Privacy Policy

This Privacy Policy describes how Cadmus Lab AI LLC ("Orderly," "we," "us," or "our") collects, uses, stores, and protects information in connection with the Orderly software-as-a-service platform (the "Service"), accessible at orderlybar.app and related subdomains.

Orderly is a business-to-business product. Our customers are businesses (typically bar, restaurant, and hospitality groups) that subscribe to the Service ("Customers"). Customers grant access to their employees and contractors ("End Users") to use the Service on the Customer's behalf.

When a Customer uses Orderly, the Customer is the controller of any personal information they upload, enter, or generate within the Service. Orderly acts as the processor of that information, handling it under the Customer's instructions and the terms of our agreement with that Customer. This Privacy Policy explains how we handle information in both roles.

1. Information we collect

1.1. Information End Users provide

When an End User creates an account or uses the Service, we collect:

• Name (first and last)
• Email address
• Hashed password
• Two-factor authentication secret (when enrolled) and bcrypt-hashed backup codes
• The Customer organization the End User belongs to and the End User's role within it
• Optional location assignment within the Customer's organization

1.2. Information Customers provide about their business

Customers upload, enter, or generate operational data within the Service, including:

• Inventory records (products, distributors, categories, pricing, case-break tiers, par levels)
• Order data (weekly orders, line items, approvals, denials, notes)
• Sales data (point-of-sale uploads, item counts, week dates)
• Location and distributor information
• Promotional campaign records

This data describes the Customer's business operations and may include the names of products, vendors, and other commercial information.

1.3. Information collected automatically

When End Users access the Service, we automatically log:

• IP address
• User-agent string (browser and device information)
• Timestamps of authentication events (login attempts, two-factor verifications, password changes, password resets)
• Authenticated actions taken within the Service (recorded in our audit log: who did what, when, against which target)
• The two-factor session state (whether enrolled, when last verified)

We do not use third-party advertising trackers, marketing pixels, or behavioral analytics tools that profile individual End Users for advertising purposes.

1.4. Information we do not collect

We do not currently collect:

• Payment card information (any future payment processing will be handled by a third-party processor such as Stripe; payment card data will not transit or be stored on our servers)
• Geolocation data more precise than the IP address used to access the Service
• Audio, video, or biometric data
• Information from social media accounts
• Information from third-party data brokers

2. How we use information

We use the information described above to:

• Provide and operate the Service for Customers and their End Users
• Authenticate End Users and enforce role-based access controls within the Service
• Maintain an audit log of authenticated actions for security, compliance, and dispute resolution
• Detect and respond to security incidents (failed login monitoring, suspicious-activity investigation)
• Communicate with Customers about their account, the Service, billing, support requests, security notices, and material changes to legal terms
• Comply with our legal obligations, including responding to lawful requests from law enforcement
• Improve the Service, including diagnosing errors and planning new features

We do not sell End User information. We do not share End User information with third parties for those parties' own marketing purposes.

3. Tenant isolation between Customers

Orderly is a multi-tenant platform. Each Customer's data is logically isolated from every other Customer's data using PostgreSQL Row-Level Security policies enforced at the database layer, with all application queries scoped to the authenticated Customer's organization. End Users of one Customer cannot read, modify, or otherwise access another Customer's data through the Service.

Backups, audit logs, and operational records are also scoped per Customer to the extent technically feasible.

4. How we share information

We share information only as described in this Privacy Policy. The categories of recipients are:

4.1. Service providers (sub-processors)

We use a small set of vetted third-party infrastructure providers to deliver the Service. As of the effective date of this Policy, those providers are:

• Railway — hosting of our application servers and PostgreSQL database (United States)
• Vercel — hosting of our frontend web application (United States)
• Cloudflare — domain registrar, DNS, and (via R2 storage) encrypted database backups (United States)
• Cloudflare R2 — object storage for encrypted database backups (United States)
• An email-delivery service for transactional emails such as password resets (we will identify the specific provider in this policy when this functionality is enabled in production)

Each sub-processor is contractually obligated to handle Customer data only as needed to provide their services to us and to maintain appropriate security safeguards. We will provide the current list of sub-processors to any Customer on request and will give Customers reasonable advance notice before we add or change a sub-processor.

