Legal
Privacy Policy
Last updated: April 8, 2026
This Privacy Policy describes how Oris Intelligence Private Limited (“Oris”, “we”, “us”, or “our”) collects, uses, stores, transfers, and protects information in connection with your use of Oris Work and related services (collectively, the “Service”). It applies to all users, administrators, and organisational customers worldwide, with particular provisions for users in India (DPDPA 2023), the European Union (GDPR), and the United States (CCPA).
By accessing or using the Service, you acknowledge that you have read and understood this Policy. If you do not agree, please discontinue use of the Service.
1. Information We Collect
1.1 Information you provide directly
- Account registration: name, email address, phone number, organisation name, job title, and password.
- Profile data: profile photo, professional information, and preferences set within the Service.
- Business data: contacts, companies, deals, projects, tasks, activities, and files you create, import, or manage within the platform.
- Communications: messages sent via the team chat module, portal communications, and support enquiries.
- Payment information: billing address and payment instrument details submitted during subscription purchase. Full card data is processed by Razorpay or Stripe; we do not store primary account numbers (PANs).
1.2 Information collected automatically
- Usage data: features accessed, pages visited, clicks, searches, and interaction sequences within the Service.
- Log data: IP address, browser type and version, operating system, referring URL, and timestamps.
- Device information: device type, screen resolution, and hardware identifiers for web and mobile clients.
- Authentication data: ORIS Identity tokens (JWT), session identifiers, and multi-factor authentication status.
1.3 Information from third parties
- Accounting connectors: if you connect Tally, Zoho Books, QuickBooks, Xero, SAP, ERPNext, or Busy, we receive financial and transactional data per your configuration and consent.
- ORIS modules: PeopleOS (HR/payroll), ThynkBooks (accounting), and ThynkReach (marketing) share user, transaction, and contact data with Oris Work as authorised by your administrator.
- Identity providers: if you authenticate via ORIS Identity (OIDC), we receive name, email, and role information from that provider.
2. How We Use Your Information
We use personal data only for the following purposes:
- Service delivery: providing, operating, and maintaining the Oris Work platform and all subscribed modules.
- Authentication and access control: verifying your identity, enforcing role-based permissions, and preventing unauthorised access.
- Billing and subscriptions: processing payments, issuing invoices, managing trial periods, and enforcing plan limits.
- Support and communication: responding to your enquiries, providing technical assistance, and sending transactional notifications (e.g., password resets, invoice receipts).
- Product improvement: aggregate, anonymised analysis of feature usage to improve the platform. We do not use individual business data for model training without explicit consent.
- Security and fraud prevention: detecting suspicious access patterns, preventing abuse, and investigating incidents.
- Legal compliance: meeting our obligations under applicable law, including data protection regulations, tax law, and court orders.
We do not sell, rent, or share your personal data with third parties for their independent marketing or advertising purposes.
3. Data Storage and Residency
Oris Work offers three data residency regions, selected by the account administrator during onboarding. Once selected, primary business data (companies, contacts, deals, projects, messages) is stored and processed exclusively within that region.
| Region | Infrastructure | Applicable law |
|---|---|---|
| India (IN) | Mumbai / Hyderabad | DPDPA 2023, IT Act 2000 |
| EU (EU) | Frankfurt / Amsterdam | GDPR (EU 2016/679) |
| US (US) | Virginia / Oregon | CCPA, US federal law |
Certain operational data (authentication tokens, system logs, and error reports) may be processed outside your selected region solely for security monitoring and incident response. Such processing is governed by standard contractual clauses (SCCs) where required by applicable law.
All data in transit is encrypted with TLS 1.2 or higher. All data at rest is encrypted using AES-256. Encryption keys are managed by Oris and rotated annually.
4. Data Sharing and Disclosure
We share personal data only in the following circumstances:
4.1 Within the ORIS ecosystem
If your organisation subscribes to PeopleOS, ThynkBooks, or ThynkReach, relevant data is shared between those modules and Oris Work to provide integrated functionality. Data flows are governed by the terms of your master subscription agreement and are limited to what is necessary for the subscribed services.
4.2 Service providers and sub-processors
We engage sub-processors to operate the Service, including cloud infrastructure providers, payment processors, and error monitoring tools. Each sub-processor is bound by a data processing agreement and may only process data on our documented instructions. A current list of sub-processors is available on request from privacy@oriswork.com.
4.3 Third-party accounting connectors
When you connect an accounting system (e.g., Tally, Xero), financial data is transmitted to or from that system per your explicit configuration. Oris acts as a data processor on behalf of your organisation for these flows; the third-party provider's own privacy policy governs their handling of data.
