1. Data We Collect
Orylo collects the following data to provide fraud detection services:
- Transaction metadata (amount, currency, timestamp)
- Customer identifiers (Stripe customer ID, email)
- Payment metadata (last 4 digits of card, country)
- Fraud detection results (risk scores, decisions)
2. Data Retention (GDPR Article 5)
Fraud detection records are automatically deleted after 90 days. This ensures compliance with GDPR's data minimization principle.
3. Your Rights (GDPR Articles 15-21)
- Right to Access: Request a copy of your data via API endpoint
/api/customers/[id]/export - Right to Deletion: Request permanent deletion of your data via API endpoint
DELETE /api/customers/[id] - Right to Portability: Export your data in JSON format
4. Security Measures
- HTTPS encryption for all data in transit
- Database encryption at rest (Neon PostgreSQL)
- No storage of full credit card numbers (PCI compliance) - only last 4 digits and country
- Secure session management with HttpOnly cookies
- Multi-tenancy isolation (organization-level data separation)
5. Data Processing
Orylo processes payment data on behalf of merchants. We act as a data processor under GDPR. Merchants remain the data controllers.
6. PCI Compliance
Orylo is PCI compliant. We do not store, process, or transmit full credit card numbers. All payment data is handled securely through Stripe, a PCI DSS Level 1 certified payment processor.
- No full card numbers (PAN) stored
- No CVV/CVC codes stored
- Only Stripe tokens (pi_xxx, pm_xxx, cus_xxx)
- Card metadata limited to last4 + country (non-sensitive per PCI DSS)
7. Contact
For data deletion or export requests, contact: privacy@orylo.com
Last updated: January 24, 2026