ML CONSULTING MB

Orchestroz

Privacy Policy

How ML Consulting MB collects, uses, shares and protects personal data in the Orchestroz iOS application and its mobile-web response surface.

Plain language. GDPR-aligned. No tracking, no advertising, no third-party model training on your data.

DOCUMENT

Orchestroz — Privacy Policy

VERSION

1.0

EFFECTIVE

2026-05-25

CONTROLLER

ML Consulting MB · Legal entity code 306991112

JURISDICTION

Republic of Lithuania

SUPERVISORY AUTHORITY

Valstybinė duomenų apsaugos inspekcija (VDAI), Vilnius

DISTRIBUTION

Apple App Store · iOS, iPadOS + mobile-web bridge

PRIVACY CONTACT

support+orchestroz@mlconsulting.lt

READ WITH

Orchestroz Terms and Conditions v1.0


Contents

What is in this Privacy Policy.

1. Who We Are and How to Contact Us

2. Scope of this Policy

3. Our Two Roles — Controller and Processor

4. Categories of Personal Data We Process

5. Purposes and Legal Bases

6. How We Collect Your Data

7. Who We Share Your Data With

8. International Transfers

9. How Long We Keep Your Data

10. How We Protect Your Data

11. Your Rights and How to Exercise Them

12. Children’s Data and Minor Participants

13. Automated Decisions, AI Features and Profiling

14. Cookies, Tracking and Analytics

15. Apple-Platform Disclosures

16. Changes to this Privacy Policy

17. How to Complain


At a Glance

A short summary of the longer policy below.

WHAT YOU SHOULD KNOW FIRST.

Orchestroz is enterprise software used by ensembles, conservatories, contractors and festival production offices (each a “Workspace Owner”). When you use the iOS App or respond via the Mobile-Web Bridge from any browser, we process some personal data either as data controller (for example, your sign-in identity and our billing records) or as data processor on behalf of the Workspace Owner (for example, your RSVP responses, attendance and reliability records inside their Workspace). We do not sell your data, we do not show ads, we do not perform cross-app or cross-website tracking, and we do not use your data to train third-party AI models. AI features are off by default and require explicit opt-in.

This Privacy Policy is published by ML Consulting MB and supplements the Orchestroz Terms and Conditions. If anything here conflicts with mandatory privacy law that protects you, the mandatory law applies.


1

Who We Are and How to Contact Us

The data controller for this Privacy Policy.

1.1. Identity. “We”, “us” and “our” mean ML Consulting MB, a Lithuanian small partnership with legal entity code 306991112 and registered in the Republic of Lithuania, the developer and operator of the Orchestroz iOS / iPadOS application (the “App”) and its browser-accessible response pages (the “Mobile-Web Bridge”).

1.2. Privacy contact. For any privacy enquiry, data-subject request, complaint or correction, write to us at support+orchestroz@mlconsulting.lt. We respond within the time limits required by the EU General Data Protection Regulation (“GDPR”) and applicable national law.

1.3. Data Protection Officer. We are not currently required to designate a DPO under Article 37 GDPR. Where you would otherwise reach out to a DPO, please use the privacy contact in clause 1.2.

1.4. EU representative. ML Consulting MB is established in the European Union. We do not appoint a separate Article 27 representative; you may contact us directly at the address in clause 1.1.

2

Scope of this Policy

What this policy covers — and what it does not.

2.1. What is covered. This Privacy Policy describes how we collect, use, share, retain and protect personal data when you:

download, install, sign in to or use the Orchestroz iOS / iPadOS App;

respond to an invitation, RSVP or urgent call via the Mobile-Web Bridge from any browser;

visit the Orchestroz pages on mlconsulting.lt;

contact us about Orchestroz (support requests, sales, legal notices, security reports).

