Privacy Policy
Last updated: 3 April 2026
1. Introduction
APTIM-Solutions Ltd ("we", "us", "our") is committed to protecting and respecting your privacy. This Privacy Policy explains how we collect, use, store, and share your personal data when you use the Orchestrate platform ("Service").
APTIM-Solutions Ltd is the data controller for the purposes of the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018. Where we process personal data of individuals in the European Economic Area (EEA), we comply with the EU General Data Protection Regulation (EU GDPR).
2. Data We Collect
We collect and process the following categories of personal data:
- Account information: Full name, email address, and organisation membership when you register or are invited to Orchestrate.
- Authentication data: We use Auth0 as our identity provider. We do not store passwords. Auth0's privacy practices are governed by their own policy.
- Usage data: Actions performed within the platform (e.g. creating projects, updating RAID items) are recorded in an audit trail for governance purposes.
- Analytics data: We use Microsoft Clarity for session analytics (heatmaps, session recordings) to improve the user experience. Clarity collects anonymised interaction data. No personally identifiable information is captured by Clarity. Clarity is only activated if you consent to analytics cookies.
- AI interaction data: When you use AI-powered features (such as the project assistant), relevant project context is sent to Anthropic's Claude API to generate responses. We log the prompts sent and tokens used for usage tracking and cost management purposes. Anthropic does not use API inputs for model training.
- Error and performance data: We use Sentry for error monitoring and performance tracking. Sentry automatically collects technical data such as browser type, operating system, error stack traces, page URLs, and session identifiers when errors occur. This helps us identify and resolve issues quickly.
- Feedback data: When you submit feedback via the in-app widget, we collect your message, the page you were on, and your user ID.
- External resources: Organisation administrators may add external team members (non-users) with a name and optional email address for task assignment purposes.
3. How We Use Your Data
We process your personal data for the following purposes:
- Service delivery: To provide, maintain, and improve the Orchestrate platform, including user authentication, organisation management, and project governance features.
- Audit and compliance: To maintain audit trails of actions taken within projects for governance, accountability, and regulatory compliance.
- Communication: To send transactional emails such as project invitations, gate notifications, and system alerts.
- Analytics: To understand how users interact with the platform and to improve functionality and user experience.
- AI-powered features: To provide intelligent suggestions, project assistance, and content generation using Anthropic's Claude API. AI features process project data only when explicitly invoked by the user.
- Error monitoring: To detect, diagnose, and resolve technical issues using Sentry, ensuring the reliability and performance of the platform.
The legal bases for processing are: performance of a contract (providing the Service), legitimate interests (improving our product, maintaining security), and compliance with legal obligations (audit trails, data retention).
4. Data Sharing
We do not sell your personal data. We share data only with:
- Auth0 (Okta): Identity and authentication provider. Processes authentication credentials and session data.
- Anthropic: AI service provider (Claude API). Receives project context data when AI features are used. Anthropic does not use API inputs to train models. See Anthropic's Privacy Policy.
- Microsoft Clarity: Anonymised session analytics (heatmaps, session recordings). Only activated with user consent. See Clarity's privacy documentation.
- Sentry: Error monitoring and performance tracking. Collects technical diagnostic data when errors occur. See Sentry's Privacy Policy.
- Resend: Transactional email delivery (invitations, notifications).
- Hosting providers: Our infrastructure is hosted on Fly.io with databases in the EU region.
All third-party processors are bound by data processing agreements and are required to protect your data in accordance with applicable data protection law.
5. Data Retention
We retain your personal data for as long as your account is active or as needed to provide the Service. Audit trail data is retained for the lifetime of the project for governance and compliance purposes. If you request account deletion, we will anonymise your personal data within 30 days while preserving the integrity of project records.
6. Data Security
We implement appropriate technical and organisational measures to protect your personal data, including:
- Encryption in transit (TLS 1.2+) and at rest
- Multi-tenant data isolation with strict organisation boundaries
- Role-based access control at platform, organisation, and project levels
- Regular security reviews and dependency updates
7. International Transfers
Our primary infrastructure is hosted in the EU. Where data is transferred outside the UK or EEA (e.g. to US-based sub-processors), we ensure appropriate safeguards are in place, such as Standard Contractual Clauses (SCCs) or the sub-processor's participation in recognised data transfer frameworks.
8. Your Rights
Under UK GDPR and EU GDPR, you have the right to:
- Access the personal data we hold about you
- Rectify inaccurate or incomplete data
- Request erasure of your data (right to be forgotten)
- Restrict or object to processing
- Data portability — receive your data in a structured, machine-readable format
- Withdraw consent at any time (where processing is based on consent)
To exercise any of these rights, please contact us at privacy@aptim-solutions.com. We will respond within 30 days.
9. Cookies and Similar Technologies
Orchestrate uses cookies and similar technologies to provide, secure, and improve the Service. The table below lists all cookies and storage mechanisms used:
Essential Cookies
These cookies are strictly necessary for the platform to function. They cannot be disabled without breaking core functionality. No consent is required under ICO guidance for strictly necessary cookies.
| Cookie | Provider | Purpose | Duration |
|---|---|---|---|
appSession | Auth0 (Okta) | Encrypted session cookie for user authentication. Contains no personal data in readable form. | 24h rolling, 30 days max |
orch_org | Orchestrate | Stores the user's currently selected organisation ID for multi-tenant routing. | Session |
orch_consent | Orchestrate | Records the user's cookie consent preference (accepted or rejected). | 1 year |
Analytics Cookies
These cookies are only set if you accept analytics cookies via the cookie consent banner. You can change your preference at any time by clearing the orch_consent cookie in your browser settings, which will re-display the consent banner on your next visit.
| Cookie | Provider | Purpose | Duration |
|---|---|---|---|
_clck | Microsoft Clarity | Persists the Clarity user ID for session analytics. | 1 year |
_clsk | Microsoft Clarity | Connects page views into a single Clarity session recording. | 1 day |
CLID | Microsoft Clarity | Identifies the first-time Clarity saw this user. Used for heatmap and recording analytics. | 1 year |
ANONCHK | Microsoft Clarity | Indicates whether MUID cookie consent was transferred. Set by Clarity. | 10 minutes |
MR, MUID, SM | Microsoft Clarity | Microsoft tracking identifiers used by Clarity for anonymised analytics. No personal data is captured. | Various (up to 1 year) |
Error Monitoring
Sentry uses browser local storage (not cookies) to store session replay identifiers and error context. This data is technical in nature and is used solely for diagnosing and resolving platform issues. It does not contain personally identifiable information.
We do not use advertising cookies or third-party tracking cookies. No data is shared with advertisers.
10. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of any material changes by posting the new policy on this page and updating the "last updated" date. We encourage you to review this policy periodically.
11. Contact Us
If you have any questions about this Privacy Policy or our data practices, please contact us:
- Email: privacy@aptim-solutions.com
- APTIM-Solutions Ltd
- Registered in England and Wales
You also have the right to lodge a complaint with the Information Commissioner's Office (ICO) at ico.org.uk if you believe your data protection rights have been violated.