Orchard Reach Ltd.
All Policies
Effective: May 1, 2026
Draft — for legal review
Privacy Policy
1. Introduction
Orchard Reach Ltd. ("Orchard Reach," "we," "us," or "our"), a company registered in Bulgaria under UIC 208684883, with its registered office in Sofia, Bulgaria, operates the email outreach platform available at orchardreach.com (the "Platform"). This Privacy Policy explains how we collect, use, store, and protect personal data in compliance with the General Data Protection Regulation (EU) 2016/679 ("GDPR") and applicable Bulgarian data protection legislation.
For all privacy-related inquiries, please contact us at info@orchardreach.com.
2. Data Controller
Orchard Reach Ltd. is the data controller for personal data collected through the Platform in the course of providing our services. For personal data that our customers upload or provide to us for the purposes of email outreach campaigns (such as prospect contact information), Orchard Reach acts as a data processor on behalf of the customer, who remains the data controller. The relationship between Orchard Reach and its customers in this capacity is governed by our Data Processing Agreement.
3. Personal Data We Collect
3.1 Account Data (Data Controller)
When you register for and use our Platform, we collect the following personal data directly from you:
- Full name and business contact details (email address, phone number)
- Company name, job title, and industry
- Billing information processed through Stripe (we do not store full payment card details)
- Account credentials (managed through our authentication service)
- Communication preferences and account settings
- Usage data, including login history, feature usage, and campaign performance metrics
3.2 Prospect Data (Data Processor)
Orchard Reach conducts automated research and generates email outreach content on behalf of our customers. In the course of providing this service, we process prospect data which may include:
- Business contact names and email addresses
- Company names, job titles, and professional information
- Publicly available business information used for research and personalisation
Orchard Reach processes this data solely on behalf of and under the instructions of our customers. Customers are responsible for ensuring they have a lawful basis for the outreach campaigns conducted through our Platform.
3.3 Website Visitor Data
When you visit orchardreach.com, we collect data through cookies and similar tracking technologies as described in our Cookie Policy. This includes IP addresses, browser type, device information, pages visited, and referral sources.
4. Legal Bases for Processing
We process personal data under the following legal bases as defined by Article 6 of the GDPR:
- Contract performance (Article 6(1)(b)): Processing account data necessary to provide you with our Platform services, manage your subscription, and fulfil our contractual obligations.
- Legitimate interests (Article 6(1)(f)): Processing usage data to improve our Platform, ensure security, prevent fraud, and for internal analytics. Our legitimate interest is balanced against your rights and freedoms.
- Consent (Article 6(1)(a)): Processing website visitor data through non-essential cookies and marketing communications. You may withdraw consent at any time through your cookie preferences or by contacting us.
- Legal obligation (Article 6(1)(c)): Processing data necessary to comply with applicable laws, including tax, accounting, and regulatory requirements.
5. Data Sharing and Sub-Processors
We share personal data with the following categories of third-party service providers ("sub-processors"), each of which is bound by data processing agreements:
- Cloud infrastructure: Amazon Web Services (AWS), EU region eu-central-1 (Frankfurt, Germany), for hosting and data storage.
- Payment processing: Stripe, Inc. (USA), for subscription billing and payment handling. Stripe participates in the EU-US Data Privacy Framework.
- CRM: HubSpot, Inc. (USA), for customer relationship management. HubSpot participates in the EU-US Data Privacy Framework.
- Email infrastructure: Mailreef, for email sending and deliverability management.
- Analytics and tracking: Google Analytics (GA4), Microsoft Clarity, Meta Pixel, LinkedIn Insight Tag, and TikTok Pixel, as detailed in our Cookie Policy.
- Content management: Sanity.io, for website content delivery.
A complete and current list of sub-processors is maintained on our Sub-Processor List page. Changes to sub-processors are subject to the notification procedures described in our Data Processing Agreement.
