Privacy Policy
Last updated: 25 March 2026
Orosphinx LTD (“Orosphinx,” “we,” “us,” or “our”)
Effective date: 25 March 2026
Orosphinx LTD is a company registered in England and Wales. We operate the Orosphinx platform — a cloud-based enterprise resource planning system built for the jewelry and precious metals industry — along with the orosphinx.com website and related services (collectively, the “Service”).
This Privacy Policy explains how we collect, use, disclose, and safeguard personal data when you interact with the Service, whether as a business subscriber (“Tenant”), an authorised user of a Tenant account (“User”), an end customer of one of our Tenants whose data is processed through the Service (“End Customer”), or a visitor to our website (“Visitor”).
We are committed to protecting your privacy in compliance with the UK General Data Protection Regulation (“UK GDPR”), the EU General Data Protection Regulation (Regulation 2016/679) (“EU GDPR”), the Egyptian Personal Data Protection Law No. 151 of 2020 and its Executive Regulations (“PDPL”), and other applicable data protection laws.
1. Data Controller & Data Processor Roles
Orosphinx acts in two capacities depending on context:
As Data Controller: We are the data controller for personal data we collect directly from Visitors to our website (e.g., contact form submissions, cookie data) and from Users and Tenants in connection with account administration, billing, and platform operations.
As Data Processor: When Tenants use our Service to manage their own business data — including End Customer records, transaction histories, and compliance records — we act as a data processor on the Tenant’s behalf. In this capacity, the Tenant is the data controller, and our processing is governed by the Data Processing Addendum incorporated into our Terms of Service.
2. Personal Data We Collect
2.1 Account & Authentication Data
When a Tenant or User registers for or uses the Service, we collect:
- Full name and display name
- Email address
- Phone number (stored in E.164 international format)
- Authentication credentials managed by our authentication provider (Supabase)
- Hashed security PINs (for point-of-sale access, stored using scrypt with per-user salts)
- Role assignments and permissions within a Tenant account
- Account status and location assignments
2.2 End Customer Data (Processed on Behalf of Tenants)
When Tenants use the Service to manage their customer relationships, the following End Customer data may be processed:
- Full name
- Phone number (stored in plaintext E.164 format, with separately stored masked and hashed versions for security)
- Email address
- Loyalty programme records and points balances
- Purchase history and transaction records
- Customer notes and segment tags
- Consent records (marketing, loyalty, analytics, communications)
2.3 Identity & Compliance Data
For Know Your Customer (“KYC”) and Anti-Money Laundering (“AML”) purposes, as required by applicable law, the following data may be collected:
- Full legal name and nationality
- Government-issued identity document type (National ID, Passport, Foreign Resident ID)
- Identity document number (encrypted at rest using AES-256-equivalent encryption, with a separately stored masked version and cryptographic hash for lookup)
- Document verification status and expiration date
- KYC trigger information (transaction thresholds that initiated verification)
- Suspicious Activity Report data (subject identification, suspicion type, related transactions, investigation notes) — processed solely to fulfil legal obligations
2.4 Transaction & Financial Data
Through the normal operation of the Service, we process:
- Sales receipts, timestamps, and line-item details
- Payment amounts in EGP and original currencies
- Gold and precious metal spot-price snapshots at time of transaction
- Cost-of-goods-sold calculations
- Payment method and payment processor transaction identifiers
- Void, return, and refund audit trails
- Payment plan and instalment records
- Shift and cash-management records
2.5 Website Visitor Data
When you visit orosphinx.com, we collect:
- Information you voluntarily provide through our contact form: name, email address, company name, company size, message content, and inquiry source
- Essential cookies for website functionality (theme preference)
- Standard web server logs (IP address, browser type, pages visited, timestamps)
2.6 Audit & Security Event Data
To maintain the security and integrity of the Service, we automatically collect:
- Comprehensive audit logs of all data mutations (create, update, delete actions) including pre-mutation and post-mutation state snapshots
- Actor identification (user ID and role) for every logged action
- Security events: authentication failures, PIN lockout events, break-glass access, API key rotations
- IP addresses and user agent strings associated with security events
- Idempotency keys for transaction deduplication (retained for 24 hours)
3. How We Use Personal Data
3.1 Lawful Bases for Processing
We process personal data under the following lawful bases. Where we rely on legitimate interest, a documented balancing assessment is available upon request to privacy@orosphinx.com.
