1. Overview
Kolerr Lab ("we," "us," or "our") operates the Orchesity platform at orchesity.com ("Service" or "Platform"). This Privacy Policy describes how we handle personal information in connection with the Service.
By using Orchesity you consent to the practices described in this Policy. If you do not agree, you must discontinue use of the Platform.
We are committed to compliance with applicable data protection law, including the EU General Data Protection Regulation (GDPR), the UK GDPR, and the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA).
We do not sell your personal information. We do not sell, rent, or trade personal information to third parties for their own marketing purposes.
2. Information We Collect
2.1 Information you provide directly
- →Account registration: Name, email address, hashed password when you register with email/password.
- →Profile information: Display name and any optional profile details you add in Settings.
- →Payment information: We do not store your payment card data. Payments are handled by Stripe. We receive and store only Stripe customer IDs and subscription status metadata.
- →Generation prompts: The natural-language descriptions and requirements you submit to generate scaffolds.
- →Contact and support: Any information you provide when submitting a support request or contact form, including email address and message content.
2.2 Information collected via OAuth providers
- →Google OAuth: When you sign in with Google, we receive your Google account ID, email address, and display name. We do not receive or store your Google password.
- →GitHub OAuth (authentication): When you sign in with GitHub, we receive your GitHub user ID, email address, and username.
- →GitHub OAuth (integration): When you connect your GitHub account for repository deployment, we receive and securely store an encrypted GitHub OAuth access token limited to the 'repo' scope. This token is used only when you explicitly trigger a deployment.
2.3 Information collected automatically
- →Log data: Server logs including IP address, browser type, operating system, referring URL, pages visited, and timestamps. Retained for up to 90 days.
- →Usage data: Actions performed within the Service including generations created, frameworks selected, credits consumed, and feature engagement for analytical and reliability purposes.
- →Device information: Browser and device type, screen resolution, and language settings.
- →Cookies and session tokens: See Section 9 for details.
3. How We Use Information
We use the personal information we collect to:
- →Create and manage your user account and authenticate your identity
- →Provide, operate, maintain, and improve the Service
- →Process subscription payments and manage billing through Stripe
- →Transmit your generation prompts to OpenAI's API to produce Generated Output
- →Send transactional emails: account verification, password reset, payment receipts, and service notifications
- →Respond to your support requests and contact form messages
- →Monitor and analyze usage patterns to improve the Service and user experience
- →Detect, investigate, and prevent fraudulent transactions, abuse, and unauthorized access
- →Enforce our Terms of Service and Acceptable Use Policy
- →Comply with applicable legal obligations, including responding to valid legal process
- →Send product update communications where you have consented or where permitted by law
Aggregate analytics. We may use de-identified, aggregated data (e.g., "X% of users generate Django scaffolds") for product research and public communications. This data cannot reasonably be used to identify individuals.
4. Legal Basis for Processing (GDPR)
For users in the European Economic Area (EEA) or United Kingdom, we process personal data under the following legal bases:
Contract performance (Art. 6(1)(b))
To create your account, provide the Service, process payments, and send essential transactional communications.
Legitimate interests (Art. 6(1)(f))
To detect and prevent fraud and abuse, maintain security, analyze aggregate usage, and improve the Service. We balance these interests against your rights and freedoms.
Legal obligation (Art. 6(1)(c))
To comply with applicable laws, including tax, accounting, and law enforcement obligations.
Consent (Art. 6(1)(a))
For optional marketing communications, where required. You may withdraw consent at any time.
6. Third-Party Processors
We currently use the following sub-processors:
| Processor | Purpose | Data shared | Location |
|---|---|---|---|
| OpenAI, Inc. | AI generation | Generation prompts, framework preferences | USA |
| Stripe, Inc. | Payment processing | Email, billing info, subscription metadata | USA |
| Railway Corp. | Backend hosting | All user data stored in the database | USA |
| Vercel, Inc. | Frontend hosting | IP addresses, page requests (CDN logs) | USA / Global CDN |
| GitHub, Inc. | Code deployment (opt-in) | Generated scaffold files, repo name | USA |
| Google LLC | OAuth authentication (opt-in) | Email, name, Google account ID | USA / Global |
| Gmail / SMTP | Transactional email | Email address, email content | USA |
We enter into Data Processing Agreements (DPAs) with sub-processors where required by GDPR. We review our sub-processors periodically and will update this list as processing arrangements change.
7. Data Retention
We retain personal data only as long as necessary for the purposes described in this Policy:
| Data category | Retention period |
|---|---|
| Account data (email, name, password hash) | Lifetime of account + 30 days post-deletion |
| Generation prompts and history | 90 days from generation date |
| Generated project files (ZIP storage) | Up to 90 days; may be deleted earlier for capacity |
| Server and access logs | 90 days |
| Billing / transaction records | 7 years (tax and legal compliance) |
| Support correspondence | 3 years from last interaction |
| GitHub access tokens | Until you disconnect GitHub integration or delete account |
| Anonymized / aggregated analytics | Indefinitely (no personal identifiers) |
Following the deletion of your account, we will delete or anonymize your personal data within 30 days, except where we are required by law to retain certain records for longer periods (e.g., financial records).
