
Privacy Policy

Last updated: March 9, 2026

Orckai ("we", "us", or "our") operates the Orckai platform at orckai.app and the website at orckai.com. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our platform and website.

1. Data Ownership

All data you upload to or create within Orckai remains your property. This includes knowledge base documents, workflow inputs and outputs, API requests and responses, AI prompts and generated outputs, and configuration settings.

Your data is never used to train AI models. We process your data solely to provide platform functionality. We do not use customer content to train, fine-tune, or improve foundation models.

2. Information We Collect

Account Information: When you create an account, we collect your name, email address, organization name, and password (stored as a one-way hash — we cannot recover your original password).

Usage Data: We collect information about how you use the platform, including workflow executions, agent interactions, API calls, and feature usage. This data is used to improve the service and provide usage analytics.

Documents & Data You Upload: When you upload documents to Knowledge Bases or process files through workflows, that content is stored in your organization's isolated storage. We do not access, read, or use your uploaded content for any purpose other than providing the service to you.

Widget Visitor Data: When visitors interact with your embedded chat widgets, we may collect IP addresses, browser information, and any lead data (name, email, company) that visitors voluntarily provide. This data is scoped to your organization and accessible only to your team.

Technical Data: We collect IP addresses, browser type, device information, and access timestamps for security and audit logging purposes.

Payment Information: If you subscribe to a paid plan, payment processing is handled by our third-party payment processor. We do not store credit card numbers on our servers.

3. How We Use Your Information

We use the information we collect to:

  • Provide, maintain, and improve the Orckai platform
  • Process your transactions and manage your subscription
  • Send you technical notices, security alerts, and support messages
  • Monitor usage patterns to improve performance and reliability
  • Detect, prevent, and address technical issues and security threats
  • Enforce rate limits and usage quotas to protect platform stability
  • Comply with legal obligations

4. Data Isolation & Multi-Tenancy

Orckai is built with multi-tenant data isolation. Each organization's data is fully isolated at the database level. Your documents, workflows, agents, knowledge bases, widgets, and all associated data are scoped to your organization and cannot be accessed by other tenants. This isolation extends to vector embeddings used for knowledge base retrieval — search results are always restricted to your organization's data.

5. Deployment Options

Managed SaaS (orckai.app): When you use our managed cloud service, your data is stored on our infrastructure with full multi-tenant isolation. This privacy policy applies to our hosted service.

Self-Hosted: If you deploy Orckai on your own infrastructure, all data remains entirely on your servers. We have no access to your self-hosted instance, its data, or its usage.

6. AI Processing & Third-Party Providers

When you use AI agents, workflows, or chat widgets, prompts and responses are sent to the LLM provider you configure (e.g., Anthropic, OpenAI). These requests are made using your own API keys. We do not store LLM conversation content beyond what is needed for execution history and debugging.

When sending data to AI providers, we follow these principles:

  • Only the data required for the request is transmitted
  • Internal system instructions and platform configuration are protected from disclosure
  • AI responses are filtered to prevent unintended exposure of internal information
  • Prompt injection attempts are detected and logged

Please review the privacy policies of your chosen LLM providers for their data handling practices.

7. Document Ingestion & Processing

Documents uploaded to knowledge bases are processed through a security scanning pipeline before being stored and indexed. This includes:

  • Detection and removal of embedded prompt injection attempts
  • Automatic redaction of credentials, API keys, and tokens found in document content
  • Filtering of malicious or dangerous content patterns
  • Validation at the individual chunk level during indexing

Documents that fail security checks may be sanitized or rejected. This protects your AI assistants from serving compromised or manipulated content to end users.

