Privacy Policy

1. Data Collected

We collect the following types of data:

Account data: Email address, name, password (hashed), subscription plan.

Usage data: Flow execution logs, quota consumption, API request history.

Google Drive data (with your consent): Access to Google Drive files that you choose to connect via our OAuth2 connectors. We only read and write files necessary for your automated workflows.

Cookies: We use secure HTTP-only cookies to maintain your login session (JWT token).

2. Use of Data

Your data is used only to:

  • Provide and improve our automation services
  • Authenticate your account and manage your quotas
  • Execute your automation workflows
  • Provide technical support
  • Comply with our legal obligations

We never sell your data to third parties.

3. Data Sharing

We only share your data with:

Essential third-party service providers:

  • Google Drive API (only files you explicitly connect)
  • OpenAI API (for AI flow generation - only your input/output samples)
  • SendGrid (for transactional email sending)

Privacy guarantee: Your workflow data (processed files, execution data, actual contents) is NEVER sent to third-party AI services. Only the input/output samples you explicitly provide when creating a flow are used to generate the workflow structure.

Legal obligations: We may disclose your data if required by law.

4. Security

We implement strict security measures:

  • HTTPS (TLS) encryption for all communications
  • HTTP-only and Secure cookies for sessions
  • Google Drive tokens encrypted with AES-256-GCM
  • Passwords hashed with bcrypt
  • Automated daily backups

5. Your Rights (GDPR)

In accordance with the General Data Protection Regulation (GDPR), you have the following rights:

  • Access: You can request a copy of your personal data
  • Rectification: You can correct your data from the Account page
  • Deletion: You can delete your account at any time (permanent deletion within 30 days)
  • Consent withdrawal: You can disconnect your Google Drive accounts at any time

To exercise these rights, contact us at contact@orchestria.io.

6. Data Retention

We retain your data as long as your account is active. After account deletion:

  • Your personal data is deleted within 30 days
  • Anonymized execution logs may be retained up to 90 days for performance analysis
  • Backups are deleted after 30 days

7. Cookies

We use the following cookies:

Strictly necessary cookies:

  • token: HTTP-only cookie containing your session JWT (expiration: 7 days)

No tracking or advertising cookies are used.

8. Changes to this Policy

We may update this policy occasionally. We will inform you of significant changes by email. The current version is always available on this page.

9. Contact

For any questions regarding this privacy policy, contact us at:

Email: contact@orchestria.io
Legal entity: OCVISION EURL
Trading name: Orchestria

10. SFTP Connectors and Data Protection

SFTP Connectors:

When you configure an SFTP connector, Orchestria securely stores your connection credentials:

  • Stored credentials: Host, port, username, and password encrypted with AES-256
  • Configured folders: Paths to INPUT (read) or OUTPUT (write) folders you designate
  • Archive folder: Optional, used to move processed files (INPUT only)

SFTP Connector Usage:

SFTP connectors are used exclusively for:

  • INPUT Connectors: Automatically retrieve files (JSON, XML, CSV, TXT) from your SFTP servers to trigger your workflows. If configured, processed files are automatically archived.
  • OUTPUT Connectors: Send workflow results to your SFTP servers in JSON format
  • Data Transformation: Files are processed in real time, in memory, according to your configured workflows

SFTP Data Privacy Guarantees:

We formally commit to the following:

  • NO sharing with third-party AI services: Your SFTP files are NEVER sent to OpenAI or any other artificial intelligence service
  • NO sharing with third parties: Your files remain strictly between your SFTP servers and our secure infrastructure
  • Isolated processing: Data is processed only by our dedicated servers via a secure backend proxy

SFTP Data Storage & Protection:

  • Encrypted credentials: All SFTP passwords are encrypted with AES-256 in our secure PostgreSQL database
  • Files: NOT stored on our servers. Files are read/written directly from/to your SFTP servers and processed in RAM only
  • Execution logs: Contain only metadata (file name, execution date, status), never file contents
  • Communication encryption: All SFTP connections use SSH (port 22) with secure authentication

SFTP Credentials Retention & Deletion:

  • Retention period: Credentials are kept as long as you keep the SFTP connector active
  • Immediate deletion: You can delete an SFTP connector at any time from the Connectors page. Credential deletion is immediate.
  • Automatic deletion: Upon deletion of your Orchestria account, all SFTP credentials are permanently deleted within 30 days

SFTP Security Best Practices:

We recommend:

  • Limit permissions: Create a dedicated SFTP account with access only to necessary folders
  • Use strong passwords: Or use SSH key authentication (support coming soon)
  • Monitor logs: Regularly review execution logs from the Connectors page
  • Minimization principle: We only access files in the folders you configure