1. Overview
This Privacy Policy explains how [Legal Entity Name] (“Orkka,” “we, ” “us”) collects, uses, and shares information when you use our websites, applications, and services (the “Service”). It should be read together with our Terms of Service. By using the Service, you acknowledge the practices described here.
Orkka acts in two capacities. For account and billing information we are a data controller. For the source code, task content, and other material you connect or submit for agents to process (“Customer Content”), we act as a data processor that handles it on your instructions.
2. Who we are
The data controller for personal data described in this policy is [Legal Entity Name], [Registered Address]. For privacy questions or to exercise your rights, contact [privacy@orkka.com]. If we are required to appoint a Data Protection Officer or EU/UK representative, their details will be listed here: [DPO / Representative details].
3. Data we collect
3.1 Information you provide
- Account & identity data — name, email address, and profile details, handled through our authentication provider, Clerk. We do not store your password; Clerk manages credentials.
- Organization data — organization name, members, roles, permissions, and invitations.
- Billing data — payment method details are collected and stored by Stripe; we retain limited billing metadata (for example, the last four digits of a card, billing status, invoices, and usage records). We do not store full card numbers.
- Customer Content — repositories and code you connect, task descriptions, briefs, documents, design assets, messages to agents, and configuration.
- Support & communications — messages you send us.
3.2 Information collected automatically
- Usage & log data — actions in the product, feature usage, agent execution records, token-usage metering, timestamps, and error logs.
- Device & connection data — IP address, browser type, device information, and similar technical data.
- Cookies — see Section 13.
3.3 Information from third parties
- Identity provider — profile details from Clerk and, if you use social sign-in, from that provider.
- GitHub — repository metadata and content accessed through the Orkka GitHub App using scoped tokens, at your direction.
4. How we use data
We use personal data to:
- Provide, operate, secure, and maintain the Service;
- Create repository worktrees and run AI agents to plan, code, test, review, and deploy at your direction;
- Authenticate users, manage organizations, and enforce permissions;
- Meter usage, calculate charges, process payments, and prevent abuse or fraud;
- Provide support and respond to your requests;
- Monitor, debug, and improve the Service, including analyzing aggregated or de-identified usage; and
- Comply with legal obligations and enforce our Terms.
We do not sell your personal data, and we do not use your Customer Content to build or advertise to a marketing profile.
5. AI processing & your code
To fulfill your tasks, Orkka sends relevant Customer Content — which may include source code, file contents, task descriptions, and related context — to our AI model provider, Anthropic, through its API.
- No model training on your content. We use the Anthropic API under commercial terms that do not permit your inputs or outputs to be used to train Anthropic’s models. Orkka likewise does not train models on your Customer Content.
- Purpose-limited. Content is transmitted only as needed to generate the requested Output and to operate the pipeline you configured.
- Your controls. You choose which repositories to connect, which tasks to run, and whether to enable autonomous actions such as auto-merge or auto-deploy.
- Provider retention. Model providers may retain inputs and outputs for a limited period for abuse-monitoring and legal compliance in accordance with their terms.
Output generated by AI agents may be inaccurate or insecure; see the Terms of Service for the disclaimers that apply.
6. Legal bases for processing (GDPR/UK GDPR)
Where the GDPR or UK GDPR applies, we rely on the following legal bases:
- Performance of a contract — to provide the Service you request;
- Legitimate interests — to secure, maintain, and improve the Service and prevent abuse, balanced against your rights;
- Legal obligation — to comply with law (for example, tax and accounting); and
- Consent — where required, for example certain cookies; you may withdraw consent at any time.
7. How we share data
We share personal data only as described here:
- Subprocessors — vendors that process data on our behalf under contract (see Section 8);
- Within your organization — with other members according to the roles and permissions your organization owner configures;
- Legal & safety — when required by law, legal process, or to protect the rights, property, or safety of Orkka, our users, or the public; and
- Business transfers — in connection with a merger, acquisition, financing, or sale of assets, subject to this policy.
8. Subprocessors
We use the following third-party subprocessors to provide the Service. This list may change; we will update it and, where required, provide advance notice.
| Subprocessor | Purpose | Data involved |
|---|---|---|
| Anthropic | AI model provider (Claude) for agent execution | Task context & code sent to fulfill requests |
| Clerk | Authentication & user identity | Name, email, profile, credentials |
| Stripe | Payment processing & invoicing | Payment method, billing details |
| Microsoft Azure | Cloud hosting, compute & PostgreSQL database | All platform data at rest and in transit |
| GitHub | Repository access via the Orkka GitHub App | Repository metadata & code you connect |
| Vercel | Deployment hosting for managed projects | Managed project code & deployment config |
9. Data retention
We retain personal data for as long as your account is active and as needed to provide the Service, then for the period required to comply with legal, tax, and accounting obligations, resolve disputes, and enforce agreements. When you delete Customer Content or your account, we delete or de-identify the associated data within a reasonable period, except for residual copies in backups (which age out on a rolling schedule) and aggregated or anonymized data.
10. Security
We use technical and organizational measures designed to protect personal data, including encryption in transit, encryption of sensitive secrets at rest, tenant isolation (every record is scoped to an organization and enforced at the data layer), scoped and rotating repository access tokens, dedicated per-project database roles with least privilege, and access controls and logging. No method of transmission or storage is completely secure, and we cannot guarantee absolute security.
11. International data transfers
We and our subprocessors may process data in countries other than your own, including the United States and the European Union. Where we transfer personal data across borders, we rely on appropriate safeguards such as the European Commission’s Standard Contractual Clauses (and the UK Addendum where applicable), or other lawful transfer mechanisms. Contact us for more information on the safeguards we use.
12. Your rights & choices
Depending on where you live, you may have rights to access, correct, delete, or port your personal data; to restrict or object to certain processing; and to withdraw consent. If you are in the EEA/UK you have rights under the GDPR; if you are a California resident you have rights under the CCPA/CPRA, including the right to know, delete, correct, and to opt out of “sale” or “sharing” (we do not sell or share personal data as those terms are defined). We will not discriminate against you for exercising these rights.
To exercise your rights, contact [privacy@orkka.com]. You may also manage much of your data directly in the product. If you are covered by the Service as a member of an organization, some requests may be directed to that organization as the controller of its Customer Content. You have the right to lodge a complaint with your local data protection authority.
13. Cookies & tracking
We use cookies and similar technologies that are strictly necessary to run the Service (for example, authentication and session management via Clerk) and, where applicable, to understand product usage. You can control non-essential cookies through your browser settings or any in-product cookie controls we provide. Blocking essential cookies may prevent you from signing in or using core features.
14. Children
The Service is not directed to children under 16 (or the age required by your jurisdiction), and we do not knowingly collect their personal data. If you believe a child has provided us data, contact us and we will delete it.
15. Changes to this policy
We may update this Privacy Policy from time to time. When we make material changes, we will update the effective date and, where appropriate, notify you by email or in-product notice. Your continued use of the Service after changes take effect constitutes acceptance of the updated policy.
16. Contact us
For privacy questions or requests, contact us at [privacy@orkka.com], or by mail at [Legal Entity Name, Registered Address].
By creating an Orkka account you acknowledge that you have read this Privacy Policy and agree to our Terms of Service.