Back to home

Privacy Policy

Last updated: March 18, 2026

1. Who We Are

Orchestria is operated by Morena Capital s.r.o., a company registered in the Slovak Republic. We are the data controller for the personal data processed through the Service.

Contact: hello@orchestria.dev

2. Data We Collect

We collect the following categories of data:

  • Account data: email address, password (hashed), display name
  • Usage data: tasks created, projects, worker configurations, planner activity
  • Technical data: IP address, browser type, device information, access timestamps
  • Payment data: processed securely via Stripe — we do not store card numbers
  • API credentials: third-party API keys you provide, encrypted with AES-256 at rest

3. How We Use Your Data

  • To provide and maintain the Service
  • To authenticate your identity and secure your account
  • To process payments and manage subscriptions
  • To send transactional emails (account verification, password resets, billing)
  • To improve the Service based on aggregated, anonymized usage patterns
  • To respond to support requests and communicate about the Service

4. AI Worker Data

When you connect AI workers using your own API keys (BYOK), task content and instructions are sent directly to your chosen AI provider (Anthropic, OpenAI, Google, or Moonshot). We facilitate this connection but do not store or log AI request/response content. Your AI provider's privacy policy governs the processing of data by their models.

5. Data Storage & Security

  • All data is stored in Supabase (PostgreSQL) with Row Level Security (RLS) enforced on every table
  • API credentials are encrypted using AES-256-GCM before storage
  • All connections use TLS 1.3 encryption in transit
  • Authentication tokens are hashed using SHA-256
  • The Service is hosted on Cloudflare Workers (edge-distributed, EU-compliant regions available)

6. Data Sharing

We do not sell your personal data. We share data only with:

  • Supabase: database hosting and authentication
  • Cloudflare: application hosting and CDN
  • Stripe: payment processing (paid plans only)
  • AI providers: only when you explicitly configure and use AI workers with your keys

7. Your Rights (GDPR)

As we operate from the EU (Slovak Republic), you have the following rights under GDPR:

  • Access: request a copy of your personal data
  • Rectification: correct inaccurate data
  • Erasure: request deletion of your data ("right to be forgotten")
  • Portability: receive your data in a machine-readable format
  • Objection: object to processing based on legitimate interest
  • Restriction: request limited processing in certain cases

To exercise any of these rights, email us at hello@orchestria.dev. We will respond within 30 days.

8. Cookies

We use essential cookies for authentication (session tokens) and security. We do not use advertising or tracking cookies. No cookie consent banner is required as we only use strictly necessary cookies.

9. Data Retention

We retain your data for as long as your account is active. Upon account deletion, we remove personal data within 30 days. Anonymized, aggregated analytics data may be retained indefinitely. Backup data is purged within 90 days of account deletion.

10. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify registered users of material changes via email. Continued use of the Service after changes constitutes acceptance of the updated policy.

11. Contact

For privacy-related questions or to exercise your data rights:

Morena Capital s.r.o.
Slovak Republic
hello@orchestria.dev