1. Information We Collect
We collect the following categories of information:
1.1 Information You Provide
- Account Data: When you register using Google Sign-In or phone number, we receive your name, email address, phone number, profile photo URL, and a unique user identifier (UID) from Firebase Authentication.
- Chat Messages: If you are signed in, the messages you send to and receive from OrchAI are stored in Firestore under your user account to enable chat history.
- Blog Interactions: If you are an admin, content you create (blog posts, news articles) is stored and attributed to your account.
- Onboarding Information: Your display name submitted during onboarding.
1.2 Information Collected Automatically
- Usage Data: Pages visited, features used, time spent, referring URLs, and browser type via Firebase Analytics.
- Device Information: Device type, operating system, browser version, screen resolution, and language settings.
- IP Address: Your IP address is used for rate limiting (anonymous users are limited to 5 AI requests per hour) and fraud prevention. It is not stored long-term.
- Log Data: Server-side logs including request timestamps and error reports managed by Google Cloud / Firebase.
1.3 Information from Third Parties
- Google Sign-In: When you authenticate with Google, we receive your Google profile data as described in Section 1.1.
- Google AdSense: If you view ads on our site, Google may collect additional data as described in Section 5.
2. How We Use Your Information
We use the information we collect to:
- Create and manage your account and authenticate your identity.
- Provide and operate the OrchAI chat service, saving your conversation history if logged in.
- Enforce rate limits to prevent abuse by anonymous users.
- Display and personalize content across the web application and blog.
- Send transactional notifications (e.g., if we add email-based features in the future).
- Analyse usage patterns to improve the service, fix bugs, and develop new features.
- Comply with legal obligations, resolve disputes, and enforce our Terms of Service.
- Detect, prevent, and respond to fraud, security incidents, or other harmful activity.
- Serve relevant advertisements through Google AdSense (see Section 5).
3. Legal Basis for Processing (GDPR)
For users in the European Economic Area (EEA), United Kingdom, or Switzerland, we process personal data under the following legal bases pursuant to Article 6 of the General Data Protection Regulation (GDPR):
| Processing Purpose | Legal Basis |
|---|---|
| Account creation and authentication | Performance of a contract (Art. 6(1)(b)) |
| Providing AI chat and saving history | Performance of a contract (Art. 6(1)(b)) |
| Analytics and service improvement | Legitimate interests (Art. 6(1)(f)) |
| Rate limiting and security | Legitimate interests (Art. 6(1)(f)) |
| Serving advertisements | Consent (Art. 6(1)(a)) |
| Legal compliance | Legal obligation (Art. 6(1)(c)) |
Where we rely on legitimate interests, we have assessed that our interests do not override your fundamental rights and freedoms.
4. Cookies and Tracking Technologies
We use the following types of cookies:
4.1 Essential Cookies
Required for the website to function. These include session authentication cookies set by Firebase Authentication (specifically, the __session cookie used by next-firebase-auth-edge for server-side authentication). You cannot opt out of these.
4.2 Analytics Cookies
Firebase Analytics (powered by Google Analytics) uses cookies to understand how visitors interact with our site. Data is anonymised where possible. You may opt out via Google Analytics Opt-Out.
4.3 Advertising Cookies
We serve advertisements through Google AdSense. Google uses cookies (including the DSID, IDE, and __gads cookies) to show personalised ads based on your browsing history. You can opt out of personalised ads via Google Ad Settings or optout.aboutads.info.
See our Cookie Policy for complete details and opt-out instructions.
5. Google AdSense and Advertising
We use Google AdSense to display third-party advertisements on our website. Google, as a third-party vendor, uses cookies to serve ads based on prior visits to our site or other websites on the internet.
- Google's use of advertising cookies enables it and its partners to serve ads to you based on visits to our site and/or other sites on the Internet.
- Users may opt out of personalised advertising by visiting Google Ad Settings.
- We comply with Google AdSense policies, including requirements for a Privacy Policy that discloses the use of cookies, personalised advertising, and opt-out mechanisms.
- We do not directly pass personally identifiable information to Google for advertising purposes.
For more information about how Google uses data, visit How Google uses data when you use our partners' sites or apps.
6. Data Sharing and Disclosure
We do not sell, rent, or trade your personal data. We share your information only in the following circumstances:
- Google Firebase (Infrastructure): We use Firebase Authentication, Firestore, and Firebase Storage. Google processes data on our behalf as a data processor under their Data Processing Agreement. See Firebase Privacy.
- Google Generative AI (Gemma 3): Your chat messages are sent to Google's API to generate responses. Messages are processed transiently and are not stored by Google for training without consent.
- Google AdSense: Google may collect information as described in Section 5.