4.2. At the direction of the Customer

If a Customer integrates the Service with another tool or instructs us to share their data with another party, we will do so. End Users should direct questions about such sharing to the Customer they work for.

4.3. Legal and safety

We may disclose information when we believe in good faith that disclosure is necessary to comply with applicable law, a valid legal process, or a lawful government request; to enforce our agreements; to protect the safety of any person; or to investigate or prevent fraud or security incidents.

If we receive a government request for Customer data, we will, where legally permitted, notify the affected Customer before disclosing.

4.4. Business transfers

If we are involved in a merger, acquisition, or sale of all or part of our business, Customer data and other information described in this Privacy Policy may be transferred as part of that transaction. We will notify Customers of any such transfer and explain any change in how their data is handled.

5. Data retention

We retain information for as long as a Customer's account is active and for a reasonable period afterward to allow for account recovery, dispute resolution, and compliance with our legal obligations.

When a Customer terminates their subscription, we will:

• Make the Customer's data available for export for at least 30 days after termination
• Delete the Customer's operational data from active systems within 90 days of termination, unless a longer retention period is required by law
• Retain encrypted backups for the duration of our regular backup-retention cycle (currently approximately 30 days), after which they are automatically aged out

Audit-log records of authenticated actions and authentication events may be retained longer to support security investigations and legal compliance, in accordance with applicable law.

6. Security

We use multiple layers of technical and operational controls to protect information, including:

• TLS/HTTPS encryption for data in transit (enforced by HSTS preload on the .app top-level domain)
• Bcrypt password hashing (not reversible to plaintext)
• Mandatory two-factor authentication (TOTP) for elevated roles (Bar Manager and above) and for our internal platform administrators
• A non-superuser database role for the runtime application, with PostgreSQL Row-Level Security policies enforcing tenant isolation
• An audit log of authenticated actions, including the originating IP address and user-agent
• Encrypted off-site database backups stored in object storage, with periodic restore drills to verify recoverability
• Internal access controls limiting which personnel can access production data, with all administrative impersonation ("View As") sessions logged in the audit trail under the administrator's identity

No system is perfectly secure. If we become aware of a security incident that affects a Customer's data, we will notify that Customer without undue delay in accordance with applicable law and our agreement with them.

7. Your rights

The rights available to End Users depend on where they live and the laws that apply to them. In all cases, End Users should generally direct requests about personal information to the Customer they work for, because the Customer is the controller of that information. We will assist Customers in responding to End User requests as required by law.

7.1. United States residents

If you are an End User in California, you may have rights under the California Consumer Privacy Act (CCPA), as amended by the California Privacy Rights Act (CPRA), including the right to know what personal information has been collected about you, the right to delete it, the right to correct it, and the right to opt out of its sale or sharing. We do not sell personal information.

End Users in other US states with comparable privacy laws (currently including Colorado, Connecticut, Utah, and Virginia, with additional states adding similar laws) have analogous rights under those laws.

7.2. International End Users

The Service is hosted in the United States and intended for use by US-based Customers and their End Users. If End Users outside the United States access the Service, their information will be transferred to and processed in the United States. By using the Service, they consent to that transfer.

We do not currently market the Service to End Users in the European Economic Area, the United Kingdom, or other regions with comprehensive cross-border data-protection laws. If a Customer requires us to handle data subject to those laws, we will negotiate appropriate safeguards (including a Data Processing Addendum) before doing so.

8. Children's privacy

The Service is not directed to children under 16, and we do not knowingly collect information from children under 16. If we learn that we have inadvertently collected information from a child under 16, we will delete it.

9. Changes to this policy

We may update this Privacy Policy from time to time. When we make material changes, we will notify Customers by email or by prominent notice within the Service before the changes take effect. The "Last updated" date at the top of this Policy reflects the most recent revision.

10. Contact

Questions about this Privacy Policy or about how we handle information can be sent to:

Cadmus Lab AI LLC
Attn: Privacy
Email: danny@cadmuslab.ai

For requests under specific privacy laws (CCPA, CPRA, etc.), please indicate which law you are invoking so we can route your request appropriately.