One‑paragraph summary—Orchestrator AI provides an AI‑native SaaS platform that connects, automates, and optimises go‑to‑market workflows for enterprise customers. To deliver these Services we must process limited business‑contact, usage‑telemetry, and integration data under strict security controls (AES‑256, TLS 1.2+), recognised frameworks (ISO 27001/27701, NIST 800‑53/61), and robust legal regimes (GDPR, CCPA/CPRA, COPPA). We never sell personal data, never train foundation models on customer content, and honour all statutory privacy rights, including EU‑style Data Subject Access Requests (DSARs) world‑wide.  

‍

1. Scope and Controller Information

This Policy covers visitors to https://useorchestration.ai, customers using our web app, desktop agent, mobile apps, SDKs, and public APIs, and anyone interacting with our sales or support teams. Orchestrator AI, Inc. is the Controller for personal data described here; when we host or process customer‑supplied content inside tenant environments we act as a Processor pursuant to our Data Processing Addendum.

2. Key Definitions

• “Personal Data” means any information that identifies or can reasonably be linked to an individual (Art. 4 GDPR; Cal. Civ. Code §1798.140). GDPR California DOJ Attorney General
• “Sensitive Personal Data” includes data revealing precise geolocation, health, or children’s information (CPRA §1798.121). California DOJ Attorney General
• “Controller” / “Processor” are roles defined in GDPR Arts 4 (7) & (8).

3. What We Collect

• Account Data – When you open an account we record your name, business e-mail, hashed password, and job role. We retain these records for the duration of your subscription and erase them 30 days after contract termination, mirroring the “custom timeline” deletion model used by Slack workspaces.
• Telemetry – The platform automatically captures page clicks, feature flags, truncated IP addresses, and device fingerprints so we can improve performance. By default, Atlassian stores comparable analytics events for 12 months; we apply the same one-year window.
• Integration Records – Data ingested from connected CRMs, ticketing tools, or marketing apps (for example, lead objects or support-ticket IDs) stays only as long as the tenant’s admin-configured retention policy allows, following the same “workspace-level override” approach documented by Slack.
• Payment & Billing – We collect company address, tax/VAT ID, and PCI-vaulted payment tokens. U.S. tax guidance recommends keeping financial records for seven years, so we align our retention period with that IRS benchmark.
• Support Artefacts – Chat transcripts, diagnostic dumps, and screenshots shared with our Support team are purged 24 months after the case closes, consistent with the “daily purge after custom timeframe” pattern Slack applies to message history.
• Cookie IDs & Similar Technologies – Session cookies, analytics tags, and Global Privacy Control (GPC) signals are stored in the browser and governed by our Cookie Notice; Atlassian, for example, ties analytics cookies to a maximum lifespan of roughly one year.

We never intentionally collect government IDs, full card numbers, or biometrics; any accidental uploads must be scrubbed with our redaction tools, reflecting PCI DSS guidance that sensitive authentication data must not be stored after authorisation.

Special note on AI training data

Customer content remains inside tenant-scoped containers and is never used to train shared foundation models. Slack applies the same rule to its global models, and broader industry commentary shows many vendors now let customers opt out of AI training

‍

4  Legal Bases for Processing

• Provide and secure the Services – We rely on performance of a contract under GDPR Art 6 (1)(b); in U.S. law the equivalent basis is fulfilling the contract you (or your employer) signed.
• Improve, debug, and optimise – Processing necessary to keep our platform reliable falls under legitimate interests (GDPR Art 6 (1)(f)). The UK ICO notes that this basis is appropriate when processing is proportionate and users’ rights are protected. ‍
• Marketing e-mails – We use consent (GDPR Art 6 (1)(a)) for EU/UK recipients. In the U.S., messages must comply with the FTC’s CAN-SPAM Act, which requires clear identification, a physical address, and easy opt-out.
• Compliance, safety, and fraud prevention – Certain records are processed to meet legal obligations (GDPR Art 6 (1)(c)) and other statutory duties, such as PCI DSS rules that forbid long-term storage of sensitive card data.

