Oriora — Privacy Policy
Last updated: 2026-05-26
Effective: 2026-05-26
1. Who we are
This Privacy Policy describes how Orioralabs OÜ ("Oriora", "we", "our", "us") collects, uses, and protects your personal data when you use our services.
Orioralabs OÜ is a private limited company registered in Estonia, registration code 17506353, with its registered office at Tuukri 19-202, 10120 Tallinn, Estonia. We are the data controller for the personal data described in this Privacy Policy.
For any questions, requests, or complaints regarding your personal data, please contact us at [email protected].
2. What personal data we collect
We collect the following categories of personal data:
Account data
- Name (where you provide it)
- Email address
- Hashed password
- Account creation date
Payment and billing data
- Billing country (provided to our payment processor)
- Transaction records, ecosystem dollar balance, invoices
- Payment method details are handled by our payment processor and are not stored by Oriora directly.
Usage metadata
- Which Oriora apps or services you use
- Timestamps and counts of requests
- Routing decisions (which underlying AI vendor handled which request)
- Error logs, latency metrics
- Caching state (transient, operational only)
- Server access logs (IP address, user agent / device info, request timestamps) retained briefly for operational and security purposes
What we do NOT collect or store
- The text of prompts you submit to our services
- The text of outputs generated by AI vendors in response to your prompts
- Multi-turn conversation history
Any AI vendor credentials you provide for BYOK (bring-your-own-key) paths are stored only in encrypted form and used only to route your requests.
3. Why we collect personal data — legal basis
We process your personal data under the following legal bases under the EU General Data Protection Regulation (GDPR):
- Contract: to create and operate your account, process payments, manage your ecosystem dollar balance, route your requests to AI vendors and return the response, and send you transactional emails (account, billing, security).
- Legitimate interest: to monitor security and prevent fraud and abuse, to operate and improve the Oriora service, and to send you occasional product update emails about Oriora services (see Section 9 for your opt-out right).
- Legal obligation: to comply with applicable legal, tax, and accounting obligations, including Estonian tax law.
4. Who we share your personal data with
We share personal data only with the sub-processors and third parties listed in the Oriora Sub-processors document, which forms part of this Privacy Policy. In summary:
- Infrastructure sub-processors — Supabase (database + authentication), Railway (server hosting), Vercel (landing page hosting), Cloudflare (DNS, CDN, AI Gateway), Resend (transactional email delivery).
- Payment processor — Creem OÜ (Estonia), acting as Merchant of Record and an independent data controller for payment data, not as Oriora's sub-processor.
- AI vendors (Anthropic, OpenAI, Google, and others in Oriora's catalogue) — content is transmitted to a vendor only to fulfil your request. These vendors are your third-party relationships, not Oriora's sub-processors; see the Sub-processors document for the full explanation.
We do not sell your personal data. We do not share your personal data with advertisers, data brokers, or marketing partners.
We may disclose personal data where required by law, court order, or regulatory authority, or as necessary to protect our rights or the safety of others.
5. Where your data is processed and stored
Oriora is based in Estonia (European Union). Some of our infrastructure sub-processors are located in the United States or operate globally. Where personal data is transferred outside the European Economic Area, we use appropriate safeguards, including Standard Contractual Clauses approved by the European Commission. Details of each sub-processor's data location are in the Sub-processors document.
6. How long we keep your data
We retain your personal data only as long as necessary for the purposes described in this policy, unless a longer retention period is required by law.
| Data type | Retention period |
|---|---|
| Billing and invoice records | As required by Estonian tax and accounting law |
| Account data (name, email, login credentials) | While your account is active; deleted or anonymised after account closure |
| Operational usage metadata (request logs, routing decisions, error logs) | Limited operational duration appropriate to security and debugging needs |
| Prompt content, output content, multi-turn conversation history | Not retained |
| Email suppression list (where you have unsubscribed from product updates) | Indefinite, to honour your unsubscribe request |
7. Your rights
If you are located in the European Economic Area, the United Kingdom, or Switzerland, you have rights with respect to your personal data under applicable data protection law. These include:
- Access — request a copy of the personal data we hold about you.
- Rectification — request correction of inaccurate or incomplete data.
- Erasure — request deletion, subject to legal-obligation retention.
- Object — object to processing based on legitimate interest, including direct marketing.
- Lodge a complaint with a supervisory authority — for Oriora customers, the lead supervisory authority is the Estonian Data Protection Inspectorate (https://www.aki.ee).
You may also have other rights under applicable law. To exercise any of these rights, contact us at [email protected].
8. Cookies
Oriora uses only strictly necessary cookies required for the operation of the service, such as authentication session cookies. We do not use analytics, advertising, marketing, or third-party tracking cookies. No cookie consent banner is shown because no non-essential cookies are set.
9. Email communications
We send the following categories of email:
Transactional emails — account confirmations, password resets, billing receipts, security alerts, and similar messages necessary for the operation of your account. These are sent under the performance-of-contract legal basis and will continue as long as your account is active.
Product update emails — occasional messages about new features, improvements, or changes to Oriora services. We send these to existing customers under the legitimate-interest legal basis as permitted by applicable law. You may opt out at any time by clicking the unsubscribe link in any such email or by contacting [email protected]. Unsubscribing does not affect your continued receipt of transactional emails.
We do not send third-party promotional emails, industry newsletters, or marketing partner content.
10. Children
Oriora's services are intended for individuals aged eighteen (18) and over, in accordance with Section 2 of the Oriora Terms of Service. We do not knowingly collect personal data from anyone under eighteen. If you believe a person under eighteen has provided personal data to us, please contact [email protected] and we will take appropriate steps to delete the data.
11. Data security
Oriora takes appropriate technical and organisational measures to protect your personal data, including encryption of stored credentials, access controls, and secure infrastructure providers. No system is perfectly secure; we cannot guarantee absolute security.
12. Changes to this Privacy Policy
We may update this Privacy Policy from time to time. For any change that materially affects your rights, we will provide at least thirty (30) days' advance notice by email or in-product notification. Other changes will take effect when posted on Oriora's website.
Your continued use of the service after the effective date of any change constitutes your acceptance of the updated Privacy Policy.
13. Contact
For any questions, requests, or complaints regarding this Privacy Policy or your personal data, contact us at [email protected]. Postal correspondence may be sent to Oriora's registered office set out in Section 1.