Orchard Reach Ltd.
Privacy Policy
Effective: May 1, 2026
Draft — for legal review
1. Introduction
Orchard Reach Ltd. ("Orchard Reach," "we," "us," or "our"), a company registered in Bulgaria under UIC 208684883, with its registered office in Sofia, Bulgaria, operates the email outreach platform available at orchardreach.com (the "Platform"). This Privacy Policy explains how we collect, use, store, and protect personal data in compliance with the General Data Protection Regulation (EU) 2016/679 ("GDPR") and applicable Bulgarian data protection legislation.
For all privacy-related inquiries, please contact us at info@orchardreach.com.
2. Data Controller
Orchard Reach Ltd. is the data controller for personal data collected through the Platform in the course of providing our services. For personal data that our customers upload or provide to us for the purposes of email outreach campaigns (such as prospect contact information), Orchard Reach acts as a data processor on behalf of the customer, who remains the data controller. The relationship between Orchard Reach and its customers in this capacity is governed by our Data Processing Agreement.
3. Personal Data We Collect
3.1 Account Data (Data Controller)
When you register for and use our Platform, we collect the following personal data directly from you:
- Full name and business contact details (email address, phone number)
- Company name, job title, and industry
- Billing information processed through Stripe (we do not store full payment card details)
- Account credentials (managed through our authentication service)
- Communication preferences and account settings
- Usage data, including login history, feature usage, and campaign performance metrics
3.2 Prospect Data (Data Processor)
Orchard Reach conducts automated research and generates email outreach content on behalf of our customers. In the course of providing this service, we process prospect data which may include:
- Business contact names and email addresses
- Company names, job titles, and professional information
- Publicly available business information used for research and personalisation
Orchard Reach processes this data solely on behalf of and under the instructions of our customers. Customers are responsible for ensuring they have a lawful basis for the outreach campaigns conducted through our Platform.
3.3 Website Visitor Data
When you visit orchardreach.com, we collect data through cookies and similar tracking technologies as described in our Cookie Policy. This includes IP addresses, browser type, device information, pages visited, and referral sources.
4. Legal Bases for Processing
We process personal data under the following legal bases as defined by Article 6 of the GDPR:
- Contract performance (Article 6(1)(b)): Processing account data necessary to provide you with our Platform services, manage your subscription, and fulfil our contractual obligations.
- Legitimate interests (Article 6(1)(f)): Processing usage data to improve our Platform, ensure security, prevent fraud, and for internal analytics. Our legitimate interest is balanced against your rights and freedoms.
- Consent (Article 6(1)(a)): Processing website visitor data through non-essential cookies, and sending marketing communications. You may withdraw consent at any time through your cookie preferences or by contacting us.
- Legal obligation (Article 6(1)(c)): Processing data necessary to comply with applicable laws, including tax, accounting, and regulatory requirements.
5. Data Sharing and Sub-Processors
We share personal data with the following categories of third-party service providers ("sub-processors"), each of which is bound by data processing agreements:
- Cloud infrastructure: Amazon Web Services (AWS), EU region eu-central-1 (Frankfurt, Germany), for hosting and data storage.
- Payment processing: Stripe, Inc. (USA), for subscription billing and payment handling. Stripe participates in the EU-US Data Privacy Framework.
- CRM: HubSpot, Inc. (USA), for customer relationship management. HubSpot participates in the EU-US Data Privacy Framework.
- Email infrastructure: Mailreef, for email sending and deliverability management.
- Analytics and tracking: Google Analytics (GA4), Microsoft Clarity, Meta Pixel, LinkedIn Insight Tag, and TikTok Pixel, as detailed in our Cookie Policy.
- Content management: Sanity.io, for website content delivery.
A complete and current list of sub-processors is maintained on our Sub-Processor List page. Changes to sub-processors are subject to the notification procedures described in our Data Processing Agreement.
6. International Data Transfers
Our primary infrastructure is hosted within the European Union (AWS eu-central-1, Frankfurt). However, certain sub-processors, including Stripe and HubSpot, are based in the United States. For these transfers, we rely on:
- The EU-US Data Privacy Framework, where the sub-processor is a certified participant;
- Standard Contractual Clauses (SCCs) approved by the European Commission, where the Data Privacy Framework does not apply.
We assess each sub-processor's data protection practices and the legal framework of the recipient country to ensure adequate safeguards are in place.
7. Data Retention
We retain personal data only for as long as necessary to fulfil the purposes for which it was collected:
- Account data: Retained for the duration of your active subscription, plus 90 days following account cancellation or deletion, to allow for account recovery and to fulfil legal and accounting obligations.
- Prospect data: Retained for the duration of the customer's active subscription. Deleted within 30 days of account closure, unless the customer requests earlier deletion.
- Campaign analytics and logs: Retained for 12 months from the date of creation for performance analysis and deliverability optimisation. Aggregated, anonymised data may be retained indefinitely.
- Website visitor data (cookies): Retained in accordance with the retention periods specified in our Cookie Policy.
- Billing records: Retained for the period required by Bulgarian tax and accounting legislation (currently 10 years).
8. Your Rights Under GDPR
As a data subject, you have the following rights under the GDPR. To exercise any of these rights, please contact us at info@orchardreach.com. We will respond within 30 days of receiving your request.
- Right of access (Article 15): You may request a copy of the personal data we hold about you.
- Right to rectification (Article 16): You may request correction of inaccurate or incomplete personal data.
- Right to erasure (Article 17): You may request deletion of your personal data, subject to legal retention requirements.
- Right to restrict processing (Article 18): You may request that we limit our processing of your personal data in certain circumstances.
- Right to data portability (Article 19): You may request your personal data in a structured, commonly used, machine-readable format.
- Right to object (Article 21): You may object to processing based on legitimate interests, including profiling.
- Right to withdraw consent: Where processing is based on consent, you may withdraw it at any time without affecting the lawfulness of prior processing.
- Right to lodge a complaint: You have the right to lodge a complaint with the Commission for Personal Data Protection of Bulgaria (CPDP) at cpdp.bg, or with any other competent EU supervisory authority.
9. Automated Decision-Making
Orchard Reach uses automated processes to research prospects, generate personalised email content, and optimise campaign deliverability. These automated processes do not produce legal effects or similarly significant effects on individuals. No automated decisions are made regarding the approval, rejection, or scoring of individuals that would affect their rights or freedoms.
10. Data Security
We implement appropriate technical and organisational measures to protect personal data, including encryption in transit (TLS 1.2+) and at rest (AES-256 via AWS), access controls through our authentication service, regular security reviews, and employee access limited to the minimum necessary. Further details are available in our Security Policy.
11. Changes to This Privacy Policy
We may update this Privacy Policy from time to time. Material changes will be communicated via email to registered users and by posting the revised policy on our website with an updated effective date. Continued use of the Platform after the effective date constitutes acceptance of the updated policy.