This Privacy Policy explains how SerVC Ltd. and its affiliates (“Orca”, “we”, “our”, or “us”) collect, use, disclose, and otherwise process personal information relating to individuals (“you” or “user”) who visit, access, or otherwise interact with our website, including any related applications and services at https://www.orcainc.com/, https://www.servc.co.il/, https://fms.orcainc.com/login, https://portal.orcainc.com/auth/login, https://fms.orcainc.com/published-investor-report, https://fms.orcainc.com/documents/data-room/external, https://fms.orcainc.com/kpi, and other subdomains (collectively the “Website(s)”), and our venture capital and private equity management platform (the “Platform”), and any application programming interfaces made available in connection with the Platform (the “API”), and together with the Website(s), and the Platform, the “Service”).

Orca provides a technology platform designed to support venture capital and private equity firms in managing investment data, investor communications, portfolio reporting, and related operational processes. In the course of providing these services, Orca may process certain information relating to individuals acting on behalf of our customers, investors, portfolio companies, or other business stakeholders.

Orca is committed to protecting personal information and handling such information in a transparent and responsible manner consistent with applicable data protection laws, including the EU General Data Protection Regulation (GDPR), the Israeli Privacy Protection Law, and other applicable privacy frameworks. This Privacy Policy describes how Orca collects, uses, stores, and safeguards personal information and explains the rights available to individuals whose information may be processed through the Service.

1. Effective Date and Changes to this Privacy Policy

This Privacy Policy takes effect when you first access or use the Service and will remain in force for as long as you continue to use or have access to the Service, or for a longer period if required under this Privacy Policy.

By accessing or using the Service, you acknowledge the data processing practices described in this Privacy Policy.

We may update this Privacy Policy from time to time to reflect changes in our practices, technologies, legal requirements, or for other operational reasons. When we do, we will revise the “Last Updated” date at the bottom of the policy. If we make material changes, we will provide notice through the Service or by other means, as required by applicable law. Continued use of the Service after any changes indicates your acceptance of the updated Privacy Policy.

2. Our Service

As part of the Service (which includes the Websites and the Platform), Orca provides a cloud-based software platform designed to assist venture capital and private equity organizations in managing fund operations, portfolio data, investor communications, and related investment management workflows. The Platform enables Customers to maintain structured investment records, track portfolio performance, share documents with investors and other stakeholders, generate reports, and facilitate collaboration among authorized users within their organizations. The Service may be accessed through various interfaces, including web-based interfaces, application programming interfaces (APIs), and other access methods made available by Orca from time to time, subject to the applicable agreement with the Customer.

The Platform is provided to business customers and public sector entities (the “Customers”) and is not offered as a consumer-facing platform.

Processing within Customer Environments

In the course of providing the Platform, Orca may process information that Customers choose to upload to the Platform or otherwise make available in connection with their use of the Service. Such information may include operational data relating to the Customer’s investment activities, portfolio management processes, and investor communications. Such data may include Personal Information relating to individuals acting on behalf of a Customer (for example, employees, contractors, or authorized personnel).

Depending on how the Customer configures and uses the Platform, such information may include personal information relating to individuals acting on behalf of the Customer or interacting with the Customer’s investment activities (including, for example, names and business contact details of fund personnel, investors, advisors, or portfolio company representatives, investor account information or investor relationship records maintained by the Customer, portfolio company contact information and related communications, documents uploaded to the Platform, user account credentials and access permissions assigned within the Platform, records reflecting user interactions with the Platform, such as access history or activity logs, etc.).

With respect to such processing, Orca acts as a data processor (or service provider) on behalf of the relevant Customer and processes Personal Information solely in accordance with the Customer’s documented instructions and the applicable agreement. The relevant Customer determines the purposes of the processing and is responsible for establishing the appropriate legal basis for such processing under applicable law. Orca does not use such Personal Information for its own independent advertising, behavioral profiling, data monetization, or unrelated commercial purposes.