| Purpose | Lawful Basis (UK/EU GDPR) | PDPL Basis |
|---|---|---|
| Providing and operating the Service | Performance of a contract (Art. 6(1)(b)) | Contractual necessity |
| Account authentication and security | Performance of a contract; Legitimate interest in platform security | Contractual necessity; Legitimate interest |
| KYC/AML compliance and suspicious activity reporting | Legal obligation (Art. 6(1)(c)) | Legal obligation |
| Audit logging and data integrity | Legal obligation; Legitimate interest in fraud prevention | Legal obligation; Legitimate interest |
| Website analytics and service improvement | Legitimate interest (Art. 6(1)(f)) | Legitimate interest |
| Responding to enquiries via contact form | Consent (Art. 6(1)(a)); Legitimate interest | Explicit prior consent |
| Marketing communications | Consent (Art. 6(1)(a)) | Explicit prior consent |
| Payment processing | Performance of a contract | Contractual necessity |
3.2 Specific Processing Activities
We use personal data to:
- Authenticate Users and enforce role-based access controls across Tenant accounts
- Process and record point-of-sale transactions, manufacturing operations, inventory movements, and treasury activities
- Enable compliance with KYC/AML regulations applicable to the precious metals industry
- Monitor platform security, detect unauthorised access, and investigate incidents
- Provide customer support and respond to enquiries
- Generate aggregated, anonymised analytics to improve the Service (no individual-level profiling)
- Process payments through integrated payment providers
- Send transactional notifications (e.g., OTP codes, payment confirmations, shift reports)
3.3 Automated Decision-Making & Artificial Intelligence
We use Azure OpenAI services in a limited capacity to generate market insights and trend analysis based on aggregated market data. This processing does not involve individual personal data, does not produce decisions with legal or similarly significant effects on any person, and does not involve automated profiling of individuals.
4. Data Sharing & Third-Party Processors
We share personal data only as necessary to operate the Service, with the following categories of recipients:
4.1 Infrastructure & Authentication
| Processor | Purpose | Data Shared | Location |
|---|---|---|---|
| Supabase Inc. | Authentication, database hosting, file storage | Email, phone number, auth tokens, uploaded files | EU/US |
4.2 Communications
| Processor | Purpose | Data Shared | Location |
|---|---|---|---|
| Twilio Inc. | SMS OTP delivery and customer notifications | Phone numbers, SMS message content | US |
| Resend Inc. | Email notifications and reports | Email addresses, email content | US |
4.3 Payment Processing
| Processor | Purpose | Data Shared | Location |
|---|---|---|---|
| Instapay | Payment processing (Egyptian market) | Customer phone, transaction amount, transaction ID | Egypt |
| Fawry | Payment processing, QR codes, kiosk payments | Customer phone, transaction amount, transaction ID | Egypt |
| Paymob | Payment processing | Customer phone, transaction amount, transaction ID | Egypt |
4.4 Monitoring & AI Services
| Processor | Purpose | Data Shared | Location |
|---|---|---|---|
| Sentry (Functional Software Inc.) | Error tracking and performance monitoring | Error context, tenant context (no direct PII except in error payloads) | US |
| Microsoft Azure (OpenAI Service) | Market insight generation | Aggregated market data only (no personal data) | EU/US |
5. Cookies & Tracking Technologies
5.1 Cookies We Use
| Cookie/Storage | Type | Purpose | Duration |
|---|---|---|---|
| orosphinx_theme | localStorage | Store user’s light/dark theme preference | Persistent until cleared |
| Session authentication tokens | httpOnly cookie | Maintain authenticated sessions | Session duration |
5.2 What We Do Not Use
We do not currently deploy third-party advertising trackers, social media pixels, behavioural analytics platforms (e.g., Google Analytics, Hotjar, Mixpanel), or cross-site tracking technologies. If we introduce such technologies in the future, we will update this policy and implement appropriate consent mechanisms before activation.
