Request Demo

Privacy Policy

Last Updated: January 16, 2026
Effective Date: January 16, 2026

This Privacy Policy explains how Orvia Technologies, Inc. ("we", "our", "us", "HAS", or "Company") collects, uses, stores, shares, and protects your information when you use our website (orviahq.com), desktop application, mobile applications, and related services (collectively, the "Service" or "Services").

HAS provides hotel audit and quality management software to hotels, resorts, restaurant chains, and multi-property hospitality groups ("Customers" or "Business Users"). Understanding our different data roles is critical:

Data Controller vs. Data Processor

  • Data Controller (for Account Data): We are the Data Controller for information we collect directly for our business operations, such as your account credentials, billing information, and service usage analytics.
  • Data Processor (for Service Data): We act as a Data Processor when processing "Service Data" — audit reports, inspection findings, photos, and other content you upload or create within the platform. For Service Data, you (the Customer) are the Data Controller, and we process this data solely on your behalf and according to your instructions.

Service Data Definition: "Service Data" refers to all audit reports, inspection records, findings, photos, corrective actions, compliance documentation, templates, and other content created or uploaded by you or your authorized users within the Service. You retain ownership and control of Service Data, and we process it only to provide the Service to you.

Data Processing Agreement (DPA): For customers subject to GDPR, CCPA, or other privacy regulations requiring a formal DPA, our Data Processing Addendum is automatically incorporated by reference into our Terms of Service. The DPA defines our responsibilities as a Data Processor and your responsibilities as a Data Controller. You can view and download the DPA here, or contact privacy@orviahq.com to request a signed copy.

If you do not agree with this Privacy Policy, you must not access or use the Service.

1. Information We Collect

1.1 Information You Provide Directly

When you register, use our Services, or communicate with us, we may collect:

  • Account Information: Name, email address, phone number, job title, company/organization name
  • Business Information: Hotel/property names, addresses, organizational structure, and business contact details
  • Credentials: Login credentials (passwords are encrypted and never stored in plain text)
  • Payment Information: Billing address and payment method details (processed by our third-party payment processor, Paddle; we do not store complete credit card numbers)
  • Audit Data: Inspection reports, findings, photos, notes, corrective actions, and compliance records created within the Service
  • Communications: Support tickets, emails, chat messages, and feedback you send to us
  • User-Generated Content: Templates, checklists, action plans, and documents you create or upload

1.2 Information Collected Automatically

When you access or use our Services, we automatically collect:

  • Device Information: Device type, operating system, unique device identifiers, browser type and version
  • Usage Data: Pages visited, features used, clicks, navigation paths, time spent on pages, and session duration
  • Log Data: IP address, access times, referring URLs, error logs, and crash reports
  • Location Data: General geographic location based on IP address; precise location only if you explicitly enable location services for property mapping features
  • Sync Data: Timestamps and metadata related to offline-online data synchronization

1.3 Cookies and Tracking Technologies

We use cookies, web beacons, and similar technologies to:

  • Maintain your login session and authentication state
  • Remember your preferences and settings
  • Analyze usage patterns to improve our Services
  • Provide security and fraud prevention
  • Deliver relevant marketing content (with your consent where required)

You can control cookie preferences through your browser settings. Disabling cookies may limit certain functionality of the Service.

1.4 Information from Third Parties

We may receive information from:

  • Business Partners: Referral partners, integration partners, and resellers
  • Service Providers: Analytics providers, payment processors, and identity verification services
  • Public Sources: Publicly available business information and professional profiles

⚠ Important Notice for Hospitality Organizations:

When your organization uses HAS to conduct audits, your employees and contractors may enter data about hotel guests, staff, or third parties. You are responsible for ensuring such data collection complies with applicable privacy laws and your organization's privacy policies.