5. How We Use Personal Data

• Authentication & account management
• Real‑time orchestration and analytics
• Security monitoring (Zero‑Trust, RBAC, MFA)
• Personalised in‑app guidance produced by AI agents
• Regulatory compliance and dispute resolution

6. Cookies & Tracking Technologies

We place (i) strictly‑necessary cookies for login and load‑balancing, (ii) analytics cookies (13‑month TTL) to understand feature usage, and (iii) marketing cookies only with opt‑in consent for EU/EEA visitors via an IAB TCF 2.2‑compatible banner. Global Privacy Control (GPC) signals trigger an automatic opt‑out.

7. Automated Decision‑Making & AI Disclosures

Our AI agents may score leads, prioritze tickets, or auto‑route workflow tasks. These decisions do not produce legal or similarly significant effects without human oversight (GDPR Art 22). Users may request algorithmic explanations or object to profiling.

8. Sharing & International Transfers

We share personal data only with vetted Sub‑processors providing cloud hosting (AWS), support, analytics, or email delivery. A live, version‑controlled list can be obtained, and customers can subscribe to change notices.

Cross‑border mechanisms

• EU Standard Contractual Clauses (2021) for transfers outside the EEA/UK. ‍
• EU‑U.S. Data Privacy Framework certified participation for U.S. hosting (Commission Implementing Decision (2023) 1795). ‍
• Additional onward transfers require recipients to adopt equivalent safeguards.

9. Security Measures

We operate an ISO 27001‑aligned Information Security Management System (ISMS) extended by ISO 27701 privacy controls. ISO Technical controls include AES‑256 encryption at rest, TLS 1.2+ in transit, network segmentation, quarterly penetration tests, and continuous vulnerability scanning mapped to NIST SP 800‑53 Rev 5 control families.

10. Incident Response & Breach Notification

Our Computer Security Incident Response Plan follows NIST SP 800‑61 guidelines, with 24 × 7 monitoring and defined RTO/RPO metrics. In the event of a personal‑data breach we will notify affected customers and competent regulators within 72 hours as mandated by GDPR Art 33. ‍

11. Data Retention & Disposal

Default retention rules appear in § 3; customers may configure shorter periods. Back‑up archives are encrypted and roll off after 30 days. Secure erasure is performed using NIST SP 800‑88 media sanitisation techniques.

12. Your Privacy Rights

EU/UK/EEA

Right to access, rectify, erase, restrict, port, or object; lodge complaints with a supervisory authority; and withdraw consent at any time. cy.ico.org.uk

California & other U.S. states

Rights to know, delete, correct, and opt‑out of “sale”/“sharing” of personal information under CCPA/CPRA; identical mechanisms extend to Colorado, Virginia, Connecticut, and Utah statutes.

Global options

All users may manage preferences via Settings → Privacy, submit DSARs via our portal, or email privacy@orchestrator‑ai.com.

13. Children’s Privacy

Our Services are not directed to children under 13. We comply with COPPA and do not knowingly collect their data; any inadvertent collection is deleted promptly.

14. Third‑Party Links & Integrations

Our Sites may include links or scripts from third‑party providers (e.g., Slack, Zendesk app integrations). Their processing is governed by their own privacy notices, and we recommend reviewing those policies. ‍

15. Your Responsibilities

Customers are responsible for (i) configuring lawful data integrations, (ii) obtaining all necessary consents, and (iii) complying with any sector‑specific regulations (e.g., HIPAA, GLBA) before ingesting data into Orchestrator AI.

16. Policy Updates

Material changes will be posted here and, where appropriate, notified by email or in‑app 30 days before they take effect. Continued use after the effective date constitutes acceptance.

17. Contact & Dispute Resolution

Data Protection Officer: go@useorchestration.ai

‍

‍