6. International Data Transfers
Our primary infrastructure is hosted within the European Union (AWS eu-central-1, Frankfurt). However, certain sub-processors, including Stripe and HubSpot, are based in the United States. For these transfers, we rely on:
- The EU-US Data Privacy Framework, where the sub-processor is a certified participant;
- Standard Contractual Clauses (SCCs) approved by the European Commission, where the Data Privacy Framework does not apply.
We assess each sub-processor's data protection practices and the legal framework of the recipient country to ensure adequate safeguards are in place.
7. Data Retention
We retain personal data only for as long as necessary to fulfil the purposes for which it was collected:
- Account data: Retained for the duration of your active subscription, plus 90 days following account cancellation or deletion, to allow for account recovery and to fulfil legal and accounting obligations.
- Prospect data: Retained for the duration of the customer's active subscription. Deleted within 30 days of account closure, unless the customer requests earlier deletion.
- Campaign analytics and logs: Retained for 12 months from the date of creation for performance analysis and deliverability optimisation. Aggregated, anonymised data may be retained indefinitely.
- Website visitor data (cookies): Retained in accordance with the retention periods specified in our Cookie Policy.
- Billing records: Retained for the period required by Bulgarian tax and accounting legislation (currently 10 years).
8. Your Rights Under GDPR
As a data subject, you have the following rights under the GDPR. To exercise any of these rights, please contact us at info@orchardreach.com. We will respond within 30 days of receiving your request.
- Right of access (Article 15): You may request a copy of the personal data we hold about you.
- Right to rectification (Article 16): You may request correction of inaccurate or incomplete personal data.
- Right to erasure (Article 17): You may request deletion of your personal data, subject to legal retention requirements.
- Right to restrict processing (Article 18): You may request that we limit our processing of your personal data in certain circumstances.
- Right to data portability (Article 19): You may request your personal data in a structured, commonly used, machine-readable format.
- Right to object (Article 21): You may object to processing based on legitimate interests, including profiling.
- Right to withdraw consent: Where processing is based on consent, you may withdraw it at any time without affecting the lawfulness of prior processing.
- Right to lodge a complaint: You have the right to lodge a complaint with the Commission for Personal Data Protection of Bulgaria (CPDP) at cpdp.bg, or with any other competent EU supervisory authority.
9. Automated Decision-Making
Orchard Reach uses automated processes to research prospects, generate personalised email content, and optimise campaign deliverability. These automated processes do not produce legal effects or similarly significant effects on individuals. No automated decisions are made regarding the approval, rejection, or scoring of individuals that would affect their rights or freedoms.
10. Data Security
We implement appropriate technical and organisational measures to protect personal data, including encryption in transit (TLS 1.2+) and at rest (AES-256 via AWS), access controls through our authentication service, regular security reviews, and employee access limited to the minimum necessary. Further details are available in our Security Policy.
11. Changes to This Privacy Policy
We may update this Privacy Policy from time to time. Material changes will be communicated via email to registered users and by posting the revised policy on our website with an updated effective date. Continued use of the Platform after the effective date constitutes acceptance of the updated policy.
Terms of Service
1. Agreement to Terms
These Terms of Service ("Terms") constitute a legally binding agreement between you ("Customer," "you," or "your") and Orchard Reach Ltd., a company registered in Bulgaria under UIC 208684883, with its registered office in Sofia, Bulgaria ("Orchard Reach," "we," "us," or "our"). By accessing or using the Orchard Reach platform at orchardreach.com (the "Platform"), you agree to be bound by these Terms. If you do not agree, you must not use the Platform.
These Terms apply to all visitors, users, and subscribers of the Platform. Additional terms may apply to specific features or services, which will be presented to you at the time of use.
2. Description of Service
Orchard Reach is a B2B SaaS platform that automates cold email outreach. The Platform conducts automated research on target businesses, generates personalised email content, and manages the sending infrastructure and deliverability on behalf of customers. Orchard Reach manages all aspects of the sending process, including domain management, email warmup, and reputation monitoring.
