Privacy Policy

1. Data Controller

OryGent Labs, Barcelona, Spain is the data controller for personal data processed through the OryGent platform.

Contact: privacy@orygent.com

2. Data We Collect

Account data: Name, email address, company name, role, industry sector, company size. Collected during registration and onboarding.

Usage data: Pages visited, features used, AI operations count, twin interactions, session duration. Collected automatically via PostHog analytics (with consent).

Payment data: Processed exclusively by Stripe. We do not store credit card numbers. We receive only transaction confirmations and subscription status.

Company content: Documents uploaded to knowledge base, twin configurations, conversation logs, policy rules. This is your business data — see Section 5.

Technical data: IP address, browser type, device information, cookies. See our Cookie Policy.

3. Legal Basis for Processing

Contract performance: Processing necessary to provide the OryGent service you subscribed to (GDPR Art. 6(1)(b)).

Legitimate interest: Platform security, fraud prevention, service improvement (GDPR Art. 6(1)(f)).

Consent: Analytics cookies, marketing communications (GDPR Art. 6(1)(a)). You may withdraw consent at any time.

Legal obligation: Tax records, regulatory compliance (GDPR Art. 6(1)(c)).

4. Data Retention

Active accounts: Data retained for the duration of your subscription plus 90 days after cancellation.

After cancellation: Company data is available in read-only mode for 90 days (export available via DSAR API). After 90 days, data is permanently deleted.

Audit logs: Retained for the period specified in your plan (30/90/365 days) or as required by applicable law.

Legal obligations: Payment records retained for 7 years per tax regulations.

5. Your Data Ownership

Your data is yours. All company documents, knowledge base content, twin configurations, and conversation history remain your intellectual property.

We do not use your data to train AI models. We do not sell, rent, or share your data with third parties for their own purposes.

6. International Transfers

Your data may be processed by sub-processors located outside the EU/EEA. All transfers are protected by Standard Contractual Clauses (SCCs) and supplementary security measures.

Sub-processors: Supabase (database, EU region), Railway (API hosting, US), Stripe (payments, US), Anthropic (LLM, US), Vercel (frontend, global CDN), PostHog (analytics, EU), Sentry (error tracking, US), Novu (notifications, US).

Full sub-processor list available in our Data Processing Agreement.

7. Your Rights (GDPR)

Under GDPR, you have the right to: access your personal data, rectify inaccurate data, erase your data (right to be forgotten), restrict processing, data portability, object to processing, and not be subject to automated decision-making.

To exercise your rights, email privacy@orygent.com or use the Data Subject Access Request feature in Settings. We respond within 30 days (GDPR maximum).

8. Cookies

We use essential cookies for authentication and preferences. Analytics cookies (PostHog) are only set with your consent. See our full Cookie Policy for details.

9. Changes to This Policy

We may update this policy with at least 30 days notice. Material changes will be communicated via email and in-app notification. Continued use after the effective date constitutes acceptance.

10. Contact & Complaints

OryGent Labs — Barcelona, Spain

Privacy inquiries: privacy@orygent.com

You have the right to lodge a complaint with your local data protection authority. In Spain: Agencia Española de Protección de Datos (AEPD).