In certain cases, individuals who access or use the Service on behalf of a Customer may be required to confirm that they have read and understood this Privacy Policy. Such confirmation constitutes acknowledgment of the transparency notice set forth herein and does not modify the allocation of roles between Orca and the relevant Customer.

Platform Account Administration. Customers are responsible for administering user accounts within their organizations and determining which individuals are authorized to access the Platform. Customers may assign roles, permissions, and access privileges to authorized users and may modify or revoke such permissions at their discretion. Orca processes Personal Information associated with such user accounts solely in accordance with the Customer’s instructions and the applicable service agreement.

Website-Related Processing

Where individuals interact directly with the Website component of the Service (for example, by submitting a contact form, requesting information, or communicating with Orca), Orca collects and processes business contact details such as name, business email address, phone number, company affiliation, and the content of the inquiry.

With respect to such Website-related processing, Orca acts as an independent data controller and processes the information in accordance with applicable law.

Roles and Responsibilities

For clarity, Orca may act in different data protection roles depending on the context in which Personal Information is processed through the Service.

3. Information We Collect

Orca collects and processes Personal Information in two distinct operational contexts:

1. Personal Information collected directly through the Website component of the Service; and
2. Personal Information processed within Customer environments in the course of providing the Platform and supporting Customers’ investment management, portfolio monitoring, and investor communication activities.

These two categories are governed by different legal roles and responsibilities, as further described below.

3.3. Information Collected via the Website

When individuals interact directly with the Website, Orca may collect the following categories of Personal Information:

(a) Business and Contact Information

When a visitor submits an inquiry, requests information, schedules a meeting, or otherwise communicates with Orca via the Website or email, we may collect:

• Full name
• Business email address
• Business phone number
• Company name and role
• The content of the inquiry or communication
• Any attachments voluntarily submitted

This information is provided voluntarily by the individual.

(b) Technical and Usage Information

When individuals access the Website, certain technical information may be collected automatically, including:

• IP address
• Browser type and version
• Device type and operating system
• Referring URLs
• Date and time of access
• Pages viewed and navigation paths
• Interaction data
• General geographic location derived from IP address

This information is collected for security, fraud prevention, system administration, performance monitoring, and analytics purposes.

(c) Cookies and Similar Technologies

The Website uses cookies and similar tracking technologies as described in Section 4 below. Certain cookies are strictly necessary for Website operation, while others may be subject to consent requirements under applicable law.

With respect to Personal Information collected via the Website, Orca acts as an independent data controller.

Note: If you provide Personal Information about another individual, you are responsible for ensuring that you have the legal authority or that person’s consent to share their information with us, and for informing them of this Privacy Policy.

3.4. Information Processed Within Customer Environments

In the course of providing the Platform, Orca may access, receive, store, and process data made available by Customers within their organizational environments or uploaded to the Platform in connection with the management of investment activities, portfolio monitoring, investor communications, and related operational processes.

Depending on the Customer’s configuration, deployment architecture, and security posture, such data may include Personal Information relating to individuals acting on behalf of the Customer, including:

• Business email addresses
• Usernames
• Authentication credentials or authentication metadata
• Investor contact information maintained by the Customer
• Portfolio company contact information and associated business records
• Communications exchanged between Customers and investors through the Platform
• Investment-related documents uploaded or shared through the Platform
• User account details, including login credentials and assigned permissions
• Records reflecting the use of the Platform by authorized users
• IP addresses
• Device identifiers
• System activity records
• Information enabling attribution of activity to a specific authorized user within the Customer’s organization

Orca does not control or determine the scope, structure, or content of data made available within Customer’s environment, including where Customers configure or create customizable data collection forms or similar interfaces within the Service. The Customer solely determines what information is collected, submitted, or otherwise processed through such features, and Orca provides only the technical infrastructure that enables the creation and operation of these tools.

Orca processes such data solely for the purpose of delivering its Services.

With respect to Personal Information processed within Customer’s environments:

• Orca acts as a data processor (or service provider) on behalf of the relevant Customer;
• The Customer determines the purposes and legal basis for processing under applicable law;
• Orca processes such data strictly in accordance with the Customer’s documented instructions and the applicable agreement.

