Logo

Privacy Policy

Effective Date: May 18, 2026

Replaces all prior versions.

Introduction

Orys AI (“Orys AI”, “we”, “our”, or “us”) is committed to protecting the privacy and security of our customers’ data. This Privacy Policy explains how we collect, use, disclose, and protect information when you use our Platform. By using the Platform, you agree to the practices described in this Policy.

We serve B2B customers in the chemical, oil & gas, and industrial construction industries. We understand that the project and cost data our customers work with may be commercially sensitive, and we treat it accordingly.

1. Information We Collect

1.1 Account and Organization Information

  • Name, email address, job title
  • Company/organization name
  • Billing contact and address
  • Organizational role (Owner, Admin, Estimator, or Viewer)

1.2 Customer Content

  • Project documents uploaded to the Platform (PDFs and vendor quotes)
  • Cost catalog data, assemblies, line items, and estimates created within the Platform
  • AI-assisted workflow inputs and outputs confirmed by the user

1.3 Operational and Usage Data

  • Authentication tokens and session metadata
  • Action audit log entries (every user-initiated action is recorded, with AI-assisted actions clearly attributed separately from direct user actions)
  • Browser type, IP address, and pseudonymized product usage telemetry

1.4 Payment Information

Payment information is collected directly by Stripe through Stripe-hosted elements. Card numbers and CVVs never reach Orys AI infrastructure. We retain only Stripe customer and subscription identifiers. Stripe is PCI-DSS Level 1 certified. By making a payment through the Platform, you agree to Stripe’s Terms of Service.

2. How We Use Your Information

We use collected data solely to:

  • Create and manage your organization's account and user access
  • Deliver the AI-assisted estimating and catalog services described in our Terms of Service
  • Process subscription payments securely via Stripe
  • Provide customer support and respond to inquiries
  • Monitor platform performance, reliability, and security
  • Fulfill our obligations under applicable MSAs and DPAs
  • Comply with legal requirements

We do not use your data for advertising, profiling unrelated to service delivery, or any purpose not listed above.

3. AI Model Training - Explicit Prohibition

Orys AI does not use customer-uploaded documents, project files, catalog data, cost data, or any other customer content to train, fine-tune, improve, or benchmark any AI or machine learning model - including third-party models - without the express prior written consent of the customer organization.

This is a contractual commitment reflected in our Master Service Agreements and is a standing policy that applies to all customers regardless of whether a separate MSA is in place.

4. Data Storage and Security

4.1 Encryption

  • All data is encrypted in transit using HTTPS/TLS 1.2 or higher across all Platform components
  • All customer data is encrypted at rest using AES-256
  • AI agent conversation state is encrypted at the application layer using per-organization derived keys (HKDF-SHA256), in addition to platform-level encryption

4.2 Access Controls

  • Role-based access control (RBAC) is enforced at every API endpoint
  • Multi-tenant isolation is enforced at routing, database, and schema layers - no organization can access another organization’s data
  • Customer documents are accessible only via short-lived, read-only signed access tokens (1-hour expiry)
  • Removed organization members lose all data access immediately on the next request

4.3 Infrastructure and Hosting

The Platform is hosted on enterprise-grade managed cloud providers. All production infrastructure providers maintain recognized security certifications:

  • Microsoft Azure - Object storage, serverless functions, monitoring, and transactional email. ISO 27001, SOC 1/2/3, HIPAA-eligible.
  • Railway - Web application and API hosting. SOC 2 Type II.
  • Supabase - Identity provider and primary PostgreSQL database. SOC 2 Type II, HIPAA-ready.
  • Modal - GPU-accelerated AI inference. SOC 2 Type II.
  • Stripe - Subscription billing and payment processing. PCI-DSS Level 1.

4.4 SOC 2 Status

Orys AI is actively preparing for SOC 2 Type II certification through our compliance program with Vanta. Upon completion, the report will be available to customers and prospective customers under NDA upon request. Contact [email protected] to request a copy or to obtain our current security posture documentation.

5. Data Sharing and Subprocessors

We do not sell, rent, or trade your personal data or customer content to any third party. We share data only with subprocessors necessary to deliver the Platform, each of which is contractually bound to equivalent data protection standards. Our current subprocessors are:

  • Microsoft Azure - Object storage, serverless functions, monitoring, transactional email delivery
  • Railway - Web application and API hosting
  • Modal - GPU-accelerated AI inference
  • Supabase - Identity provider and primary PostgreSQL database
  • Stripe - Subscription billing and payment processing
  • Google OAuth - Optional user-initiated sign-in only
  • Microsoft OAuth - Optional user-initiated sign-in only
  • MongoDB Atlas - Encrypted AI agent conversation checkpoint storage
  • PostHog - Pseudonymized product analytics, proxied through our own domain

An up-to-date subprocessor list is maintained and available upon request at [email protected].

6. Data Retention and Deletion

Customer data is retained for the duration of the active subscription and for a reasonable period thereafter to support offboarding and legal compliance, unless a shorter retention period is specified in an applicable DPA or MSA.

  • User invitations expire automatically after 7 days
  • Removed organization members lose all data access immediately
  • Upon user-initiated deletion of a project, catalog entry, or document, that data is permanently removed from production systems and is not recoverable
  • Upon account or organization deletion, all associated customer data is permanently deleted from production systems within 30 days. Written confirmation of deletion is available upon request.
  • Payment records are retained as required by applicable financial and tax regulations

7. Your Rights and Choices

Depending on your jurisdiction, you may have rights regarding your personal data, including the right to access, correct, restrict processing of, or request deletion of your data. To exercise any of these rights, contact [email protected]. We will respond within the timeframe required by applicable law.

8. Data Processing Agreement (DPA)

Customers subject to GDPR, PIPEDA, or other data protection regulations that require a formal DPA may request one by contacting [email protected]. A DPA must be executed prior to uploading any regulated data to the Platform. Our DPA establishes the legal basis for data processing, defines controller and processor responsibilities, and governs cross-border data transfers where applicable.

9. Cookies and Tracking

We use cookies and similar technologies to manage login sessions, maintain Platform functionality, and collect pseudonymized product analytics via PostHog, proxied through our own domain to minimize third-party data exposure. You can control or disable cookies through your browser settings, though doing so may affect Platform functionality.

10. Children’s Privacy

The Platform is not directed to individuals under the age of 18. We do not knowingly collect data from minors. If we become aware that such data has been collected, it will be deleted promptly.

11. Changes to This Policy

We may update this Privacy Policy from time to time. Material changes will be communicated to active customers via email at least 14 days before taking effect. The current version is always available at orysai.com/privacy-policy. Continued use of the Platform following an update constitutes acceptance of the revised Policy.

12. Contact and Data Inquiries

For privacy inquiries, data deletion requests, DPA requests, security concerns, or subprocessor information:

Orys AI

Email: [email protected]

Phone: +1 (346) 303-2588

Website: orysai.com

To report a security vulnerability, please contact [email protected] with sufficient detail to reproduce the issue. We will acknowledge valid reports promptly.

© 2026 Orys. All rights reserved.