Privacy Policy

Last updated: December 2, 2025

Legal Compliance: This privacy policy complies with GDPR, COPPA, and other applicable data protection laws. We do not sell your personal information.

1. Controller Information

Data Controller: ORA
Privacy Contact: privacy@myora.co

2. Lawful Basis for Processing

Under GDPR, we must have a lawful basis to process your personal data. We process your data based on the following legal grounds:

  • Consent (Article 6(1)(a)): When you give us explicit permission to process your data, such as when you sign up for our service or agree to receive marketing communications
  • Contract (Article 6(1)(b)): When we need to process your data to fulfill our contract with you, such as providing the services you've subscribed to
  • Legitimate Interest (Article 6(1)(f)): When we have a legitimate business interest in processing your data, such as improving our services, preventing fraud, or ensuring security
  • Legal Obligation (Article 6(1)(c)): When we are required by law to process your data, such as for tax purposes or to comply with legal requirements

3. Categories of Personal Data We Collect

Identity Data

Name, email address, username, profile picture, Apple ID (for authentication)

Contact Data

Email, phone number, billing address, location

Technical Data

IP address, browser type, device information, operating system, app version, unique device identifiers

Usage Data

How you use our services, preferences, analytics, feature usage, session data

Content Data

Social media statistics, collaboration data, media kit content, brand information, rate calculations

Financial Data

Subscription information, payment history (processed by Apple, not stored by us), transaction IDs

Marketing Data

Communication preferences, marketing consent, newsletter subscriptions

4. How We Use Your Personal Data

Service Provision

We use your data to provide and maintain our business management platform for content creators, calculate rates, and generate analytics.

Account Management

We use your data to create and manage your account, process payments, and provide customer support.

Communication

We use your data to send service updates, support communications, and marketing materials (only with your consent).

5. Data Retention

We retain your personal data only for as long as necessary to fulfill the purposes outlined in this policy:

  • Account Data: Until account deletion or 3 years of inactivity
  • Transaction Data: 7 years for tax and legal compliance
  • Marketing Data: Until consent is withdrawn
  • Technical Data: 2 years maximum
  • Analytics Data: Anonymized after 2 years

6. Your Privacy Rights (GDPR and Other Laws)

You have the following rights regarding your personal data:

Your GDPR Rights (EU/EEA Residents)

As an EU or EEA resident, you have the following rights regarding your personal data:

Right of Access (Article 15)

You can request a copy of all personal data we hold about you, including how we use it and who we share it with.

Right to Rectification (Article 16)

You can ask us to correct any inaccurate or incomplete personal data we have about you.

Right to Erasure (Article 17)

You can request that we delete your personal data, also known as the "right to be forgotten".

Right to Restrict Processing (Article 18)

You can ask us to limit how we process your data in certain circumstances.

Right to Data Portability (Article 20)

You can request to receive your data in a structured, commonly used format that you can transfer to another service.

Right to Object (Article 21)

You can object to us processing your data when we rely on legitimate interests as our legal basis.

Right to Withdraw Consent (Article 7)

If we process your data based on consent, you can withdraw that consent at any time.

Right to Human Review (Article 22)

You have the right to request human review of any automated decision making that significantly affects you.

To exercise any of these rights, contact us at privacy@myora.co. We will respond within 30 days (or 45 days for complex requests).

7. Data Security

We implement appropriate technical and organizational measures to protect your personal data:

  • End-to-end encryption for sensitive data
  • Regular security assessments and updates
  • Access controls and multi-factor authentication
  • Staff training on data protection
  • Incident response procedures
  • Secure data storage and transmission

8. International Data Transfers

If we transfer your data outside the EEA, we ensure adequate protection through:

  • Adequacy decisions by the European Commission
  • Standard Contractual Clauses (SCCs)
  • Binding Corporate Rules
  • Certification schemes

For more detailed information about international data transfers, see Section 14 below.

9. Data Breach Notification

In the event of a data breach that poses a risk to your rights and freedoms, we will:

  • Notify the relevant supervisory authority within 72 hours
  • Inform affected individuals without undue delay
  • Provide clear information about the breach and our response

10. Children's Privacy (COPPA Compliance)

Our services are not directed to children:

  • EU/EEA: Users must be at least 16 years old (GDPR requirement)
  • United States: Users must be at least 13 years old (COPPA requirement)
  • Parental Consent: Users under 18 must have parental or guardian consent
  • No Collection: We do not knowingly collect personal data from children under the applicable age limit without parental consent
  • Deletion: If we discover we have collected data from a child without consent, we will delete it immediately
  • Contact: Parents can contact us at privacy@myora.co to review, delete, or refuse further collection of their child's information

11. Third Party Service Providers and Data Processors

We use third party service providers to operate our Service. These processors are bound by data processing agreements and only process data as instructed:

Data Storage and Backend Services

  • Supabase: Cloud database and backend services (data storage, authentication, API services). Location: United States.