Orca does not use Personal Information processed within Customer environments for independent advertising, behavioral profiling, data monetization, or unrelated commercial purposes.

In providing the Platform, Orca does not routinely review, analyze, or otherwise examine the substantive content of information uploaded or made available by Customers, except where necessary to provide technical support, maintain the functionality and security of the Service, comply with legal obligations, or as otherwise instructed by the relevant Customer. The Customer remains responsible for determining the categories of information processed through the Platform and for ensuring that such processing complies with applicable data protection laws.

3.5. Customer Responsibility for Uploaded Content

Customers are responsible for determining the categories of information that they choose to upload, store, or otherwise process through the Platform. Customers must ensure that they have a lawful basis under applicable data protection laws for providing such information to Orca for processing. Orca does not independently verify the legality of data uploaded by Customers and processes such information solely on behalf of the relevant Customer in accordance with the applicable agreement.

Customer-Configured Data Collection Features

To the extent the Services include functionality that allows Customer to configure, create, or deploy data collection interfaces (including, without limitation, forms, questionnaires, portals, or similar tools), Customer acknowledges and agrees that it solely determines: (a) the categories and types of personal data collected through such features; (b) the purposes for which such data is collected and processed; and (c) the manner in which such data is presented, requested, or obtained from data subjects.

Customer represents and warrants that it has established a valid legal basis for the collection and processing of any personal data collected through such features, and that it has provided all required notices and obtained any necessary consents under applicable data protection laws.

Orca does not monitor or control the content of data collected through such features and acts solely as a processor in relation to such data, processing it only in accordance with Customer’s documented instructions and the applicable Agreement.

3.6. Platform Activity Records

In order to maintain the integrity, reliability, and security of the Platform, Orca may maintain records reflecting user activity within the Platform environment. These records may include information such as login timestamps, administrative actions, document access events, and other system interactions. Such records are maintained solely for operational, security, audit, and compliance purposes and are not used for profiling or marketing activities.

3.7. System-Generated and Automatically Collected Technical Data

In addition to the information described above, Orca may generate or collect certain technical and system-level data automatically in connection with the operation, security, and maintenance of the Service. This category includes information that is created through the technical functioning of the Service itself and may not be directly provided by an individual.

(a) Service Infrastructure and Operational Data

Orca may collect technical data necessary to ensure the proper functioning, integrity, and security of the Service, including:

• System performance metrics
• Service availability data
• Configuration and deployment metadata
• API request records
• Load-balancing and routing information
• Backup and recovery logs
• Diagnostic and error reports
• Versioning and update logs

To the extent such information contains Personal Information relating to identifiable individuals within a Customer’s environment, Orca processes it solely in its capacity as a data processor on behalf of the relevant Customer.

(b) Security and Integrity Monitoring Data

Orca may automatically generate and retain certain system-level operational records that arise as part of the technical functioning of the Service and that are necessary to maintain the reliability, availability, and security of the Platform infrastructure.

These records may include technical logs reflecting system performance, service availability, authentication activity, and other operational metrics used to maintain the integrity, stability, and security of the Service, such as:

• system performance and reliability metrics
• authentication and access control records
• application diagnostics and error reports
• audit logs relating to administrative actions within the Platform infrastructure.

Where such records relate to identifiable individuals acting on behalf of a Customer, Orca processes such information in accordance with its processor role as described in Section 2.

(c) Website Analytics and Security Data

Separately, in relation to the Website component of the Service, Orca may automatically collect limited analytics and technical data, including:

• IP address
• Browser and device information
• Pages accessed
• Timestamp data
• Interaction patterns

Orca does not use advertising identifiers (such as mobile advertising IDs) for cross-context behavioral advertising, and does not engage in consumer profiling activities.

(d) De-Identified and Aggregated Technical Data

Orca may derive statistical, aggregated, or de-identified technical information from system operations for purposes such as:

• Capacity planning
• Service optimization
• improving the Platform’s reliability and resilience
• identifying general usage trends and system performance patterns

Such information does not identify individuals and is not used to reconstruct individual-level activity.

