privacy-notice

Privacy Notice

When you visit our pages and use our products, you entrust us with your personal data. We are absolutely committed to treating your personal data with care and respect.

This Privacy Notice describes how ORFI collects and uses your personal data in relation to ORFI's websites, services, events, and experiences that reference this Privacy Notice (together, the "Services").

This Privacy Notice also does not apply to any products, services, or content that are offered by third parties having their own privacy policies, including other entities of our group companies and their affiliates (the “Group Companies”).

This Privacy Notice does not apply to content that we process on behalf of our Customers. For such data, we act as the processor, while our Customers are the controllers. The use of this data is governed by the agreements we have with our Customers, which cover access to and utilization of our services.

When you use ORFI Services, the controller of the personal data you provide is EdTech Plus B.V., an enterprise incorporated under the laws of the Netherlands, with headquarters in Amsterdam at Gustav Mahlerlaan 300, 1082 ME Amsterdam, the Netherlands (referred to as: "ORFI", “us’, “we”, “our”).

Our public websites, including https://orfi.ai, are referred to as the “Site.”

How to contact us: ORFI Privacy Office: privacy@orfi.ai

1. Sources of personal data

ORFI processes personal data provided by data subjects themselves or collected when they use our Services:

Information you may provide when you communicate with us by e-mail, or otherwise.

Provided you have been duly informed by us, we may monitor and record e-mails, live chats, or other communications available at the Site between you and our Service representatives or other ORFI representatives, to improve and monitor the quality of our Services.

You may provide your information through web forms to be contacted by us or to submit your request or query to us.
You may provide us information we need to check your identity as part of our KYC procedures.
You may provide information on behalf of another person or entity. If you completed the registration on behalf of another entity or if you otherwise provide information regarding another person or entity, you represent to us that you were authorized by that person or entity to use the submitted information.

2. Personal data we process

ORFI processes personal data related to its potential and current customers (individuals or representatives of legal entities), individuals who actually use the services (users), and users of the website. The categories of processed personal data include:

User Full name;
Whether the User is an administrator or not;
Contact information such as email address, phone number;
Job title;
Company name;
Company size;
Company industry;
Other information provided by the Customer in the registration form;
Payment and billing details;
Authentication or authorization data;
Information contained in support requests.
Metadata: personal data ORFI collects or generates during the provision and administration of the Services, information about users' preferences and usage of the Service, including user identifiers, authentication credentials, resource identifiers and attributes, IP addresses. We collect information about operational status, software errors and crash reports, quality and performance metrics, and other technical details necessary for us to operate and maintain services and related software;
Geographical location based on the IP address;
Service access times;
Statistics on page views and time spent on pages;
Communications. We may keep records of your communications and interactions with us, for example, when you provide feedback, or contact information, ask questions, or seek technical support;
Partially obscured copies of your ID document (when this is requested, only the following fields being visible: picture, name and surname, nationality, place and type of document, first 4 digits of the document number), in specific cases of our KYC process.

**
Sensitive personal data**: We do not intentionally collect sensitive personal data (for example, information revealing race, ethnic origin, political opinions, religion, etc.), and we ask our users not to provide us with such information.

3. Why we process your personal data

We only collect and use personal data for the purposes which are necessary in connection with the processing of your request/query, to verify your identity if you contact us, to send you our newsletter, enhance both the performance and the content of our Websites, to tailor our services and our Websites to our customers' and users' preferences, to analyze trends and to comply with any law in accordance with the applicable legislation, to protect us and our users/customers, from fraud or other illegal activities. More specifically, to:

To provide appropriate feedback to your questions and requests, and/or to fulfill the necessary steps to conclude an agreement with you;
To provide our services, specifically to create/update and personalize your account, enabling accessibility features, process payments, perform the necessary operations to deliver and maintain our services, support requests and any other inquiries about our Services, send notifications about changes to our Services and provide information that is relevant to the use of the Services and take the necessary steps to conclude an agreement with you, when applicable;
To allow the provision of the Services of a third party, as detailed in the ORFI Customer Agreement [https://docs.orfi.ai/customer-agreement/\], when you request this Service.

And also:

To develop, improve the performance of, and secure our Services;
To determine the effectiveness of our promotional campaigns, so that we can better tailor these campaigns to your interests;
For analytics, statistical, development, and research purposes, including providing our business partners and affiliates with aggregated statistical data.

All this is based on our legitimate interest to provide you with a better experience and product, and fine-tune our offers to your needs.

Moreover, we may process your personal data:

To comply with legal obligations and judicial enforcement, and administrative orders that we or our customers are or may be subject to under any applicable law;
To protect and enforce our rights, our privacy and security, as well as our safety, systems, and property, or those of other persons we are responsible for, and to resolve disputes;
To verify your identity during onboarding as part of our KYC (Know-Your-Customer) checks, to authenticate you as an authorised user of the Services, or to detect and prevent possible frauds;
To perform audits and (internal) checks aimed at verifying that our internal processes are indeed operated in compliance with applicable legal, contractual, and regulatory requirements;

Moreover, we engage in notifications and promotional communications (marketing): subject to your approval, we may send you notifications, either via email, messages, and other promotional updates about new features, offerings, events and special opportunities or any other information we think our customers and users will find valuable.

