How Oracron collects, uses, and protects your data — in plain language, with full GDPR and CCPA compliance detail.
This Privacy Policy describes how Global Link Ventures LLC ("we," "us," or "our"), a Wyoming limited liability company with its principal place of business in Sheridan, Wyoming, collects, uses, discloses, and safeguards personal data in connection with the Oracron platform and its Sentra invoice audit module (collectively, "the Service"). This Policy applies to all users of the Service, including administrators, logistics managers, finance team members, and freight procurement professionals who access the Service on behalf of their employer or client organisation ("Customer").
Global Link Ventures LLC acts as the Data Controller within the meaning of Article 4(7) of EU Regulation 2016/679 (the General Data Protection Regulation, "GDPR") with respect to account and usage data. Where Customers upload invoice documents for processing, Global Link Ventures LLC typically acts as a Data Processor on behalf of the Customer (the Data Controller for that content data), in accordance with the applicable Data Processing Agreement ("DPA").
Global Link Ventures LLC currently markets its Service primarily to business customers in the United States. Prior to actively targeting individuals or organisations in the European Economic Area ("EEA"), we will appoint an EU representative in accordance with Article 27 GDPR and update this Policy accordingly. Until that appointment is made, EEA-based Data Subjects may direct inquiries to oracron@arrow-scm.com.
This Service is strictly business-to-business (B2B). It is not directed at consumers or natural persons acting in a purely private capacity. All users access the Service on behalf of a company or other legal entity.
When a Customer registers for Oracron or an individual user is provisioned within a Customer account, we collect:
The core function of Oracron is to process freight invoices. When you upload documents to the Service, we process:
Invoice documents may contain commercial personally identifiable information ("commercial PII") — for example, individual shipper or consignee contact names and addresses appearing on freight documents. We process this data solely to provide the audit functionality you have engaged us to perform; we do not use it for any other purpose.
We automatically collect certain technical information when you use the Service:
This data is used solely for security monitoring, debugging, and service reliability. It is retained for 90 days and then permanently deleted (see Section 6).
See Section 10 for a full description of our cookie use. In summary: we use session-only authentication cookies necessary to keep you signed in. We do not use advertising, behavioural tracking, or persistent analytics cookies.
We process personal data only where we have a valid lawful basis under GDPR Article 6. The table below sets out each processing purpose, the categories of data involved, and the applicable legal basis.
| Purpose | Data Categories | GDPR Lawful Basis | Notes |
|---|---|---|---|
| Account creation and authentication | Account data (name, email, password hash) | Art. 6(1)(b) — Performance of contract | Necessary to provide access to the Service as agreed. |
| Invoice processing and audit | Invoice/document data, extracted structured data | Art. 6(1)(b) — Performance of contract | Core functionality of the Service. |
| Billing and payments | Billing contact name and email | Art. 6(1)(b) — Performance of contract | Invoicing and subscription management. Card data processed by Stripe; we do not store it. |
| Service communications | Account data (email) | Art. 6(1)(b) — Performance of contract | Transactional emails: onboarding, alerts, invoice processing results, security notifications. |
| Security monitoring and fraud prevention | Technical/log data, account data | Art. 6(1)(f) — Legitimate interests | Our legitimate interest in protecting the integrity of the Service and our Customers' data. |
| Service improvement and debugging | Technical/log data, anonymised usage patterns | Art. 6(1)(f) — Legitimate interests | Improving reliability, performance, and feature quality. We do not build individual user profiles. |
| Legal compliance and dispute resolution | Account data, log data | Art. 6(1)(c) — Legal obligation | Complying with applicable law, responding to lawful government requests, enforcing our Terms of Service. |
| Customer support | Account data, support correspondence | Art. 6(1)(b) — Performance of contract | Resolving technical issues and responding to your queries. |
We do not use your data for: advertising, marketing profiling, behavioural tracking, the training of AI models, sale or rental to third parties, or any purpose incompatible with the purposes listed above. Invoice data is submitted to AI services solely for inference — completing the specific extraction or analysis task requested. Every AI call includes a system-level data-protection instruction prohibiting training use, and we select AI providers whose API terms contractually prohibit training on inference data. These protections are subject to, and depend on, the continued terms and compliance of our AI service providers; we will notify you of any material change.