You are not legally required to provide us with any Personal Information. However, some of the information we request is necessary for us to provide you with access to and use of the Service. If you choose not to provide certain information, we may be unable to offer you some or all of the features or functionality of the Service.

4. Cookies and Similar Technologies

The Service (including the Website and the Platform) uses cookies and other tracking technologies, including pixels, web beacons, scripts, and similar automated data collection tools, in order to support the operation, security, and performance of the Service and to understand how visitors interact with its content.

Cookies are small text files placed on a user’s device when visiting a website. Other tracking technologies may include pixels, scripts, or similar technologies that enable websites or service providers to recognize a device, measure interactions with content, analyze browsing patterns, or collect information about how the Service is used. These technologies may collect technical information such as device identifiers, browser type, IP address, pages visited, referring URLs, and interaction patterns.

Orca uses these technologies for purposes such as maintaining Service functionality, improving performance and reliability, measuring engagement with Service content, supporting security and fraud prevention measures, and understanding general usage patterns in order to improve the Service and related services.

Where required by applicable law, the deployment of cookies and other tracking technologies that are not strictly necessary for the operation of the Service is subject to the user’s consent. Users accessing the Service (including the Website and the Platform) are therefore presented with a cookie management banner that allows them to accept, reject, or customize the use of non-essential cookies and other tracking technologies.

Detailed information regarding the categories of cookies and tracking technologies used on the Service, together with options for managing user preferences, is available through the cookie management interface accessible on the Service. Users may also configure their browser settings to refuse or delete cookies. Please note that disabling certain cookies or tracking technologies may affect the functionality or availability of certain Service features.

Additional information regarding Orca’s privacy practices is available here.

Orca does not use cookies or similar technologies for cross-context behavioral advertising or consumer data brokerage activities.

5. How Orca Uses the Information

Depending on the circumstances of the interaction, Orca may process Personal Information on the basis of one or more lawful grounds permitted under applicable data protection law, including:

• legitimate interests in operating, securing, and improving the Service and managing business communications;
• consent, where individuals voluntarily submit information or where consent is required for certain tracking technologies;
• contractual necessity, where processing is required to respond to requests relating to potential services or engagements; and
• compliance with applicable legal or regulatory obligations.

The purposes of processing differ depending on whether Orca acts as an independent data controller (in connection with the Website) or as a data processor (in connection with the Platform services provided to Customers).

5.1. Website-Related Processing

Where Orca collects Personal Information directly via the Website component of the Service, such information is processed for the following purposes:

• responding to inquiries, contact requests, or other communications submitted through the Website;
• evaluating potential business relationships or engagements;
• providing information regarding Orca’s services and capabilities;
• sending newsletters, updates, and marketing or promotional communications, where permitted under applicable law;
• administering and maintaining the Website, including troubleshooting, performance monitoring, and technical maintenance;
• protecting the Website against misuse, unauthorized access, or malicious activity;
• complying with applicable legal or regulatory obligations.

Where permitted under applicable law, Orca may use business contact details to send newsletters, updates, and other communications regarding its services, capabilities, or relevant developments. Recipients may opt out of such communications as described in Section 6 below.

Orca does not use Website-collected Personal Information for consumer advertising, cross-context behavioral tracking, or unrelated commercial data monetization.

Where Orca sends marketing or promotional communications, it does so in accordance with applicable law and, where required, based on the individual’s prior consent.

However, Orca may process Personal Information collected via the Website on the basis of its legitimate interests in operating, securing, and improving the Website, managing business communications, and evaluating potential engagements, provided that such interests are not overridden by the rights and freedoms of the relevant individuals.

Where required under applicable data protection laws, Orca processes Personal Information on the basis of legitimate interests, consent, contractual necessity, or compliance with legal obligations, depending on the nature of the interaction and the applicable regulatory framework.