4. Your consent when requested by applicable law

Some non-EEA legislations require your consent in order for us to process the personal data. Where and when this is the case, please consider that by accessing, viewing, and using the Websites, you consent to the processing of personal data as described in this Privacy Notice. You have the right to withdraw your consent at any time, which will not affect the lawfulness of the processing until that time.

5. To whom we disclose your personal data

We may disclose certain personal data to the following recipients to the extent required or permitted by applicable law and/or based on our legal interests.

More specifically:

Group Companies (a parent company, Nebius Group N.V. (CCI nr. 27265167) and its Affiliates that are involved in operating business activities or providing our services, also for support and technical maintenance purposes;
Third-party vendors providing services to us, to facilitate or evaluate our services, such as: ITSM, CRM, ERP, billing, and other systems required for administering ORFI business processes, legal advisers, accountants, suppliers of payment services;
Various public authorities, if and exclusively when this is strictly necessary to fulfill our legal obligations and/or to respond to law enforcement orders and requests;
Other third parties to enforce our Customer Agreement and protect our rights, privacy, and our properties;

In the event that ORFI goes through a business transition, such as a merger, acquisition by another company, or sale of all or a portion of its assets, your personal data may be among the assets transferred, and it will be transferred only subject to restrictions similar to those contained herein or as otherwise required by applicable laws and regulations.

We will never use your data other than as described in this Notice except with your prior consent.

6. Data transfer

We store your Personal data in our Data Centers in the European Union. However, we do operate globally and may process and transfer your personal data to other companies of the same Group Companies worldwide, or to third parties around the world for the purposes described in this Notice and specifically to ensure we can materially fulfill our agreement with you and/or answer to your requests, or – when applicable – upon your consent.

When we transfer your personal data outside the EU and EEA, we are fully committed to ensuring the safeguard and the protection of your personal data, which includes implementing appropriate measures in this regard, including:

adopting Standard Contractual Clauses adopted by the European Commission (and their approved equivalent for Switzerland and the UK), or other safeguard mechanisms;
securing personal data when in transit;
implementing internal policies to limit access to personal data and ensure awareness;

For an overview of the level of data protection in each country, please see https://www.cnil.fr/en/data-protection-around-the-world.

7. Retention of your personal data

We retain your personal data only for as long as it is necessary to fulfill the scopes described in this Notice. The exact length of time may vary depending on the type of data, the scope of the processing, the category of users involved, and - most importantly - whether we are compelled to retain certain personal data due to - most frequently and as an example - tax requirements or other legal requirements under applicable law, fraud prevention, or safety. Please consider that non-personal data may be retained and used by ORFI without limitation, in particular for archiving purposes, public interest, statistical, historical, or scientific research purposes.

8. Security

ORFI has a team dedicated to ensuring the security of your personal data. We have implemented technical, administrative, and physical security measures meant to protect the personal data we process, and we make a point of making sure that these measures are always state-of-the-art and are adequately tested by us.

Despite our best efforts, please keep in mind that no security measures are impenetrable, and no website or internet transmission is ever completely secure, and we cannot guarantee (i) that unauthorized access, hacking, data loss, or other breaches shall never occur; and (ii) the security of your data; any transmission is at your own risk.

10. Children

Our Websites and/or services are not intended for use under the age of 18. We do not knowingly process personal data from anyone under the age of 18.  If you are a parent or guardian of someone under that age limit, you may contact us in order to exercise their rights on their behalf as detailed in this Privacy Notice.

11. Specific jurisdictions

We provide additional information about the processing of your data to our visitors located in some specific jurisdictions:

11.1 US

The information contained under paragraphs 2 and 3 is meant to provide the necessary disclosures and to serve as a Notice at Collection under the California Privacy Rights Act, as are required by the California Consumer Privacy Act, as amended by the California Privacy Rights Act, Colorado Privacy Act, Connecticut Data Privacy Act, Utah Consumer Privacy Act, and Virginia Consumer Data Protection Act, Delaware Privacy Act, Iowa Consumer Data Protection Act, Oregon Consumer Privacy Act, Montana Consumer Data Privacy Act, Texas Data Privacy and Security Act.

Data We Collect and Use

Information We Collect Directly From You. We collect personal data you choose to provide, e.g., through registrations, applications, and surveys, and in connection with your inquiries and purchases. For example, you may choose to provide your name, contact information, and/or financial information in connection with your registration with the ORFI site.

Information We Collect Automatically. We and our third-party business partners may automatically collect information when you use our ORFI site through your usage of the ORFI product.