We share personal data only with the sub-processors listed below, each of whom provides essential infrastructure to deliver the Service. We do not sell personal data. We do not share personal data with advertising networks, data brokers, or analytics platforms. Each sub-processor relationship is governed by a Data Processing Agreement ("DPA") consistent with GDPR Article 28 requirements.
| Sub-processor | Purpose | Location | DPA & Transfer Mechanism |
|---|---|---|---|
| Supabase, Inc. (supabase.com) | Database hosting, file storage, and authentication services. All application data and invoice files are stored in Supabase's EU Frankfurt region (AWS eu-central-1). | EU (Frankfurt, Germany) — primary; US (Supabase Inc. legal entity) | DPA in place. Primary data storage is EU-resident. Legal entity transfer covered by Standard Contractual Clauses (SCCs) per GDPR Art. 46(2)(c). |
| Anthropic PBC (anthropic.com) | AI-powered invoice text extraction and structured data mapping via the Claude Vision API. Invoice documents are sent to the API for inference processing. | United States | DPA in place. Transfer covered by Standard Contractual Clauses (SCCs) per GDPR Art. 46(2)(c). See Section 5 for detail. Every AI call includes a system-level instruction prohibiting training use of submitted data. AI provider API terms contractually prohibit training on inference data by default. We will notify customers of any material change to AI provider data-handling terms. |
| Stripe, Inc. (stripe.com) | Payment processing and subscription billing. Stripe processes billing contact information and payment card data on our behalf. | United States / EU | DPA in place. Stripe is PCI-DSS Level 1 certified. Transfers covered by Stripe's EU SCCs. We do not store payment card numbers — all card data is tokenised and held by Stripe. |
We may disclose personal data to government authorities, law enforcement agencies, or courts where we are legally required to do so, or where necessary to establish, exercise, or defend legal claims. Where permitted by law, we will notify the affected Customer before complying with such a request.
In the event of a merger, acquisition, asset sale, or reorganisation involving Global Link Ventures LLC, personal data held by us may be transferred to the successor entity. We will provide notice before personal data is transferred and becomes subject to a materially different privacy policy.
Global Link Ventures LLC is incorporated in the United States. When you access the Service from the EEA, the UK, or Switzerland, your personal data may be transferred to and processed in the United States. The EU has not adopted an adequacy decision for the United States applicable to our processing at this time.
We rely on the following transfer mechanisms to ensure that such transfers comply with Chapter V of the GDPR:
If you are an EEA-based Customer and wish to review the applicable SCCs or discuss our transfer impact assessments, please contact oracron@arrow-scm.com.
We retain personal data only for as long as necessary to fulfil the purposes described in this Policy, to comply with legal obligations, and to resolve any disputes. Specific retention periods are as follows:
| Data Category | Retention Period | Basis |
|---|---|---|
| Account data (name, email, company) | For the duration of the account, plus 3 years after the account is last active or terminated, whichever is later. | Contractual necessity; legal obligation (tax and contractual records). |
| Invoice and document data (uploaded files, extracted data, audit results) | Per Customer agreement. Default: 2 years from upload date unless the Customer configures a shorter period or requests deletion. | Contractual necessity; Customer's audit and compliance requirements. |
| Technical and log data (access logs, error logs, API logs) | 90 days, then permanently deleted. | Legitimate interest in security monitoring; proportionality requires short retention. |
| Billing records | 7 years from the date of the transaction. | Legal obligation under US tax and accounting law. |
| Support correspondence | 2 years from resolution of the support ticket. | Legitimate interest in maintaining service quality records and resolving disputes. |
At the end of the applicable retention period, data is securely deleted or anonymised so that it can no longer be attributed to an identifiable individual. Anonymised, aggregated data (e.g. aggregate platform usage statistics with no individual attributable data) may be retained indefinitely.
We implement technical and organisational measures appropriate to the risk of the processing, consistent with GDPR Article 32. Our current security programme includes:
No method of transmission over the internet or method of electronic storage is 100% secure. While we take commercially reasonable steps to protect your data, we cannot guarantee absolute security.