3. Account Registration and Responsibilities
To use the Platform, you must create an account and provide accurate, complete, and current information. You are responsible for:
- Maintaining the confidentiality of your account credentials;
- All activity that occurs under your account;
- Promptly notifying us at info@orchardreach.com of any unauthorised access or use of your account.
You represent and warrant that you are at least 18 years of age and have the legal authority to enter into these Terms on behalf of yourself or the organisation you represent.
4. Subscription Plans and Payment
Orchard Reach offers paid subscription plans as described on our Pricing page. By subscribing to a paid plan, you agree to the following:
- Billing: Subscription fees are billed in advance on a monthly or annual basis, as selected at the time of purchase. All prices are in Euros (€) unless otherwise stated.
- Payment method: Payments are processed securely through Stripe. You authorise us to charge your designated payment method for recurring subscription fees.
- Price changes: We may adjust subscription pricing with at least 30 days' written notice. Price changes take effect at the start of the next billing cycle following the notice period.
- Taxes: All fees are exclusive of applicable taxes (including VAT), which will be charged where required by law.
- Failed payments: If a payment fails, we will attempt to charge the payment method again. If payment remains outstanding for more than 14 days, we reserve the right to suspend your account until the balance is settled.
5. Customer Content and Intellectual Property
5.1 Your Content
You retain all ownership rights to the data, business information, targeting preferences, and other content you provide to the Platform ("Customer Content"). By using the Platform, you grant Orchard Reach a limited, non-exclusive, worldwide licence to use, process, and store your Customer Content solely for the purpose of providing and improving our services.
5.2 Our Intellectual Property
All rights, title, and interest in the Platform, including its software, design, algorithms, research methodologies, documentation, trademarks, and any proprietary technology, remain the exclusive property of Orchard Reach. These Terms do not grant you any right to use our trademarks, branding, or proprietary materials except as required to use the Platform.
5.3 Feedback
If you provide suggestions, feature requests, or other feedback regarding the Platform, you grant Orchard Reach an unrestricted, perpetual, irrevocable licence to use such feedback for any purpose without compensation or attribution.
6. Acceptable Use
Your use of the Platform is subject to our Acceptable Use Policy and our Anti-Spam Policy. Violation of either policy may result in suspension or termination of your account.
7. Compliance Obligations
You are solely responsible for ensuring that your use of the Platform complies with all applicable laws and regulations, including but not limited to:
- The General Data Protection Regulation (GDPR) and applicable national data protection laws;
- The CAN-SPAM Act (United States);
- The Canadian Anti-Spam Legislation (CASL);
- The Privacy and Electronic Communications Regulations (PECR, United Kingdom);
- Any other applicable anti-spam, data protection, or electronic communications legislation in the jurisdictions where your recipients are located.
You represent and warrant that the outreach campaigns conducted through the Platform are directed at legitimate B2B contacts and that you have a lawful basis for such outreach.
8. Beta and Preview Features
From time to time, we may offer beta, preview, or experimental features. These features are provided "as is" and "as available" without warranty of any kind. We may modify or discontinue beta features at any time without notice. Your use of beta features is at your own risk and does not entitle you to any service level commitments.
9. Limitation of Liability
To the maximum extent permitted by applicable law:
- Liability cap: Orchard Reach's total aggregate liability to you for all claims arising out of or related to these Terms or your use of the Platform shall not exceed the total fees paid by you to Orchard Reach during the twelve (12) months immediately preceding the event giving rise to the claim.
- Exclusion of damages: In no event shall Orchard Reach be liable for any indirect, incidental, special, consequential, or punitive damages, including but not limited to loss of profits, data, business opportunities, or goodwill, regardless of whether such damages were foreseeable.
- Third-party actions: Orchard Reach is not liable for actions taken by email service providers, internet service providers, or other third parties that may affect the delivery or reception of emails sent through the Platform.
Nothing in these Terms excludes or limits liability for death or personal injury caused by negligence, fraud, or any other liability that cannot be excluded or limited under applicable law.