2.2. What is not covered. This Privacy Policy does not cover:

the privacy practices of the Workspace Owner that invited you (your ensemble, conservatory, contractor or festival office) for data they control within their Workspace — ask the Workspace Owner directly;

the privacy practices of Apple Inc. when you sign in with Apple, purchase a Subscription via the App Store, or store data in iCloud / CloudKit — see Apple’s Privacy Policy at apple.com/privacy;

the privacy practices of any other third-party service you reach by following a link from the App (for example, SSO providers configured by the Workspace Owner).

3

Our Two Roles — Controller and Processor

The same App; different roles for different categories of data.

Depending on the category of personal data, ML Consulting acts in one of two roles:

CONTROLLER

We are the data controller (we decide why and how the data is used) for: your account identifiers (Sign in with Apple, email, SSO subject), our service telemetry, the communications you send to us, our billing and invoicing records, and the operation, security and improvement of the App itself.

PROCESSOR

We are the data processor (the Workspace Owner decides why and how the data is used; we process it on their instructions) for all Customer Data within a Workspace — including Member and Musician identity and contact data, RSVPs, attendance, Trust Notes, Reliability Scores, the Recommendation graph, Admin Mini-Pack contents, audit-log entries and exports. We process that data under a Master Data Processing Agreement (“Master DPA”) with the Workspace Owner.

3.3. Which role applies to you. If you are a Workspace Owner (an institution, conservatory, contractor or festival office), you are our data-controller customer for billing and account data, and you are the data controller for your Workspace; we are your data processor for what happens inside your Workspace. If you are a Member or substitute Musician invited by a Workspace Owner, the Workspace Owner is the data controller for your data inside their Workspace; we are their processor. For your sign-in identity and our operational telemetry, we are the controller.

4

Categories of Personal Data We Process

What we hold, by category. Our role for each is shown in italic at the end of the line.

We categorise personal data as set out below. Where we act as processor on behalf of a Workspace Owner, the Workspace Owner controls which categories below are populated.

Account Data Name, email, Apple ID subject identifier, SSO subject identifier, password hash, profile photo (optional), preferred language, notification preferences. (Controller)

Workspace & Membership Data Workspace name, organisation type, role within Workspace (admin, manager, contractor, member, musician), section / part / instrument, ensemble and project assignments. (Processor for the Workspace Owner)

Event & Response Data Event details, requirements, invitations, RSVPs, reminder timestamps, urgent-call records, response streams via the Mobile-Web Bridge, shortlist decisions, booking states. (Processor)

Attendance & Reliability Data Attendance records, minutes late, no-show flags, Trust Notes (workspace-internal), Member and Section Reliability Scores, Recommendation Edges. (Processor)

Admin Mini-Pack Data Contract-handoff fields, fee metadata, call-sheet metadata, payment-handoff fields entered by the Workspace Owner (we do not process payments). (Processor)

Communications Data Support requests, sales enquiries, legal and security notices you send to us, our replies. (Controller)

Billing & Order-Form Data Workspace Owner billing contact, VAT / tax ID, invoice records, payment status (we do not store full card numbers; payment processors do that). (Controller)

Telemetry & Diagnostics Anonymised device model and OS version, App version, crash reports, performance metrics, feature-flag exposure. (Controller)

Audit-Log Entries Append-only records of create / update / archive / RSVP / urgent-call / response / shortlist / booking / admin / attendance / export / settings / Trust-Note actions, with timestamp, actor and object IDs. (Processor)

AI Inputs / Outputs (opt-in) Where the Workspace Owner enables an AI helper, the redacted prompt text we send to the language-model sub-processor and the draft output we receive back. (Processor; sub-processor described in section 7)

4.1. Sensitive (special-category) data. We do not request, and ask you not to enter, special-category data within the meaning of Article 9 GDPR (data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership, genetic data, biometric data, health data or data concerning a person’s sex life or sexual orientation). If the Workspace Owner enters such data despite this instruction, the Workspace Owner is responsible for having a valid Article 9(2) GDPR lawful basis.