2. How We Use Your Information

We use the information we collect for the following purposes:

2.1 Service Delivery

  • Create and manage your account
  • Provide, maintain, and improve our Services
  • Process transactions and send related information
  • Enable offline-online data synchronization
  • Generate audit reports, analytics, and insights
  • Provide customer support and respond to inquiries

2.2 Business Operations

  • Process payments and manage subscriptions
  • Send service-related communications (e.g., account verification, security alerts, billing notices)
  • Enforce our Terms of Service and protect our legal rights
  • Detect, prevent, and address fraud, security issues, and technical problems

2.3 Product Improvement & Aggregated Data

  • Analyze usage patterns to enhance functionality
  • Debug and fix software issues
  • Develop new features and services
  • Conduct research and analysis (using aggregated, anonymized data)

Aggregated & De-Identified Data Usage

We may use de-identified, aggregated, and anonymized data derived from your use of the Service for the following purposes:

  • Industry Benchmarks: Creating aggregated industry insights, compliance trends, and performance benchmarks that cannot identify any individual customer or property
  • AI/ML Training: Training machine learning models and algorithms to improve Service features (e.g., predictive compliance, automated scoring)
  • Product Analytics: Understanding how features are used across our customer base to prioritize development
  • Research & Development: Conducting research to enhance Service quality and develop new offerings

Important: This aggregated data cannot be used to identify you, your organization, specific properties, or any individual persons. We do not share your proprietary audit methodologies, templates, or findings with other customers.

2.4 Marketing (With Consent)

  • Send promotional communications about new features, products, or special offers
  • Personalize your experience and recommendations
  • You may opt out of marketing communications at any time

We do NOT sell, rent, or trade your personal data to third parties for their marketing purposes.

3. Legal Basis for Processing (GDPR)

If you are located in the European Economic Area (EEA), United Kingdom (UK), or Switzerland, our legal basis for processing your personal data includes:

  • Contract Performance: Processing necessary to fulfill our contractual obligations to you (e.g., providing the Service)
  • Legitimate Interests: Processing for our legitimate business interests, such as fraud prevention, security, product improvement, and direct marketing (where not overridden by your rights)
  • Legal Compliance: Processing necessary to comply with legal obligations
  • Consent: Where you have given explicit consent for specific processing activities

4. Data Sharing and Disclosure

We may share your information with:

4.1 Service Providers

Third parties who perform services on our behalf, including:

  • Cloud Infrastructure: Hosting, database, and authentication providers
  • Payment Processing: Our merchant of record for subscriptions
  • Email Services: Transactional email delivery providers
  • Analytics: Usage analytics and monitoring tools
  • Customer Support: Help desk and communication platforms

All service providers are contractually obligated to protect your data and use it only for specified purposes. Authenticated customers can view our complete Sub-processor List in their account settings. This list is also available in our Data Processing Addendum.

4.2 Your Organization

If you use HAS through your employer or organization, your organization's administrators may have access to your account information and usage data as permitted by your organization's agreement with us.

4.3 Legal Requirements

We may disclose information when required by law, legal process, or government request, or when we believe in good faith that disclosure is necessary to:

  • Comply with applicable laws or legal processes
  • Protect the rights, property, or safety of HAS, our users, or others
  • Enforce our Terms of Service
  • Detect and prevent fraud or security issues

4.4 Business Transfers

In the event of a merger, acquisition, reorganization, bankruptcy, or sale of assets, your information may be transferred as part of the transaction. We will notify you of any such change in ownership or control.

4.5 With Your Consent

We may share your information for other purposes with your explicit consent.

5. International Data Transfers

Your data may be processed and stored in countries outside your country of residence, including the United States. These countries may have data protection laws that differ from those in your country.

When we transfer personal data internationally, we implement appropriate safeguards, including:

  • Standard Contractual Clauses approved by the European Commission (see our Data Processing Addendum)
  • Binding Corporate Rules where applicable
  • Transfers to countries with adequate data protection determinations

By using the Service, you consent to the transfer of your data to these countries.

6. Data Retention

We retain your personal data for as long as necessary to:

  • Provide the Services while your account is active
  • Comply with legal, regulatory, tax, accounting, or reporting obligations
  • Resolve disputes and enforce our agreements
  • Maintain business records for audit and compliance purposes

Hospitality Industry Note:

Audit records and compliance documentation may be retained for extended periods as required by hospitality industry regulations, health and safety requirements, brand standards, or your organization's data retention policies.

