Orkid Labs

Privacy Policy

Effective date: 2026-03-30

Overview

Orkid Labs (“we”, “our”, “us”) provides a secure protocol and technical services for institutional users. This Privacy Policy explains what personal data we collect when you use our website, how we use it, and your rights. This page acts as the public privacy policy required by LinkedIn when creating an application that uses "Sign in with LinkedIn".

Data We Collect

  • Identity data from LinkedIn: profile identifier (LinkedIn ID), full name, and email address when you authenticate with LinkedIn.
  • Contact information you provide directly (email addresses submitted for access or support).
  • Access logs and audit records including timestamps and chosen infrastructure intent (e.g., “rail” or “ai”) when you download the manifesto.
  • Technical data (IP address, browser user-agent, and basic telemetry) collected for security and operations.

How We Use Your Data

  • To verify identity and prevent automated or abusive access to restricted documents.
  • To generate a short-lived, signed URL that allows you to securely download private content.
  • To maintain audit logs required by our security and compliance processes.
  • To communicate with you about services, support, or legal notices.

Third-Party Services

We use the following third-party services, which may process your data:

  • LinkedIn — used only for authentication via OAuth (Sign in with LinkedIn). You control the data you permit LinkedIn to share.
  • Supabase — used for private storage, signed URL generation, and audit logging. Stored data includes the manifesto file and access logs. We use a server-side service role; Supabase acts as our data processor.
  • Cal.com — used for calendaring and booking links (no personal data is routed through our servers for scheduling links unless you submit it voluntarily).

Cookies and Local Storage

We set a secure, HTTP-only session cookie (`orkid_session`) after successful LinkedIn authentication to maintain a short-lived session used only for gate operations (server-side JWT). We also use minimal, non-identifying cookies for analytics where applicable.

Retention

Access logs and audit records are retained for security and compliance for a period consistent with our internal retention policy. Contact us if you require specific retention limits.

Your Rights

You may request access to, correction of, or deletion of your personal data. To exercise these rights, contact us at the address below. We will respond as required by applicable law.

Security

We implement reasonable administrative, technical, and physical safeguards to protect your personal data. Access to audit logs and manifests is restricted to authorized server processes using service-role credentials.

Contact

For questions about this Privacy Policy or data requests, contact: joshua.davidson@orkidlabs.com.

This Privacy Policy is provided to meet LinkedIn's requirement for an application privacy URL and to describe our handling of identity and access data.