Payment Processing

  • Apple App Store: In-app purchase processing for iOS subscriptions. Location: United States.

We do not store your payment information. All payment data is processed directly by Apple through the App Store.

Social Media Information

You may choose to provide information about your social media accounts (Instagram, TikTok, YouTube, Snapchat) including follower counts, engagement metrics, and platform statistics. This information is:

  • Manually entered by you in the app
  • Used to calculate rates and generate analytics
  • Stored securely in your account
  • You can update or delete this information at any time

12. Cookies and Tracking Technologies

Since ORA is primarily a mobile app, our website uses minimal cookies:

  • Essential Cookies Only: We use only essential cookies required for basic website functionality (session management, security)
  • No Tracking Cookies: We do not use cookies to track your behavior across the web
  • No Advertising Cookies: We do not use cookies for advertising purposes
  • No Analytics Cookies: We do not use cookies for website analytics

You can control cookies through your browser settings. Note that disabling essential cookies may affect basic website functionality.

Mobile App Analytics

In our mobile app, we collect anonymized usage data to improve the Service:

  • App Analytics: We collect anonymized usage data to improve the Service
  • Error Tracking: We track errors and crashes to fix issues
  • Performance Monitoring: We monitor Service performance and response times

All analytics data is anonymized and aggregated. We do not use analytics to identify individual users.

13. AI and Automated Decision Making

ORA uses artificial intelligence to provide certain features and insights:

  • AI Features: Contract analysis, dashboard insights, and recommendations
  • Data Processing: AI processes your contract text and collaboration data to provide insights and recommendations
  • Contract Analysis: AI analyzes contract text to identify key terms, potential issues, and provide recommendations. Contract text is sent to our AI service provider (OpenAI) for analysis
  • Automated Decisions: Some features use automated decision making. You have the right to request human review of automated decisions
  • Transparency: We will inform you when AI is used in decision making processes that significantly affect you
  • Opt Out: You can choose not to use AI features, though this may limit functionality
  • No Profiling: We do not use automated processing to create profiles that produce legal effects or significantly affect you without human review

Note: Rate calculations use predefined formulas and industry benchmarks, not AI. Social media statistics are manually entered by you, not collected via API.

14. International Data Transfers

Your data may be transferred to and processed in countries outside your country of residence:

  • Primary Location: United States (where our servers and service providers are located)
  • EU/EEA Transfers: For EU/EEA residents, we use Standard Contractual Clauses (SCCs) approved by the European Commission to ensure adequate protection
  • Adequacy Decisions: We rely on adequacy decisions where applicable
  • Binding Corporate Rules: Our service providers are bound by data protection agreements
  • Your Rights: International transfers do not affect your privacy rights under GDPR or other applicable laws

15. Data Sharing and Disclosure

We do not sell your personal information. We may share your data only in the following circumstances:

  • Service Providers: With third-party processors who help us operate the Service (listed in Section 11)
  • Legal Requirements: When required by law, court order, or government regulation
  • Business Transfers: In connection with a merger, acquisition, or sale of assets (with notice to users)
  • Protection of Rights: To protect our rights, property, or safety, or that of our users
  • With Your Consent: When you explicitly consent to sharing

We do not share your data with: Advertisers, data brokers, or third parties for their own marketing purposes.

16. Changes to This Policy

We may update this privacy policy from time to time. We will notify you of any material changes via email or through our services at least 30 days before they take effect. The "Last updated" date at the top indicates when changes were made. Continued use after changes constitutes acceptance of the updated policy.

17. Contact Information and Exercising Your Rights

Privacy Inquiries: privacy@myora.co
General Support: support@myora.co

To exercise your privacy rights, please contact us with:

  • Your name and email address
  • The specific right you wish to exercise
  • Any additional information needed to process your request

We will respond within 30 days (or 45 days for complex requests). For EU residents, you can also contact your local supervisory authority.

Exercise Your Rights: To exercise any of your privacy rights under GDPR or other applicable laws, please contact us at privacy@myora.co with your request. We will respond within 30 days (or 45 days for complex requests). We do not sell your personal information.