4.4 Legal requirements
We may disclose data when required by law, court order, or governmental authority, or when we believe in good faith that disclosure is necessary to protect our rights, your safety, or the safety of others.
4.5 Business transfers
In the event of a merger, acquisition, or sale of substantially all of our assets, personal data may be transferred as part of that transaction. We will notify affected users and provide options consistent with applicable law.
6. Data Retention
We retain personal data for as long as your account is active or as necessary to provide the Service, comply with legal obligations, resolve disputes, and enforce our agreements.
- Active subscription data: retained for the duration of the subscription.
- Post-cancellation: business data is retained for 30 days following account cancellation, after which it is permanently deleted. You may export all data before deletion via the Settings → Data Export feature.
- Audit logs: retained for 2 years from creation (Enterprise plan) or 1 year (Pro plan) for compliance purposes.
- Billing records: retained for 7 years as required by applicable tax law (GST, UAE VAT).
- Support communications: retained for 3 years from the date of the last interaction.
7. Your Rights
Depending on your jurisdiction, you have the following rights regarding your personal data:
- Right to access: obtain a copy of the personal data we hold about you.
- Right to rectification: correct inaccurate or incomplete personal data.
- Right to erasure: request deletion of your data, subject to legal retention obligations.
- Right to portability: receive your data in a machine-readable format (CSV/JSON).
- Right to restrict processing: limit how we use your data in certain circumstances.
- Right to object: object to processing based on legitimate interests or direct marketing.
- Right to withdraw consent: withdraw any consent previously given without affecting prior lawful processing.
- Right to complain: lodge a complaint with your applicable data protection authority.
To exercise any of these rights, contact us at privacy@oriswork.com. We will respond within 30 days (or within the timeframe required by applicable law). Identity verification may be required before we can fulfil a request.
For Indian users: your rights under the Digital Personal Data Protection Act 2023 (DPDPA) include the right to access, correct, and erase your personal data, and to nominate a representative to exercise these rights on your behalf.
For EU users: if you believe we have not addressed your concern adequately, you have the right to lodge a complaint with your local data protection authority (DPA). A list of EU DPAs is available at edpb.europa.eu.
8. Security
We implement technical and organisational security measures appropriate to the risk of our processing activities:
- Encryption: TLS 1.2+ in transit; AES-256 at rest for all stored data.
- Authentication: ORIS Identity OIDC with JWT tokens; direct-credential passwords hashed using scrypt (N=16384). Multi-factor authentication (MFA) available on all plans.
- Access control: role-based access control (RBAC) with row-level security at the database layer. Production access is restricted to authorised personnel.
- Audit logs: all create, update, and delete operations are logged with user identity, timestamp, and changed values.
- Infrastructure: hosted on ISO 27001-certified cloud infrastructure. Network traffic is filtered through WAF and DDoS mitigation layers.
- Vulnerability management: regular dependency updates, automated SAST scanning, and annual penetration testing.
- Incident response: in the event of a data breach affecting your personal data, we will notify you within 72 hours of becoming aware, as required by applicable law.
Despite these measures, no system is entirely impenetrable. You are responsible for maintaining the security of your account credentials and for notifying us immediately at security@oriswork.com if you suspect unauthorised access.
9. Children's Privacy
The Service is designed for professional business use and is not directed at children under the age of 18. We do not knowingly collect personal data from anyone under 18. If you believe a minor has provided personal data to us, contact us at privacy@oriswork.com and we will promptly delete that information.
10. AI Features and Data Processing
Oris Work includes Clairbot, an AI assistant powered by the ORIS AI Service (Anthropic-powered). When you use Clairbot:
- Queries and relevant business context are transmitted to the ORIS AI Service for processing. Context is limited to what is necessary to answer your query.
- AI-generated outputs are not applied to your account without human review and explicit confirmation.
- We do not use your individual business data to train AI models without your explicit consent.
- AI processing occurs within your selected data residency region where technically possible.
11. Changes to This Policy
We may update this Privacy Policy from time to time. When we make material changes, we will notify you by email (to the address associated with your account) and by displaying a prominent notice within the Service at least 14 days before the changes take effect. Your continued use of the Service after the effective date constitutes acceptance of the updated Policy.
The version history of this Policy is available upon request at privacy@oriswork.com.
12. Contact and Data Protection Officer
For privacy-related questions, requests, or complaints, contact us at:
- Privacy enquiries: privacy@oriswork.com
- Security issues: security@oriswork.com
- Legal / DPA: legal@oriswork.com
Registered entity: Oris Intelligence Private Limited, India.
You may also submit requests via our contact page.