PRIVACY

Privacy Policy

Effective: April 23, 2026 · Last updated: April 23, 2026

This policy explains how OraTek Diagnostics, Inc. ("OraTek", "we", "us") collects, uses, and protects personal data in connection with the OraTek CRM application (the "Service"). The Service is a sales and outreach platform used by our own sales team and by other companies who license it from us.

If you have questions or want to exercise your rights under this policy, contact us at privacy@oratekdx.com.

1. Who this policy applies to

This policy covers two groups of people:

Customers and users — the companies that use OraTek CRM and the individual salespeople, marketers, and managers who log in. We are the data controller for your account, and a data processor for the business contact data you put into the Service.
Prospects and business contacts — the people your sales team researches and reaches out to. We hold their information on behalf of our customer. We don't market to them from OraTek; your rep does.

2. Data we collect

Account data (customer users)

Name, email, profile photo, role, team, manager assignment
Authentication info — password hash (bcrypt) or Google account identifier
Organization (employer) name and plan
Login timestamps, IP address, user agent

Data you bring into the Service

Business contact records — names, titles, companies, emails, phones, LinkedIn URLs, notes
Campaign content — message templates, sequences, email drafts
Activity logs — calls made, emails sent, meetings booked, status changes
Deal and pipeline data — amounts, stages, close dates
Event and conference records you track
Recruiting candidate data (manager-level users only)

Integration data (with your explicit consent)

When you connect a third-party account, we receive only what's needed for the connected feature:

Google (Gmail + Calendar) — see section 3 for the detailed Google-specific disclosures.
LinkedIn — your li_at session cookie (encrypted at rest), used by our automation worker to send invites and messages on your behalf at your direction.
Anthropic (Claude) — your personal API key is stored in your browser only. We never receive or transmit it.

Data we do not collect

No Protected Health Information (PHI). OraTek CRM is a sales tool, not a clinical system.
No payment card data — billing is handled by our payment processor (Stripe).
No tracking cookies used for ad networks.

3. Google API Services disclosures

OraTek CRM's use of information received from Google APIs will adhere to the Google API Services User Data Policy, including the Limited Use requirements.

Scopes we request

https://www.googleapis.com/auth/gmail.send — send emails on your behalf (restricted scope)
https://www.googleapis.com/auth/gmail.readonly — read message metadata and bodies so we can detect replies to sequences you've enrolled prospects in (restricted scope)
https://www.googleapis.com/auth/calendar.events — read and write your calendar to show your schedule, book meetings, and record demos
openid email profile — identify you when you log in

What we do with Google user data

Limited Use. We use Google user data only to provide user-facing features inside the Service — sending emails you composed, detecting replies from your prospects so sequences stop, displaying your calendar, booking meetings you initiated.
We do not transfer Gmail data to third parties except as necessary to provide or improve user-facing features, comply with applicable law, or as part of a merger, acquisition, or sale of assets with notice to users.
We do not use Gmail data for serving ads, including retargeted or personalized ads.
We do not allow humans to read your Gmail data except (a) with your explicit permission, (b) for security purposes such as investigating abuse, (c) to comply with law, or (d) where the data is aggregated and anonymized for internal operations.
We do not use Gmail data to train machine learning models.

Data access and deletion

You can revoke OraTek's access to your Google account at any time from the Connections page in the CRM, or at myaccount.google.com/permissions. When you revoke access, we retain aggregated activity data (e.g. "Sarah sent 12 emails last week") for reporting but delete stored message contents and tokens within 30 days.

4. How we use data

To operate the Service — authenticate you, save your work, show your pipeline
To provide AI assistance — your in-browser Julie uses your own Anthropic API key; we don't receive those chat messages
To send emails and LinkedIn messages you compose or approve
To measure campaign performance (opens, clicks, bounces, replies)
To monitor for abuse, debug errors, and keep the Service secure
To communicate with you about billing, updates, and security

5. How we share data

We share data with service providers strictly as needed to run the Service, and only under data processing agreements (DPAs):

DigitalOcean — hosting, database, object storage
Resend — transactional and marketing email delivery (from our mail.oratekdx.com sender)
Google — when you connect Gmail or Calendar
Anthropic — only if you choose to share a chat transcript or send Julie requests through a shared key (not our default)
Sentry / Better Stack — error logging, anonymized where possible
Stripe — billing

We don't sell personal data. We don't share it with advertisers.

6. Where data is stored

All production data is stored in the United States (DigitalOcean NYC3 region). Backups encrypted at rest. In transit, we use TLS 1.2+.

7. Retention

Active account data: kept while your account is active.
Deleted by you: deleted from primary storage within 30 days, from backups within 90 days.
Account closed: data retained 30 days for recovery, then permanently deleted. You can request immediate deletion at privacy@oratekdx.com.
Google OAuth tokens: deleted immediately when you disconnect, within 30 days in backups.
Audit logs: 12 months for security purposes.

8. Your rights

Access — request a copy of your data
Correction — request changes to inaccurate data
Deletion — request we delete your data (subject to our legal retention obligations)
Portability — request your data in a machine-readable format
Withdraw consent — disconnect integrations or delete your account at any time

For EU/UK residents: you may also lodge a complaint with your local data protection authority. We comply with GDPR Article 28 as a processor for customer-uploaded contact data.

For California residents: you have rights under the CCPA/CPRA including the right to know, delete, and opt out of sale (we don't sell). Contact us at privacy@oratekdx.com.

9. Email opt-outs (CAN-SPAM, CASL)

Every marketing email sent through OraTek CRM includes a one-click unsubscribe link. Unsubscribes are honored within 10 business days and apply across all sequences from the sending organization. List-Unsubscribe headers are included on every bulk send.

10. Security

Passwords hashed with bcrypt (12 rounds)
Sensitive tokens (LinkedIn cookies, Google OAuth refresh tokens) encrypted at rest with AES-256-GCM
TLS 1.2+ in transit
Least-privilege database access, rate limiting, audit logging
Annual security reviews; incident response plan in place

If you believe your account has been compromised, email security@oratekdx.com.

11. Children

OraTek CRM is a business tool and is not directed at children under 16. We do not knowingly collect data from children.

12. Changes to this policy

We'll post changes here and notify customer admins by email. Continued use after the effective date means you accept the revised policy.

13. Contact

OraTek Diagnostics, Inc.
Orem, Utah, USA
Privacy questions: privacy@oratekdx.com
Security concerns: security@oratekdx.com
Data deletion requests: privacy@oratekdx.com