10. Indemnification
You agree to indemnify, defend, and hold harmless Orchard Reach, its officers, directors, employees, and agents from and against any claims, liabilities, damages, losses, and expenses (including reasonable legal fees) arising out of or related to: (a) your violation of these Terms; (b) your violation of any applicable law or regulation; (c) your Customer Content; or (d) any third-party claim related to the outreach campaigns conducted on your behalf.
11. Suspension and Termination
By Orchard Reach: We may suspend or terminate your account immediately if you breach these Terms, the Acceptable Use Policy, or the Anti-Spam Policy, or if we are required to do so by law. We may also suspend your account for non-payment as described in Section 4.
By you: You may cancel your subscription at any time through your account settings. Cancellation takes effect at the end of the current billing period. See our Refund and Cancellation Policy for details.
Effect of termination: Upon termination, your right to use the Platform ceases. You will have 30 days from the effective date of termination to export your data. After this period, we will delete your data in accordance with our Privacy Policy retention schedule.
12. Modifications to Terms
We reserve the right to modify these Terms at any time. We will provide at least 30 days' advance written notice of material changes via email to the address associated with your account. Your continued use of the Platform after the effective date of any modification constitutes your acceptance of the updated Terms. If you do not agree to the modified Terms, you must discontinue use of the Platform before they take effect.
13. Governing Law and Dispute Resolution
These Terms are governed by and construed in accordance with the laws of the Republic of Bulgaria, without regard to its conflict of laws principles. Any disputes arising out of or in connection with these Terms shall be submitted to the exclusive jurisdiction of the courts of Sofia, Bulgaria.
14. General Provisions
- Entire agreement: These Terms, together with the Privacy Policy, Acceptable Use Policy, Anti-Spam Policy, Cookie Policy, Data Processing Agreement, and Refund and Cancellation Policy, constitute the entire agreement between you and Orchard Reach.
- Severability: If any provision of these Terms is found to be invalid or unenforceable, the remaining provisions shall remain in full force and effect.
- Waiver: No waiver of any term shall be deemed a further or continuing waiver of such term or any other term.
- Assignment: You may not assign or transfer your rights under these Terms without our prior written consent. Orchard Reach may assign its rights and obligations without restriction.
- Force majeure: Orchard Reach shall not be liable for any failure or delay in performance due to circumstances beyond its reasonable control, including natural disasters, government actions, internet disruptions, or third-party service failures.
Acceptable Use Policy
1. Purpose
This Acceptable Use Policy ("AUP") governs how customers may use the Orchard Reach platform. It is designed to protect the integrity of our sending infrastructure, maintain high deliverability for all customers, and ensure compliance with applicable laws. This AUP is incorporated by reference into our Terms of Service.
2. Platform Responsibilities
Orchard Reach manages all aspects of the email outreach process, including automated prospect research, email content generation, domain and mailbox management, sending schedules, and deliverability monitoring. Customers provide business context, value propositions, and targeting preferences; Orchard Reach handles the execution.
3. Customer Responsibilities
While Orchard Reach manages the sending process, customers are responsible for:
- Providing accurate and truthful information about their business, products, and services;
- Ensuring their products, services, or business activities are lawful in all relevant jurisdictions;
- Ensuring their business falls outside the prohibited industries listed in Section 5;
- Responding promptly to any compliance inquiries from Orchard Reach;
- Not attempting to circumvent sending controls, reputation monitoring, or other platform safeguards.
4. Prohibited Content
Emails sent through the Platform must not contain:
- False, misleading, or deceptive content, including misleading subject lines;
- Content that infringes on intellectual property rights of any third party;
- Malware, phishing links, or other malicious content;
- Content that promotes hatred, discrimination, or violence;
- Any content that violates applicable laws or regulations.
5. Prohibited Industries
Orchard Reach does not provide services to businesses operating in the following industries or verticals, as these are associated with high spam complaint rates and deliverability risk:
- Gambling and online casinos
- Adult or pornographic content
- Pharmaceutical products and dietary supplements
- Cryptocurrency, NFT promotions, and speculative financial instruments
- Debt collection agencies
- Multi-level marketing (MLM) and pyramid schemes
- Weapons, firearms, and ammunition
- Cannabis and CBD products
- Payday loans and predatory lending
- Political campaigns and political action committees
Orchard Reach reserves the right to refuse service to any business that, in our sole judgment, poses a reputational or deliverability risk to the Platform.
