Privacy Policy

Last updated: 27 April 2026

This Privacy Policy explains how KOLOT, S.à r.l.-S, operating the product Orgix, collects, uses, stores and protects personal data in connection with the website https://orgix.app, the Orgix platform available at https://platform.orgix.app, Orgix emails, support communications, user accounts, company workspaces and Orgix modules.

Orgix is a modular business management and ERP platform for small and medium-sized businesses, associations, clubs, communities and local organizations.

This Privacy Policy is intended to be clear and transparent. If you have any questions, you can contact us at [email protected].

Orgix is currently under active development. Customers should apply data minimization principles and avoid uploading unnecessary sensitive, confidential or irreplaceable personal data, especially while certain modules and features are still evolving.

While Orgix implements reasonable technical and organizational measures, no online service can guarantee uninterrupted availability or absolute security.

1. Who we are

Orgix is operated by:

KOLOT, S.à r.l.-S
56, rue du Parc
L-3542 Dudelange
Luxembourg

RCS Luxembourg: B302121
Business permit / Autorisation d’établissement: N° 10188303 / 0
Email for privacy requests: [email protected]
Contact page: https://orgix.app/contact-us/

In this Privacy Policy, “Orgix”, “we”, “us” or “our” refers to KOLOT, S.à r.l.-S, acting as the operator of the Orgix product.

We have not appointed a Data Protection Officer at this stage. Privacy-related requests can be sent to [email protected].

2. Scope of this Privacy Policy

This Privacy Policy applies to:

  • the public website https://orgix.app;
  • the Orgix platform https://platform.orgix.app;
  • Orgix user accounts;
  • company workspaces created inside Orgix;
  • current and future Orgix modules;
  • emails sent by Orgix, such as verification, password reset, invitation and system notification emails;
  • contact and support requests sent through Orgix forms or by email.

This Privacy Policy does not apply to third-party websites, services or payment providers that have their own privacy policies.

3. Our role under GDPR: controller and processor

Depending on the situation, Orgix may act either as a data controller or as a data processor.

3.1 When Orgix acts as data controller

Orgix acts as a data controller when we decide why and how personal data is processed. This usually includes processing related to:

  • website visitors;
  • account registration;
  • login and authentication;
  • user profile management;
  • security, fraud prevention and abuse prevention;
  • Orgix subscription billing;
  • customer support and legal requests;
  • service communications;
  • compliance with legal obligations.

3.2 When Orgix acts as data processor

Orgix acts as a data processor when a customer organization uses Orgix to process personal data inside its own company workspace.

For example, a customer organization may use Orgix to manage:

  • employees;
  • members;
  • club or community participants;
  • contacts;
  • company documents;
  • membership records;
  • payment statuses;
  • internal approvals;
  • files;
  • workforce-related records;
  • finance-related records;
  • module-specific data.

In these cases, the customer organization is usually the data controller, and Orgix processes the data on behalf of that organization according to the applicable agreement, including the Data Processing Agreement where applicable.

If you are a member, employee, participant or contact of an organization using Orgix, you may need to contact that organization directly to exercise certain privacy rights.

4. Personal data we collect and process

The personal data we process depends on how you use Orgix and which modules are enabled by your organization.

4.1 Account and login data

We may process:

  • email address;
  • username;
  • password hash;
  • account status;
  • email verification status;
  • failed login attempts;
  • account lock information;
  • ban status and ban reason, where applicable.

We do not store your password in plain text.

4.2 User profile data

We may process:

  • first name;
  • last name;
  • timezone;
  • avatar;
  • signature image or file;
  • profile metadata and preferences.

Your signature may be used in documents or workflows if you or your organization enable such functionality.

4.3 Session, device and security data

For authentication, security and fraud prevention, we may process:

  • session identifiers;
  • refresh token hashes;
  • device identifiers;
  • browser and device information;
  • operating system information;
  • IP address;
  • user agent;
  • login timestamps;
  • session expiry and revocation information;
  • trusted device status;
  • security metadata.

The platform uses essential authentication and security cookies, including HttpOnly cookies.

