Privacy policy

This is a placeholder pending the production privacy review. The bullets below describe what OryxAI actually collects today. They are not yet a substitute for the binding privacy notice that will appear here before general availability.

What we collect

• Account data: email, name, hashed password (Argon2id), MFA factor, organisation membership.
• Audit data: SaaS event log per request (API key id, org id, kind, timestamp, IP, user agent). 30-day retention by default; longer retention available on enterprise plans.
• Billing data: handled by Stripe. We store only Stripe identifiers (customer id, subscription id, invoice id) — no card numbers.
• Scanned content: ingress / egress payloads are scanned in-memory and never persisted unless an explicit policy stores them.

Subprocessors

Postgres (self-managed or Aurora), Stripe (billing), AWS S3 (backups when enabled). The current list is mirrored in our security page.

Contact

Privacy questions: privacy@oryxai.dev.