Skip to content
PEKVOR
Legal

Privacy Policy

Last updated: July 14, 2026

This Privacy Policy explains how PEKVOR LLC and its affiliates (collectively, “PEKVOR”, “we”, “us”, or “our”) collect, use, disclose, retain, and protect personal data when you visit our websites, communicate with us, engage our professional services, or use the OrchaFlow platform and related products (collectively, the “Services”).

We designed this Policy to meet the disclosure requirements of the major global privacy regimes, including the EU and UK General Data Protection Regulation (GDPR), the California Consumer Privacy Act as amended by the CPRA (CCPA/CPRA) and other U.S. state privacy laws, Canada’s PIPEDA, Brazil’s LGPD, and applicable data-protection law in the United States (State of Wyoming). Region-specific rights are set out in Sections 12 and 13.

Please read this Policy together with our Terms of Service and, where applicable, the Data Processing Addendum (DPA) that governs personal data we process on behalf of our clients.

1.Who We Are (Data Controller)

For personal data we collect about website visitors, prospects, clients’ personnel, job applicants, and vendors, the data controller (or “business” under U.S. law) is PEKVOR LLC, a limited liability company (LLC) formed under the laws of the United States (State of Wyoming).

Where we process personal data on behalf of a client in the course of delivering the Services (for example, data contained in systems we build, host, or operate, or processed within OrchaFlow), we act as a processor (or “service provider”), and the client is the controller. In that role, our processing is governed by the applicable services agreement and DPA. See Section 16.

How to contact us about privacy

For any privacy question or to exercise your rights, contact us at contact@pekvor.com.

Where legally required, PEKVOR has appointed a representative in the EU and in the UK under Article 27 of the EU/UK GDPR. You may contact the representative through contact@pekvor.com, and we will route your request accordingly.

2.Scope of This Policy

This Policy applies to personal data processed through: (a) our public websites and any subdomains; (b) our sales, marketing, and support communications; (c) our professional-services engagements; (d) the OrchaFlow platform and other PEKVOR products; and (e) our recruitment and vendor-management activities.

This Policy does not apply to third-party websites, products, or services that we do not control, even if they link to or from the Services. Their privacy practices are governed by their own policies.

3.Key Definitions

  • Personal data / personal information: any information relating to an identified or identifiable natural person.
  • Processing: any operation performed on personal data (collection, use, storage, disclosure, deletion, etc.).
  • Controller / business: the party that determines the purposes and means of processing.
  • Processor / service provider: the party that processes personal data on behalf of, and under the instructions of, a controller.
  • Sensitive / special-category data: data such as health, race or ethnicity, religious or philosophical beliefs, political opinions, trade-union membership, genetic or biometric data, sexual orientation, and (under U.S. law) precise geolocation, government identifiers, and financial account details.
  • Sale and sharing (U.S. state law): the disclosure of personal information for monetary or other valuable consideration, or for cross-context behavioral advertising, respectively.

4.Categories of Personal Data We Collect

The specific data we collect depends on how you interact with us. We collect the following categories:

a. Information you provide

  • Identity and contact data: name, job title, employer, business email, business phone, mailing address, and similar details submitted through forms, consultations, or communications.
  • Account data (OrchaFlow): username, credentials, authentication data, profile details, roles, and preferences.
  • Commercial and billing data: purchase and subscription history, billing contact, tax identifiers, and (processed by our payment processors) partial payment-card or bank information.
  • Engagement content: information contained in messages, requests, proposals, contracts, support tickets, and documents you share with us.
  • Recruitment data: CV/résumé, work history, education, references, right-to-work information, and other details submitted through our careers pages.

b. Information collected automatically

  • Device and technical data: IP address, device and browser type, operating system, language, and device identifiers.
  • Usage data: pages viewed, features used, links clicked, timestamps, referring/exit pages, and diagnostic and performance logs.
  • Cookies and similar technologies: as described in Section 6.
  • Approximate location: derived from IP address; we do not collect precise geolocation from website visitors.

c. Information from third parties

  • Business-contact and enrichment data from lawful sources such as our clients, partners, referrals, and reputable data providers;
  • Authentication and profile data from single-sign-on or identity providers you choose to use;
  • Information from public sources and social or professional networks where permitted by law.

d. Client data processed on a client’s behalf

When we deliver Services, we may process personal data contained in a client’s systems or data sets. We handle that data only as a processor under the client’s instructions and the applicable DPA; the client’s own privacy notice governs it.

e. Sensitive data

We do not seek to collect sensitive data from website visitors and ask that you not submit it through our forms. Where a client engagement or OrchaFlow use case necessarily involves sensitive data, we process it only under appropriate safeguards and a lawful basis.

5.How and Why We Use Personal Data (Purposes and Legal Bases)

We use personal data for the purposes below. Where the GDPR or similar law applies, the legal basis for each purpose is indicated.