4.4 Company and workspace data

When a company workspace is created or managed in Orgix, we may process:

  • official company name;
  • display name;
  • workspace slug;
  • company status;
  • legal form;
  • registration number;
  • VAT number, if provided;
  • address details;
  • locale;
  • timezone;
  • currency;
  • brand color;
  • support email;
  • phone number, if provided;
  • social links;
  • company logo and icon;
  • company settings and module configuration.

Some company profile elements, such as a company logo, may be made available through public or semi-public URLs when needed for normal platform functionality, such as branded emails or login pages.

4.5 Staff, roles, departments and access data

Orgix may process data related to company structure, including:

  • company members;
  • roles and positions;
  • departments;
  • access permissions;
  • invitations;
  • approval rules;
  • user assignments;
  • role-based access control settings;
  • audit records related to actions inside the workspace.

4.6 Membership and CRM-related data

If the Membership module or related CRM functionality is used, Orgix may process:

  • member or contact email;
  • full name, if provided;
  • primary phone number, if provided;
  • membership status;
  • access status;
  • payment status;
  • payment dates;
  • reminder flags;
  • invitation status;
  • invitation token hashes;
  • membership period information;
  • transaction identifiers;
  • amount and currency;
  • provider information;
  • transaction metadata and payloads received from payment providers.

Customer organizations are responsible for ensuring that they have a valid legal basis to upload and manage this data in Orgix.

4.7 Payment and billing data

For Orgix subscriptions, we may process:

  • Stripe customer identifier;
  • Stripe subscription identifier;
  • selected plan;
  • subscription status;
  • invoice and payment status metadata;
  • billing-related events received from Stripe;
  • payment amount and currency;
  • timestamps and payment-related metadata.

We do not store full payment card details. Payment card data is processed by Stripe.

For internal payments configured by customer organizations, such as paid memberships, the customer organization may connect its own payment provider, such as Stripe or HivePay. In that case, Orgix may store configuration data, encrypted credentials where applicable, transaction identifiers, payment status, amount, currency and related metadata in order to display or record payment status inside the platform.

Where HivePay is used, Orgix may store external payment IDs, provider status, amount, currency, period information and transaction payloads or webhook payloads received from HivePay. If a provider response contains wallet addresses, transaction hashes or similar blockchain-related metadata, such information may be included in the stored payload even if Orgix does not store it in separate dedicated fields.

Unless expressly stated otherwise, Orgix does not collect a commission on internal customer-organization payments and does not act as the seller of a customer organization’s membership or club subscription.

4.8 Files and media

Orgix may process files uploaded by users or customer organizations, including:

  • avatars;
  • signatures;
  • company logos;
  • company icons;
  • documents;
  • images;
  • file names;
  • file types;
  • file sizes;
  • storage paths;
  • file URLs;
  • access scope;
  • deletion status;
  • file metadata.

Customer organizations and users are responsible for the content they upload to Orgix.

Users and customer organizations should not upload special categories of personal data or highly sensitive documents unless this is necessary for their lawful use of the platform and they have the appropriate legal basis to do so.

4.9 Contact and support requests

If you contact us through the website contact form or by email, we may process:

  • your name, if provided;
  • your email address;
  • your message;
  • selected topic or request type, if provided;
  • information necessary to answer your request.

Contact form submissions are sent to us by email and are not intended to be stored in the Orgix platform database.

At this stage, Orgix does not use a third-party support chat widget or ticketing system.

4.10 Email communication data

Orgix sends transactional emails, including:

  • email verification messages;
  • password reset messages;
  • invitation emails;
  • membership-related notifications;
  • platform and security notifications.

These emails may include:

  • recipient email address;
  • subject;
  • message content;
  • verification, reset or invitation links;
  • token-related information;
  • company logo URL, where applicable.

We do not currently send newsletters or marketing email campaigns. If this changes, we will provide appropriate information and, where required, ask for consent or provide an unsubscribe option.

4.11 Logs and audit data

For security, debugging, compliance and audit purposes, we may process:

  • event type;
  • user ID;
  • IP address;
  • user agent;
  • device ID;
  • resource identifiers;
  • timestamps;
  • metadata related to actions in the platform;
  • security and system logs.