5.2. Processing Within Customer Environments

In the course of providing the Platform and supporting Customers’ use of the Service, Orca processes Personal Information solely on behalf of and under the documented instructions of the relevant Customer.

Such processing is limited to what is necessary to deliver the Service, including:

• operating and maintaining the Platform and its core functionality
• enabling Customers to manage investment records, portfolio information, and investor communications
• facilitating collaboration among authorized users within a Customer’s organization;
• supporting document sharing, reporting, and investor engagement workflows implemented by the Customer
• maintaining system reliability, performance, and operational integrity of the Platform
• providing technical support and responding to Customer service requests
• maintaining operational integrity and service continuity
• generating audit trails and activity records required for security oversight

Orca does not independently determine the purposes for which Personal Information within a Customer’s environment is processed. The Customer determines the purposes and legal basis for such processing under applicable law. Orca does not use Personal Information processed within Customer environments for advertising, marketing profiling, cross-context behavioral tracking, or unrelated commercial exploitation.

5.3. Service Operation and Internal Administration

Orca may process Personal Information, in either controller or processor capacity as applicable, for internal administrative and operational purposes reasonably necessary to operate the Service and its business, including:

• maintaining internal records and documentation;
• conducting internal audits or compliance reviews;
• enforcing contractual rights and obligations;
• supporting corporate governance and risk management;
• complying with applicable legal, regulatory, or governmental requirements;
• supporting corporate transactions such as mergers, acquisitions, reorganizations, or asset transfers, subject to appropriate safeguards.

Where such processing relates to Personal Information within Customer environments, it remains subject to Orca’s processor role and the applicable Customer agreement.

5.4. De-Identified and Aggregated Information

Orca may derive statistical, aggregated, or de-identified information from data processed in connection with the Service for purposes such as:

• improving system performance and reliability;
• capacity planning and infrastructure optimization;
• improving the reliability and resilience of the Platform infrastructure;
• supporting ongoing security and operational risk management practices.

Such information does not identify individuals and is not used to reconstruct individual-level activity.

6. Your Choices Regarding Communications

Orca may use business contact information collected through the Website or in the context of existing business relationships to communicate information regarding its services, capabilities, industry developments, or relevant updates.

Such communications are directed to business representatives and are not based on consumer profiling or cross-context behavioral advertising.

You may opt out of receiving marketing or promotional communications from Orca at any time by:

• using the unsubscribe mechanism included in the communication (where applicable); or
• contacting us at support@orcainc.com.

We will process opt-out requests within a reasonable period and in accordance with applicable law.

Please note that even if you opt out of marketing communications, Orca may continue to send administrative or service-related communications that are necessary in connection with an existing business relationship, contractual engagement, or security-related matter.

7. Your Rights

Depending on your place of residence and the applicable data protection laws, you may have certain rights in relation to your Personal Information. These rights may arise under, among other frameworks, the EU General Data Protection Regulation (GDPR), the Israeli Privacy Protection Law, 1981 (the “PPL”), and certain U.S. state privacy laws.

Because Orca operates both as an independent data controller (in connection with Website-related processing) and as a data processor (in connection with the operation of the Platform and the processing of information on behalf of Customers), the manner in which rights may be exercised depends on the context in which your Personal Information is processed.

7.1. Rights in Relation to Website-Related Processing

With respect to Personal Information collected directly by Orca via the Website and processed by Orca in its capacity as an independent data controller, you may have the right, subject to applicable law, to:

• obtain confirmation as to whether Orca processes your Personal Information;
• access the Personal Information held about you and receive supplementary information regarding its processing;
• request correction of inaccurate or incomplete Personal Information;
• request deletion of Personal Information where legally justified;
• request restriction of processing in certain circumstances;
• object to certain types of processing;
• withdraw consent where processing is based on consent;
• request portability of Personal Information where applicable;
• lodge a complaint with a competent supervisory or regulatory authority.

These rights are not absolute and may be subject to limitations, including where processing is necessary to comply with legal obligations, establish or defend legal claims, protect legitimate interests, or ensure the security and integrity of systems and services.