4.2. Location data. Orchestroz does not perform continuous GPS tracking. Some Workspace Owners may configure event-location pin-drops at the moment a Member or Musician confirms attendance; that feature is off by default at the workspace level.

4.3. Children’s data. See section 12.

5

Purposes and Legal Bases

Why we process each category, and under which Article 6 GDPR ground.

Each numbered purpose lists the data used and the legal basis (Article 6 GDPR).

5.1. Authenticate you and create your Account.

Data used — Account Data.

Legal basis — Performance of a contract — Article 6(1)(b) GDPR.

5.2. Provide the App and Mobile-Web Bridge to the Workspace Owner that invited you.

Data used — Workspace & Membership Data, Event & Response Data, Attendance & Reliability Data, Admin Mini-Pack Data, Audit-Log Entries.

Legal basis — Performance of a contract with the Workspace Owner — Article 6(1)(b); for non-contracting end users (Members, Musicians), our legitimate interest in operating the App on the Workspace Owner’s instructions — Article 6(1)(f).

5.3. Run subscription billing, issue invoices, comply with tax law.

Data used — Billing & Order-Form Data.

Legal basis — Performance of a contract — Article 6(1)(b); legal obligation — Article 6(1)(c).

5.4. Respond to support requests, sales enquiries, legal and security notices.

Data used — Communications Data.

Legal basis — Legitimate interests — Article 6(1)(f) (responding to incoming contact).

5.5. Operate, secure, debug and improve the App; detect abuse and fraud.

Data used — Telemetry & Diagnostics, Audit-Log Entries.

Legal basis — Legitimate interests — Article 6(1)(f) (keeping the App safe and reliable).

5.6. Comply with our legal obligations (record-keeping, accounting, audit, regulator requests, lawful disclosure orders).

Data used — Any category, to the extent required.

Legal basis — Legal obligation — Article 6(1)(c).

5.7. Defend or pursue legal claims.

Data used — Any category, to the extent required.

Legal basis — Legitimate interests — Article 6(1)(f).

5.8. Provide opt-in AI features when the Workspace Owner activates them.

Data used — AI Inputs / Outputs.

Legal basis — Performance of a contract with the Workspace Owner — Article 6(1)(b).

5.9. Send service emails (security alerts, terms changes, outages).

Data used — Account Data, Communications Data.

Legal basis — Legitimate interests — Article 6(1)(f); legal obligation where applicable.

5.10. Send marketing emails about Orchestroz updates (Workspace Owners only).

Data used — Account Data, Billing & Order-Form Data.

Legal basis — Consent — Article 6(1)(a) where required; otherwise legitimate interests — Article 6(1)(f), with an opt-out in every message.

5.11. Where we rely on legitimate interests (Article 6(1)(f) GDPR), we have balanced our interest against your rights and freedoms. You can object at any time — see clause 11.5.

5.12. Where we rely on consent (Article 6(1)(a) GDPR), you can withdraw consent at any time without affecting the lawfulness of processing before withdrawal. Withdrawing consent for an AI feature, for example, disables that feature for your Workspace going forward.

6

How We Collect Your Data

Sources of the personal data we hold.

We receive personal data from the following sources:

directly from you when you create or sign in to an Account, complete onboarding, respond to an invitation or contact us;

from the Workspace Owner that invited you, when it sets up the Workspace, imports a roster (CSV), invites Members or Musicians to a Trusted Pool, or records attendance, Trust Notes or admin data;

from another Member or Musician when they capture a recommendation that leads to a Recommendation Edge (subject to the consent rule in the Orchestroz Terms, Schedule A, clause A5.3);

automatically from your device when you use the App or Mobile-Web Bridge (telemetry, crash reports, audit-log entries);

from Apple when you Sign in with Apple, or from an SSO provider configured by the Workspace Owner when you sign in via SSO;

from sub-processors acting on our behalf (see section 7) when they pass back operational data needed to provide the Services.

7

Who We Share Your Data With

Our sub-processors and other recipients.

