Back to Orgs.AI

Privacy Policy

Effective date: 17 June 2026 · Last updated: 17 June 2026

1. Who we are

This Privacy Policy explains how Orgs AI Ltd ("Orgs AI," "we," "us," or "our") collects, uses, and protects information in connection with the Orgs AI platform, including the OrgsOS coordination substrate, our website at orgs.ai, our dashboards, and related services (collectively, the "Service").

If you have questions, contact us at privacy@orgs.ai.

2. Scope and our role

Orgs AI is a platform for coordinating AI and human work. Because of how the Service operates, we handle data in two distinct roles:

This distinction matters: if you are an end user whose data was entered into an Org by one of our customers, that customer, not Orgs AI, is responsible for how your data is used, and you should direct privacy requests to them.

3. Information we collect

4. How we use information

We use information to:

Where required by law, we rely on a lawful basis for each purpose (for example, performance of a contract, legitimate interests, consent, or legal obligation).

5. AI model processing and sub-processors

Operator outputs are generated by large language models. To produce a response, relevant context, which may include Customer Data, is sent to one or more AI model providers. We send this data directly to the providers we use; we do not route it through a third-party aggregation layer. Our primary inference provider is Anthropic (Claude models), with OpenAI used as a secondary or fallback provider.

These providers act as our sub-processors and are contractually limited to processing data to deliver the requested output, on terms that prohibit training on our data. We engage other sub-processors for hosting, storage, memory, authentication, payments, and communications, including: Clerk (authentication), Stripe (payments), Neon (database hosting), Vercel (application hosting and scheduled jobs), Railway (backend API and worker hosting), SendGrid and Resend (email), Honcho (operational memory), and Anthropic and OpenAI (AI inference).

In addition, when you connect a third-party service to an Org, that service is engaged as a sub-processor at your direction for the data your Org sends it (see Section 6). We notify customers of new sub-processors and provide an opportunity to object as set out in the DPA.

6. Connectors and third-party services

When you connect a third-party service, that service's own privacy terms govern the data held there. We access it only within the scopes you authorize and only to perform the actions your Org is configured to take. For advertising connectors specifically (for example Google Ads, Meta, and Microsoft Ads), campaigns are created in a paused state and require explicit human approval before any spend is enabled. You can revoke a connector's access at any time through the dashboard or the third party, which stops future access; data already processed may persist in memory and audit records subject to Section 7.

7. Data retention

We retain data for as long as needed to provide the Service and meet legal, accounting, and security obligations. Default retention for operational memory reflects the platform's design and is configurable by you within these limits:

Data typeDefault retentionMaximum
Episodic memory (events/outcomes)90 days365 days
Semantic memory (facts)Indefinite (until deleted)-
Procedural memory (learnings)Indefinite; gated and reversible-
Audit and decision records365 days-
Account and billing recordsAccount duration + 6 years-

Sensitive categories flagged as protected topics (for example personal identifiers, credentials, and financial data) are masked on access, and that access is itself audited. On account termination or a valid deletion request, we delete or anonymize data within 30 days, except where retention is legally required.

8. How we share information

We do not sell personal information. We share it only:

9. International transfers

We are based in the United Kingdom, and our primary database is hosted in the United Kingdom (London). Some processing and compute takes place outside the UK, including in the United States and the European Economic Area, through our hosting providers. Where data is transferred across borders, we rely on appropriate safeguards such as the UK International Data Transfer Agreement (or the UK Addendum to the EU Standard Contractual Clauses), the EU Standard Contractual Clauses, and adequacy decisions where available.

10. Security

We protect data with measures including: storing credentials as encrypted vault references rather than plaintext, with rotation and expiry; encryption in transit and at rest; least-privilege scoping and decision-authority enforcement; isolation between Orgs and between tenants; immutable audit logging with no-credentials-in-logs and complete-audit-trail invariants; and access controls and monitoring. No system is perfectly secure, but we work to protect data against unauthorized access, loss, and misuse.

11. Your rights

Depending on where you live, you may have rights to access, correct, delete, port, or restrict the processing of your personal information, to object to certain processing, and to withdraw consent. To exercise these rights, contact privacy@orgs.ai. We will respond within the timeframe required by applicable law. If your personal data was entered into an Org by one of our customers, we will refer your request to that customer, who acts as the controller.

For UK and EU residents (UK GDPR / EU GDPR):in addition to the rights above, you have the right to lodge a complaint with a supervisory authority. In the UK this is the Information Commissioner's Office (ICO), ico.org.uk.

For California residents (CCPA/CPRA): you have rights to know, delete, and correct your personal information, and to opt out of its sale or sharing. We do not sell or share personal information as those terms are defined under the CCPA/CPRA, and we do not use it for cross-context behavioural advertising.

12. Children's privacy

The Service is not directed to children under 13, and we do not knowingly collect their personal information. If you believe a child has provided us personal information, contact us and we will delete it.

13. Changes to this policy

We may update this policy from time to time. We will post the updated version with a new "Last updated" date and, for material changes, provide additional notice as required by law.

14. Contact us

Orgs AI Ltd
Unit 008, Westbourne Studios, 155 Acklam Road, London W10 5JJ, United Kingdom
privacy@orgs.ai
orgs.ai