Part C
Privacy policy
Legal text in French
Our legal documents were authored in French. Translations in English and other languages are pending jurisdictional review by local counsel. In case of discrepancy, the French version prevails.
This policy explains how OraData LLC collects, uses, shares, and protects personal data of Users. It complies with the General Data Protection Regulation (GDPR / EU), the California Consumer Privacy Act (CCPA / USA), and any applicable data protection law in the User's country of residence.
Article 1 — Data controller
OraData LLC, Bloomington, Minnesota, USA. Data Protection Officer contact: dpo@oradata.ai.
Article 2 — Data collected
- Identification — full name, email, country, ID document (hashed), verification selfie.
- Account — tier, task history, reliability score, Cohen's Kappa, wallet balance.
- Payment — IBAN, Wave/Chipper/PayPal numbers (encrypted), Stripe Connect identifiers.
- Technical — IP address, user agent, login logs, analytics cookies (prior consent).
- Uploaded content — images, videos, audio, text, annotations, geolocation where relevant.
- Communications — support tickets, chat messages, emails.
Article 3 — Purposes and legal bases
- Contract performance — account management, task assignment, payments.
- Legal obligation — KYC, invoicing, accounting retention, HIPAA compliance.
- Legitimate interest — fraud detection, quality scoring, Platform security.
- Consent — analytics cookies, optional marketing emails.
Article 4 — Recipients and transfers
Personal data are never sold. They are shared only with:
- Technical subprocessors — Supabase (hosting), AWS (S3 storage), Cloudflare (CDN), Resend (email), Stripe/Wave/Chipper/Wise (payments). All bound by Data Processing Agreements.
- Dataset-buying clients — only anonymized/assigned Content (never the identity of the producing Freelancer, except with explicit consent).
- Legal authorities — upon a duly motivated court order only.
Data are hosted primarily in the United States (Supabase US + AWS us-east-1). Transfers outside the EU are governed by the Standard Contractual Clauses (SCCs) of the European Commission and, where applicable, by the USA-EU Data Privacy Framework.
Article 5 — User rights
In accordance with GDPR, CCPA, and equivalent laws, each User has the following rights:
- Access and portability — obtain a copy of their data in a readable format.
- Rectification — correct their data from profile settings.
- Erasure (right to be forgotten) — delete their account. Already-assigned Content remains OraData property but the contributor's identity is anonymized.
- Objection and restriction of processing.
- Consent withdrawal at any time for consent-based processing.
- Complaint to the competent supervisory authority (CNIL in France, ICO in the UK, etc.).
Any request is handled within 30 days by email at dpo@oradata.ai.
Article 6 — Security
- Encryption at rest — AES-256 on all S3 buckets and Supabase disks.
- Encryption in transit — TLS 1.3 mandatory on all endpoints.
- Authentication — optional MFA for all, mandatory for admin accounts and DICOM radiologists.
- Row Level Security (RLS) on Postgres for all sensitive tables.
- Permanent audit log of all accesses to PHI data (medical imaging).
- Annual third-party penetration testing.
- Incident response: notification within 72h of data breach, per GDPR.
Article 7 — Cookies
The Platform uses (a) strictly necessary cookies (session, authentication, CSRF) — no consent required; (b) anonymous analytics cookies (duration, path) — opt-in consent via banner; (c) no third-party advertising cookies.
Article 8 — HIPAA addendum (medical imaging)
For medical imaging data (Protected Health Information / PHI) processed under HIPAA campaigns:
- OraData acts as a Business Associate under 45 CFR § 164.502.
- A BAA (Business Associate Agreement) is signed with each PHI-producing client and each radiologist Freelancer.
- Only Gold+ tier Freelancers with a signed BAA have access to DICOM tasks.
- Any suspected PHI breach is notified to the producing client within 24h and to affected persons per the Breach Notification Rule.
- PHI access register retained 6 years minimum.
Article 9 — Minors' data
The Platform is strictly reserved for adults (18 years). No minor data is knowingly collected. If an identifiable minor appears in uploaded Content, the Freelancer must blur the face or obtain documented parental consent; otherwise, the Content is rejected and unpaid.
Article 10 — Amendments to this Policy
Any substantial change is notified to Users by email 30 days before taking effect, with changes highlighted. Continued access to the Platform constitutes acceptance of the changes.
This document is under review by legal counsel (Minnesota attorney + GDPR specialist). The signed version will be published here before the official launch.