Orca does not engage in automated decision-making or profiling that produces legal effects concerning individuals within the meaning of applicable data protection laws.

Requests relating to Website-collected Personal Information may be submitted using the contact details provided in Section 15 below.

7.2. Processing Within Customer Environments

Where Personal Information is processed by Orca within a Customer’s IT infrastructure or through the Platform in connection with the Customer’s use of the Service, Orca acts solely as a data processor (or service provider) on behalf of the relevant Customer. In such cases:

• The relevant Customer is the data controller responsible for determining the purposes and legal basis of the processing;
• The relevant Customer is responsible for responding to data subject rights requests relating to such processing.

If Orca receives a request relating to Personal Information processed on behalf of a Customer, Orca will, where appropriate and permitted, refer the request to the relevant Customer or notify the Customer in accordance with the applicable agreement between Orca and that Customer.

Orca does not independently modify, erase, restrict, or disclose Personal Information processed within a Customer’s environment except in accordance with the Customer’s documented instructions or where required to do so under applicable law.

Individuals acting on behalf of a Customer (for example, employees, contractors, or authorized personnel) should therefore direct rights requests relating to data processed within the Customer’s systems to the relevant Customer organization.

7.3. Limitations in Platform Integrity and Security Contexts

In certain circumstances, the exercise of data subject rights may be subject to limitations where such limitations are necessary and proportionate in order to protect the security, integrity, and reliability of the Platform, to prevent unauthorized access to Customer data, to comply with legal or regulatory obligations, or to safeguard the rights and freedoms of other individuals. Any such limitations will be applied strictly in accordance with applicable data protection laws.

7.4. Verification and Response Procedures

To protect Personal Information and prevent unauthorized disclosure, Orca may require reasonable verification of identity before responding to a request. This may include requesting additional information sufficient to confirm that the requester is the data subject or is authorized to act on their behalf.

Orca will review and respond to valid requests within the timeframes required under applicable law. Where permitted by law, response periods may be extended where necessary due to the complexity of the request or the volume of requests received.

If Orca is unable to fulfill a request, in whole or in part, it will provide an explanation consistent with applicable legal requirements.

8. Duration of Information Retention and Storing

Orca retains Personal Information for no longer than is necessary in light of the purposes for which the information was collected and processed, the nature of the engagement, applicable legal and regulatory requirements, and legitimate operational and security considerations.

The applicable retention framework varies depending on Orca’s role in relation to the relevant data and the context in which it is processed.

Where applicable, Orca retains certain records for periods required under applicable tax, accounting, or other statutory retention obligations.

8.1. Personal Information Processed by Orca as Controller

Personal Information collected directly via the Website (including business contact details and communications submitted through inquiry forms or email correspondence) is retained for a period that is reasonably necessary to manage business communications, evaluate potential engagements, maintain appropriate business records, and comply with applicable legal and regulatory obligations.

Where feasible, Orca defines internal retention schedules for categories of operational records (such as system logs, security monitoring records, and business communications) based on documented criteria including operational necessity, security best practices, contractual commitments, and applicable statutory obligations.

Retention periods in this context are determined based on documented internal criteria that take into account, among other things:

• the nature and sensitivity of the information;
• whether an ongoing or potential business relationship exists;
• applicable statutory limitation periods;
• legal, regulatory, audit, or compliance requirements;
• the need to preserve information in connection with potential disputes or claims.

Where Personal Information is no longer required for these purposes, Orca will take reasonable steps to delete, anonymize, or otherwise securely dispose of such information in accordance with its internal data governance practices.

8.2. Personal Information Processed on Behalf of Customers

Where Personal Information is processed within a Customer’s environment or through the Platform in connection with the Customer’s use of the Service, Orca retains such information in accordance with:

• the documented instructions of the relevant Customer; and
• the terms of the applicable agreement between Orca and the Customer.

Orca does not independently determine the retention periods applicable to Personal Information processed on behalf of Customers. The relevant Customer remains responsible for defining retention policies applicable to its systems and environments.