7.1. No sale, no advertising. We do not sell personal data. We do not share personal data with advertisers, ad networks, data brokers or marketing analytics companies. We do not use your data to build advertising profiles.

7.2. Sub-processors. We use a small set of trusted sub-processors strictly to operate the Services. Each is bound by a written processing agreement requiring confidentiality, GDPR-aligned safeguards and assistance with data-subject rights. The current list is:

Apple Inc. App Store distribution, Sign in with Apple, APNs push notifications, iCloud / CloudKit storage where used. (United States — EU–US Data Privacy Framework / Standard Contractual Clauses)

7.3. AI feature special rules. When a Workspace Owner enables an AI helper, we redact customer-identifying free-text and third-party personal data before transmission to the AI sub-processor, in line with the rules disclosed in the in-App AI settings. We do not allow the AI sub-processor to use your inputs or outputs to train any third-party model.

7.4. Other recipients. In addition to sub-processors, we may disclose personal data:

to professional advisers (lawyers, accountants, auditors) under confidentiality, where strictly necessary;

to public authorities (regulators, courts, law-enforcement) where we are required to do so by law, or to defend or pursue legal claims;

in connection with a merger, acquisition, restructuring or sale of assets, in which case the recipient will be bound by data-protection obligations no less protective than this Policy.

7.5. Workspace Owner access. Inside a Workspace, the Workspace Owner can see all Customer Data within that Workspace as scoped by its role configuration. Role-gated data (such as Trust Notes and Reliability Scores) is visible only to authorised users with the appropriate role.

8

International Transfers

When your data leaves the European Economic Area.

8.1. Where we host. We aim to host Orchestroz primarily in the European Economic Area (“EEA”). Some sub-processors (notably Apple and certain backend and AI providers) operate from the United States or other third countries.

8.2. Safeguards. Where personal data is transferred outside the EEA, we rely on one or more of the following:

an adequacy decision adopted by the European Commission under Article 45 GDPR (for example, the EU–US Data Privacy Framework where the recipient is certified);

Standard Contractual Clauses adopted by the European Commission under Article 46(2)(c) GDPR, supplemented by additional technical and organisational measures where required;

derogations under Article 49 GDPR in narrow, documented cases (for example, your explicit consent for a specific transfer).

8.3. Copies of safeguards. You can request a copy of the safeguards in place for a specific transfer by emailing support+orchestroz@mlconsulting.lt. Commercially sensitive details may be redacted.

9

How Long We Keep Your Data

Retention periods, by data category.

Account Data (Workspace Owner administrators) For the life of the Account, plus up to 24 months after Workspace deletion. (trigger: Account deletion request or Workspace closure)

Account Data (Members, Musicians, substitutes via Mobile-Web Bridge) For the life of the Workspace invitation, plus up to 24 months after archive. (trigger: Archive by the Workspace Owner or erasure request)

Workspace, Event, Response and Attendance Data Default 36 months from the relevant Event, configurable by the Workspace Owner in Settings. (trigger: Configured retention or erasure request)

Trust Notes and Reliability Scores Default 36 months from the last operational event referenced, configurable by the Workspace Owner. (trigger: Configured retention or erasure request (subject to clause 11.4))

Audit-Log Entries Append-only; default 36 months, configurable up to the period required by the Workspace Owner’s applicable law. (trigger: Lapse of retention period; not erasable except for limited GDPR rights and legal obligations)

Admin Mini-Pack Data For the life of the related Booking plus the retention period required by applicable contract / tax law. (trigger: Lapse of legal retention period)

Billing & Order-Form Data At least 10 years where required by Lithuanian and EU accounting and tax law. (trigger: Lapse of statutory retention period)

Communications Data (support tickets) 24 months from closure of the ticket. (trigger: Lapse of retention period)

Telemetry & Diagnostics 13 months from collection. (trigger: Lapse of retention period)

AI Inputs / Outputs Stored only inside the relevant Workspace as part of the related record. We do not retain AI inputs / outputs separately at the sub-processor beyond the operational call (“zero-retention” mode where available). (trigger: Erasure of the related record)

9.1. After retention. When the retention period ends, we delete or fully anonymise the personal data. Anonymised data may continue to be used for product analytics and aggregate reporting.