  • Provide and operate the Services — to deliver professional services, operate OrchaFlow, manage accounts, and process transactions. *Basis: performance of a contract; legitimate interests.*
  • Communicate with you — to respond to inquiries, provide support, and send service and administrative messages. *Basis: legitimate interests; performance of a contract; consent where required.*
  • Billing and administration — to invoice, collect payment, and keep financial records. *Basis: contract; legal obligation; legitimate interests.*
  • Marketing — to send relevant communications about our products and services, subject to your preferences. *Basis: consent and/or legitimate interests; you may opt out at any time.*
  • Improve and secure the Services — analytics, product development, troubleshooting, fraud prevention, and information security. *Basis: legitimate interests; legal obligation.*
  • Recruitment — to assess applications and manage hiring. *Basis: steps prior to entering a contract; legitimate interests; consent where required.*
  • Legal, compliance, and protection — to comply with law, enforce our terms, establish or defend legal claims, and protect our rights, users, and the public. *Basis: legal obligation; legitimate interests; vital interests.*
  • Corporate transactions — to evaluate, negotiate, or complete a merger, acquisition, financing, or asset sale. *Basis: legitimate interests; legal obligation.*

Where we rely on legitimate interests, we balance those interests against your rights and freedoms and can provide our balancing assessment on request. Where we rely on consent, you may withdraw it at any time without affecting prior processing.

6.Cookies, Analytics, and Similar Technologies

We use cookies and similar technologies (pixels, local storage, SDKs) to operate the site, remember preferences, measure performance, and — only with consent where required — understand usage and support marketing.

  • Strictly necessary cookies enable core functionality and security and cannot be switched off.
  • Preference cookies remember your settings, such as theme and language.
  • Analytics cookies help us understand how the site is used; non-essential analytics load only after consent where legally required.
  • Marketing cookies, if used, support relevant advertising and measurement and are set only with consent where required.

You can manage cookies through our consent banner (where shown) and your browser settings. We honor recognized opt-out signals, including the Global Privacy Control (GPC), as a valid request to opt out of “sale”/“sharing” where applicable. We do not guarantee response to legacy “Do Not Track” signals, which lack a common standard.

7.How We Disclose Personal Data

We do not sell your personal data for money. We disclose personal data only as described here:

  • Service providers / processors — vendors who host, support, secure, or operate the Services (e.g., cloud hosting, analytics, email, payment processing, CRM, support tooling), bound by contract to process data only on our instructions.
  • Affiliates — members of the PEKVOR group, for the purposes described in this Policy.
  • Professional advisers — auditors, lawyers, accountants, and insurers, where necessary.
  • Business transfers — an actual or prospective buyer, investor, or successor in a corporate transaction, subject to confidentiality.
  • Legal and safety — authorities, courts, or third parties where required by law, to enforce our agreements, or to protect rights, property, safety, or security.
  • With your direction or consent — to any other party you ask us to share with.

A current list of key sub-processors used to deliver OrchaFlow and hosted Services is available on request.

U.S. state-law statement

In the preceding twelve (12) months, we have not “sold” personal information as defined under U.S. state privacy laws. To the extent certain analytics or advertising cookies constitute “sharing” for cross-context behavioral advertising, you may opt out as described in Sections 6 and 13.

8.International Data Transfers

We operate globally and may transfer, store, and process personal data in countries other than your own, whose data-protection laws may differ from those of your jurisdiction.

Where we transfer personal data from the EEA, UK, or Switzerland to a country without an adequacy decision, we implement an approved transfer mechanism, such as the European Commission’s Standard Contractual Clauses (SCCs) or the UK International Data Transfer Agreement / Addendum, supported by a transfer risk assessment and supplementary technical and organizational measures where appropriate. Where a U.S. recipient is self-certified under the EU–U.S. Data Privacy Framework (and its UK and Swiss extensions), we may rely on that framework for the relevant transfer.

You may request a copy of the relevant safeguards by contacting us using the details in Section 20.

9.Data Retention

We retain personal data only for as long as necessary to fulfill the purposes for which it was collected, including to satisfy legal, accounting, tax, or reporting requirements, and to establish or defend legal claims.

We determine retention periods based on the nature and sensitivity of the data, the purpose of processing, applicable legal or contractual retention obligations, and the risk of harm from unauthorized use or disclosure. For example, we typically retain: inquiry and marketing data until you unsubscribe or object and for a reasonable follow-up period thereafter; client and billing records for the duration of the engagement plus the period required by law; and recruitment data for up to 12 months unless a longer period is agreed or required.

When personal data is no longer required, we delete, anonymize, or securely destroy it.

10.Data Security

We maintain administrative, technical, and physical safeguards designed to protect personal data appropriate to the risk, which may include encryption in transit and at rest, access controls and least-privilege, network security, logging and monitoring, secure development practices, vendor due diligence, and staff training.

No method of transmission or storage is completely secure, and we cannot guarantee absolute security. You are responsible for keeping your account credentials confidential.

In the event of a personal-data breach that is likely to result in a risk to individuals, we will notify affected parties and the relevant supervisory authorities as and where required by applicable law and, for client data, in accordance with the applicable DPA.