Upon termination or expiration of the applicable agreement, Orca will delete or return Personal Information processed on behalf of the Customer in accordance with the contractual arrangements and applicable law, subject to limited retention where required for legal, regulatory, evidentiary, or security-related purposes.

8.3. Retention of System Logs, Audit Trails, and Backup Data

Given the nature of the Service, certain security logs, audit trails, and system integrity records may be retained for defined and documented periods in order to support security monitoring, system diagnostics, incident investigation, compliance obligations, and operational continuity.

Retention periods for such records are determined in accordance with security best practices, contractual requirements, and applicable legal obligations. Where such records contain Personal Information, they are retained only for as long as reasonably necessary for these purposes.

Backup copies of data may persist for limited periods as part of standard backup and disaster recovery cycles. Data contained in backup systems remains subject to appropriate technical and organizational safeguards and is securely overwritten or deleted in the ordinary course of system operations.

8.4. De-Identified and Aggregated Information

Orca may retain statistical, aggregated, or de-identified information derived from system operations without time limitation, provided that such information does not identify individuals and cannot reasonably be used to reconstruct individual-level activity.

9. Sharing Information with Third Parties

Orca may disclose Personal Information to limited categories of recipients where necessary to provide the Service, operate its business, comply with legal obligations, or protect legitimate interests. Such recipients may include service providers supporting the operation of the Platform, infrastructure and hosting providers, analytics providers in connection with Website usage, professional advisors, corporate affiliates, and competent authorities where disclosure is required by law.

The manner in which Personal Information is shared depends on whether Orca acts as an independent data controller (in connection with Website-related processing) or as a data processor (in connection with the operation of the Platform and the provision of Services to Customers).

9.1. Service Providers and Sub-Processors

Orca engages third-party service providers to support the operation, delivery, security, and maintenance of the Service. Such providers may include, for example: cloud infrastructure and hosting providers, platform infrastructure and security service providers, analytics providers (in relation to Website usage), CRM or communication management platforms, professional advisors (legal, financial, audit), managed infrastructure support providers, etc.

Where Orca processes Personal Information as a data processor on behalf of a Customer, such third parties act as sub-processors. In such cases:

• Where Orca engages third-party providers in connection with the provision of the Service, it does so under written agreements or standard terms that include data protection and confidentiality commitments appropriate to the nature of the services provided.
• Orca conducts reasonable due diligence prior to engaging such providers and requires them to implement security measures consistent with applicable law and industry standards.
• Orca’s responsibility for the acts and omissions of sub-processors shall be governed by the terms of the applicable agreement between Orca and the Customer.

Where Orca processes Personal Information as a data controller (e.g., Website-related data), such third parties act as service providers under appropriate contractual arrangements.

A list of principal sub-processors used in connection with the Service is made available through Orca’s designated sub-processor disclosure page or may otherwise be provided to Customers upon request or through contractual documentation.

9.2. Affiliates and Corporate Structure

Orca may share Personal Information with its affiliates or group companies where such sharing is necessary for internal administrative purposes, service delivery, security management, or corporate governance, and subject to appropriate safeguards.

9.3. Legal and Regulatory Disclosures

Orca may disclose Personal Information where required to do so by applicable law, regulation, court order, or lawful governmental request.

Orca may also disclose Personal Information where necessary to:

• enforce its contractual rights;
• protect the security or integrity of the Service;
• investigate suspected fraud or unlawful activity;
• protect the rights, property, or safety of Orca, its Customers, or others.

9.5. Corporate Transactions

In the event of a merger, acquisition, reorganization, financing transaction, sale of assets, or similar corporate event, Personal Information may be transferred to the relevant successor entity or counterparty, subject to appropriate confidentiality and data protection safeguards.

9.6. De-Identified and Aggregated Information

Orca may share statistical, aggregated, or de-identified information that does not identify individuals and cannot reasonably be used to identify them.

9.7. No Sale of Personal Information

Orca does not sell Personal Information for monetary consideration and does not engage in consumer data brokerage or cross-context behavioral advertising activities.

