ORDERBADGER PRIVACY POLICY
Effective date: 1 March 2026
This Privacy Policy explains how Obsidian Black Ltd ("we", "us", "our") collects, uses, and protects personal data when you use OrderBadger, including our website at [https://orderbadger.com](https://orderbadger.com) (the “Website”) and our plugin and related services (the “Service”).
1. WHO WE ARE (DATA CONTROLLER)
Controller: Obsidian Black Ltd
Company number: 10633293
Registered address: 12 Ladysmith Road, Exeter, EX1 2PU
Privacy email: [email protected]
If you are a merchant using the plugin, you are typically the “controller” of your customers’ personal data. We act as a “processor” only to the extent we process customer/order data on your behalf (see Section 6).
2. WHAT DATA WE COLLECT
A) Data you give us directly
- Contact details: name, email address, company name, role
- Messages and support: content of messages you send us (e.g. via forms or email)
- Marketing preferences: whether you opted in/out
B) Data we collect automatically on the Website
- Technical data: IP address, device type, browser type/version, operating system
- Usage data: pages viewed, clicks, referring URLs, approximate location (city/region)
- Cookies and similar technologies (see Section 10)
C) Data processed via the plugin/Service (merchant stores)
OrderBadger processes WooCommerce order data to generate flags/badges and other outputs.
PII minimisation: When OrderBadger sends order data to our server for evaluation, it strips the order of personal data (such as customer name, address, email, and phone) before transmission.
We may process:
- Store/admin details needed to operate the Service (e.g. store identifier, site URL, admin user details if required)
- Order metadata (e.g. order ID/reference, line items/SKUs, quantities, shipping method, totals, tags/badges, timestamps)
- Product/catalogue attributes used for rule evaluation (e.g. SKU/category/attributes)
We do not intentionally require or request customer personal data for rule evaluation. If you configure the Service in a way that causes personal data to be sent, you are responsible for ensuring it is lawful and appropriate.
3. WHY WE USE YOUR DATA (PURPOSES)
We use personal data to:
- Provide and operate the Website and Service
- Provide early access/waitlist updates and product communications you request
- Respond to enquiries and provide support
- Improve product performance, reliability, and security
- Monitor for fraud, abuse, and service misuse
- Comply with legal obligations (e.g. accounting and tax)
4. OUR LEGAL BASES (UK GDPR)
We rely on one or more of the following legal bases:
- Contract: to provide the Service you request
- Legitimate interests: to run and improve our business, secure systems, and prevent abuse (balanced against your rights)
- Consent: for optional marketing emails and certain cookies/analytics (where required)
- Legal obligation: where we must retain or disclose information to comply with law
5. MARKETING COMMUNICATIONS
If you join the waitlist or request updates, we may send you product emails. You can opt out at any time using the unsubscribe link in emails or by contacting us at [email protected].
6. MERCHANT STORES: ORDER DATA AND PROCESSING
If you use OrderBadger on a store, you are responsible for ensuring you have a lawful basis to process your customers’ data and to use any processors you choose.
OrderBadger is designed to minimise personal data processing. Within WooCommerce, orders are stripped of personal data before being sent to the SmartFACT evaluation server. The server evaluates the order against your fact rules and returns evaluation outcomes (e.g. flags/badges) to your store.
Where we process data on your behalf, we:
- Process it only on your instructions and for the purposes of providing the Service
- Apply reasonable security controls (see Section 9)
- Use sub-processors only as necessary (see Section 7)
- Do not retain orders (see Section 8)
If you want a formal Data Processing Agreement (DPA), contact us at [email protected].
7. SHARING DATA AND SUB-PROCESSORS
We may share personal data with trusted third parties only where needed to run the Service. We do not sell your personal data.
Our providers include:
- DigitalOcean - hosting/infrastructure for the Service
- Cloudflare - DNS and email delivery/security services
- Formspree - website form handling (e.g. contact/waitlist forms)
- Google Analytics 4 (GA4) - website analytics
- Sentry - error monitoring and diagnostics
- Laravel Forge - deployment and server management tooling
We may update our providers from time to time.
8. DATA RETENTION
We keep personal data only as long as necessary:
- Orders: not retained on our servers. Order data is evaluated and then discarded.
- Waitlist emails: retained until launch, then deleted or anonymised within 60 days.
- Support messages: retained for as long as reasonably necessary to provide support and maintain records in line with standard industry practice.
- Service logs/diagnostics: retained for 6 months, then deleted or anonymised.
- Billing/tax records (if applicable): retained for 6 years as required by law.
9. SECURITY
We use reasonable technical and organisational measures to protect personal data, such as access controls, encryption in transit, least-privilege access, and monitoring. No method of transmission or storage is 100% secure; you should also secure your own store/admin accounts and hosting environment.
10. COOKIES AND ANALYTICS
We use cookies and similar technologies to operate the Website and, if enabled, to measure and improve performance.
We currently use Google Analytics 4 (GA4) to understand website usage and improve the Website. GA4 may set cookies and process technical and usage information. We use a cookie banner/consent mechanism so you can control non-essential cookies (such as analytics). You can update your preferences at any time via the Cookie Settings link on the Website.
Cookie categories may include:
- Strictly necessary cookies (required for basic operation)
- Analytics cookies (optional, subject to consent where required)
- Functional cookies (optional preferences)
Cookie settings: Use the Cookie Settings link on the Website to review or change your preferences.
11. INTERNATIONAL TRANSFERS
Some of our providers may process data outside the UK. Where international transfers occur, we use appropriate safeguards (such as the UK Addendum to SCCs or adequacy regulations) as required by UK GDPR.
12. YOUR RIGHTS (UK GDPR)
You have rights including:
- Access: request a copy of your personal data
- Rectification: correct inaccurate or incomplete data
- Erasure: request deletion (where applicable)
- Restriction: limit processing in certain situations
- Objection: object to processing based on legitimate interests
- Portability: receive data in a portable format (where applicable)
- Withdraw consent: where processing is based on consent
To exercise your rights, contact [email protected]. We may need to verify your identity.
13. COMPLAINTS
If you have concerns, contact us first at [email protected]. You also have the right to complain to the UK Information Commissioner’s Office (ICO).
14. CHILDREN
OrderBadger is not intended for use by children and we do not knowingly collect children’s personal data.
15. CHANGES TO THIS POLICY
We may update this policy from time to time. We will post the updated version on this page and update the “Effective date” above. Material changes may also be communicated via email or within the Service.