If you are located in the EEA, the UK, or Switzerland, you have the following rights under the GDPR (Articles 15–22). We are committed to facilitating the exercise of these rights promptly and without undue burden. All rights can be exercised by contacting oracron@arrow-scm.com. We will respond within 30 days of receipt, as required by GDPR Article 12(3), with the possibility of a single 2-month extension in cases of complexity or high volume (you will be informed of any extension).
There is no fee for exercising your rights unless requests are manifestly unfounded or excessive (e.g. repetitive), in which case we may charge a reasonable administrative fee or decline to act — we will explain our reasoning if so.
You have the right to obtain confirmation of whether we process personal data about you, and if so, to receive a copy of that data together with information about: the purposes of processing, the categories of data concerned, the recipients or categories of recipient, the envisaged retention period, and the existence of any automated decision-making. We will provide this information in a structured, commonly used format. The first copy is free.
You have the right to have inaccurate personal data corrected without undue delay. Where personal data is incomplete, you have the right to have it completed. You can correct most account data (name, email, company) directly in the Oracron platform settings. For other data, contact us at oracron@arrow-scm.com.
You have the right to request deletion of your personal data where: (a) the data is no longer necessary for the purposes for which it was collected; (b) you withdraw consent on which processing was based (where applicable); (c) you object to processing and there are no overriding legitimate grounds; (d) the data has been unlawfully processed; or (e) deletion is required by EU or Member State law. This right is subject to exceptions — for example, we may be required to retain certain data to comply with a legal obligation or for the establishment or defence of legal claims. Where we cannot delete data in full, we will explain why and confirm what has been deleted.
You have the right to request that we restrict processing of your personal data (i.e. store it but not actively use it) in the following circumstances: (a) you contest the accuracy of the data, for the period we need to verify it; (b) the processing is unlawful but you prefer restriction over erasure; (c) we no longer need the data but you require it for legal claims; or (d) you have objected to processing and we are assessing whether our legitimate grounds override yours. When processing is restricted, we will inform you before lifting the restriction.
Where we process your personal data by automated means on the basis of contract performance or consent (Art. 6(1)(a) or (b)), you have the right to receive that data in a structured, commonly used, machine-readable format (e.g. JSON or CSV) and to have it transmitted directly to another controller where technically feasible. This right covers account profile data and extracted invoice data associated with your account. It does not apply to data processed on the basis of legitimate interests.
You have the right to object at any time to processing of your personal data that is based on legitimate interests (Art. 6(1)(f)), including profiling based on those provisions. We will cease processing unless we can demonstrate compelling legitimate grounds that override your interests, rights, and freedoms, or the processing is necessary for the establishment, exercise, or defence of legal claims. You may also object at any time to processing for direct marketing purposes (we do not conduct direct marketing profiling, but this right remains available).
You have the right not to be subject to a decision based solely on automated processing — including profiling — that produces legal effects or similarly significant effects on you. Oracron does not make any fully automated decisions that produce legal effects concerning users. Our AI engine (Sentra) produces invoice audit flags and confidence scores, but all final decisions (approve, reject, escalate) are made by human reviewers within the Customer's organisation. This right is included for completeness; it is not engaged by our current processing.
Send your request to oracron@arrow-scm.com with the subject line "GDPR Rights Request — [type of right]." Include sufficient information to identify your account (your name, work email address, and company). We may ask for additional verification to confirm your identity before processing the request; this is to protect you against unauthorised requests.
If you believe we have processed your personal data in violation of the GDPR, you have the right to lodge a complaint with a supervisory authority. You may file a complaint with the supervisory authority in the EU Member State of your habitual residence, place of work, or the place of the alleged infringement. A directory of EU supervisory authorities is available at edpb.europa.eu. We would encourage you to contact us first so we can address any concern directly.
If you are a California resident, you have the following rights under the California Consumer Privacy Act of 2018 as amended by the California Privacy Rights Act of 2020 (collectively, "CCPA/CPRA"). Because Oracron is a B2B service, most data we process relates to individuals acting in a business capacity; however, we recognise that California law may apply to employees of our Customer organisations and we honour these rights accordingly.
You have the right to request that we disclose to you: (a) the categories of personal information we have collected about you; (b) the categories of sources from which it was collected; (c) our business or commercial purpose for collecting, selling, or sharing it; (d) the categories of third parties to whom we disclose it; and (e) the specific pieces of personal information we have collected. See Sections 2, 3, and 4 of this Policy for this information. You may submit a verifiable consumer request at oracron@arrow-scm.com.
