Last updated: April 1, 2025
This policy explains what data Orvixo collects, why we collect it, how we store and protect it, and what rights you have over it. Please read it carefully.
Orvixo is operated by Orvixo Technologies Pvt. Ltd., a company incorporated in India, with offices at 12 Indiranagar 100 Feet Road, Bangalore 560038, India and at 1 Canada Square, Canary Wharf, London E14 5AB, United Kingdom.
When this policy refers to "Orvixo," "we," "us," or "our," it means Orvixo Technologies Pvt. Ltd. and any subsidiaries or affiliated entities that process data under our control.
Account information. When you sign up, we collect your name, email address, and a hashed password. If you sign up via Google or GitHub OAuth, we receive the email address and display name from those providers; we do not receive your OAuth provider password.
Organisation data. We store the name and settings for your Orvixo workspace, and the names and email addresses of any members you invite.
Database connection metadata. We store the connection parameters you provide (host, port, database name, credentials). Credentials are encrypted at rest using AES-256 and are never logged in plaintext.
Query data. Natural-language questions you ask and the SQL queries Orvixo generates are stored to power query history and to improve answer quality for your workspace. We do not use your queries to train our shared models.
Dashboard and chart data. Dashboard configurations, chart definitions, and the results of queries are stored so that dashboards can be rendered and updated in real time.
Usage telemetry. We collect event data (pages visited, features used, errors encountered) to understand how the product is used and to identify bugs. This data is pseudonymised.
Support correspondence. If you email us or use the in-app chat, we retain the conversation.
We use the data we collect exclusively to:
- Provide and operate the Orvixo service you have signed up for - Send you transactional emails (password resets, invoices, workspace invitations) - Notify you of product changes and security updates - Debug issues and improve the reliability of the service - Comply with legal obligations
We do not sell personal data. We do not share personal data with advertising networks.
If you are in the European Economic Area or United Kingdom, we rely on the following legal bases:
- Contractual necessity — processing required to deliver the service you have contracted for (account operation, query processing, dashboard storage) - Legitimate interests — pseudonymised product analytics and fraud prevention, where our interests do not override your rights - Legal obligation — retaining records to comply with applicable law - Consent — optional marketing communications, which you may withdraw at any time
We retain your data for as long as your account is active. If you delete your account, we delete or anonymise your personal data within 30 days, except where we are required by law to retain it (for example, billing records, which we retain for 7 years in accordance with Indian GST and UK VAT requirements).
Query history older than 12 months is purged from our live databases and moved to cold storage, then deleted at the 24-month mark.
We implement the following security controls:
- TLS 1.2 or higher on all data in transit - AES-256 encryption of database credentials at rest - Separate encryption keys per organisation, rotated annually - SOC 2 Type II audit in progress (expected completion Q3 2025) - Access to production customer data is restricted to three senior engineers and requires a Jira ticket with business justification
No security measure is perfect. If you discover a vulnerability, please disclose it responsibly to security@orvixo.com.
We use the following sub-processors to deliver the service. All have been assessed under our vendor security programme and are bound by data processing agreements.
| Sub-processor | Purpose | Location |
|---|---|---|
| Amazon Web Services | Cloud infrastructure | EU (Ireland), India (Mumbai) |
| OpenAI | Natural language to SQL inference | United States |
| Stripe | Payment processing | United States |
| PostHog | Product analytics | EU (Frankfurt) |
| Resend | Transactional email | United States |
Transfers to sub-processors in the United States take place under Standard Contractual Clauses.
Depending on where you are located, you may have the right to:
- Access the personal data we hold about you - Correct inaccurate personal data - Delete your personal data ("right to erasure") - Restrict processing in certain circumstances - Data portability — receive your data in a machine-readable format - Object to processing based on legitimate interests - Withdraw consent for optional processing at any time
To exercise any of these rights, email privacy@orvixo.com. We will respond within 30 days.
If you are in the UK or EEA and are not satisfied with our response, you may lodge a complaint with your local supervisory authority (in the UK, the ICO; in India, the Data Protection Board once the DPDP Act is in force).
We use the following categories of cookies:
Strictly necessary. Session tokens, CSRF protection, and language preference cookies. These cannot be disabled.
Analytics. We use PostHog with IP anonymisation to collect pseudonymised usage data. You may opt out by clicking the "Cookie preferences" link in the footer.
We do not place third-party advertising cookies.
We will notify you by email at least 14 days before making material changes to this policy. The "Last updated" date at the top of this page reflects the most recent revision. Continued use of the service after the effective date constitutes acceptance.
Privacy enquiries: privacy@orvixo.com
Orvixo Technologies Pvt. Ltd. 12 Indiranagar 100 Feet Road Bangalore 560038, India