8. Data Sharing

We do not sell, rent, or trade your personal information. We may share information only in the following circumstances:

  • Service Providers: With trusted third parties who help us operate the platform (hosting, payment processing, email delivery), bound by confidentiality agreements
  • AI Model Providers: Prompt and context data is sent to your configured LLM provider to generate responses, as described in Section 6
  • Legal Requirements: When required by law, regulation, or legal process
  • Safety: To protect the rights, safety, or property of Orckai, our users, or the public
  • Business Transfers: In connection with a merger, acquisition, or sale of assets, with prior notice

9. Data Retention

We retain your account data for as long as your account is active. Workflow execution logs are retained for 90 days by default. You can delete individual resources (documents, knowledge bases, workflows, widgets) at any time, and associated data is removed from active storage. You can request deletion of your entire account and all associated data by contacting us. Upon deletion, we remove your data within 30 days, except where retention is required by law.

10. Security

We implement comprehensive security measures to protect your data:

  • Encryption at rest: Sensitive data such as API keys and integration credentials are encrypted using AES-256 before storage
  • Encryption in transit: All connections are protected with TLS, enforced with HSTS
  • Authentication: Passwords are stored as one-way hashes. Access tokens are short-lived (15 minutes) with secure refresh token rotation
  • API key protection: API keys are cryptographically hashed before storage — raw keys cannot be recovered from the database
  • Access control: Role-based permissions restrict what users can do within their organization
  • Rate limiting: Multiple rate limiting layers protect against brute force attacks and abuse across authentication, API, and widget endpoints
  • AI safety: Prompt injection detection, output filtering, and document ingestion scanning protect against AI-specific threats
  • Security headers: HSTS, Content Security Policy, and other headers are enforced at the edge
  • Audit logging: Security-relevant events are logged for monitoring and investigation
  • Tenant isolation: Organization-scoped queries ensure data cannot be accessed across tenants

11. Audit Logging

We maintain audit logs of security-relevant events to support monitoring, compliance, and incident investigation. Logged events include:

  • Authentication activity (login, logout, password changes, failed attempts)
  • API access events (key usage, endpoint accessed, scopes used)
  • Configuration changes (security settings, integration credentials)
  • Suspicious activity detection (prompt injection attempts, unusual patterns)
  • Workflow and agent executions

Audit logs include request metadata such as IP addresses and request identifiers to assist in security analysis. Logs are scoped to your organization and accessible to organization administrators.

12. Your Rights

Depending on your jurisdiction, you may have the right to:

  • Access the personal data we hold about you
  • Correct inaccurate or incomplete data
  • Request deletion of your data
  • Export your data in a portable format
  • Object to or restrict certain processing
  • Withdraw consent where processing is based on consent

To exercise these rights, contact us at privacy@orckai.com.

13. Cookies & Local Storage

Our platform stores authentication tokens in your browser's local storage for session management. We do not use third-party advertising or tracking cookies. Our website may use analytics cookies to understand traffic patterns. You can clear local storage and disable cookies in your browser settings.

14. Customer Responsibilities

While Orckai provides extensive platform protections, customers are responsible for:

  • Uploading sensitive data only when necessary and appropriate for AI processing
  • Managing API keys and integration credentials securely
  • Granting appropriate permissions to users within their organization
  • Reviewing the content of knowledge base documents before connecting them to public-facing widgets

The platform provides tools, audit logs, and usage dashboards to assist organizations in managing these responsibilities.

15. Children's Privacy

Orckai is not intended for use by individuals under the age of 16. We do not knowingly collect personal information from children. If we become aware that we have collected data from a child, we will delete it promptly.

16. International Data Transfers

If you access Orckai from outside the country where our servers are located, your data may be transferred across borders. We ensure appropriate safeguards are in place for such transfers in compliance with applicable data protection laws.

17. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by posting the updated policy on this page and updating the "Last updated" date. Your continued use of the platform after changes constitutes acceptance of the updated policy.

18. Contact Us

If you have questions about this Privacy Policy or our data practices, contact us at:

  • Email: privacy@orckai.com
  • General: contact@orckai.com

© 2025-2026 Orckai. All rights reserved.