Upon account deletion or termination, we will delete or anonymize your personal data within 90 days, except where retention is required by law or for legitimate business purposes.

7. Your Rights

Depending on your location, you may have the following rights regarding your personal data:

7.1 General Rights

  • Access: Request a copy of the personal data we hold about you
  • Correction: Request correction of inaccurate or incomplete data
  • Deletion: Request deletion of your personal data (subject to legal retention requirements)
  • Data Portability: Receive your data in a structured, machine-readable format
  • Objection: Object to processing based on legitimate interests
  • Restriction: Request restriction of processing in certain circumstances
  • Withdraw Consent: Withdraw consent where processing is based on consent

7.2 GDPR Rights (EEA/UK)

If you are in the EEA or UK, you have all rights under the GDPR, including the right to lodge a complaint with your local data protection authority.

7.3 CCPA Rights (California)

California residents have rights under the California Consumer Privacy Act (CCPA), as amended in 2026:

  • Right to Know: What personal information is collected, used, disclosed, or sold (we do not sell personal information)
  • Right to Delete: Request deletion of your personal information (subject to legal retention requirements)
  • Right to Opt-Out: Opt out of the sale or sharing of personal information (we do not sell or share personal information for cross-context behavioral advertising)
  • Right to Correct: Request correction of inaccurate personal information
  • Right to Limit Use of Sensitive Personal Information: Limit use of sensitive personal information (if applicable)
  • Right to Non-Discrimination: You will not be discriminated against for exercising your CCPA rights

2026 CCPA Update: Opt-Out Confirmation

As required by California law effective January 1, 2026, when you submit an opt-out request (e.g., "Do Not Sell or Share My Personal Information"), we will:

  1. Process your request within 15 business days
  2. Display a visible "Opt-Out Honored" indicator in your account settings confirming your request has been processed
  3. Send email confirmation of the opt-out status

You can verify your opt-out status at any time by visiting your account privacy settings or contacting privacy@orviahq.com.

Historical Data Requests: For "Right to Know" requests, we can provide data going back to January 1, 2022, if we still maintain those records. Older data may have been deleted per our retention policies.

To Exercise Your Rights:

Email us at privacy@orviahq.com. We will respond within 30 days (or as required by applicable law). We may request identity verification before processing your request.

8. Security

We implement industry-standard security measures to protect your data, including:

  • Encryption: Data encrypted in transit (TLS 1.3) and at rest (AES-256)
  • Access Controls: Role-based access, multi-factor authentication support
  • Infrastructure Security: SOC 2 compliant cloud providers, regular security audits
  • Monitoring: Real-time threat detection and logging
  • Employee Training: Regular security awareness training for all staff

However, no system is 100% secure. You use the Service at your own risk. We are not liable for unauthorized access resulting from your failure to protect your credentials or from circumstances beyond our reasonable control.

9. Children's Privacy

The Service is intended for business use and is not directed to individuals under 18 years of age. We do not knowingly collect personal data from children under 18. If we learn that we have collected data from a child under 18, we will promptly delete it.

If you believe we have collected data from a child under 18, please contact us immediately at privacy@orviahq.com.

10. Third-Party Links and Services

Our Service may contain links to third-party websites or integrate with third-party services. This Privacy Policy does not apply to those third parties. We encourage you to review the privacy policies of any third-party services you access.

11. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by:

  • Posting the updated policy on our website with a new "Last Updated" date
  • Sending an email notification for significant changes
  • Displaying an in-app notification when you next access the Service

Your continued use of the Service after any changes indicates your acceptance of the updated Privacy Policy.

12. Contact Information

For questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:

Orvia Technologies, Inc.

Privacy Inquiries: privacy@orviahq.com

General Support: support@orviahq.com

Address: 1234 Hospitality Drive, Suite 500, Austin, TX 78701, USA

For EU/UK residents, you may also contact your local data protection authority if you have concerns about our data practices. Enterprise customers requiring a Data Processing Agreement should review our Data Processing Addendum.