6. International Data Transfers
Orosphinx is based in the United Kingdom. Personal data processed through the Service may be transferred to and stored in jurisdictions outside the UK and the European Economic Area (“EEA”), including the United States and Egypt.
6.1 Transfer Safeguards
We ensure that all international transfers of personal data are protected by appropriate safeguards:
- UK to US / US-based processors: We rely on the UK Extension to the EU-US Data Privacy Framework where the recipient is certified, and on the International Data Transfer Agreement (“IDTA”) or Addendum to the EU Standard Contractual Clauses where they are not.
- UK to EU/EEA: Transfers are covered by the UK adequacy regulations recognising EEA member states.
- UK/EU to Egypt: We execute Standard Contractual Clauses and conduct Transfer Impact Assessments.
- Egyptian PDPL transfers: For data subject to the PDPL, cross-border transfers comply with PDPC licensing requirements and are supported by written data subject consent where required.
7. Data Security
We implement technical and organisational measures designed to protect personal data against unauthorised access, alteration, disclosure, or destruction:
7.1 Encryption
- In transit: All data transmitted between clients and our servers is encrypted using TLS 1.2 or higher.
- At rest: Sensitive personal data fields are encrypted using AES-256-equivalent symmetric encryption with per-field key derivation.
- Authentication credentials: User PINs are hashed using the scrypt key derivation function with unique salts per user.
- Key rotation: Encryption keys support zero-downtime rotation via dual-key read with previous-key fallback.
7.2 Access Controls
- Tenant isolation: Every database query is scoped to the authenticated Tenant through PostgreSQL Row-Level Security policies. Tenant identifiers are derived from the authenticated session, never from client input.
- Role-based access: Users are assigned granular permissions that restrict access to features and data within their Tenant account.
- PIN-protected operations: High-risk point-of-sale operations require a secondary PIN authentication with automatic lockout after repeated failures.
7.3 Audit & Monitoring
- Immutable audit trail: All data mutations are logged with before-and-after state snapshots, actor identification, timestamps, and trace identifiers.
- Security event logging: Authentication failures, privilege escalations, break-glass access, and key rotations are recorded with IP address and user agent metadata.
- Idempotency controls: Duplicate mutation attempts are detected and rejected using time-limited idempotency keys.
8. Data Breach Notification
In the event of a personal data breach:
- UK GDPR: We will notify the ICO within 72 hours of becoming aware of a breach that poses a risk to the rights and freedoms of data subjects.
- EU GDPR: We will notify the relevant EU supervisory authority within 72 hours and affected individuals where required.
- Egyptian PDPL: We will notify the PDPC and affected data subjects within 72 hours of discovery.
- Tenant notification: Where we are acting as data processor, we will notify the affected Tenant within 24 hours of confirming a breach that affects their data.
9. Data Retention
We retain personal data only for as long as necessary to fulfil the purposes for which it was collected, or as required by law:
| Data Category | Retention Period | Basis |
|---|---|---|
| Account and authentication data | Duration of the Tenant subscription + 30 days post-termination | Contractual necessity |
| End Customer records | As determined by the Tenant (data controller); deleted within 30 days of Tenant request or subscription termination | Tenant instruction |
| Transaction and financial records | 7 years from transaction date | UK tax law; Egyptian commercial law |
| KYC/AML records and Suspicious Activity Reports | 7 years from the end of the business relationship | Money Laundering Regulations 2017; Egyptian AML Law |
| Audit logs | 7 years from creation | Regulatory compliance; legitimate interest |
| Security event logs | 2 years from creation | Legitimate interest in platform security |
| Consent records | Duration of consent + 7 years | Legal obligation |
| Website contact form submissions | 2 years from submission | Legitimate interest |
Upon expiry of the retention period, personal data is securely deleted or irreversibly anonymised.