9.2. Legal holds. We may retain specific records beyond the periods above where required to defend or pursue legal claims, comply with an audit or investigation, or comply with a court order or regulatory request.

10

How We Protect Your Data

Technical and organisational measures.

10.1. Encryption. All communication between the App, the Mobile-Web Bridge and our backend is encrypted using TLS 1.3 with App Transport Security enforced (no exceptions in the iOS Info.plist). Personal data at rest is encrypted using industry-standard algorithms.

10.2. Authentication. Sign in with Apple is our primary authentication path; email magic-link is offered as a fallback; SSO (SAML / OIDC) is available at Conservatory and above. Auth tokens on iOS are stored in the iOS Keychain via the Security framework, never in UserDefaults.

10.3. Biometric gates. High-consequence operations (locking a Booking, viewing Trust Notes, generating an Audition / Reaudition Committee Pack, accessing the audit log, accessing the Substitute Pool Brokerage add-on) can be gated by Face ID / Touch ID via the iOS LocalAuthentication framework. The Workspace Owner controls which operations require biometric reauthentication.

10.4. Tenant isolation. All business records are isolated by organisation identifier. Route- and action-level permission checks are enforced server-side using Postgres row-level security policies (or equivalent at the chosen backend).

10.5. Append-only audit log. Create, update, archive, RSVP, urgent-call, response, shortlist, booking, admin, attendance, export, settings and Trust-Note actions are recorded in an append-only audit log.

10.6. Secure response links. Member and substitute response links are signed tokens with a time-to-live (TTL). Expired or invalid links fail safely without leaking Event or call data.

10.7. Secret handling. Authentication, storage, reminder, e-signature, calendar and AI credentials are kept server-side only and are rotated per provider best practice.

10.8. Apple Data Protection. On-device storage uses iOS Data Protection class “CompleteUntilFirstUserAuthentication” for the SwiftData store and “Complete” for export PDFs containing Trust-Note data.

10.9. Incident response. If we become aware of a personal-data breach likely to result in a risk to your rights and freedoms, we will notify our supervisory authority within 72 hours where required by Article 33 GDPR, and we will notify affected individuals where required by Article 34 GDPR.

10.10. No system is perfectly secure. We use commercially reasonable measures, but no online system is completely secure. You can help by keeping your device and Apple ID secure and reporting suspicious activity to us at support+orchestroz@mlconsulting.lt.

11

Your Rights and How to Exercise Them

Your GDPR rights and how we honour them.

Subject to applicable law, you have the following rights regarding personal data we hold about you:

the right of access (Article 15) — to know what personal data we hold and to receive a copy;

the right to rectification (Article 16) — to have inaccurate or incomplete data corrected;

the right to erasure / “to be forgotten” (Article 17) — to have your data deleted in the circumstances set out in the GDPR;

the right to restriction (Article 18) — to limit how we process your data in certain circumstances;

the right to data portability (Article 20) — to receive certain data in a structured, commonly used, machine-readable format and to have it transmitted to another controller;

the right to object (Article 21) — in particular, to object to processing based on legitimate interests or to direct marketing;

the right to withdraw consent (Article 7(3)) at any time, where processing is based on consent;

the right not to be subject to a decision based solely on automated processing, including profiling, that produces legal or similarly significant effects (Article 22) — see section 13;

the right to lodge a complaint with a supervisory authority (Article 77) — see section 17.

11.1. How to make a request. Send us your request at support+orchestroz@mlconsulting.lt. We may ask you to confirm your identity before we act, to avoid disclosing data to the wrong person. We aim to respond within one month under Article 12(3) GDPR; we may extend by a further two months where the request is complex, and we will tell you within one month if we do.