6. Deliverability and Reputation Monitoring
Orchard Reach monitors sending reputation metrics across all managed domains and campaigns. To protect platform-wide deliverability, the following thresholds apply:
- Bounce rate: Campaigns generating a hard bounce rate exceeding 3% will be flagged for review. Campaigns exceeding a 5% hard bounce rate may be paused immediately.
- Spam complaint rate: Campaigns generating a spam complaint rate exceeding 0.1% will be flagged for review. Campaigns exceeding a 0.3% complaint rate may be paused immediately.
These thresholds exist to protect all customers on the Platform. Because Orchard Reach controls the sending process, elevated metrics may indicate an issue with the customer's business context, value proposition, or target market. Orchard Reach will work with the customer to identify and resolve the issue.
7. Sending Limits
Sending volumes are governed by your subscription tier as described on our Pricing page. Orchard Reach manages sending volumes, warm-up schedules, and per-domain limits to optimise deliverability. Customers may not attempt to circumvent these limits or request sending volumes that exceed safe deliverability thresholds.
8. Enforcement
Violations of this AUP are handled through the following escalation process:
- First violation: Written warning issued to the customer via email. Affected campaigns may be paused for up to 24 hours while the issue is reviewed and resolved.
- Second violation: Account suspension for up to 7 days. The customer must acknowledge the violation and confirm corrective action before service is restored.
- Third violation or severe breach: Permanent account termination. No refund will be issued for the remaining subscription period.
Orchard Reach reserves the right to bypass the escalation process and immediately suspend or terminate an account in cases of severe or intentional violations, including use of the Platform for prohibited industries, fraud, or any activity that poses an immediate threat to our infrastructure or other customers.
9. Reporting Violations
If you become aware of any misuse of the Platform, please report it to info@orchardreach.com.
Data Processing Agreement
1. Scope and Parties
This Data Processing Agreement ("DPA") is entered into between the customer using the Orchard Reach platform ("Data Controller" or "Controller") and Orchard Reach Ltd., UIC 208684883, Sofia, Bulgaria ("Data Processor" or "Processor"). This DPA supplements and forms part of the Terms of Service and applies to all processing of personal data by the Processor on behalf of the Controller in connection with the Platform.
2. Definitions
Terms used in this DPA have the meanings given to them in the GDPR. "Personal Data," "Processing," "Data Subject," "Controller," "Processor," and "Supervisory Authority" have the definitions set forth in Article 4 of the GDPR.
3. Subject Matter and Duration
The Processor processes personal data on behalf of the Controller for the purpose of providing the Orchard Reach email outreach platform services, including automated prospect research, email content generation, and campaign management. Processing begins on the date the Controller creates an account and continues for the duration of the subscription, plus the data retention period described in our Privacy Policy.
4. Nature and Purpose of Processing
The Processor processes prospect personal data (names, business email addresses, job titles, company information, and publicly available professional information) for the purpose of conducting automated research, generating personalised email outreach, managing sending infrastructure, and providing campaign analytics to the Controller.
5. Processor Obligations
The Processor shall:
- Process personal data only on documented instructions from the Controller, unless required by EU or Member State law;
- Ensure that persons authorised to process personal data are bound by confidentiality obligations;
- Implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, as described in the Security Policy;
- Assist the Controller in responding to data subject requests (access, rectification, erasure, portability, objection, and restriction);
- Assist the Controller in ensuring compliance with obligations regarding data breach notification, data protection impact assessments, and prior consultations with supervisory authorities;
- At the Controller's choice, delete or return all personal data upon termination of the service, unless EU or Member State law requires continued storage;
- Make available to the Controller all information necessary to demonstrate compliance with the obligations set forth in this DPA and Article 28 of the GDPR.