We apply redaction measures to reduce the exposure of sensitive personal data in logs, such as passwords, tokens, emails, phone numbers or IP addresses where appropriate.

4.12 Workforce, absence and sick leave data

If the Workforce module is used, Orgix may process workforce-related information such as:

  • working time;
  • holidays;
  • absence records;
  • sick leave status or dates;
  • contract or employment-related settings;
  • reports for accounting or administrative purposes.

Orgix is not intended to store detailed medical diagnoses. Users and customer organizations should not upload detailed medical information unless strictly necessary and lawful.

4.13 Future modules

Orgix is modular. Depending on the modules enabled by a customer organization, Orgix may process additional categories of data necessary for those modules.

Where appropriate, we may update this Privacy Policy or provide additional module-specific information.

5. Data relating to children

Orgix is not directed to children and is not intended for use by children as end users.

Orgix is also not intended to be used as a system for storing children’s personal data. Customer organizations should not use Orgix to store data relating to children unless this is explicitly supported by the relevant module, lawful, necessary, and covered by the customer organization’s own privacy documentation and legal basis.

6. Why we process personal data and legal bases

We process personal data only when we have a lawful basis to do so.

The main purposes and legal bases are listed below.

Purpose | Examples | Legal basis
Providing the Orgix service | Account creation, login, workspaces, modules, user profiles, files, roles, departments, approvals | Performance of a contract or steps prior to entering into a contract
Managing subscriptions and billing | Plans, Stripe customer/subscription IDs, invoices, payment status | Performance of a contract; legal obligations for accounting and tax records
Authentication and security | Sessions, tokens, device data, IP address, rate limiting, audit logs, account lockout | Legitimate interests; performance of a contract; legal obligations where applicable
Customer support and legal requests | Contact forms, email support, privacy requests | Legitimate interests; performance of a contract; legal obligations
Transactional emails | Verification, password reset, invitations, system notifications | Performance of a contract; legitimate interests
Compliance and record keeping | Accounting records, legal notices, audit trails, dispute management | Legal obligations; legitimate interests
Improving and maintaining the service | Debugging, technical logs, service monitoring | Legitimate interests
Optional analytics, if introduced | Google Analytics or similar analytics tools, subject to cookie consent where required | Consent where required; legitimate interests where legally permitted
Customer-controlled workspace processing | Employee, member, file, payment status or module data processed inside a customer workspace | Customer organization’s legal basis; Orgix acts as processor

Where we rely on legitimate interests, we consider the impact on your rights and freedoms and apply appropriate safeguards.

Where we rely on consent, you may withdraw your consent at any time. Withdrawal of consent does not affect the lawfulness of processing carried out before withdrawal.

7. Cookies and similar technologies

The Orgix platform uses essential cookies and similar technologies for:

  • authentication;
  • session management;
  • account security;
  • CSRF protection;
  • user preferences;
  • platform functionality.

These cookies are necessary for the platform to work correctly.

At the date of this Privacy Policy, we do not use non-essential analytics or marketing tracking technologies on the website or platform. We may introduce Google Analytics or similar analytics tools in the future. If we use non-essential analytics or marketing cookies, we will provide appropriate information in our Cookie Policy and, where required, request consent.

For more details, please refer to our Cookie Policy.

8. Analytics and marketing

We do not currently use Google Analytics, marketing pixels, advertising trackers or behavioral advertising tools.

We may introduce Google Analytics in the future to understand how visitors use the website and improve the product. If we do so, we will update our Cookie Policy and, where required, request consent before using non-essential analytics cookies.

We do not currently send newsletters or marketing email campaigns.

9. Who we share personal data with

We do not sell personal data.

We may share personal data with service providers and third parties when necessary to operate Orgix, provide the service, process payments, secure the platform, comply with legal obligations or respond to lawful requests.

9.1 Infrastructure and hosting

Orgix uses hosting infrastructure provided by:

Hetzner Online GmbH
Germany / European Union

Core platform data, including database, Redis, application services and file storage, is intended to be hosted on infrastructure located in the European Union.