10. Third Party Services and Embedded Content

The Website may contain links to external websites or incorporate content or functionalities provided by third parties. Where users choose to interact with such third-party services, any collection or processing of Personal Information by those third parties is governed by their respective privacy policies and terms. Orca does not control and is not responsible for the data handling practices of third-party websites or services. Users are encouraged to review the privacy policies of any external services they access through the Website. The use of third-party cookies and similar technologies in connection with analytics or performance measurement is described in Section 4 above.

11. Information Security

Orca implements appropriate technical and organizational measures designed to protect Personal Information against unauthorized access, disclosure, alteration, and destruction, taking into account the nature of the information and the risks associated with its processing. Such measures may include, as applicable:

• access control mechanisms;
• role-based authorization;
• encryption and secure transmission protocols;
• network and infrastructure monitoring;
• internal security policies and training;
• vendor risk assessments and contractual safeguards.

Access to Personal Information is limited to personnel and service providers who require such access in order to perform their responsibilities and who are subject to confidentiality and data protection obligations. In the event of a personal data breach, Orca will act in accordance with applicable legal and contractual obligations, including notification requirements where applicable.

While Orca applies security controls consistent with industry practices, no method of transmission or storage can be guaranteed to be entirely secure.

12. International Transfers

Personal Information may be processed in jurisdictions other than the country in which the relevant individual is located. In the context of on-premise deployments, Personal Information is generally processed within the Customer’s chosen infrastructure environment. In connection with SaaS deployments or the use of certain service providers, Personal Information may be processed in Israel, the European Economic Area (EEA), the United States, or other jurisdictions where Orca or its service providers operate. The location of processing may depend on the deployment model selected by the Customer and the infrastructure providers used to operate the Service.

Where required by applicable law, Orca implements appropriate safeguards to support lawful cross-border transfers. Such safeguards may include reliance on adequacy decisions, standard contractual clauses approved by relevant regulatory authorities, or other lawful transfer mechanisms recognized under applicable data protection laws.

13. Children’s Privacy

The Service is not directed to children and is intended for business use. Orca does not knowingly collect Personal Information from individuals under the age of eighteen (18).

If Orca becomes aware that Personal Information has been collected from a minor without appropriate authorization, it will take reasonable steps to delete such information.

14. General Provisions

For any question, concern, comments or suggestions regarding this Privacy Policy, please contact Orca at support@orcainc.com. This Privacy Policy applies globally to all users of the Orca Service, and we will comply with applicable privacy laws based on your place of residence.

Updates to this Privacy Policy. Orca may update this Privacy Policy from time to time to reflect changes in its practices, legal requirements, or operational needs. The updated version will be made available on the Website with an updated “Last Updated” date. Where required by applicable law, Orca will provide additional notice of material changes. Continued use of the Service following the effective date of an updated Privacy Policy constitutes acknowledgment of the revised terms.

Governing Law. This Privacy Policy and any disputes arising from it shall be governed by the laws of the State of Israel, without prejudice to any mandatory rights or remedies available to individuals under applicable data protection laws. Subject to the foregoing, the competent courts located in Tel Aviv–Jaffa, Israel shall have exclusive jurisdiction over disputes arising out of or relating to this Privacy Policy, and the user and Orca hereby submit to the personal jurisdiction and venue of such courts. Nothing in this section shall prevent either party from seeking injunctive or equitable relief in any court of competent jurisdiction where such relief is necessary to protect its rights.

Copyright. The copyrights in this publication are owned by Orca and its affiliates.

Trademarks. “Orca” is a trademark of Orca. No license to use any of the Orca trademarks is given or implied. The trademark may not be copied, downloaded, reproduced, used, modified or distributed in any way (except as an integral part of an authorized copy of material appearing in these web pages, as set forth in the previous section paragraph), without the prior written consent of Orca. All other trademarks or trade names referred to in the Service are the property of their respective owners.

15. Contact Us

If you have questions or comments about the Privacy Policy or Orca’s data collection in general, please send us an email at support@orcainc.com.

Last modified: 31 March 2026