.online.
Legal Basis for Processing
Under UK GDPR, we are required to have a lawful basis for each type of processing we carry out. The following sections explain the legal grounds we rely upon:
5.1 Contract Performance (Article 6(1)(b))
We process your contact information, payment data, and service delivery data because it is necessary to fulfil the contract between us — i.e. to deliver the services you have purchased. Without this processing, we could not provide our services.
5.2 Legitimate Interests (Article 6(1)(f))
We process certain data based on our legitimate business interests, provided these do not override your rights and freedoms. This includes:
- Improving our services and developing new offerings
- Maintaining and protecting the security of our systems
- Managing and retaining business records
- Detecting and preventing fraud and abuse
- Website analytics to understand how our site is used
Before relying on legitimate interests, we conduct a balancing test to ensure your rights are not disproportionately affected.
5.3 Consent (Article 6(1)(a))
Where we send marketing communications or use optional analytics tools, we do so only on the basis of your explicit, freely given consent. You may withdraw your consent at any time without affecting the lawfulness of prior processing.
5.4 Legal Obligation (Article 6(1)(c))
We retain financial records and other data to comply with our legal obligations under UK tax law (HMRC), the Companies Act 2006, and anti-money laundering regulations.
Data Sharing & Third Parties
We do not sell, rent, or trade your personal data. We only share your data with third parties in the limited circumstances described below.
6.1 Data Processors We Work With
The following third-party service providers process data on our behalf under strict data processing agreements:
| Provider | Purpose | Data Shared | Location |
|---|---|---|---|
| Stripe | Payment processing | Name, email, payment details, billing country | USA / EU (adequacy safeguards) |
| Email Service Provider | Sending service-related emails | Name, email address | UK / EU |
| Cloud Storage | Secure document and data storage | Client documents, consultation notes | UK / EU |
| Video Conferencing Tool | Conducting consultations | Name, email (for scheduling) | Varies by platform |
6.2 Professional Advisors
We may share limited personal data with our legal advisors, accountants, or auditors where necessary — always under strict confidentiality obligations.
6.3 Legal Disclosure
We may disclose personal data to law enforcement, regulatory authorities, or courts if required by law, or to protect our legal rights, prevent fraud, or respond to a verified legal request.
Third-Party Accountability
All third-party processors we engage are required to implement appropriate technical and organisational security measures and to process your data only on our documented instructions. We conduct reasonable due diligence before onboarding any new processor.
International Data Transfers
Some of our service providers are based outside the United Kingdom. When personal data is transferred internationally, we ensure it is protected by one or more of the following mechanisms:
7.1 UK Adequacy Regulations
Transfers to countries that the UK government has recognised as providing an adequate level of data protection — including all EU/EEA member states — are permitted without additional safeguards.
7.2 Standard Contractual Clauses (SCCs)
For transfers to countries without adequacy status, we rely on the International Data Transfer Agreement (IDTA) or equivalent Standard Contractual Clauses approved by the UK Information Commissioner's Office.
7.3 Stripe (USA)
Stripe processes payment data in the United States. Stripe participates in recognised data protection frameworks and implements Standard Contractual Clauses to ensure transfers comply with UK data protection standards. For more information, see Stripe's Privacy Policy at stripe.com/privacy.
Your Data Remains Protected
Regardless of where your data is processed geographically, we ensure it receives the same level of protection as required under UK GDPR. You may contact us if you would like more information about the specific safeguards in place for any transfer.
Data Retention
We retain personal data only for as long as is necessary for the purpose it was collected, or as required by law. The following retention periods apply:
| Data Category | Retention Period | Reason |
|---|---|---|
| Client & financial records | 6 years from end of financial year | UK tax law (HMRC) requirement |
| Service delivery documents | 3 years from delivery date | Legitimate interest / dispute resolution |
| Consultation notes & emails | 2 years from last contact | Business administration |
| Marketing consent records | Until withdrawn + 12 months | Proof of consent (legal requirement) |
| Marketing data (inactive) | 26 months of inactivity | Standard marketing retention practice |
| Website usage / analytics data | 26 months maximum | Performance analysis |
| Legal dispute records | Duration of proceedings + 6 years | Statute of Limitations Act 1980 |
| Cookie consent records | 12 months | PECR compliance |
Upon expiry of the applicable retention period, personal data is securely deleted or anonymised so it can no longer be associated with any individual. You may request earlier deletion in certain circumstances — see Section 9 below.
Your Data Protection Rights
Under UK GDPR, you have a comprehensive set of rights over your personal data. We take these rights seriously and will respond to any valid request within one calendar month (with the possibility of a two-month extension for complex requests).
Right of Access
Request a copy of all personal data we hold about you, free of charge (Subject Access Request).
Right to Rectification
Request correction of inaccurate or incomplete personal data we hold about you.
Right to Erasure
Request deletion of your personal data in certain circumstances ("right to be forgotten").
Right to Restriction
Request that we limit how we process your data while a dispute or verification is pending.
Right to Portability
Request your data in a structured, machine-readable format to transfer to another provider.
Right to Object
Object to processing based on legitimate interests or for direct marketing purposes.
Withdraw Consent
Withdraw consent at any time where processing is consent-based, without affecting past processing.
Right to Complain
Lodge a complaint with the ICO if you believe your data has been handled unlawfully.
9.1 Automated Decision-Making
We do not use automated decision-making systems or profiling that produce legal or similarly significant effects. All strategic advice and service delivery involves human review and judgement.
