Privacy Policy

orchestr.sh ("we", "our", or "us") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our service.

By using orchestr.sh, you agree to the collection and use of information in accordance with this policy.

2.1 Information You Provide

• Account Information: Name, email address, company name
• Cloud Credentials: AWS/GCP/Azure access keys and secrets (encrypted)
• Deployment Configurations: Agent settings, model selections, infrastructure preferences
• Payment Information: Billing details (processed by third-party payment processors)
• Communications: Support requests, feedback, emails

2.2 Automatically Collected Information

• Usage Data: Pages visited, features used, time spent
• Device Information: Browser type, IP address, operating system
• Cookies: Session cookies for authentication and preferences
• Log Data: Deployment logs, API requests, errors

2.3 OAuth Authentication

When you sign in with Google or GitHub, we receive your basic profile information (name, email, profile picture) as authorized by the OAuth provider.

We use your information to:

• Provide and maintain the Service
• Process your deployments and manage infrastructure
• Authenticate your identity
• Send service notifications and updates
• Respond to support requests
• Improve our Service and develop new features
• Detect and prevent fraud or abuse
• Comply with legal obligations
• Send marketing communications (with your consent)

4.1 Encryption

We implement industry-standard security measures:

• Cloud Credentials: Encrypted using AES-256-GCM before storage
• Data in Transit: All connections use TLS/SSL encryption
• Authentication: JWT tokens with secure session management
• Database: Encrypted at rest in PostgreSQL

4.2 Access Controls

• Role-based access control (RBAC)
• Multi-factor authentication (optional)
• Regular security audits
• Limited employee access to production data

We do not sell your personal information. We may share data:

5.1 With Service Providers

• Vercel: Hosting and deployment
• Database Providers: Data storage
• Payment Processors: Billing (Stripe, etc.)
• Analytics: Usage analytics (anonymized)

5.2 With Cloud Providers

Your encrypted cloud credentials are used solely to provision infrastructure in your own cloud account. We do not share these with any third parties.

5.3 Legal Requirements

We may disclose information if required by law or to:

• Comply with legal processes
• Enforce our Terms of Service
• Protect our rights and safety
• Prevent fraud or illegal activities

You have the right to:

• Access: Request a copy of your data
• Correction: Update inaccurate information
• Deletion: Request deletion of your account and data
• Export: Download your data in a portable format
• Opt-out: Unsubscribe from marketing emails
• Object: Object to certain data processing

To exercise these rights, contact us at privacy@orchestr.sh

We retain your data:

• Account Data: Until you delete your account
• Deployment Logs: 90 days by default
• Backups: Up to 30 days after deletion
• Legal Requirements: As required by law

When you delete your account, we permanently delete your data within 30 days, except where retention is required by law.

We use cookies for:

• Essential: Authentication and session management (required)
• Analytics: Understanding usage patterns (optional)
• Preferences: Remembering your settings

You can control cookies through your browser settings. Disabling essential cookies may limit functionality.

We integrate with:

• OAuth Providers: Google, GitHub (for authentication)
• LLM Providers: OpenAI, Anthropic, HuggingFace
• Cloud Providers: AWS, GCP, Azure

These services have their own privacy policies. We recommend reviewing them.

Your data may be transferred to and processed in countries other than your own. We ensure appropriate safeguards are in place for international transfers.

Our Service is not intended for users under 18 years of age. We do not knowingly collect data from children. If you believe we have collected data from a child, contact us immediately.

California residents have additional rights:

• Right to know what data we collect
• Right to delete your data
• Right to opt-out of data sales (we don't sell data)
• Right to non-discrimination

For EU users, we comply with GDPR:

• Lawful basis for processing (consent, contract, etc.)
• Data protection by design and default
• Right to data portability
• Right to be forgotten
• Data breach notification

We may update this Privacy Policy from time to time. We will notify you of material changes via:

• Email notification
• Notice on our website
• In-app notification

Your continued use after changes constitutes acceptance of the updated policy.

For questions about this Privacy Policy or our data practices:

• Email: privacy@orchestr.sh
• Data Protection Officer: dpo@orchestr.sh