Privacy Policy

Last Updated: December 2025

Introduction

Orcho ("we," "our," or "us") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our AI risk intelligence platform.

Information We Collect

1. Task Data from Your Systems

When you use Orcho's risk scoring API, we collect the following information:

  • Task Information: Task descriptions, prompts, code snippets, document content, and operational commands submitted for risk assessment
  • Risk Assessment Data: Risk scores, flagged issues, sensitive data detections, and recommended actions
  • User Information: User IDs, team identifiers, and organizational context (we do NOT collect personally identifiable information unless explicitly provided in task content)
  • Integration Data: Information from connected platforms (Jira, GitHub, Cursor, Slack, etc.) necessary to assess task risk
  • File References: File paths and patterns from .aiignore files and similar configuration files

2. Usage Data

  • API Analytics: Number of API calls, response times, risk score distributions, and feature usage
  • Configuration Data: Your organization's risk thresholds, routing rules, and custom sensitivity settings
  • Performance Metrics: Task routing decisions (auto-approve, human review, block), accuracy rates, and system performance
  • Error Logs: Technical logs for debugging and improving service reliability

3. Aggregated Learning Data

  • Cross-Company Patterns: Anonymized, aggregated risk patterns across all customers to improve our risk models (no customer-specific data is shared)
  • Model Training Data: De-identified task patterns used to enhance risk detection accuracy

How We Use Your Information

We use collected information to:

1. Provide Core Services

  • Score AI tasks 0-100 for risk before execution
  • Detect sensitive data (PII, financial information, credentials, health data)
  • Route tasks based on risk level (auto-approve, human review, or block)
  • Generate risk assessment reports and audit trails

2. Improve Risk Intelligence

  • Train and refine our risk detection models
  • Learn from cross-company patterns to improve accuracy for all customers
  • Identify emerging risk patterns and threats
  • Optimize routing logic and sensitivity detection

3. Configuration Management

  • Store your organization's risk thresholds and rules
  • Maintain .aiignore patterns and custom sensitivity settings
  • Track usage for billing and analytics

4. Security and Compliance

  • Monitor for security threats and unauthorized access
  • Generate compliance reports and audit logs
  • Ensure system reliability and availability

Data Storage and Security

Where Your Data Is Stored

  • Primary Storage: Your data is stored on secure cloud infrastructure
  • Backup: Regular backups are maintained for data recovery purposes
  • Retention: Data is retained as long as your subscription is active

Security Measures

  • Encryption: All data is encrypted in transit and at rest
  • Access Controls: Strict access controls limit who can view your data
  • Monitoring: Continuous monitoring for security threats and unauthorized access
  • Compliance: We follow industry-standard security practices

Data Sharing and Disclosure

We do NOT sell, trade, or rent your personal information to third parties.

We may share your information only in the following circumstances:

  • Service Providers: With trusted third-party services that help us operate our platform (e.g., cloud hosting providers)
  • Legal Requirements: When required by law or to protect our rights and safety
  • Business Transfers: In the event of a merger, acquisition, or sale of assets (with notice)
  • Consent: With your explicit consent for specific purposes

Third-Party Integrations

Development Platform Integrations

We integrate with platforms like Jira, GitHub, Cursor, and Slack to provide risk scoring.

  • Data Access: We only access data necessary for risk assessment
  • Platform Terms: We comply with each platform's security and privacy requirements
  • Your Control: You can disconnect integrations at any time

Your Rights and Choices

Access and Control

  • View Your Data: You can view your configuration and settings through the app
  • Update Information: You can modify risk thresholds, preferences, and settings
  • Delete Data: You can request deletion of your data (subject to legal requirements)

Opt-Out

  • You can disable certain features if you prefer not to use them
  • Manual override is always available for AI recommendations

Data Export

  • You can export your configuration and settings data
  • Risk assessment history and analytics can be provided upon request

Data Retention

  • Active Data: We retain your data while your subscription is active
  • Inactive Accounts: Data may be retained for up to 90 days after account deactivation
  • Legal Requirements: Some data may be retained longer to comply with legal obligations
  • Analytics: Aggregated, anonymized data may be retained for service improvement

International Data Transfers

Your data may be transferred to and processed in countries other than your own. We ensure appropriate safeguards are in place for international data transfers, including:

  • Standard contractual clauses
  • Adequacy decisions by relevant authorities
  • Appropriate technical and organizational measures

Children's Privacy

Our service is not intended for children under 13 years of age. We do not knowingly collect personal information from children under 13.

Changes to This Privacy Policy

We may update this Privacy Policy from time to time. We will notify you of any changes by:

  • Posting the new Privacy Policy on this page
  • Updating the "Last Updated" date
  • Sending email notifications for significant changes

Contact Information

If you have any questions about this Privacy Policy or our data practices, please contact us:

  • Email: founders@orcho.ai

Compliance

This Privacy Policy complies with:

  • General Data Protection Regulation (GDPR)
  • California Consumer Privacy Act (CCPA)
  • Other applicable privacy laws and regulations

Data Processing Legal Basis

Under GDPR, we process your data based on:

  • Contract Performance: To provide the services you've subscribed to
  • Legitimate Interest: To improve our service and ensure security
  • Consent: For optional features like anonymized data for model improvement

⚠️ Beta Testing Notice

This application is currently in beta testing.

While we make reasonable efforts to protect your data, the system is not yet fully compliant with data protection regulations such as GDPR or CCPA. Features, storage methods, and integrations may change during this period.

We strongly recommend that you do not input sensitive or confidential information while using the beta version. By participating in the beta, you acknowledge and accept these limitations.

This Privacy Policy is effective as of the date listed above and will remain in effect except with respect to any changes in its provisions in the future.