9.2 Cloudflare

Orgix uses Cloudflare for DNS, proxy, CDN and WAF/security services.

This means that website and platform traffic may pass through Cloudflare’s network. Cloudflare may process technical data such as IP addresses, request metadata, security events and traffic-related information in order to provide these services.

9.3 Stripe

Orgix uses Stripe for subscription payments and billing.

Stripe may process payment-related personal data as an independent controller or processor depending on the context and Stripe’s own terms. Orgix does not store full payment card details.

9.4 Email provider

Orgix uses an SMTP email provider for transactional emails.

At the date of this Privacy Policy, transactional emails are sent using mail.adm.tools. Email data may include recipient email addresses, email content and transactional links necessary to deliver the message.

9.5 HivePay

Customer organizations may choose to connect HivePay for internal membership or community-related payments.

Where HivePay is used, transaction metadata and payment status information may be exchanged between HivePay and Orgix. HivePay’s own privacy practices and processing locations are governed by HivePay’s own documentation and policies.

9.6 Customer organizations

If you are invited to or participate in a customer organization’s workspace, that organization may access and manage data related to your participation in that workspace, according to your role, permissions and the organization’s configuration.

9.7 Authorities and legal requests

We may disclose personal data if required to do so by law, court order, competent authority or to protect our rights, users, customers or the security of the service.

10. Sub-processors

Orgix maintains information about key service providers and sub-processors used to provide the service.

A dedicated Sub-processors page is planned at:

Until that page is available, the main providers include:

  • Hetzner Online GmbH — hosting infrastructure;
  • Cloudflare — DNS, CDN, proxy and WAF/security services;
  • Stripe — subscription payment processing;
  • mail.adm.tools — transactional email delivery;
  • HivePay — optional customer-configured membership payment integration;
  • PostgreSQL and Redis — database and infrastructure components operated as part of Orgix’s hosting environment.

We may update the list of sub-processors from time to time.

11. International data transfers

We aim to host core Orgix platform data in the European Union.

However, some service providers may process personal data outside the European Economic Area, especially providers with global infrastructure such as Cloudflare, Stripe, Google Analytics if introduced, or other future service providers.

Where personal data is transferred outside the European Economic Area, we rely on appropriate safeguards where required, such as:

  • adequacy decisions;
  • Standard Contractual Clauses;
  • data processing agreements;
  • transfer impact assessments where required;
  • other lawful transfer mechanisms under applicable data protection law.

12. How long we keep personal data

We keep personal data only for as long as necessary for the purposes described in this Privacy Policy, unless a longer retention period is required or permitted by law.

General retention principles:

Data category | Retention principle
Account data | Kept while the account is active and for a reasonable period after deletion where required for legal, security or legitimate business purposes
Company workspace data | Kept while the customer workspace is active, unless deleted earlier by the customer or required otherwise
Billing and accounting data | Kept for the period required by applicable accounting, tax and legal obligations
Security logs and audit logs | Kept for a limited period; routine successful audit events are normally retained up to around 90 days unless longer retention is necessary
Expired email tokens | Verification tokens currently expire after around 24 hours; expired tokens may be deleted after a limited retention period
Password reset tokens | Password reset tokens currently expire after around 1 hour; expired tokens may be deleted after a limited retention period
Revoked sessions | Revoked sessions may be deleted after a limited retention period, currently around 90 days
Deleted membership records | May be permanently purged after a defined deletion period, currently around 90 days
Contact requests | Kept only as long as necessary to respond and manage the request, unless further retention is required for legal or business reasons
Files | Kept while needed for the account, workspace or module, unless deleted by the user or customer organization, subject to backup, audit, legal or technical retention

Some data may remain in backups for a limited period before being overwritten or deleted according to backup rotation practices.

13. Account deletion and data deletion

Users may request deletion of their account or use available account deletion functionality where provided in the platform.

When a user deletes their account, we delete or anonymize account-related personal data, subject to data that must be retained for legal, security, audit, fraud prevention, contractual or technical integrity reasons.