How do we use personal data?

We may use your personal data in the following ways for our business purposes:

To render our Services (ORFI)

We use your personal data to:

Operate our business;
Deliver our products and services;
Process, complete, and fulfill your requested transactions;
Provide customer service and respond to requests or inquiries;
Communicate with you;
Tailor our marketing programs and campaigns; and
Provide you with newsletters, alerts about the product.

Categories of Data Subjects and Categories of Personal Data we collect and disclose

We act as a data processor to our Customers, hence the categories of personal data subject to processing associated with the rendering of ORFI Services are defined in the Data Processing Agreement. We may disclose the below-listed categories of personal data with our Affiliates and third parties that act as our sub-processors.

Categories of personal data processed

Customer’s Employee/Representative referred in the Customer Agreement as User (Hiring manager, Recruiter, or a Team member is being referred to as a User)

User’s Full Name
E-mail, the user’s email address used for login or communication, the Customer’s corporate email domain (used for matching or validation)
Company Name, the name of the user’s company.
Acceptance of the Customer Agreement
User’s Sessions. The user’s active or historic session data
The manager’s position/title within the Customer’s organization
Approximate size of the manager’s company (e.g., number of employees)
The manager’s role or level within a specific team (administrator, user without admin rights)
The timestamp and logs regarding the creation or modification of the User account
Indication whether the user has opted in to marketing emails
A list/count of invites the manager has sent to potential team members, e-mail address of the person invited to a team and timestamp regarding when the team invite was accepted
The manager details who sent the team invite, date/time when the team invite expires
The team’s name, as designated by the User within the product/application
The transcription of an interview/meeting call
Metadata about the call
Full name (username) of participants who spoke during the call
Activity logs regarding recording of shared screens during the call

Candidates interviewed by the Customer’s Hiring manager, Recruiter or a Team member

Work authorization or visa status if discussed during the call
Right-to-work documents (e.g., work permits, residency cards) if discussed during the call
Expected salary or rate if discussed during the call
Previous salary details (if provided) if discussed during the call
Any additional information voluntarily provided by the candidate (e.g., personal interests, hobbies, or reasons for applying) if discussed during the call
The transcription of an interview/meeting call
Metadata about the call
Full names of participants who spoke during the call
Information or recording of shared screens during the call
Any information that the Candidate voluntarily brings up for discussion during the call

Your Rights: You may have certain data rights under state privacy laws, including to request information about the collection of your personal information, to access your personal information in a portable format, and to correct or delete your personal information. If you wish to exercise any of your rights, please contact our Privacy Office at privacy@orfi.ai. Additionally, you have the right to appeal a possible denial of any of these rights by submitting a form that will be provided to you in case of such a denial.

To ensure the security of your ORFI account, we will generally ask you to verify your request using the contact information you have already provided. If you are an authorized agent making a request on behalf of a consumer pursuant to applicable state law, we may ask you to provide information verifying you have proper authority to make the request on behalf of the consumer or we may ask the consumer to verify their identity with us directly.

We will verify your identity and provide you with an answer within 4 (four) weeks. Please consider that we may need to request additional personal data to verify your identity and protect us against fraudulent requests. If you perform your request through an authorized agent, we will need a power of attorney or a written permission from you authorizing the agent to perform the request on your behalf.

You have the right to be free from unlawful discrimination or retaliation for exercising your rights.

We do not sell your personal data (including your personal information).

12. Your Rights

As ORFI is subject to the General Data Protection Regulation (GDPR), all our Website users, notwithstanding their location, enjoy the following rights:

The right to request ORFI to provide you access to, correct, or delete your personal data;

The right to request to restrict how ORFI processes your personal data

The right to object to such processing and to withdraw the consent you previously provided.

The right to request ORFI to rectify incorrect personal data.

The right to request ORFI to delete your personal data.

The right to request that ORFI provide you with a machine-readable copy of your personal data and not to be subject to automated decisions.

Moreover, you can make a complaint to the supervisory authority of your place of residence. Please see:

for the EU – https://ec.europa.eu/justice/article-29/structure/data-protection-authorities/index_en.htm

There may be circumstances where we cannot accommodate a request if it would prevent us from fulfilling certain legal obligations under applicable laws and regulations.

13. Updates

Our business is constantly developing and changing and our Privacy Notice may also change. We may update this Privacy Notice from time to time and publish a new version on our websites. We recommend you keep an eye on possible updates. If we plan any material changes, we will – of course – inform you.

14. Questions?

If you have any queries or questions about this Privacy Notice or about the manner we process Personal data, please contact our Privacy Office at EdTech Plus B.V., Gustav Mahlerlaan 300, 1082 ME, Amsterdam, the Netherlands: privacy@orfi.ai.

Publication date: [04/11/2025]

Web address: https://docs.orfi.ai/privacy-notice/