- Legal Requirements: We may disclose your information if required by law, court order, or governmental authority, including in response to lawful requests by public authorities.
- Business Transfers: In the event of a merger, acquisition, or sale of assets, your data may be transferred. We will notify you via prominent notice on our website.
- Protection of Rights: We may disclose information to protect the rights, property, or safety of Orch, our users, or others.
7. Data Retention
We retain your data as follows:
- Account Data: Retained for as long as your account is active. Deleted within 30 days of account deletion request.
- Chat History: Retained indefinitely while your account exists. Deleted with your account or upon explicit deletion request.
- IP-based Rate Limiting Records: Automatically expire after 1 hour.
- Analytics Data: Retained for up to 26 months as per Firebase Analytics defaults.
- Log Files: Retained for up to 90 days.
You may request deletion of your data at any time by emailing sameer@orch.live.
8. Your Rights and Choices
Depending on your location, you may have the following rights regarding your personal data:
- Right of Access (Art. 15 GDPR): Request a copy of the personal data we hold about you.
- Right to Rectification (Art. 16 GDPR): Request correction of inaccurate data. You can update your display name in your profile settings.
- Right to Erasure (Art. 17 GDPR / "Right to be Forgotten"): Request deletion of your account and associated data.
- Right to Restriction (Art. 18 GDPR): Request that we restrict processing of your data in certain circumstances.
- Right to Data Portability (Art. 20 GDPR): Receive your data in a machine-readable format.
- Right to Object (Art. 21 GDPR): Object to processing based on legitimate interests or for direct marketing.
- Right to Withdraw Consent: Where processing is based on consent (e.g., personalised ads), you may withdraw consent at any time without affecting prior processing.
- Right to Lodge a Complaint: You have the right to lodge a complaint with your local data protection authority (e.g., ICO in the UK, CNIL in France).
To exercise any of these rights, please email us at sameer@orch.live. We will respond within 30 days.
9. Children's Privacy
Our service is not directed to children under the age of 13 (or 16 where required by applicable law, including GDPR). We do not knowingly collect personal information from children.
If you believe we have inadvertently collected data from a child, please contact us at sameer@orch.live and we will take immediate steps to delete such information.
10. International Data Transfers
Orch is operated from India. Your data is processed on Google Firebase infrastructure, which may be hosted in data centers in the United States, Europe, or other regions. Google is certified under the EU-U.S. Data Privacy Framework, and Standard Contractual Clauses apply where required by GDPR.
By using our service and providing your data, you consent to the transfer of your information to countries outside your country of residence, including the United States, which may have different data protection rules.
11. Data Security
We implement commercially reasonable technical and organisational security measures to protect your personal data, including:
- Firebase Authentication with industry-standard token-based authentication (JWT).
- HTTPS encryption for all data in transit using TLS 1.2+.
- Firestore Security Rules enforcing per-user data access controls.
- Firebase Storage Security Rules for uploaded media files.
- Session tokens stored in HTTP-only cookies, inaccessible to JavaScript.
- Rate limiting to prevent brute-force and abuse.
However, no method of transmission over the Internet is 100% secure. While we strive to use commercially acceptable means to protect your data, we cannot guarantee absolute security.
12. Indian Digital Personal Data Protection Act (DPDP) 2023
As a service operated from India, we acknowledge and comply with the Digital Personal Data Protection Act, 2023 (DPDP Act). Under this Act:
- We process your personal data only for lawful purposes with your consent or on other legally permissible grounds.
- You have the right to obtain a summary of your personal data being processed, to correct and update inaccurate data, and to erase your data.
- You have the right to grievance redressal. Contact us at sameer@orch.live.
- We will not process the personal data of children (below 18 years in India) without verifiable parental consent.
- In the event of a personal data breach that is likely to cause harm, we will notify the Data Protection Board of India and affected individuals as required.
- We are the Data Fiduciary for data you provide to us directly. Google Firebase acts as a Data Processor.
13. Third-Party Links and Services
Our website may contain links to third-party websites (e.g., Google Play Store, GitHub). These sites have their own privacy policies, and we are not responsible for their content or practices. We encourage you to review the privacy policy of any third-party site you visit.
14. Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, legal requirements, or service features. We will notify you of material changes by:
- Updating the "Last updated" date at the top of this page.
- Posting a notice on our website for significant changes.
Your continued use of Orch after changes are posted constitutes your acceptance of the updated policy. We encourage you to review this page periodically.
15. Contact and Data Protection Officer
For any questions, concerns, or requests regarding this Privacy Policy or your personal data, please contact us:
Company: Orch
Response Time: Within 30 days of receiving your request