Privacy Policy

01 About this policy & who we are

Ordo (“we”, “us”, “our”) is committed to protecting your privacy. This policy applies to the personal data we collect through this website, the Ordo mobile app (iOS and Android), and our email communications. “Personal data” means any information that identifies you, or that relates to an identifiable person.

Ordo is an early-stage venture run by its founders. Until we complete incorporation, the people responsible for your personal data (the joint “controllers”) are Ordo's founders, Kirpal Sangha and Manraj Sangha. You can reach us about anything in this policy, including to exercise your rights, at support@ordo.fitness, or by post at [postal correspondence address]. Once we incorporate, we'll update this section with our registered company name, company number, registered office and ICO registration reference.

We are the “controller” for your personal data under UK data protection law — the UK GDPR and the Data Protection Act 2018. We are not currently required to appoint a Data Protection Officer; please use the contact details above for any data protection query.

02 The personal data we collect & why

We only collect data we need to run Ordo and deliver the service you've asked for. Depending on how you use Ordo, this may include the following categories — each with the “lawful basis” we rely on to use it:

• Waitlist & enquiry data — your name and email address when you join the waitlist, and anything you tell us when you contact us. Basis: your consent (for the waitlist and launch updates), and our legitimate interests in responding to enquiries.
• Account data — the email address and password you use to create your Ordo account in the app, and basic profile details. (There is no account on this website.) Basis: performance of our contract with you.
• Profile & weekly-setup data — the choices you make when setting up your week (training frequency, movement baseline, nutrition mode, upcoming events) and any goals, preferences or lifestyle information you give us. Some of this relates to your health and fitness — see section 03. Basis: performance of our contract; and, for health-related details, your explicit consent.
• Payment data — the pilot is bought as an in-app purchase through the Apple App Store or Google Play, under their terms. We don't take payments on this website, and we never see or store your card details — we only receive confirmation that a purchase was made. Basis: performance of our contract and compliance with our legal obligations (e.g. tax and accounting).
• Communications data — the content of, and our record of, messages between you and us (for example, emails), and your contact preferences. Basis: our legitimate interests in managing our relationship with you and, where relevant, your consent.
• Usage & technical data — how you interact with our website and app, plus technical information such as your IP address, device type, operating system and app version. Basis: our legitimate interests in keeping Ordo secure, working and improving.

If you don't provide certain data

Where we need personal data to perform a contract with you (for example, to create your account or provide the pilot) and you don't provide it, we may not be able to provide the service. We'll let you know if this is the case at the time.

03 Special category (health) data

Because Ordo helps you plan training, nutrition and recovery, some information you choose to give us — such as your fitness goals, activity levels or related lifestyle details — may count as “special category” data about your health under UK data protection law. We only collect this where you choose to provide it, and we rely on your explicit consent to use it to give you a personalised plan.

You can withdraw that consent at any time by contacting us or adjusting your settings; this won't affect any processing we carried out before you withdrew. Ordo does not provide medical advice and is not a substitute for professional healthcare.

04 How we collect your data

We collect personal data in three main ways:

• Directly from you — when you join the waitlist, create an account in the app, set up your week, buy the pilot in the app, or contact us by email.
• Automatically — as you use our website and app, through cookies and similar technologies (see section 10) and server logs.
• From third parties — for example, the Apple App Store or Google Play when you download or buy through them, and our service providers acting on our behalf.

05 Marketing & the weekly prompts

We send launch updates, occasional news and — once the app is live — the weekly prompt to set your week. We send these by email only, using our email provider Brevo. We don't send marketing by SMS or WhatsApp.

• We send marketing and launch emails to people who join the waitlist on the basis of your consent. You can opt out at any time using the one-click unsubscribe link in every email, or by contacting us — and we'll stop.
• We may also send you service messages (for example, about your account, the pilot, or important changes) where we don't need consent, because they're necessary to provide the service.

We don't sell your data, and we don't share it with third parties for their own marketing.

