Home/Privacy Policy
Effective April 17, 2026· Updated April 17, 2026

Privacy Policy

Summary — what you should know

  • We collect your account info, workspace data, agent configs, documents, conversations, and billing data.
  • We never sell your data or use it for advertising.
  • Your content is sent to AI providers (OpenAI, Anthropic, Google) to generate responses — no PII redaction is performed.
  • Integration credentials are encrypted with AES-256-GCM. Passwords are hashed with bcrypt.
  • You can request access, correction, deletion, or export of your data at any time.
  • Governed by the laws of the Republic of Indonesia.

1. Introduction

ORXA ("we," "our," or "us") operates an AI agent platform that enables businesses and developers to build, configure, and deploy AI-powered assistants. This Privacy Policy explains what information we collect, how we use and store that information, and what rights you have over your data.

By registering for or using the Platform, you agree to the practices described in this policy. This policy applies to registered users, workspace members, and visitors who interact with authentication flows.

2. Information We Collect

2.1 Account and Identity Information

We collect your email address, full name, profile image (optional), and password (stored hashed with bcrypt). For Google OAuth users, we receive and store Google-issued tokens to maintain your session.

2.2 Authentication and Session Data

Short-lived JWT access tokens (15 min) and refresh tokens (7 days) are used for authentication. Sessions are tracked in Redis with metadata including login activity and failed attempts.

2.3 Workspace and Organization Data

We store workspace names, descriptions, logos, member roles, and workspace invitations (including invitee email addresses).

2.4 Agent Configuration Data

Agent names, descriptions, system instructions, model selection, temperature settings, token limits, and metadata are stored to operate your AI agents.

2.5 Knowledge and Document Data

Uploaded files (PDF, DOCX, TXT) are stored in cloud file storage (AWS S3). Parsed text content is stored in our database. Text, Q&A content, website content, and Notion page content are processed and indexed. Vector embeddings are generated by OpenAI and stored in our database for semantic search.

2.6 Conversation and Execution Data

Input messages, AI-generated responses, tool invocations (inputs and outputs), and performance metrics (token counts, cost, duration) are stored as part of execution records.

2.7 Integration Credentials

OAuth provider credentials are managed through Composio. Custom integration credentials (API keys, OAuth2 secrets, JWT keys) are encrypted with AES-256-GCM before storage. WhatsApp session credentials and active integration tokens are also stored.

2.8 Billing Information

Company name, tax ID, billing address, invoice records, and payment event logs from Xendit are stored for payment processing and audit.

2.9 Usage and Telemetry Data

Token consumption logs, integration token refresh logs, and aggregated dashboard analytics are collected and cached for performance.

3. How We Use Information

We use your information to:

  • Authenticate users and maintain sessions
  • Operate the Platform and deliver agent services
  • Process and index knowledge sources for AI retrieval
  • Enable AI agent responses via third-party model providers
  • Manage integrations and refresh tokens on your behalf
  • Send verification, password reset, and notification emails
  • Process payments and issue invoices
  • Display analytics dashboards
  • Maintain security (lockout, rate limiting, session validation)

Good to know

We do not use your information for advertising or sell it to third parties.

4. Data Storage and Security

4.1 Storage Locations

  • PostgreSQL — all persistent data
  • Redis — sessions, rate limits, caches
  • AWS S3 — uploaded files (ap-southeast-1, Singapore)
  • pgvector — embedding vectors within PostgreSQL

4.2 Credential Encryption

Custom integration credentials are encrypted at the application level using AES-256-GCM with PBKDF2-SHA256 key derivation before being written to the database.

5. Third-Party Services

5.1 AI Model Providers

ProviderData TransmittedPurpose
OpenAIDocument chunks, conversation messages, knowledge contextEmbeddings and AI responses
AnthropicConversation messages, system instructions, knowledge contextAI responses (Claude models)
GoogleConversation messages, system instructions, knowledge contextAI responses (Gemini models)

No PII Detection

We do not perform PII detection or content redaction before transmitting data to AI providers. We recommend avoiding uploading documents containing sensitive personal data unless you have reviewed the relevant provider's data processing terms.

5.2 Other Third-Party Services

  • Composio — OAuth integration management for 40+ providers
  • WAHA — WhatsApp message routing
  • Xendit — payment processing (IDR)
  • Resend/SMTP — transactional emails
  • AWS S3 — file storage

6. AI Processing

When an agent processes a message:

  1. System instructions and configuration are loaded
  2. Relevant content is retrieved from your knowledge base (RAG)
  3. The assembled prompt is sent to the selected AI provider
  4. The response is returned, stored, and delivered

Content from your documents is transmitted to OpenAI for embedding generation regardless of which AI model your agent uses for responses.

7. Data Retention

  • Account data — retained while your account exists; soft-deleted on removal
  • Execution records — retained indefinitely (configurable retention planned)
  • Knowledge documents — retained until you delete the knowledge source
  • Uploaded files — retained in S3 until explicitly deleted
  • Billing records — retained for audit and legal compliance

8. Your Rights

Your Data Rights

Depending on your jurisdiction, you may have the right to:

  • Access — request a copy of your personal data
  • Correction — update your profile data via Platform settings
  • Deletion — request deletion of your personal data
  • Portability — request data export in a structured format
  • Objection — object to certain processing activities
  • Withdrawal of consent — withdraw consent at any time

To exercise your rights, contact us at the address in Section 13.

9. Data Sharing

We do not sell your personal data. We share data only with AI model providers, integration partners, payment processors, cloud infrastructure providers, and user-configured external services as described above. We may also disclose information if required by law.

10. Security Measures

MeasureDetails
Password hashingbcrypt with automatic salt
Account lockoutLocked after repeated failed attempts
Rate limitingPer-user and per-IP
Session managementShort-lived JWTs with token rotation and reuse detection
Credential encryptionAES-256-GCM for integration secrets
Email verificationRequired before account activation
Workspace isolationData scoped to workspaces
RBACRole-based permissions enforced at API level
SSRF protectionCustom integration URLs validated

11. Changes to This Policy

We may update this Privacy Policy from time to time. We will update the "Last Updated" date and notify registered users of material changes via in-platform notification or email.

12. Governing Law

This Privacy Policy is governed by the laws of the Republic of Indonesia.

13. Contact Information

ORXA
Email: admin@vereintech.com
Website: https://www.vereintech.com/orxa

For data deletion requests or privacy concerns, include "Privacy Request" in the subject line.

Questions? Contact us at admin@vereintech.com

Last reviewed April 17, 2026.