In some cases, certain records may be retained in anonymized or pseudonymized form to preserve database integrity, audit history, security records or legal compliance.

If your data is processed inside a customer organization’s workspace, deletion may need to be requested from that organization, because the organization may be the data controller for that data.

14. Data export and portability

Orgix is being developed with data protection and portability in mind.

Where technically available, users may export certain account data through the platform. Users may also contact us at [email protected] to request access to or portability of their personal data.

Because Orgix is still in active development, some export features may be implemented progressively.

15. Your rights

Subject to applicable law and depending on the processing context, you may have the following rights:

  • right of access;
  • right to rectification;
  • right to erasure;
  • right to restriction of processing;
  • right to data portability;
  • right to object;
  • right to withdraw consent where processing is based on consent;
  • right to lodge a complaint with a supervisory authority.

To exercise your rights, contact us at:

[email protected]

We may need to verify your identity before responding to your request.

We will respond to requests within one month, unless an extension is permitted by applicable law due to the complexity or number of requests.

If your request relates to data controlled by a customer organization, we may direct you to that organization or cooperate with that organization as its processor.

16. Complaint to supervisory authority

If you believe that your personal data has been processed in violation of applicable data protection law, you have the right to lodge a complaint with a supervisory authority.

In Luxembourg, the competent authority is:

Commission nationale pour la protection des données (CNPD)
Website: https://cnpd.public.lu

We encourage you to contact us first at [email protected] so we can try to resolve your concern.

17. Security measures

We apply technical and organizational measures designed to protect personal data against unauthorized access, loss, misuse, alteration or disclosure.

These measures may include:

  • password hashing;
  • refresh token hashing;
  • HttpOnly authentication cookies;
  • CSRF protection;
  • security headers;
  • rate limiting;
  • role-based access control;
  • tenant isolation;
  • audit logging;
  • security event monitoring;
  • redaction of sensitive personal data in logs where appropriate;
  • encryption of certain credentials, such as membership payment integration credentials;
  • controlled access to infrastructure;
  • hardened container and deployment configuration;
  • backup and recovery practices.

No system can be guaranteed to be completely secure. Users and customer organizations are responsible for using strong passwords, protecting access to their accounts and managing permissions carefully.

18. Automated decision-making and AI

At the date of this Privacy Policy, Orgix does not use personal data for automated decision-making that produces legal or similarly significant effects.

Some platform features may automatically update statuses or access based on configuration set by the customer organization, such as:

  • invitation expiry;
  • membership payment status;
  • membership access status;
  • account security controls;
  • approval workflow status.

These are operational automations configured for platform functionality.

Orgix may introduce AI-assisted features in the future. If such features involve personal data processing in a way that materially changes this Privacy Policy, we will update this document and provide additional information where required.

19. Customer organization responsibilities

Customer organizations using Orgix are responsible for:

  • ensuring they have a lawful basis for the personal data they upload or manage in Orgix;
  • informing their employees, members, contacts or participants about how their data is processed;
  • configuring roles, permissions and access rights appropriately;
  • avoiding unnecessary upload of sensitive or excessive data;
  • responding to privacy requests where they act as data controller;
  • complying with employment, membership, accounting, tax, data protection and other laws applicable to their organization.

Orgix provides tools, but customer organizations remain responsible for how they use those tools and what data they decide to process inside their workspace.

20. Third-party services and links

The website or platform may contain links to third-party websites or services.

We are not responsible for the privacy practices, security or content of third-party websites or services. You should review their privacy policies before using them.

21. Changes to this Privacy Policy

We may update this Privacy Policy from time to time, for example when we add new modules, introduce new providers, change our processing practices or need to comply with legal requirements.

The latest version will be published on this page with the “Last updated” date.

If changes are material, we may notify users through the platform, by email or by another appropriate method.

22. Contact

For privacy questions, requests or concerns, please contact:

KOLOT, S.à r.l.-S
56, rue du Parc
L-3542 Dudelange
Luxembourg

Email: [email protected]
Contact page: https://orgix.app/contact-us/