06 Who we share your data with

We share personal data only where necessary, and we require anyone who processes data on our behalf to protect it and use it only on our instructions. We may share data with:

• Service providers (processors) who help us run Ordo and act only on our instructions — currently Hostinger (website hosting, UK/EU), Brevo (email delivery, EU), the Apple App Store and Google Play (app distribution and in-app purchases), Google Fonts (serving fonts to your browser), and PostHog (website analytics — only when you consent; see section 10).
• Professional advisers such as lawyers and accountants, where needed.
• Authorities and regulators where we're required to by law, or to protect our rights, property or safety, or those of others.
• A buyer or successor if we reorganise, sell or transfer our business, in which case we'll make sure your data stays protected.

We never sell your personal data.

07 Transferring your data outside the UK

We keep your data in the UK or EU wherever we can. Brevo processes data in the EU, which is covered by UK “adequacy”, and Hostinger hosts our site in the UK/EU. Some providers — such as Apple, Google and PostHog — may process data outside the UK/EU (for example, in the US). Where data goes to a country without UK “adequacy”, we rely on an appropriate safeguard — such as the UK's International Data Transfer Agreement (IDTA), the UK Addendum to the EU Standard Contractual Clauses, or the UK Extension to the EU–US Data Privacy Framework. You can ask us for more detail using the contact details below.

08 How long we keep your data

We keep personal data only for as long as we need it:

• Waitlist & marketing contacts — until you unsubscribe or ask us to remove you, after which we delete or anonymise your details within 30 days.
• Account data — while your Ordo account is active, and for up to 30 days after you delete it, after which we erase or anonymise it.
• Payment & tax records — for 6 years, as required by UK tax law.
• Enquiries & support messages — for up to 24 months after your query is resolved.

When we no longer need your data, we delete it or anonymise it so it can no longer identify you.

09 How we keep your data secure

We use appropriate technical and organisational measures to protect your personal data against unauthorised access, loss, misuse or alteration — including encryption in transit, access controls, and limiting access to those who need it. No method of transmission or storage is completely secure, but we work hard to protect your data and have procedures to deal with any suspected breach, including notifying you and the regulator where we're legally required to.

10 Cookies & similar technologies

Our website uses a small number of cookies and similar technologies:

• Essential cookies that make the site work — for example, to keep your session secure and to protect forms against cross-site request forgery. These don't need your consent because the site can't function properly without them.
• Analytics — PostHog. We use PostHog to understand how the site is used so we can improve it. This relies on non-essential cookies/identifiers and only runs if you consent via our cookie banner. You can change your choice at any time.
• Third-party connections — we load fonts from Google Fonts, which means your browser connects to Google's servers to fetch them.

We don't use advertising cookies. If we add advertising or conversion-tracking (for example, from social media platforms), we'll only load it with your consent and list it here first. You can manage your choices through our cookie banner, or control or delete cookies through your browser settings — though blocking essential cookies may stop parts of the site working.

11 Your rights

Under UK data protection law you have the following rights, free of charge in most cases:

• Access — to be told whether we hold your data and to get a copy of it.
• Rectification — to have inaccurate or incomplete data corrected.
• Erasure — to ask us to delete your data in certain circumstances (the “right to be forgotten”).
• Restriction — to ask us to limit how we use your data in certain circumstances.
• Portability — to receive certain data in a portable format, or have it sent to another provider.
• Objection — to object to processing based on our legitimate interests, and to direct marketing at any time.
• Withdraw consent — where we rely on your consent, you can withdraw it at any time (this won't affect processing already carried out).
• Rights around automated decisions — we don't make decisions about you by solely automated means that produce legal or similarly significant effects.

To exercise any of these rights, contact us using the details in section 15. We'll respond within one month — we may extend this for complex requests, and we'll tell you if so. We may need to verify your identity first.

12 Children's data

Ordo is aimed at adults and is not directed at children. We don't knowingly collect personal data from anyone under 18. If you believe a child has provided us with personal data, please contact us and we'll delete it.

13 Third-party links

Our website and app may contain links to third-party websites, apps or services (for example, the App Store, Google Play or social media). We're not responsible for their privacy practices, and this policy doesn't apply to them. Please read their own privacy notices before sharing any personal data with them.

14 Changes to this policy

We may update this policy from time to time to reflect changes in how we work or in the law. When we do, we'll update the “last updated” date and version at the top and, where the changes are significant, we'll tell you directly. Please check back from time to time.