11.2. No fee. We do not charge for handling reasonable requests. Where a request is manifestly unfounded or excessive (in particular because of its repetitive character), we may charge a reasonable fee or refuse to act, and we will explain why.

11.3. Where to address Workspace-controlled data. For data the Workspace Owner controls (everything inside a Workspace — Members, Musicians, RSVPs, attendance, Trust Notes, Reliability Scores, exports, audit-log entries), please contact the Workspace Owner first. We will assist the Workspace Owner to comply with your request as required by Article 28 GDPR.

11.4. Erasure carve-outs. We may decline an erasure request, in whole or in part, where retention is necessary: (i) for compliance with a legal obligation (for example, accounting law, audit-log retention required by Workspace Owner policy); (ii) for the establishment, exercise or defence of legal claims; or (iii) for archiving in the public interest. In those cases we will tell you which exception applies.

11.5. Right to object. Where we process your data based on legitimate interests (clause 5.11), you may object on grounds relating to your particular situation. We will stop processing unless we have compelling legitimate grounds that override your rights, or the processing is necessary for the establishment, exercise or defence of legal claims.

11.6. Marketing opt-out. You can opt out of marketing emails at any time via the unsubscribe link in any marketing message or by emailing support+orchestroz@mlconsulting.lt.

12

Children’s Data and Minor Participants

Orchestroz is not designed for minors as the contracting party.

12.1. App rating. Orchestroz is rated 4+ in the App Store and does not target children. We do not knowingly collect data from minors as the contracting party.

12.2. Youth ensemble participants. Some Workspace Owners (for example, school music programs, youth choirs, conservatory pre-college programs) may invite minor Members into their Workspace. In those cases the Workspace Owner is responsible for: (i) obtaining and documenting parental / guardian consent under Article 8 GDPR or the applicable national age of digital consent; (ii) adapting the privacy notice to the language and rights regime applicable to minors; and (iii) configuring the App so that the minor’s data is processed proportionately and only for the legitimate operational purposes described in that notice.

12.3. Discovery and erasure. If you believe a minor’s data has been entered into Orchestroz without the appropriate consent, contact us at support+orchestroz@mlconsulting.lt. We will work with the relevant Workspace Owner to investigate and, where appropriate, erase the data.

13

Automated Decisions, AI Features and Profiling

No solely-automated decisions; AI is opt-in and human-reviewed.

13.1. No Article 22 decisions. We do not subject you to decisions producing legal or similarly significant effects based solely on automated processing within the meaning of Article 22 GDPR. Decisions about you (for example, audition outcomes, contractor renewal, employment, disciplinary action) are made by the Workspace Owner with meaningful human review and must not be made in reliance solely on App output.

13.2. AI features are opt-in. AI-assisted helpers (for example, weekly fulfilment summary drafts, repeated-failure-cause summaries, admin-gap highlights, anomaly detection, manager summary text) are off by default and are activated only when an admin of the Workspace Owner explicitly enables them in Settings.

13.3. AI safety rules. When AI helpers are enabled:

AI never automatically selects a substitute, auto-publishes a Booking, or changes booking / billing / admin-packet state;

AI never exposes private Trust Notes outside authorised roles;

AI output is editable text only and requires human confirmation before any save, send or export;

we redact customer-identifying free-text and third-party personal data before sending an AI prompt to the language-model sub-processor;

we do not allow the AI sub-processor to use your inputs or outputs to train any third-party model.

13.4. Reliability Scores. Reliability Scores are calculated deterministically from saved attendance, fulfilment and Trust Note records. They are workspace-internal and must not be used as the sole basis for a material decision affecting an individual.

13.5. EU AI Act readiness. We will keep AI features aligned with applicable obligations under Regulation (EU) 2024/1689 (AI Act), including transparency, logging and human-oversight requirements appropriate to the risk classification of the relevant feature.

14

Cookies, Tracking and Analytics

No third-party advertising tracking. No App Tracking Transparency prompt.

