Privacy Policy

This Privacy Policy explains how ALL SURE LTD ("orchagent", "we", "us", or "our") collects, uses, and protects your personal information when you use our AI agent platform at orchagent.io.

Company Details:

• Company: ALL SURE LTD
• UK Company Number: 16710999
• Registered Address: 71-75 Shelton Street, Covent Garden, London, WC2H 9JQ
• Contact: info@orchagent.io

We act as the data controller for personal information collected through our platform.

We collect and process the following categories of information:

Account Information (via Supabase Auth)

• Email address
• Name (if provided)
• Profile picture (if provided)
• Authentication data
• Date of birth (for age verification)

API Keys

• orchagent API keys: Stored as SHA-256 hashes (we cannot see the original key)
• LLM provider API keys (OpenAI, Anthropic, Google): Encrypted with AES-256 at rest

Usage Data

• Agent runs and executions
• Timestamps and processing time
• Structured inputs and outputs for run history
• Error logs (without sensitive content)

Agent Content

• Agent code (Python/TypeScript) uploaded during publish
• Prompts, schemas, and configuration files
• Secrets stored in the secrets vault (encrypted at rest)

Analytics (PostHog)

• Sign-up and sign-in events
• Page views and navigation
• Feature usage patterns

Error Tracking (Sentry)

• Error reports and stack traces
• Session replays (with sensitive data masked)

Payment Data (Stripe)

• Subscription payment information (credit card details handled by Stripe, not stored by us)
• Billing history and invoices

We use your information to:

• Provide the Service: Authenticate you, execute agent runs, and deliver platform functionality
• Process Payments: Handle subscriptions and billing via Stripe
• Age Verification: Ensure users meet minimum age requirements (13+)
• Improve the Platform: Analyze usage patterns to enhance features and user experience
• Ensure Security: Detect and prevent fraud, abuse, and security threats
• Communicate: Send service updates, security alerts, and (with consent) marketing communications
• Comply with Legal Obligations: Meet regulatory requirements and respond to lawful requests

Your Content

We do NOT use your agents, skills, prompts, or private data to train third-party AI models. Your proprietary content remains private and is not shared with LLM providers for training purposes.

Aggregated Analytics

We MAY analyze aggregated, anonymized usage patterns to improve platform features. This includes:

• Which features are most used
• Common error patterns (without sensitive details)
• Performance metrics and optimization opportunities

This data is fully anonymized and cannot be traced back to individual users.

LLM Provider Data Usage

Your use of LLM providers (OpenAI, Anthropic, Google) is subject to THEIR data policies. We recommend reviewing:

• OpenAI's data usage policy (opt-out available for API usage)
• Anthropic's data policy
• Google's Gemini API data policy

We do not control how these providers use data sent through their APIs.

Analytics Opt-Out

You can opt out of analytics by emailing privacy@orchagent.io. Note that opting out may degrade service quality as we rely on analytics to identify and fix issues.

We process your personal data on the following legal bases:

• Contract Performance: Processing necessary to provide you with our services, including payment processing and agent execution
• Legitimate Interests: Improving our platform, preventing fraud, ensuring security, and managing platform operations
• Consent: Where you have explicitly agreed (e.g., marketing communications, parental consent for minors)
• Legal Obligation: Compliance with tax laws, CSAM reporting, and other applicable laws

We use the following third-party services to operate our platform:

Agent Execution (E2B)

When you run agents on our platform, your agent code and execution data are processed in sandboxed environments provided by E2B. Each run gets a fresh, isolated environment that is destroyed after execution. E2B processes this data as a sub-processor under our instructions.

Always-On Services (Fly.io)

Long-running agents (such as Discord bots or monitoring tools) are hosted on Fly.io infrastructure. Your agent code and runtime data are processed on Fly.io servers under our data processing agreement.

When you use agents that call LLM providers, your prompts and agent outputs are sent directly to those providers using your API keys. You are responsible for reviewing the privacy policies of any LLM provider you use with orchagent, including but not limited to:

• OpenAI Privacy Policy
• Anthropic Privacy Policy
• Google Privacy Policy
• Any other LLM provider whose API keys you connect to orchagent

Your data may be transferred to and processed in countries outside the UK/EEA. When we transfer data internationally, we ensure appropriate safeguards are in place:

• Standard Contractual Clauses (SCCs) approved by the European Commission
• Data Processing Agreements (DPAs) with our sub-processors
• UK adequacy decisions for countries deemed to provide adequate protection

We retain your data for the following periods:

• Account Data: While your account is active, plus 30 days after deletion
• Usage Logs: 90 days
• Run History: 7 days (Free), 90 days (Pro), full retention with export (Team and Enterprise). Structured inputs, outputs, and logs.
• Billing Records: 7 years (UK tax requirements)
• Analytics Data: 2 years

You can request deletion of your account and associated data at any time by contacting us at privacy@orchagent.io. Note that we must retain billing records for 7 years to comply with UK tax law, even after account deletion.