9.2 Erasure Limitations
While we respect your right to erasure, we may be unable to delete all data if we are legally required to retain it (e.g., financial records required by HMRC for 6 years). We will always explain clearly what we can and cannot delete, and why.
How to Exercise Your Rights
Email us at support@orvynex.online with the subject line: "Data Rights Request – [Your Name]". Include your name, the email address you use with us, and a description of your request. We may ask for proof of identity to protect your data. We will respond within one calendar month.
Cookies & Tracking
Our website uses cookies — small text files stored on your device — to ensure the site functions correctly and to remember your preferences. Here is a full account of how we use (and do not use) cookies.
10.1 Essential Cookies We Use
- Cookie consent record: Stores your cookie preference decision so we don't ask you on every visit (expires: 12 months)
- Session security cookies: Used by Stripe for payment fraud detection during checkout (set by Stripe, not us)
What We Do NOT Use
- Google Analytics or any behavioural analytics tracking
- Facebook Pixel or any social media tracking pixels
- Advertising or retargeting cookies
- Third-party marketing or affiliate tracking
- Any cross-site tracking technologies
10.2 Stripe Cookies
When you proceed to payment, Stripe may set cookies for fraud prevention and security purposes. These are essential for secure payment processing and cannot be disabled without breaking the checkout experience. Stripe's use of cookies is governed by their own Privacy Policy.
10.3 Managing Your Cookie Preferences
You can control cookies through your browser settings — most browsers allow you to refuse, delete, or be notified before a cookie is stored. Please be aware that disabling all cookies may affect basic website functionality. For more detail, see our dedicated Cookie Policy.
Data Security
We implement appropriate technical and organisational measures to protect your personal data against unauthorised access, accidental loss, destruction, alteration, or disclosure. These measures are proportionate to the risks involved.
11.1 Technical Security Measures
- TLS/SSL Encryption: All data transmitted between your browser and our website is encrypted in transit using TLS 1.2 or higher
- Encrypted Storage: Personal data at rest is stored on encrypted servers
- Access Controls: Role-based permissions limit who within our organisation can access personal data
- Secure Payment Processing: Payments handled by Stripe (PCI DSS Level 1 certified) — we never handle raw card data
- Secure Email: Business communications conducted over secure, encrypted email channels
- Regular Updates: Systems and software are kept up to date with security patches
11.2 Organisational Security Measures
- Data Minimisation: We collect and retain only the minimum personal data necessary
- Confidentiality Obligations: All team members operate under strict confidentiality agreements
- Need-to-Know Basis: Personal data is only accessible to those who genuinely need it to fulfil their role
- Incident Response Plan: We have documented procedures for identifying, containing, and reporting data security incidents
- Vendor Review: Third-party processors are assessed for security standards before engagement
11.3 Data Breach Notification
Despite our best efforts, no system is entirely immune to security incidents. In the event of a personal data breach that is likely to result in risk to your rights and freedoms, we will:
- Notify the ICO within 72 hours of becoming aware of the breach, as required by UK GDPR Article 33
- Notify affected individuals without undue delay where the breach poses a high risk to their rights (UK GDPR Article 34)
- Provide clear information about the nature of the breach, data affected, likely consequences, and steps taken to address it
- Maintain an internal record of all breaches, regardless of whether they require ICO notification
Report a Security Concern
If you believe there has been a security incident involving your data, or if you notice any suspicious activity related to our services, please contact us immediately at support@orvynex.online with the subject line "Security Concern".
Children's Privacy
Our website and services are directed exclusively at businesses and professionals. They are not intended for, and should not be used by, individuals under the age of 18 years.
We do not knowingly collect, solicit, or process personal data from anyone under 18. If we become aware that we have inadvertently collected personal data from a child, we will delete that information from our systems promptly and without delay.
If you are a parent or guardian and believe your child has provided us with personal data, please contact us at support@orvynex.online and we will take immediate action.
Changes to This Policy
We may update this Privacy Policy periodically to reflect changes in our data practices, applicable law, or our business operations. When we make changes:
- The "Last Updated" date at the top of this page will be revised
- Material changes (changes that significantly affect your rights or how we process your data) will be communicated via email or a prominent notice on our website at least 14 days before taking effect
- Minor changes (such as clarifications or corrections) take effect immediately upon publication
- Continued use of our services after the effective date of any changes constitutes your acceptance of the updated policy
We encourage you to review this policy periodically. Previous versions can be requested by contacting us directly.
Contact & Complaints
If you have any questions, concerns, or requests regarding this Privacy Policy or the way we handle your personal data, please get in touch:
ORVYNEX LIMITED — Privacy & Data Team
Company Number: 16994736
Registered in England & Wales
📧 Email: support@orvynex.online
📞 Phone: +44 1632 960123 (Mon–Fri, 9am–5pm GMT)
🌐 Website: orvynex.online
We aim to respond to all data protection requests and queries within one calendar month. For complex or multiple requests, we may extend this by a further two months, in which case we will notify you.
14.1 Making a Complaint
If you are unhappy with how we have handled your personal data, we ask that you contact us first so we can attempt to resolve the matter. If you remain dissatisfied, you have the right to lodge a complaint with the UK's supervisory authority:
Information Commissioner's Office (ICO)
- Website: www.ico.org.uk
- Phone: 0303 123 1113
- Online complaints: ico.org.uk/make-a-complaint
- Address: Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF
Related Policies
- Terms of Service: orvynex.online/terms-and-use
- Refund & Cancellation Policy: orvynex.online/refund-and-cancelation
- Cookie Policy: orvynex.online/cookies