8. Security
We implement technical and organizational security measures designed to protect your personal information against unauthorized access, alteration, disclosure, or destruction. These measures include:
- ✓Passwords are hashed using bcrypt with a cost factor of 12 or greater — we never store plaintext passwords
- ✓GitHub OAuth access tokens are encrypted at rest using Fernet symmetric encryption before database storage
- ✓All data in transit is encrypted using TLS 1.2 or higher
- ✓Database credentials and API keys are stored as environment variables, never in source code
- ✓Access to production infrastructure is restricted to authorized personnel only
- ✓JWT session tokens have a 7-day expiry and are invalidated on logout
No method of transmission over the Internet or electronic storage is 100% secure. While we strive to use commercially acceptable means to protect your personal information, we cannot guarantee absolute security. In the event of a data breach that poses a high risk to your rights, we will notify you without undue delay and in accordance with applicable law.
10. Your Rights
Depending on your location and applicable law, you may have the following rights regarding your personal information:
Access
Request a copy of the personal data we hold about you.
Rectification
Request correction of inaccurate or incomplete personal data.
Erasure
Request deletion of your personal data ('right to be forgotten'), subject to legal retention requirements.
Restriction
Request that we restrict processing of your data in certain circumstances.
Portability
Request a machine-readable copy of your data that you provided to us.
Objection
Object to processing based on legitimate interests or for direct marketing purposes.
Withdraw consent
Withdraw any consent previously given, without affecting the lawfulness of prior processing.
Automated decisions
Not be subject to solely automated decisions that significantly affect you.
To exercise any of these rights, please email us at legal@orchesity.com with the subject line "Privacy Rights Request" and your full name and account email. We will respond within 30 days (or within the timeframe required by applicable law).
Many rights can be exercised directly through your account: you can update your profile in Settings, view your generation history, and delete your account at any time from the Settings page.
11. California Residents (CCPA / CPRA)
If you are a California resident, the California Consumer Privacy Act (CCPA), as amended by the California Privacy Rights Act (CPRA), grants you specific rights regarding your personal information.
In the preceding 12 months, we have collected the following categories of personal information: Identifiers (name, email, IP address); Commercial information (subscription and transaction records); Internet activity (usage logs, pages visited); Inferences about preferences (framework usage patterns).
We do not sell or share your personal information with third parties for cross-context behavioral advertising within the meaning of the CCPA.
Your CCPA rights include:
- →Right to know what personal information is collected, used, shared, or sold
- →Right to delete personal information we hold about you
- →Right to correct inaccurate personal information
- →Right to opt out of sale or sharing of personal information (we do not sell or share)
- →Right to non-discrimination for exercising CCPA rights
- →Right to limit use and disclosure of sensitive personal information
To submit a CCPA request, contact us at legal@orchesity.com. We may need to verify your identity before processing your request.
12. EEA & UK Residents (GDPR / UK GDPR)
For users in the European Economic Area (EEA) and the United Kingdom, Kolerr Lab acts as the data controller for personal data processed in connection with the Service.
You have the rights described in Section 10. In addition, you have the right to lodge a complaint with your local supervisory authority. A list of EEA supervisory authorities is available at edpb.europa.eu. UK residents may contact the ICO (ico.org.uk).
Where we process your data based on legitimate interests, you may object at any time by emailing legal@orchesity.com. We will cease processing unless we can demonstrate compelling legitimate grounds that override your interests, rights, and freedoms.
13. International Data Transfers
Kolerr Lab is based in the United States. If you access the Service from outside the United States, your information will be transferred to and processed in the United States or other countries where our service providers operate, which may have different data protection laws than your country.
For transfers of personal data from the EEA or UK to the United States, we rely on the following transfer mechanisms as applicable:
- →Standard Contractual Clauses (SCCs) approved by the European Commission, incorporated into our Data Processing Agreements with sub-processors
- →The UK International Data Transfer Agreement (IDTA) for transfers from the UK
- →Where available, the EU-US Data Privacy Framework or the UK Extension thereof
14. Children's Privacy
The Service is not directed to individuals under the age of 18 ("children"). We do not knowingly collect personal information from children. If you believe that we have inadvertently collected personal information from a child under 18, please contact us immediately at legal@orchesity.com and we will take steps to delete that information promptly.
15. Changes to This Policy
We may update this Privacy Policy from time to time. When we make material changes, we will:
- →Email registered users at the address on file at least 14 days before the effective date
- →Update the "Last updated" date at the top of this Policy
- →Display a banner in the application for logged-in users
Continued use of the Service after the effective date of a revised Policy constitutes acceptance of the updated terms.
16. Contact & Data Protection Officer
For privacy-related inquiries, requests, or to exercise your rights, please contact us. We aim to respond to all requests within 30 days.
Company: Kolerr Lab
Privacy / legal: legal@orchesity.com
General support: support@orchesity.com
Website: orchesity.com
GDPR users: if you believe we have not adequately addressed your privacy concern, you have the right to lodge a complaint with your national data protection authority.