Privacy Policy
Effective date: 17 June 2026 · Last updated: 17 June 2026
1. Who we are
This Privacy Policy explains how Orgs AI Ltd ("Orgs AI," "we," "us," or "our") collects, uses, and protects information in connection with the Orgs AI platform, including the OrgsOS coordination substrate, our website at orgs.ai, our dashboards, and related services (collectively, the "Service").
If you have questions, contact us at privacy@orgs.ai.
2. Scope and our role
Orgs AI is a platform for coordinating AI and human work. Because of how the Service operates, we handle data in two distinct roles:
- As a controller. For information about your account, billing, our website, and our own operational logging, we decide why and how the data is processed. This policy governs that data.
- As a processor.When you operate an Org on the Service, the Org processes content and records you and your end users supply ("Customer Data"). For most Customer Data, you are the controller and we act as your processor, handling it on your instructions under your customer agreement and any Data Processing Addendum (DPA). If that agreement conflicts with this policy regarding Customer Data, the agreement controls.
This distinction matters: if you are an end user whose data was entered into an Org by one of our customers, that customer, not Orgs AI, is responsible for how your data is used, and you should direct privacy requests to them.
3. Information we collect
- Account and identity data. Name, email, organization name, role, authentication identifiers, and session data. Authentication and user management are handled through our identity provider, Clerk.
- Billing data. Plan, transaction history, and payment metadata. Card details are handled by our payment processor, Stripe; we do not store full card numbers.
- Configuration and specification data. The Orgs, Operators, Agents, Playbooks, Workflows, DecisionSpecs, and other primitives you define, including their settings and decision-authority rules.
- Connector data. When you link a third-party service (for example GitHub, Slack, Google Ads, Google Calendar, Meta, Microsoft Ads, LinkedIn, Reddit, X, Stripe, SendGrid, or a CMS such as Ghost), we access data within the scopes you grant. We store references to your credentials in an encrypted secrets vault, not the credentials themselves in plaintext specifications, and we rotate and expire them according to defined policies.
- Customer Data and artifacts. Content your Org processes or produces: code, documents, marketing and campaign content, customer and lead records, reports, and similar artifacts. The nature of this data is determined by you.
- Operational memory. The Service maintains memory to coordinate work, including episodic records (events and outcomes), semantic facts, and procedural learnings. This is held in our own stores and through our memory provider, Honcho. Memory may contain Customer Data.
- Audit and decision records. Each significant action produces an audit record (who acted, what was done, when, the outcome, and which governance policies were evaluated) and an associated decision trace. These support security, accountability, and explainability.
- Usage and device data. Log data, IP address, browser and device information, and product interaction events, collected through standard server-side logging. We do not currently use third-party product-analytics tools; this data is collected only through our own application and infrastructure logs.
4. How we use information
We use information to:
- provide, operate, and maintain the Service and execute the Orgs you configure;
- authenticate users and enforce decision-authority and security policies;
- coordinate work between AI Operators and humans, including via the memory and audit systems;
- route requests to AI model providers to generate Operator outputs (see Section 5);
- communicate with you about your account, support, and service changes;
- bill for the Service and prevent fraud and abuse;
- maintain security, investigate incidents, and meet legal obligations; and
- improve the Service. We do not use Customer Data to train foundation models, and our model providers are contractually prohibited from training on data we send through their APIs, except where you explicitly opt in.
Where required by law, we rely on a lawful basis for each purpose (for example, performance of a contract, legitimate interests, consent, or legal obligation).
5. AI model processing and sub-processors
Operator outputs are generated by large language models. To produce a response, relevant context, which may include Customer Data, is sent to one or more AI model providers. We send this data directly to the providers we use; we do not route it through a third-party aggregation layer. Our primary inference provider is Anthropic (Claude models), with OpenAI used as a secondary or fallback provider.
These providers act as our sub-processors and are contractually limited to processing data to deliver the requested output, on terms that prohibit training on our data. We engage other sub-processors for hosting, storage, memory, authentication, payments, and communications, including: Clerk (authentication), Stripe (payments), Neon (database hosting), Vercel (application hosting and scheduled jobs), Railway (backend API and worker hosting), SendGrid and Resend (email), Honcho (operational memory), and Anthropic and OpenAI (AI inference).