14.1. App Tracking Transparency. Orchestroz does not perform cross-app or cross-website tracking. We do not request App Tracking Transparency authorisation, in line with Apple’s requirements and our App Privacy Manifest.

14.2. Mobile-Web Bridge cookies. The Mobile-Web Bridge uses strictly necessary cookies and short-lived signed tokens to deliver Response Links, prevent CSRF attacks and remember anti-replay state. We do not set marketing, analytics or social-media cookies on the Mobile-Web Bridge.

14.3. Website cookies. On mlconsulting.lt we may use strictly necessary cookies and a limited set of analytics cookies (configured to anonymise IP addresses where required by national law). Where consent is required under the ePrivacy Directive or its national implementations, we present a cookie banner and respect your choice.

14.4. No advertising. We do not place ads in the App. We do not sell ad space or share data with advertising networks. There is no advertising profile of you in our systems.

15

Apple-Platform Disclosures

Information specific to iOS / iPadOS distribution.

15.1. App Privacy Manifest. Orchestroz publishes an App Privacy Manifest (PrivacyInfo.xcprivacy) declaring the data types we collect (Contact Info, User Content, Identifiers), the purposes (App Functionality and — if you opt in — Analytics), and required-reason API usage (UserDefaults, FileTimestamp, SystemBootTime, DiskSpace).

15.2. App Privacy Nutrition Label. In App Store Connect, our App Privacy Nutrition Label declares: Data Linked to You = Contact Info, User Content; Data Not Linked to You = Identifiers (organisation identifier only, opaque); Tracking = None.

15.3. Permissions. The App may ask for:

Notifications — only when you enable push preferences in Settings (not on first launch);

Photos — only if you choose to attach a profile picture (optional);

Files & Folders — via the iOS DocumentPicker when you import a roster CSV.

We do not request access to your camera, microphone, contacts or precise location.

15.4. Sign in with Apple. Because we offer email magic-link sign-in, Apple Guideline 4.8 requires Sign in with Apple to be at least equally prominent. Sign in with Apple discloses to us only the data Apple shares with you at the consent screen; you can choose to hide your email and Apple will give us a relay address.

15.5. iCloud / CloudKit. Where the App stores data in your private iCloud / CloudKit container, that data is governed by Apple’s Privacy Policy. If you delete the App, reset your device or disable iCloud, that data may be lost; you are responsible for maintaining the in-App exports that matter to you.

16

Changes to this Privacy Policy

How we tell you about updates.

16.1. Routine updates. We may update this Privacy Policy from time to time — for example, to reflect new features, new sub-processors, regulatory change or operational change.

16.2. Material changes. Where a change is material and adverse to you, we will give reasonable advance notice (at least thirty (30) days unless a shorter period is required by law) by in-App notice and, where we have your email address, by email.

16.3. Versioning. Each version of this Privacy Policy is dated and archived. The version in force at the time of the relevant processing governs that processing.

17

How to Complain

Your right to lodge a complaint with a supervisory authority.

17.1. Talk to us first. If you are unhappy with how we have handled your personal data, please contact us at support+orchestroz@mlconsulting.lt so we can try to resolve it.

17.2. Lithuanian supervisory authority. You also have the right to lodge a complaint with our lead supervisory authority:

AUTHORITY

Valstybinė duomenų apsaugos inspekcija (State Data Protection Inspectorate)

ADDRESS

L. Sapiegos g. 17, LT-10312 Vilnius, Lithuania

WEBSITE

vdai.lrv.lt

PHONE

+370 5 271 2804

17.3. Your home authority. If you live in another EU / EEA country, you may also complain to the supervisory authority in that country. Where you bring a complaint outside Lithuania, the supervisory authority you contact will coordinate with the Lithuanian authority under the GDPR cooperation mechanism.

— — —

END OF PRIVACY POLICY

Orchestroz · v1.0 · Read with the Orchestroz Terms and Conditions

© 2026. All rights reserved.