You have the right to request deletion of personal information we have collected about you, subject to certain exceptions (e.g. information necessary to complete a transaction, detect security incidents, comply with a legal obligation, or exercise free speech). We will respond to verified deletion requests within 45 days, with the possibility of a 45-day extension where reasonably necessary.
Under CPRA, you have the right to request that we correct inaccurate personal information we maintain about you, taking into account the nature of the personal information and the purposes of the processing. You can update most account information directly in the platform settings, or contact us at oracron@arrow-scm.com.
We do not sell personal information. We do not share personal information for cross-context behavioural advertising. Accordingly, the right to opt out of sale/sharing is not engaged. We will update this Policy if our practices change.
We do not use sensitive personal information (as defined under CPRA) for purposes other than those permitted by CPRA Section 1798.121. We do not use sensitive personal information to infer characteristics about individuals.
We will not discriminate against you for exercising any of your CCPA/CPRA rights. You will not receive a different price, level of service, or quality of service as a result of exercising these rights.
Email oracron@arrow-scm.com with subject line "CCPA Rights Request." We will verify your identity before processing the request. You may also designate an authorised agent; the agent must provide written authorisation signed by you, or a power of attorney.
We use a minimal set of cookies strictly necessary to operate the Service. We do not use third-party advertising cookies, cross-site tracking cookies, or persistent analytics cookies.
| Cookie Name / Type | Purpose | Duration | First or Third Party |
|---|---|---|---|
| Supabase Auth Session (`sb-[project]-auth-token`) | Stores your encrypted authentication session token to keep you signed in to the platform. | Session (cleared on browser close) or up to 1 hour idle timeout | First party (oracron.arrow-scm.com) |
| CSRF / security token | Prevents cross-site request forgery attacks. | Session | First party |
We do not use Google Analytics, Mixpanel, Amplitude, Facebook Pixel, or any other third-party analytics or advertising tracking scripts. Our public marketing pages do not load third-party tracking scripts beyond the fonts and Tailwind CDN listed in the page source.
Server-side access logs (IP address, page URL, timestamp) are generated automatically by our infrastructure provider and retained for 90 days. These are used only for security monitoring and are not used for behavioural profiling.
Because we use only strictly necessary session cookies, we do not display a cookie consent banner. If we add non-essential cookies in the future, we will implement a GDPR-compliant consent management platform and update this Policy before doing so.
The Oracron Service is a professional B2B software platform designed for use by logistics professionals, finance teams, and freight procurement personnel acting on behalf of corporate entities. It is not directed at individuals under the age of 18 and is not designed for or marketed to minors.
We do not knowingly collect personal information from anyone under 18 years of age. If we become aware that we have inadvertently received personal information from a user under 18, we will take steps to delete that information from our records as soon as possible. If you believe we may have collected information from or about a minor, please contact us at oracron@arrow-scm.com.
We may update this Privacy Policy from time to time to reflect changes in our practices, the introduction of new features, updates to applicable law, or feedback from regulatory authorities. When we make material changes, we will:
Non-material changes (e.g. clarifications of existing language, correction of typographical errors, updates to contact details) may be made without specific notice beyond updating the "Last Updated" date. We encourage you to review this Policy periodically.
Your continued use of the Service after the effective date of any changes constitutes your acceptance of the updated Policy. If you do not agree with the updated Policy, you should discontinue use of the Service and contact us to arrange data deletion.
The current version of this Policy is always available at oracron.arrow-scm.com/privacy-policy.html.
For any questions about this Privacy Policy, to exercise your data subject rights under GDPR or CCPA/CPRA, or to report a suspected data protection concern, please contact our privacy team:
Response Times
General inquiries: within 5 business days
GDPR rights requests: within 30 days (Art. 12 GDPR)
CCPA requests: within 45 days
Data breach notifications: within 72 hours (Art. 33 GDPR)
When submitting a rights request, please include your full name, work email address, company name, and a clear description of the right you wish to exercise. We may request additional information to verify your identity and protect against unauthorised requests.
This Privacy Policy was last updated on November 19, 2025 and is effective as of November 19, 2025. It supersedes all prior versions. © 2025 Global Link Ventures LLC. All rights reserved.