Order Command

Order Command

Privacy Policy

Last updated: February 15, 2026

Introduction

Order Command ("we," "us," or "our") operates ordercommand.com. This Privacy Policy explains how we collect, use, store, and protect your information when you use our order management platform.

If you have questions about this policy, contact us at daniel@ordercommand.com.

Information We Collect

We collect the following types of information:

  • Account information — your name, email address, phone number, and a securely hashed password.
  • Organization details — your organization name, locations, and team member information.
  • Location preferences — your default location and any locations you manage within your organization.

Email Integration

If you choose to connect your Gmail or Outlook account, we request OAuth access to read your email messages. Specifically, we collect:

  • Email subject lines, sender information, and message bodies.
  • PDF attachments related to orders (invoices, confirmations, etc.).
  • Email metadata such as thread IDs for grouping related messages.

Email content is archived in secure cloud storage (AWS S3) for processing. We generate a content hash of each email (using subject, sender, and body) for deduplication purposes — this allows us to detect shared inbox emails and avoid duplicate processing.

Your OAuth tokens are encrypted at rest using AES-256-GCM before storage and are never exposed in application logs. When you disconnect your email account, we revoke the OAuth token with the provider (Google or Microsoft) before deleting it from our systems. You can disconnect your email account at any time from your account settings.

AI Processing

Email content (including subject lines, message bodies, and extracted PDF text) is sent to our AI providers (Anthropic, OpenAI, and Google) to automatically extract order details such as:

  • Order numbers and retailer information.
  • Tracking numbers and shipping carriers.
  • Delivery dates and return windows.
  • Item descriptions and quantities.

AI-extracted data is stored with a confidence level and presented for your review before being applied to your orders. Each provider processes this data according to their own privacy policies and does not use it to train their models.

Order & Activity Data

We store your order information including items, tracking details, delivery status, and return deadlines. All changes to orders are logged in an activity history with source attribution (manual entry, email extraction, or system-generated).

Delivery Tracking

If your orders include tracking numbers, we may send those tracking numbers to third-party carrier tracking services (currently TrackingMore) to retrieve delivery status updates. This data is used solely to provide real-time delivery tracking within the Service.

Feedback Data

When you submit feature requests or feedback through the application, we collect the page URL and user agent along with your message to help us understand the context of your request.

How We Use Your Data

  • Tracking and managing your orders across locations.
  • Matching incoming emails to existing orders using order numbers, tracking numbers, and email threads.
  • Extracting order details from emails using AI to reduce manual data entry.
  • Logging activity and changes for audit and accountability purposes.
  • Improving the accuracy of our email extraction and matching over time.

Data Storage & Security

We take the security of your data seriously. Our infrastructure includes:

  • Database — PostgreSQL hosted on Supabase with connection pooling and encrypted connections.
  • Email archival — AWS S3 with server-side encryption.
  • OAuth tokens — encrypted with AES-256-GCM at the application layer, stored in AWS Secrets Manager with additional encryption at rest.
  • Passwords — hashed using bcrypt; we never store plaintext passwords.
  • Multi-tenant isolation — all data queries are scoped to your organization. Users in one organization cannot access data from another.

Google API Services User Data Policy

Order Command's use and transfer to any other app of information received from Google APIs will adhere to the Google API Services User Data Policy, including the Limited Use requirements.

Specifically, Order Command:

  • Only uses Gmail data to provide the order management features described in this policy (extracting order details from emails and tracking deliveries).
  • Does not sell Gmail data to third parties.
  • Does not use Gmail data for advertising, market research, or email campaign purposes.
  • Does not allow humans to read your Gmail data unless you provide affirmative consent for specific messages during the review queue workflow, or as required for security purposes (investigating abuse), or as required by applicable law.
  • Limits data transfer to third parties to Anthropic, OpenAI, and Google (AI extraction), AWS (infrastructure), and TrackingMore (delivery tracking), all necessary to provide the service.

Data Sharing

We do not sell your data. We share data only with the following service providers as necessary to operate the platform:

  • Anthropic, OpenAI, and Google — AI processing of email content for order extraction.
  • Amazon Web Services (AWS) — cloud infrastructure, storage, and secrets management.
  • Supabase — database hosting and management.
  • TrackingMore — delivery tracking via carrier APIs.

Data Retention

We retain your data for as long as your account is active. Email archives are stored to support order matching and historical reference.

When you disconnect an email account:

  • Your OAuth token is revoked with the email provider (Google/Microsoft).
  • Your email account record and all associated email messages and extractions are deleted from our database.
  • Email sync is immediately stopped for that account.

If you delete your user account, we disable your access immediately. Personal data is removed within 30 days. To request deletion of all organization data including archived emails in S3, contact us at daniel@ordercommand.com.

Your Rights

You have the right to:

  • Access and download your personal data.
  • Request correction of inaccurate data.
  • Request deletion of your account and associated data.
  • Disconnect your email accounts at any time to stop email processing.
  • Export your order data.

To exercise any of these rights, contact us at daniel@ordercommand.com.

Cookies

We use session cookies for authentication purposes. These cookies contain a JSON Web Token (JWT) that identifies your session and are essential for the application to function. We do not use tracking or advertising cookies.

Changes to This Policy

We may update this Privacy Policy from time to time. We will notify users of significant changes via email or an in-app notification. Continued use of the platform after changes constitutes acceptance of the updated policy.

Contact Us

If you have any questions or concerns about this Privacy Policy, please contact us at daniel@ordercommand.com.

Terms of Service
Back to Login