Privacy Policy
Last updated: April 20, 2026
This policy explains what data we collect when you use Orqesa (orqesa.com and the Orqesa product), how we use it, who we share it with, and the rights you have. Plain-English summaries precede each section.
1. Who we are
"Orqesa", "we", "us" means the team operating the Orqesa product and the orqesa.com website. We act as the data controller for personal data collected through the website and the product.
Questions or privacy requests: hi@orqesa.com. We reply within 30 days (GDPR requirement). If you are in the EU/EEA or UK and believe we have not handled a request correctly, you have the right to complain to your local data protection authority.
2. What we collect
We only collect what we need. The table below is exhaustive for the orqesa.com website; the Orqesa product (when you have access) adds the data you explicitly give it (connected-tool data, agent conversations, approvals).
| Category | Examples | Source | Legal basis |
|---|---|---|---|
| Contact data | Email address you submit to the waitlist | You, directly | Consent; performance of service |
| Technical data | IP address (temporarily, for rate limiting), browser type, device type, screen size, referrer, pages visited, session ID | Your browser, our logs | Legitimate interest (security, service reliability) |
| Usage analytics | Page views, button clicks, time on page, aggregated session duration, Core Web Vitals | Google Analytics 4, Vercel Analytics | Consent (EU/UK); legitimate interest (elsewhere) |
| Communications | Emails you send us; our replies | You, directly | Legitimate interest (answering your questions) |
| Product data (when you have product access) | Data from tools you connect (GitHub, Slack, Stripe, etc.), agent conversations, approvals, actions | You, via the product | Contract (to deliver the service you requested) |
We do not collect: biometric data, precise location, payment card details (alpha is free), government IDs, or any special category data under GDPR Article 9.
3. How we use it and our legal bases
- Deliver the service — send your waitlist confirmation, set up your workspace, route agent actions to your approved tools.
- Keep it secure and working — rate-limit abusive traffic, investigate bugs, respond to incidents.
- Understand what's useful — aggregated analytics tell us which features people use (consent-gated for EU/UK visitors).
- Communicate with you — product announcements, security alerts, replies to your questions.
Under the UK GDPR and EU GDPR, we rely on the following legal bases:
| Purpose | Legal basis |
|---|---|
| Sending waitlist confirmation and setting up your workspace | Performance of a contract — Art. 6(1)(b) |
| Product and security announcements we must send you | Legitimate interest — Art. 6(1)(f) |
| Non-essential marketing emails | Consent — Art. 6(1)(a) |
| Analytics (Google Analytics 4, Vercel Analytics) for EU/UK/CH visitors | Consent — Art. 6(1)(a) |
| Analytics outside those regions | Legitimate interest — Art. 6(1)(f) |
| Rate limiting and abuse prevention | Legitimate interest — Art. 6(1)(f) |
| Responding to lawful requests and meeting legal obligations | Legal obligation — Art. 6(1)(c) |
We do NOT:
- Sell your personal data to anyone.
- Share your data with advertisers or ad networks.
- Use your conversations, connected-tool data, or outputs to train AI models — ours or any subprocessor's.
- Profile you for purposes unrelated to delivering the service.
- Process special category data under GDPR Article 9 (health, biometric, political, religious, sexual orientation, and so on).
4. AI models and our no-training commitment
Orqesa advisors are powered by third-party AI models. We maintain Zero Data Retention (ZDR) agreements with our AI providers where available.
We commit that:
- Your data is never used to train the AI models of Orqesa or any subprocessor. This applies to your conversations, connected-tool data, and product usage.
- Your inputs and the model's outputs are not retained by the AI provider beyond the immediate request, where ZDR is supported.
- If a provider does not offer ZDR for a specific feature, we will name that feature and its retention in the subprocessors list and require your opt-in before you use it.
Current AI providers: Anthropic (Claude), OpenAI (GPT-series), Google (Gemini). The current list with regions and DPA links lives at /subprocessors.