In addition, when you connect a third-party service to an Org, that service is engaged as a sub-processor at your direction for the data your Org sends it (see Section 6). We notify customers of new sub-processors and provide an opportunity to object as set out in the DPA.
6. Connectors and third-party services
When you connect a third-party service, that service's own privacy terms govern the data held there. We access it only within the scopes you authorize and only to perform the actions your Org is configured to take. For advertising connectors specifically (for example Google Ads, Meta, and Microsoft Ads), campaigns are created in a paused state and require explicit human approval before any spend is enabled. You can revoke a connector's access at any time through the dashboard or the third party, which stops future access; data already processed may persist in memory and audit records subject to Section 7.
7. Data retention
We retain data for as long as needed to provide the Service and meet legal, accounting, and security obligations. Default retention for operational memory reflects the platform's design and is configurable by you within these limits:
| Data type | Default retention | Maximum |
|---|---|---|
| Episodic memory (events/outcomes) | 90 days | 365 days |
| Semantic memory (facts) | Indefinite (until deleted) | - |
| Procedural memory (learnings) | Indefinite; gated and reversible | - |
| Audit and decision records | 365 days | - |
| Account and billing records | Account duration + 6 years | - |
Sensitive categories flagged as protected topics (for example personal identifiers, credentials, and financial data) are masked on access, and that access is itself audited. On account termination or a valid deletion request, we delete or anonymize data within 30 days, except where retention is legally required.
8. How we share information
We do not sell personal information. We share it only:
- with sub-processors and service providers under contract (Section 5);
- with third-party services you connect (Section 6);
- in connection with a merger, acquisition, or asset sale, subject to this policy;
- to comply with law or a valid legal request, or to protect rights, safety, and security; and
- with your consent or at your direction.
9. International transfers
We are based in the United Kingdom, and our primary database is hosted in the United Kingdom (London). Some processing and compute takes place outside the UK, including in the United States and the European Economic Area, through our hosting providers. Where data is transferred across borders, we rely on appropriate safeguards such as the UK International Data Transfer Agreement (or the UK Addendum to the EU Standard Contractual Clauses), the EU Standard Contractual Clauses, and adequacy decisions where available.
10. Security
We protect data with measures including: storing credentials as encrypted vault references rather than plaintext, with rotation and expiry; encryption in transit and at rest; least-privilege scoping and decision-authority enforcement; isolation between Orgs and between tenants; immutable audit logging with no-credentials-in-logs and complete-audit-trail invariants; and access controls and monitoring. No system is perfectly secure, but we work to protect data against unauthorized access, loss, and misuse.
11. Your rights
Depending on where you live, you may have rights to access, correct, delete, port, or restrict the processing of your personal information, to object to certain processing, and to withdraw consent. To exercise these rights, contact privacy@orgs.ai. We will respond within the timeframe required by applicable law. If your personal data was entered into an Org by one of our customers, we will refer your request to that customer, who acts as the controller.
For UK and EU residents (UK GDPR / EU GDPR):in addition to the rights above, you have the right to lodge a complaint with a supervisory authority. In the UK this is the Information Commissioner's Office (ICO), ico.org.uk.
For California residents (CCPA/CPRA): you have rights to know, delete, and correct your personal information, and to opt out of its sale or sharing. We do not sell or share personal information as those terms are defined under the CCPA/CPRA, and we do not use it for cross-context behavioural advertising.
12. Children's privacy
The Service is not directed to children under 13, and we do not knowingly collect their personal information. If you believe a child has provided us personal information, contact us and we will delete it.
13. Changes to this policy
We may update this policy from time to time. We will post the updated version with a new "Last updated" date and, for material changes, provide additional notice as required by law.
14. Contact us
Orgs AI Ltd
Unit 008, Westbourne Studios, 155 Acklam Road, London W10 5JJ, United Kingdom
privacy@orgs.ai
orgs.ai