10. Your Rights
10.1 Rights Under UK GDPR and EU GDPR
- Right of access: Request a copy of the personal data we hold about you.
- Right to rectification: Request correction of inaccurate or incomplete data.
- Right to erasure (“right to be forgotten”): Request deletion of your data where there is no compelling reason for its continued processing.
- Right to restrict processing: Request that we limit how we use your data while a concern is being resolved.
- Right to data portability: Receive your data in a structured, commonly used, machine-readable format (JSON, CSV, or PDF).
- Right to object: Object to processing based on legitimate interests, including direct marketing.
- Right not to be subject to automated decision-making: You have the right not to be subject to decisions based solely on automated processing that produce legal effects.
- Right to withdraw consent: Where processing is based on consent, you may withdraw it at any time without affecting the lawfulness of prior processing.
10.2 Rights Under Egyptian PDPL
In addition to the rights above, if your data is processed under the PDPL, you have the right to:
- Be informed of any processing of your personal data before it occurs
- Access your data held by us or any processor
- Withdraw previously granted consent
- Request correction, updating, or deletion of your data
- Restrict processing to the specific purpose for which consent was granted
- Be notified of any data breach affecting your personal data
- Object to processing that causes harm to your legitimate interests
- Lodge a complaint with the PDPC
10.3 How to Exercise Your Rights
To exercise any of these rights, contact us using the details in Section 14. We will respond within 30 days for requests under UK GDPR, EU GDPR, or the PDPL.
10.4 Right to Lodge a Complaint
You have the right to lodge a complaint with a supervisory authority:
- UK: Information Commissioner’s Office (ICO) — ico.org.uk
- EU: The supervisory authority of the EU member state where you reside or work
- Egypt: Personal Data Protection Centre (PDPC)
11. Children’s Privacy
The Service is designed for business use and is not directed at individuals under the age of 18. We do not knowingly collect personal data from children. If we become aware that we have inadvertently collected data from a child, we will take prompt steps to delete it.
12. Multi-Tenant Architecture & Tenant Data Isolation
Orosphinx operates a multi-tenant architecture in which each Tenant’s data is logically isolated from all other Tenants. This isolation is enforced at the database level through PostgreSQL Row-Level Security policies. Tenant identifiers are derived exclusively from the authenticated session context and cannot be manipulated through client requests. No Tenant can access, view, or modify another Tenant’s data through the Service.
13. Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technologies, legal requirements, or other factors. When we make material changes, we will post the updated policy on our website with a revised “Last updated” date and notify Tenants and Users via email or in-platform notification at least 30 days before the changes take effect.
14. Contact Us
If you have questions about this Privacy Policy, wish to exercise your data subject rights, or need to report a privacy concern:
Orosphinx LTD
Registered in England and Wales
Data Protection Enquiries: privacy@orosphinx.com
General: hello@orosphinx.com
Data Protection Officer: dpo@orosphinx.com
For urgent data breach reports, please email privacy@orosphinx.com with “DATA BREACH” in the subject line.
15. Regulatory Supervision
Orosphinx operates under the supervision of:
- United Kingdom: The Information Commissioner’s Office (ICO) for UK GDPR compliance
- Egypt: The Personal Data Protection Centre (PDPC) for PDPL compliance
- European Union: The relevant EU supervisory authority for EU GDPR compliance, where applicable
This Privacy Policy is provided in English. Where a translated version is provided for convenience, the English version shall prevail in the event of any inconsistency.