6. Sub-Processors
The Controller provides general authorisation for the Processor to engage sub-processors. A current list of sub-processors is maintained at orchardreach.com/legal/sub-processors.
- Notification of changes: The Processor will notify the Controller via email at least 30 days before engaging a new sub-processor or replacing an existing one.
- Right to object: The Controller may object to a new sub-processor within 30 days of receiving notification. If the Controller objects and the parties cannot resolve the objection within a reasonable period, the Controller may terminate the affected services by providing written notice. The Processor will not engage the objected-to sub-processor for processing the Controller's data until the objection is resolved.
- Sub-processor obligations: The Processor ensures that each sub-processor is bound by data protection obligations no less protective than those in this DPA.
7. Data Breach Notification
The Processor shall notify the Controller without undue delay, and in any event within 72 hours of becoming aware of a personal data breach affecting the Controller's data. The notification shall include:
- A description of the nature of the breach, including the categories and approximate number of data subjects and records affected;
- The name and contact details of the point of contact for further information;
- A description of the likely consequences of the breach;
- A description of the measures taken or proposed to address the breach, including measures to mitigate its possible adverse effects.
8. Audit Rights
The Processor shall make available to the Controller, upon reasonable request and no more than once per year, an annual summary report describing the technical and organisational security measures in place and any relevant audit or assessment results.
Enterprise customers may request an on-site or remote audit of the Processor's data processing activities, subject to the following conditions: (a) the audit is conducted at the Controller's expense; (b) reasonable advance notice of at least 30 days is provided; (c) the audit is conducted during normal business hours and does not unreasonably disrupt the Processor's operations; and (d) confidential information of other customers is not disclosed.
9. International Transfers
The Processor processes data primarily within the European Economic Area (AWS eu-central-1, Frankfurt). Where personal data is transferred to sub-processors outside the EEA, the Processor ensures appropriate safeguards are in place, including the EU-US Data Privacy Framework and Standard Contractual Clauses, as described in the Privacy Policy.
10. Governing Law
This DPA is governed by the laws of the Republic of Bulgaria. Any disputes arising from this DPA shall be submitted to the courts of Sofia, Bulgaria.
Refund & Cancellation Policy
1. Cancellation
You may cancel your Orchard Reach subscription at any time through your account settings or by contacting us at info@orchardreach.com. Cancellation takes effect at the end of your current billing period. You will continue to have access to the Platform and all features of your plan until the end of the paid period.
2. No Refunds
All subscription fees are non-refundable. This includes monthly subscription fees, annual subscription fees, and any fees for add-on services. By subscribing to a paid plan, you acknowledge and agree that all sales are final.
3. Discretionary Exceptions
Orchard Reach may, at its sole and absolute discretion, issue a partial or full refund in exceptional circumstances, including but not limited to:
- Verified and sustained service failures attributable to Orchard Reach that materially prevented you from using the Platform;
- Billing errors resulting in overcharges;
- Early cancellation within the first 14 days of a new subscription, evaluated on a case-by-case basis.
Any refund decision made by Orchard Reach is final and does not establish a precedent, entitlement, or obligation for future refund requests. Refund requests should be directed to info@orchardreach.com.
4. Data Export
Following cancellation, you will have 30 days to export your data from the Platform. After this 30-day window, your data will be deleted in accordance with the retention periods specified in our Privacy Policy. We recommend exporting all necessary data before your cancellation takes effect.
5. Account Termination by Orchard Reach
If your account is terminated by Orchard Reach due to a violation of our Terms of Service, Acceptable Use Policy, or Anti-Spam Policy, no refund will be issued for the remaining subscription period. You will still have 30 days to export your data unless the violation involves illegal activity, in which case data may be preserved for legal purposes.
Anti-Spam Policy
1. Our Commitment
Orchard Reach is committed to responsible email outreach practices. Spam undermines the effectiveness of legitimate business communication and damages the deliverability of all users on our Platform. This Anti-Spam Policy outlines how we prevent, detect, and respond to spam and other forms of unsolicited or harmful email.
