Privacy Policy

Last updated: January 16, 2026

Our Commitment to Privacy

At Orchid, we believe that privacy is a fundamental right. Orchid is a proactive AI agent that sits across your stack (email, calendar, chat, docs, CRM, code, billing, and analytics) to interpret signals as tasks, execute routine work, and escalate to you only for decisions, exceptions, and high-impact actions.

Because Orchid connects to multiple services on your behalf, we take data protection seriously. We collect and process only the data necessary to provide our services, maintain strict access controls, and give you full visibility into what Orchid does.

Our verified privacy commitments:

  • Minimal Data Collection: We only collect data necessary for Orchid to function
  • Secure Integrations: All connected services use OAuth 2.0 with least-privilege access
  • Audit Trails: Every action Orchid takes is logged and auditable
  • User Control: Approve, deny, or edit any action before it executes
  • Rollback Capability: Reverse actions where possible if something goes wrong
  • Data Deletion: You can disconnect integrations and delete your data at any time

What Orchid Does

Orchid is a proactive AI agent that replaces "fake work" (status pings, coordination, filing) with auditable outcomes and a single priority queue. It works by:

  • Ingesting signals: Listening to email, calendar, Slack, CRM, tickets, code, billing, and analytics via secure webhooks and APIs
  • Building a work graph: Normalizing data into entities, threads, tasks, owners, priority, and confidence scores
  • Planning and executing: Combining LLM planning with safe, deterministic actions across your connected tools
  • Escalating intelligently: Prompting you with short, contextual approvals when confidence is low or stakes are high

Connected Services & Integrations

Orchid connects to various services to provide its functionality. Each integration uses OAuth 2.0 authentication with the minimum required permissions:

Current Integrations

  • Gmail: Read and send emails, manage labels, track threads
  • Google Calendar: View and create events, manage scheduling
  • Slack: Read messages, send notifications, coordinate teams
  • CRM Systems: Update deals, track accounts, manage pipelines
  • Linear/GitHub: Triage issues, summarize PRs, track engineering work
  • Notion: Access and update documentation
  • Analytics (PostHog): Pull usage metrics for account health insights

Integration Permissions

  • Each integration requests only the permissions needed for its function
  • You can review and revoke any integration at any time
  • Per-app allowlists control what actions Orchid can take (e.g., may comment, must not merge)
  • All access tokens are encrypted and stored securely

Data Collection and Usage

Account Information

  • Your email address and basic profile information when you sign up
  • Organization and team information for workspace management
  • Account preferences, settings, and configured playbooks
  • Billing information for paid subscriptions (processed by our payment provider)

Integration Data

  • Data from connected services is processed to build your work graph
  • We maintain temporary caches as necessary for application functionality
  • Cached data is encrypted at rest using AES-256 encryption
  • We do not sell or share your data with third parties for advertising

Usage Analytics

  • We collect anonymized usage analytics to improve the service
  • Metrics include: decision latency, autonomy rate, outcome completion
  • Error logs are retained for 30 days to help diagnose issues

Governance & Safety

Access Controls

  • Least-privilege access via SSO/OAuth for all integrations
  • Role-based permissions within your organization
  • Per-app allowlists controlling what actions Orchid can take
  • Data scopes limiting what information Orchid can access

Autonomy Levels

  • Silent execution: Safe, low-risk actions execute automatically
  • Quick approvals: Medium-risk actions require a simple approve/deny
  • Full briefs: High-risk actions include context, diffs, and impact previews
  • You control confidence thresholds for each action type

Audit & Rollback

  • Every action is logged with rationale and timestamp
  • Reversible steps available where possible
  • Shadow mode for testing workflows before enabling
  • Full audit trails for compliance requirements

Data Protection and Security

Security Measures

  • Orchid is SOC 2 Type II certified and CASA (Cloud Application Security Assessment) certified
  • All data in transit encrypted using TLS 1.3
  • Encryption at rest for all stored data using AES-256
  • Secure OAuth 2.0 authentication for all integrations
  • Monthly third-party penetration testing
  • Real-time monitoring for suspicious activities
  • Automated security patches and dependency updates

Infrastructure Security

Our database layer is powered by Convex, which is SOC 2 Type II compliant, HIPAA compliant, and GDPR verified:

  • All customer data encrypted at rest using industry-standard 256-bit AES
  • All data in transit encrypted using TLS and SSH
  • Each customer database is isolated with random and unique credentials
  • Audited access control management with MFA for all critical internal systems
  • No customer data publicly accessible unless explicitly exposed by customer-authored functions
  • Automated vulnerability scanning and intrusion detection
  • Third-party penetration tests conducted at least annually
  • Hosted on AWS (certified for SOC 2 Type II, ISO 9001, GDPR, HIPAA, FedRAMP)
  • Payment processing via Stripe (PCI Service Provider Level 1)

Data Residency

  • Data processing occurs in secure data centers in the United States
  • Enterprise customers can request specific data residency requirements
  • We comply with international data transfer regulations

Google API Services

When you connect your Google account (Gmail, Calendar), we adhere to Google's policies:

  • We request access only after receiving your explicit consent
  • We access only the necessary API scopes required for functionality
  • We use secure OAuth 2.0 authentication provided by Google
  • You can revoke access at any time through your Google Account settings

Our use and transfer of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements.

Your Rights and Controls

  • Right to access: View all data Orchid has collected about you
  • Right to rectification: Correct inaccurate data
  • Right to erasure: Request deletion of your data
  • Right to disconnect: Revoke any integration at any time
  • Right to export: Download your data and action history
  • Right to object: Opt out of certain data processing
  • Right to audit: Review all actions Orchid has taken on your behalf

Pricing and Refund Policy

Our Refund Promise

  • We offer a 30-day money-back guarantee, no questions asked
  • If you're not satisfied within 30 days of purchase, contact us for a full refund
  • Annual subscribers can request a prorated refund within 60 days
  • We want you to be happy with Orchid, and we'll work with you to make it right

Subscription Management

  • Cancel your subscription at any time through account settings
  • Access continues until the end of your current billing period
  • Price changes are communicated 30 days in advance
  • Downgrade to a lower tier anytime without penalty

Contact

For privacy-related questions or concerns: nizzy@orchid.ai