
Orca Privacy Policy

Last updated: April 15, 2026

Who we are

Orca is provided by Retailogists Inc. (“we”, “us”). Orca is an order management system (OMS) for Shopify and Shopify Plus retailers. It ingests orders from connected sales channels, orchestrates inventory and fulfillment across warehouses, 3PLs, and stores, and exposes reporting and workflow tools to merchant staff.

Scope

This policy explains what we collect, how we use and share it, how long we keep it, and your rights in Canada and the United States.

Roles

For data flowing through a merchant’s Orca tenant — orders, customers, inventory, fulfillment records sourced from Shopify and connected systems — the merchant is the controller / business and Retailogists is the processor / service provider, acting on the merchant’s documented instructions.

For our website, Orca user accounts, billing, and support, we are the controller / business.

1) Information We Collect

From Shopify and connected sales channels (as configured by the merchant)

  • Order data: order IDs, timestamps, line items, quantities, SKUs, prices, discounts, taxes, shipping methods, order status, fulfillment status, returns and refunds.

  • Customer data attached to orders: name, shipping and billing address, email, phone number, customer ID, order history, and tags. Orca does not store full payment card numbers — payment is processed by Shopify or the merchant’s payment processor.

  • Inventory and product data: SKUs, product attributes, stock levels, locations, cost data (where provided), bundles and kits.

  • Channel and store metadata: connected stores, locations, warehouses, and sales channel identifiers.

From connected fulfillment, WMS, 3PL, ERP, and carrier systems

  • Fulfillment events: pick, pack, ship, and delivery events, tracking numbers, carrier and service level.

  • Inventory movements: transfers, adjustments, receipts, and cycle counts.

  • Accounting and ERP references: invoice and PO numbers, GL codes, and tax identifiers where the merchant connects an ERP (e.g., NetSuite, SAP, Microsoft Dynamics 365).

From admins and users of Orca

  • Account and login details (name, work email, role).

  • Usage logs: features used, API calls, actions taken in the Orca app.

  • Support tickets and related correspondence.

  • Billing information, handled via Shopify Billing or our payment processor.

  • Technical data: IP address, device and browser, and cookies used for session and login.

2) How We Use Information

  • Provide, secure, monitor, and troubleshoot Orca.

  • Route orders, synchronize inventory, and orchestrate fulfillment between Shopify, warehouses, 3PLs, carriers, and ERP systems the merchant has connected.

  • Generate analytics, dashboards, and reports for the merchant (order volume, fulfillment SLAs, inventory turns, returns, channel performance).

  • Communicate about the service, respond to support requests, and improve features.

  • Comply with law and prevent fraud or abuse.

We do not sell personal information and do not use it for third-party targeted advertising.

3) Data Sharing

We share information only with:

  • Service providers (cloud hosting, logging, analytics, email, billing) under contracts that limit their use of data to providing services to us.

  • Shopify and the downstream platforms a merchant connects — WMS, 3PLs, ERPs, carriers, returns platforms — strictly to execute orders and operations the merchant has configured.

  • Parties involved in a business transfer (merger, acquisition, financing), with appropriate protections.

  • Law enforcement and regulators where legally required.

4) Security

We apply multiple layers of protection:

  • Encryption in transit (TLS) and at rest for merchant data.

  • Tenant isolation: each merchant’s data is logically segregated.

  • Least-privilege access controls, SSO and MFA for internal systems, and regular access reviews.

  • Continuous monitoring, audit logging, and incident response procedures.

  • Secrets management for API keys and credentials to connected systems.

No system is perfectly secure, but we work to align Orca with industry-standard controls for SaaS order management platforms.

5) Data Retention

  • We keep merchant data for as long as the merchant’s Orca subscription is active and as needed to provide the service.

  • After termination, merchant data is scheduled for deletion within 90 days, subject to any written retention request from the merchant.

  • Limited backups and operational or security logs may persist up to 12 months for legal, security, and compliance purposes.

  • Aggregated and de-identified data that no longer identifies any individual or merchant may be retained for benchmarking and product improvement.

6) International Data Transfers

Orca is hosted in North America. Data from merchants and their customers may be processed in the United States and Canada. Where required by law, we rely on appropriate transfer mechanisms (such as standard contractual clauses) to protect personal data in cross-border transfers.

7) Your Rights

Canada (PIPEDA and provincial laws)

  • Request access to your personal information.

  • Request correction of inaccurate data.

  • Withdraw consent where applicable.

United States (state privacy laws)

Depending on your state, you may have rights to:

  • Access your personal information.

  • Correct inaccurate data.

  • Delete your information.

  • Obtain a portable copy of your data.

  • Opt out of targeted advertising, sale, or profiling (as defined by law).

Note: Orca does not sell or “share” personal information for cross-context behavioral advertising.

For a merchant’s end customers

If you are a shopper whose order was processed through an Orca-powered merchant, that merchant is the controller of your data. Please direct access, correction, and deletion requests to the merchant first. We will assist the merchant in responding within the timelines required by law.

How to exercise your rights

Email support@retailogists.com or use our web form. We will verify your identity and respond as required by law. You may designate an authorized agent where permitted.

8) Children

Orca is a B2B product directed to retail merchants and their staff. It is not directed to children under 13, and we do not knowingly collect personal information from children.

9) Compliance Standards

Orca is designed to support merchants in meeting major data protection regimes, including:

  • EU GDPR (General Data Protection Regulation)

  • US CCPA / CPRA (California) and other US state privacy laws

  • Canadian PIPEDA and provincial privacy laws

  • Other applicable data protection laws

We offer a Data Processing Addendum (DPA) to merchants on request.

10) Sub-processors

Orca uses a limited set of sub-processors for cloud hosting, logging, analytics, email delivery, and billing. An up-to-date list is available on request by emailing support@retailogists.com. Merchants on paid plans are notified of material sub-processor changes in advance.

11) Changes

We may update this policy. We will update the “Last updated” date and provide additional notice if required by law.

12) Contact

Retailogists Inc.

Privacy Officer: Vincent Younan, COO

Email: vincent.younan@retailogists.com

For privacy questions or concerns, please contact us at the above email address. We are committed to addressing all privacy inquiries promptly and thoroughly.