2. How We Prevent Spam
Orchard Reach takes a proactive approach to spam prevention through the following measures:
- Automated research and targeting: Our platform conducts its own research to identify relevant prospects, reducing the risk of sending to unverified or irrelevant contacts.
- Content generation: All outreach emails are generated by our platform to be personalised, relevant, and professional. Generic mass messaging templates are not used.
- Sending infrastructure management: We manage all sending domains, mailboxes, warm-up schedules, and sending volumes to maintain optimal deliverability and comply with best practices.
- Automatic unsubscribe: Every email sent through the Platform includes an automatic one-click unsubscribe mechanism in compliance with CAN-SPAM and GDPR requirements. Recipients who unsubscribe are immediately and permanently suppressed from future outreach.
- Suppression lists: We maintain global and customer-specific suppression lists that prevent emails from being sent to recipients who have opted out, bounced, or been flagged.
3. Monitoring and Enforcement
Orchard Reach actively monitors the following deliverability and reputation metrics:
- Hard bounce rates across all managed domains
- Spam complaint rates reported by major mailbox providers
- Blacklist status of sending IPs and domains (including Spamhaus, Barracuda, and other major blacklists)
- Sender reputation scores via Google Postmaster Tools and other monitoring services
When metrics exceed acceptable thresholds (as defined in our Acceptable Use Policy), Orchard Reach will take corrective action, which may include pausing campaigns, adjusting targeting, or contacting the customer to discuss modifications.
4. Customer Obligations
While Orchard Reach manages the outreach process, customers are responsible for:
- Providing accurate information about their business, products, and services;
- Not requesting outreach to individuals who have previously opted out of communications from the customer;
- Not providing misleading or false business information that would result in deceptive email content;
- Complying with all applicable anti-spam and electronic communications laws.
5. Recipient Rights
Recipients of emails sent through the Orchard Reach platform have the right to:
- Unsubscribe from further emails at any time using the one-click unsubscribe link included in every message;
- Report any email as spam or unwanted, which will be reflected in our monitoring metrics;
- Contact us at info@orchardreach.com to request removal from all outreach lists.
Unsubscribe requests are processed immediately and automatically. Once a recipient unsubscribes, they will not receive further outreach from the relevant customer through our Platform.
6. Reporting Spam
If you believe you have received spam or unsolicited email through the Orchard Reach platform, please contact us at info@orchardreach.com with the full email headers and content. We will investigate and take appropriate action.
Security Policy
1. Overview
Orchard Reach is committed to protecting the security and confidentiality of customer data and prospect data processed through our Platform. This Security Policy describes the technical and organisational measures we implement to safeguard data. While we do not currently hold SOC 2 or ISO 27001 certifications, we follow industry best practices appropriate to the nature and scale of our operations.
2. Infrastructure Security
- Cloud hosting: The Platform is hosted on Amazon Web Services (AWS) in the EU region eu-central-1 (Frankfurt, Germany). AWS maintains SOC 1, SOC 2, SOC 3, and ISO 27001 certifications for its infrastructure.
- Encryption in transit: All data transmitted between users and the Platform is encrypted using TLS 1.2 or higher. Internal service-to-service communication is also encrypted.
- Encryption at rest: All data stored on the Platform, including databases and file storage, is encrypted at rest using AES-256 encryption via AWS managed keys.
- Network security: The Platform employs private subnets, security groups, and network access control lists to restrict access to internal services. Backend services are not directly accessible from the public internet.
3. Application Security
- Authentication: User authentication is managed through a dedicated authentication service with support for secure password policies and session management.
- Access control: Role-based access control (RBAC) is implemented across the Platform, ensuring users only have access to features and data appropriate to their subscription tier and role.
- Secrets management: API keys, database credentials, and other sensitive configuration values are stored in AWS Systems Manager Parameter Store and AWS Secrets Manager, not in source code.
- Dependency management: We regularly review and update third-party dependencies to address known vulnerabilities.