11.Your Privacy Rights

Subject to your location and applicable law, you may have some or all of the following rights. We do not discriminate against you for exercising them.

a. EEA, UK, and Switzerland (GDPR)

  • Access to your personal data and information about how we process it;
  • Rectification of inaccurate or incomplete data;
  • Erasure (“right to be forgotten”) in certain circumstances;
  • Restriction of processing in certain circumstances;
  • Data portability for data you provided, where processing is based on consent or contract and carried out by automated means;
  • Objection to processing based on legitimate interests, and to direct marketing at any time;
  • Withdrawal of consent where processing is based on consent;
  • The right not to be subject to a decision based solely on automated processing that produces legal or similarly significant effects (see Section 14);
  • The right to lodge a complaint with your supervisory authority.

b. California (CCPA/CPRA)

  • Right to know the categories and specific pieces of personal information collected, the sources, purposes, and categories of recipients;
  • Right to delete personal information, subject to exceptions;
  • Right to correct inaccurate personal information;
  • Right to opt out of the “sale” or “sharing” of personal information;
  • Right to limit the use and disclosure of sensitive personal information;
  • Right to non-discrimination for exercising your rights; and
  • The right to use an authorized agent to submit requests.

We do not use or disclose sensitive personal information for purposes beyond those permitted under the CCPA. We do not knowingly sell or share the personal information of consumers under 16.

c. Other U.S. states

Residents of states with comprehensive privacy laws — including Virginia, Colorado, Connecticut, Utah, Texas, Oregon, Montana, Delaware, Iowa, Nebraska, New Hampshire, New Jersey, Minnesota, Maryland, Indiana, Kentucky, Rhode Island, Tennessee, and others — have rights to access, correct, delete, and obtain a portable copy of their personal data, and to opt out of targeted advertising, sale, and certain profiling. You also have the right to appeal a refusal of your request. Where required, we honor universal opt-out mechanisms such as GPC.

d. Canada (PIPEDA), Brazil (LGPD), and other regions

Individuals in Canada, Brazil, and other jurisdictions have rights of access, correction, and (under the LGPD) confirmation, portability, deletion, and information about sharing, among others. Individuals in the United States (State of Wyoming) have the rights provided under local data-protection law.

e. How to exercise your rights

Submit a request to contact@pekvor.com. We will verify your identity before responding and may decline or limit requests as permitted by law. Response times follow applicable law: under the EU/UK GDPR we respond within one month, extendable by up to two further months for complex or numerous requests (we will tell you within the first month and why); under the CCPA and most other U.S. state laws we respond within 45 days, extendable by a further 45 days (90 days total) with notice, and we act on requests to opt out of the sale or sharing of personal information as soon as feasibly possible and within 15 business days. There is normally no fee unless a request is manifestly unfounded, excessive, or repetitive.

Where we process personal data as a processor on a client’s behalf, we will refer your request to the relevant client (controller) and support them in responding.

12.Children’s Privacy

The Services are intended for businesses and individuals aged 18 and over and are not directed to children. We do not knowingly collect personal data from children under 16 (or the age of digital consent in your jurisdiction). If you believe a child has provided us personal data, contact us and we will take appropriate steps to delete it.

13.Automated Decision-Making and AI Features

Some Services, including OrchaFlow, use automation, machine learning, and artificial-intelligence features. We design these features to keep meaningful human oversight over decisions that produce legal or similarly significant effects, and we do not use solely automated decision-making of that kind without a lawful basis and appropriate safeguards.

AI-generated outputs may be inaccurate or incomplete and should be reviewed by a qualified person before being relied upon. We do not use client data or personal data to train third-party foundation models without an appropriate legal basis or the client’s instruction. Where third-party AI providers process data on our behalf, they are engaged as sub-processors under contractual restrictions.

14.Marketing Choices

You can opt out of marketing at any time by using the unsubscribe link in our emails or by contacting us. We will still send necessary service and administrative communications. Where required, we obtain your consent before sending electronic marketing and honor applicable rules such as the ePrivacy Directive, CAN-SPAM, and CASL.

16.Our Role as Processor vs. Controller

For personal data we handle in delivering Services to a client (including data within systems we build or operate and data in OrchaFlow tenants), we act as a processor/service provider and process it only per the client’s documented instructions and the DPA, which addresses security, sub-processing, transfers, breach notification, and assistance with data-subject requests.

For personal data about our own website visitors, prospects, contacts, applicants, and vendors, we act as a controller as described in this Policy.

17.Changes to This Policy

We may update this Policy from time to time to reflect changes in our practices, technologies, legal requirements, or other factors. We will post the updated version with a new “Last updated” date and, where required, provide additional notice or seek consent. Material changes take effect as stated in the notice.

18.How to Contact Us and Complaints

For any privacy question, request, or complaint, contact:

  • PEKVOR LLC — Privacy Team
  • Email: contact@pekvor.com

If you are in the EEA or UK and are not satisfied with our response, you may lodge a complaint with your local supervisory authority (for UK residents, the UK Information Commissioner’s Office (ICO); for EEA residents, your national data protection authority; complaints may also be made through our EU/UK representative). We would appreciate the chance to address your concerns first.

This Privacy Policy is benchmarked to major global privacy frameworks and common industry practice. It is not legal advice; we recommend a final review by qualified legal counsel before or shortly after it goes live.