Under data protection laws, you have the right to:

• Access: Request a copy of your personal data
• Rectification: Correct inaccurate personal data
• Erasure: Request deletion of your personal data ("right to be forgotten")
• Portability: Receive your data in a structured, machine-readable format
• Object: Object to processing based on legitimate interests
• Restrict Processing: Request limitation of processing in certain circumstances
• Withdraw Consent: Withdraw previously given consent at any time

To exercise these rights, contact us at privacy@orchagent.io. We will respond within 30 days.

You also have the right to lodge a complaint with the UK Information Commissioner's Office (ICO) at ico.org.uk.

We use the following cookies:

• Authentication (Supabase): Essential cookies to keep you signed in
• Analytics (PostHog): To understand how users interact with our platform
• Error Tracking (Sentry): To identify and fix technical issues

Essential cookies are required for the service to function. Analytics cookies help us improve the platform but are not strictly necessary. You can opt out of non-essential cookies by emailing privacy@orchagent.io.

Age Requirements

The minimum age to use orchagent is 13 years old (COPPA compliance).

Parental Consent (Ages 13-17)

Users between 13-17 years old MUST obtain verifiable parental consent before:

• Creating an account
• Making purchases
• Publishing agents or skills

We may request proof of parental consent at any time. Acceptable forms include:

• Signed consent form from parent/guardian
• Parental verification via email or phone
• Video verification showing parent consent

No Knowing Collection Under 13

We do NOT knowingly collect personal information from children under 13. If we discover we have collected such information:

• We will delete it within 48 hours of discovery
• We will notify the user and request proof of age or parental consent
• If not provided within 14 days, the account will be permanently deleted

Reporting Underage Users

If you believe a user is under 13, report to privacy@orchagent.io with evidence.

If you are a California resident, you have additional rights:

• Right to Know: What personal information we collect, use, and disclose
• Right to Delete: Request deletion of your personal information
• Right to Opt-Out: Opt out of the sale of personal information
• Right to Non-Discrimination: Equal service regardless of exercising privacy rights

We do not sell personal information. To exercise your CCPA rights, contact us at privacy@orchagent.io.

Security Measures

We implement appropriate technical and organizational measures to protect your data:

• Encryption in transit (TLS 1.3) and at rest (AES-256)
• API keys stored as cryptographic hashes or encrypted
• Sandboxed agent execution (isolated environments per run)
• Regular security assessments and monitoring
• Access controls and audit logging

Data Breach Response

In the event of a personal data breach, we will:

Notification to Supervisory Authority (ICO)

• Report within 72 hours of becoming aware of the breach
• Include: nature of breach, categories and approximate number of affected individuals, consequences, and measures taken or proposed

Notification to Affected Users

If the breach poses a high risk to your rights and freedoms, we will notify you without undue delay with:

• Description of the breach in clear, plain language
• Name and contact details of our data protection contact point
• Likely consequences of the breach
• Measures taken or proposed to address the breach and mitigate harm

Exceptions

Notification may not be required if:

• We have implemented appropriate technical protection measures (e.g., encryption) rendering data unintelligible to unauthorized persons
• We have taken subsequent measures ensuring the high risk is no longer likely to materialize
• Notification would involve disproportionate effort (in which case we will make a public communication)

Security Incident Reporting

To report a security vulnerability or incident, contact security@orchagent.io.

We do NOT store, process, or transmit credit card information directly. All payment processing is handled by Stripe, a PCI DSS Level 1 certified payment processor (the highest level of certification).

How Payment Processing Works

When you make a purchase:

• Credit card details are sent directly to Stripe's secure servers
• We only receive a tokenized payment method identifier
• We cannot access your full card number, CVV, or card details
• Stripe handles all card data in compliance with PCI DSS requirements

Payment Security Questions

For questions about payment security, see Stripe's Security Documentation.

For privacy-related inquiries or to exercise your rights:

• General Inquiries: info@orchagent.io
• Privacy Requests: privacy@orchagent.io
• Security Issues: security@orchagent.io
• Address: 71-75 Shelton Street, Covent Garden, London, WC2H 9JQ, United Kingdom

We will respond to privacy requests within 30 days as required by GDPR and UK data protection laws.