4. Operational Security
- Access policies: Employee and contractor access to production systems is limited to the minimum necessary for their role. Access is reviewed periodically and revoked upon role change or departure.
- Logging and monitoring: We maintain logs of system activity and security events. Anomalous activity is reviewed and investigated.
- Incident response: We maintain an incident response process for handling security events. In the event of a personal data breach, affected customers will be notified within 72 hours of discovery, as described in our Data Processing Agreement.
5. Payment Security
All payment processing is handled by Stripe, which is PCI DSS Level 1 certified. Orchard Reach does not store, process, or transmit full payment card data. Payment information is submitted directly to Stripe's secure infrastructure.
6. Data Backup and Recovery
Customer data is backed up regularly using AWS-native backup services. Backups are encrypted and stored within the EU region. We maintain and periodically test recovery procedures to ensure data availability in the event of a failure.
7. Vulnerability Disclosure
If you discover a security vulnerability in the Orchard Reach platform, we encourage responsible disclosure. Please report any security concerns to info@orchardreach.com. We will acknowledge receipt within 48 hours and work to address confirmed vulnerabilities promptly. We request that you do not publicly disclose the vulnerability until we have had a reasonable opportunity to address it.
8. Continuous Improvement
We regularly review and improve our security practices as the Platform grows. This includes evaluating the need for formal certifications such as SOC 2 and ISO 27001 as our customer base and operational complexity increase.
Sub-Processor List
1. Overview
This page lists the sub-processors engaged by Orchard Reach Ltd. to process personal data on behalf of our customers. This list is maintained in accordance with our Data Processing Agreement and GDPR requirements. Customers are notified at least 30 days in advance of any changes to this list.
For questions about our sub-processors, please contact info@orchardreach.com.
2. Current Sub-Processors
The following sub-processors are currently engaged by Orchard Reach:
| Sub-Processor | Purpose | Location | Data Processed |
|---|---|---|---|
| Amazon Web Services (AWS) | Cloud hosting, data storage, compute infrastructure | EU (Frankfurt, Germany) | All Platform data including account data, prospect data, and campaign analytics |
| Stripe, Inc. | Payment processing and subscription billing | USA (EU-US DPF certified) | Customer billing information, transaction records |
| HubSpot, Inc. | Customer relationship management and marketing automation | USA (EU-US DPF certified) | Customer contact details, website visitor tracking data |
| Mailreef | Email sending infrastructure and deliverability management | See current documentation | Prospect email addresses, email content, delivery metadata |
| Sanity.io | Content management system for website | EU/USA | No personal data (website content only) |
| Google LLC (GA4) | Website analytics | USA (EU-US DPF certified) | Anonymised website usage data, IP addresses (anonymised) |
| Microsoft Corporation (Clarity) | Website analytics and behaviour mapping | USA (EU-US DPF certified) | Website interaction data, session recordings |
| Meta Platforms, Inc. | Advertising conversion tracking | USA (EU-US DPF certified) | Website visitor data (with cookie consent) |
| LinkedIn Corporation | Advertising conversion tracking | USA (EU-US DPF certified) | Website visitor data (with cookie consent) |
| TikTok / ByteDance Ltd. | Advertising conversion tracking | Singapore / USA | Website visitor data (with cookie consent) |
3. International Transfer Safeguards
For sub-processors located outside the European Economic Area, Orchard Reach relies on the following transfer mechanisms:
- EU-US Data Privacy Framework (DPF): For sub-processors certified under the DPF, as indicated in the table above.
- Standard Contractual Clauses (SCCs): For sub-processors not certified under the DPF, we execute Standard Contractual Clauses approved by the European Commission.
4. Changes to This List
Orchard Reach will notify customers via email at least 30 days before engaging a new sub-processor or making material changes to existing sub-processor arrangements. Customers may object to changes in accordance with the procedures described in our Data Processing Agreement.
5. Version History
This sub-processor list was last updated on May 1, 2026. Previous versions are available upon request by contacting info@orchardreach.com.