Privacy Policy

This Policy applies to the ORIXA Intelligence platform, websites, applications and related services (the “Services”). It should be read together with our Terms of Service and our Refund Policy.

ORIXA Intelligence acts as the data controller for personal data processed in connection with your account and use of the Services. Where the Services are provided to an Organisation (e.g. a fund, family office, corporate or DFI), the Organisation may also act as a data controller for the data of its users and the Customer Content uploaded to its workspace; ORIXA acts as a data processor in respect of such Customer Content on behalf of the Organisation.

We collect the following categories of personal data:

• Account information — full name, email address, password (hashed), organisation name, role.
• Profile information — avatar / profile picture (where you sign in with Google or upload one).
• Billing information — billing name, address, tax identifiers and payment method. Payment card data is processed and stored by Paddle, not by ORIXA.
• Customer Content — documents you upload (PDF, DOCX, XLSX, CSV, PPTX), assessment briefs and conversations with the Copilot.
• Usage and analytics data — pages visited, actions performed, assessment activity, API calls, error logs.
• Technical and device information — IP address, browser type, operating system, device identifiers, time zone, referrer URL.
• Authentication metadata — session tokens, OAuth identifiers (when signing in with Google).

• To provide, operate, maintain and improve the Services;
• To authenticate users and secure accounts (multi-factor and session management);
• To generate AI dossiers, run the agent pipeline and operate the Advisory Copilot;
• To process subscriptions, invoices and tax compliance via Paddle;
• To prevent, detect and respond to fraud, abuse and security incidents;
• To communicate with you (transactional emails, security notices, optional product updates);
• To comply with legal, accounting and regulatory obligations;
• To research, benchmark and improve our models and product features in an aggregated or de-identified manner.

Where the General Data Protection Regulation (EU) 2016/679 (“GDPR”) applies, we rely on the following legal bases:

• Performance of a contract — to provide the Services you have subscribed to;
• Legitimate interests — to secure and improve the platform, prevent fraud, and conduct ordinary business operations;
• Compliance with legal obligations — to comply with tax, accounting, anti-money-laundering and other applicable laws;
• Consent — where you have given consent, e.g. for non-essential cookies or marketing communications.

All payments are processed by Paddle.com Market Limited, acting as Merchant of Record. Paddle independently collects and processes billing, payment and tax information in accordance with its own privacy practices and applicable financial regulations. ORIXA does not receive or store your full payment-card details.

To produce assessments and Copilot responses, your inputs and selected Customer Content excerpts may be transmitted to third-party large language model providers (such as Anthropic and OpenAI) acting as our processors. These providers process data under contractual confidentiality obligations and, per their commercial APIs, do not use your inputs to train their foundation models.

AI-generated outputs may contain inaccuracies and must not be treated as authoritative. You are responsible for verification before any business or investment decision.

We do not sell your personal data. We share data only with:

• Service providers (processors) — hosting, storage, AI inference, analytics, transactional email, and Paddle for payments, each bound by data-protection agreements.
• Your Organisation — administrators of your Organisation may view your account activity and assessments within their workspace.
• Legal and regulatory authorities — where required by applicable law, court order or to protect our rights, users or the public.
• Business transfers — in connection with a merger, acquisition or sale of assets, subject to confidentiality.

Your data may be processed in jurisdictions outside your country of residence, including in the European Economic Area, the United Kingdom, the United States and other countries where our processors operate. Where required, we implement appropriate safeguards such as Standard Contractual Clauses approved by the European Commission.

We retain personal data only as long as necessary for the purposes for which it was collected, including to satisfy any legal, accounting or reporting requirements. Typical retention periods are:

• Account information — for the duration of your account, plus up to 24 months after deletion;
• Customer Content (uploads, assessments) — until you delete it or until your subscription ends, plus up to 90 days in backups;
• Billing records — for the period required by tax and accounting laws (typically 7–10 years);
• Security logs — up to 24 months.

We implement reasonable administrative, technical and organisational safeguards to protect personal data, including encryption in transit (TLS), encryption at rest for sensitive fields, password hashing with industry-standard algorithms (bcrypt), role-based access controls, and multi-tenant data isolation. No security measure is impenetrable, and we cannot guarantee absolute security.

Subject to applicable law, you may have the following rights:

• Right of access to your personal data;
• Right of rectification of inaccurate data;
• Right to erasure (“right to be forgotten”);
• Right to restriction of processing;
• Right to data portability;
• Right to object to processing based on legitimate interests;
• Right to withdraw consent where processing is based on consent;
• Right to lodge a complaint with a supervisory authority (e.g. an EU Data Protection Authority).

To exercise your rights, please contact us via the channels listed in section 16.

We use a minimal set of cookies and similar technologies for authentication (session cookies), security (CSRF tokens) and aggregated analytics. You can control or delete cookies via your browser settings; doing so may affect platform functionality (notably authentication).

The Services are not directed to or intended for individuals under 18 years of age. We do not knowingly collect personal data from children. If we become aware that we have collected such data, we will delete it.

We may update this Privacy Policy from time to time. Material changes will be notified via the Services or by email at least thirty (30) days before they take effect. The “Last updated” date above indicates when this Policy was last revised.

Questions regarding privacy or the exercise of your rights may be directed through the advisory booking page or via the contact channels published in your organisation's workspace.