5. Who we share with (subprocessors)
We use a small number of infrastructure and AI providers to operate the service. A complete, current list lives at /subprocessors — including each provider's purpose, region, and link to their data processing agreement.
We give you 30 days' notice before adding or replacing a subprocessor. You can subscribe to changes via the subprocessors page.
6. Analytics and cookies
We use two analytics services:
- Google Analytics 4 — aggregated pageview and event data. Uses cookies.
- Vercel Web Analytics — cookieless, aggregated traffic and performance metrics (Core Web Vitals).
If you visit from the EU, EEA, UK, or Switzerland, we ask for your consent before loading these. If you decline, analytics are not loaded for your visit. You can change your mind anytime via the Cookie settings link in the footer.
Outside those regions, analytics load on the basis of our legitimate interest. You can still opt out by declining in the banner or by using browser controls such as "Do Not Track", Global Privacy Control, or your ad-blocker of choice.
7. How long we keep your data
- Waitlist email — until you ask us to delete it, or 24 months from your last interaction with us, whichever is sooner.
- IP address (rate limiting) — held in memory for 60 seconds, then discarded.
- Analytics data — GA4 default 14 months; Vercel Analytics default 30 days.
- Product data — for as long as your account is active; deleted within 30 days of account closure, with encrypted backups rolled off within 90 days.
- Legal obligations — when we must keep data longer (tax, dispute, security incident), we keep only what's strictly required and delete the rest.
8. Your rights
Depending on where you live, you have some or all of these rights:
- Access — get a copy of the personal data we hold about you.
- Correction — fix inaccurate data.
- Deletion — ask us to erase your data (subject to our legal obligations).
- Portability — get your data in a machine-readable format.
- Object or restrict — stop specific processing or marketing.
- Withdraw consent — wherever we rely on consent, you can withdraw it at any time.
- Complain — to your local data protection authority. Common ones: UK Information Commissioner's Office; your EU member-state DPA; California Attorney General for CCPA.
- No automated decisions with legal effects — Orqesa advisors propose actions. You approve every action with legal or similarly significant effects. You retain the right to review the reasoning, modify the proposed action, reject it, or ask for human review.
To exercise any right, email hi@orqesa.com. We respond within 30 days. No charge for reasonable requests.
9. International data transfers
Our infrastructure and AI providers operate globally. Where your data leaves your region (for example, EU to US), we use appropriate safeguards:
- EU–US Data Privacy Framework (DPF) — for transfers to DPF-certified US subprocessors (active since July 2023).
- UK Extension to the EU–US DPF (UK–US Data Bridge) — for UK transfers to DPF-certified US subprocessors (active since October 2023).
- Standard Contractual Clauses (SCCs) under European Commission Decision 2021/914 Module 2, where DPF does not apply.
- UK International Data Transfer Addendum to the EU SCCs, as issued by the UK ICO.
You can request copies of the safeguards in place by emailing hi@orqesa.com.
10. Security
We use standard industry safeguards:
- TLS 1.2+ for all traffic; HSTS on public endpoints.
- Encrypted storage at rest.
- Least-privilege access; secrets stored in managed secret stores, never in source code.
- Third-party OAuth tokens for connected tools encrypted at rest and never logged in plaintext.
- Content Security Policy, strict CORS, origin-pinned CSRF protection on mutation endpoints.
Breach notification: if a personal-data breach is likely to result in risk to your rights, we notify you and the relevant authority within 72 hours, per GDPR Article 33.
11. Children
Orqesa is a business tool intended for users aged 18 or over using it in a business context. We do not knowingly collect data from minors. If you believe a minor has submitted data, email hi@orqesa.com and we'll delete it.
12. Changes to this policy
We update this policy when our practices change. Material changes are notified by email (for users with an account) and by a banner on the site. The "last updated" date at the top of this page always reflects the current version.
13. Contact
For any question about this policy or your data: email hi@orqesa.com. We reply within 30 days.