Privacy Policy

Last updated: May 21, 2026

Privacy and security are too important for legalese. We don't sell your data. We don't use it for advertising. It's your data, period.

We don't train shared models on your data. We train your model on your data.

Orchid is an executive assistant that works across your tools (email, calendar, drive, code, billing, support) to help you get your work done. Connecting tools is what makes Orchid useful, so we ask for the access required for the actions you've enabled, and nothing more.

After account creation you'll be asked to connect at least one external account. Each connection has specific protections to ensure Orchid only uses the data necessary for the product, and you can revoke any connection at any time.

This policy applies to all information collected or submitted on Orchid's website and our apps for web, desktop, and any other devices or platforms.

Sign in with Google

What does Orchid do with my Google account at sign-in?

We use Sign in with Google to verify your identity and securely log you in. We collect your name, primary Google account email address, and profile image for this purpose only.

How do you protect my privacy?

  • We request only the minimum identity scopes (name, email, profile image) at sign-in.
  • Sign in with Google handles all credentials. We never see or store your Google password.
  • We support and recommend two-factor authentication on your Google account.

Gmail

What does Orchid do with my email?

Connected Gmail accounts let Orchid help you read, organize, draft, and send messages. This is how Orchid helps with triage, drafts replies for your review, files messages, and surfaces threads that need your attention.

How do you protect my privacy?

  • Orchid requests the minimum Gmail scopes required to perform the actions you've enabled.
  • Drafts created by Orchid are reviewable before they're sent. You always control the send action.
  • Your email never trains a model anyone else uses.
  • Our use of Gmail data complies with the Google API Services User Data Policy, including its Limited Use requirements.
  • You can revoke Orchid's access to your Gmail at any time at myaccount.google.com/permissions.

Google Calendar

What does Orchid do with my calendar?

Connected calendars let Orchid help you read meetings, schedule events, send invites, and respond to invitations.

How do you protect my privacy?

  • Orchid requests the minimum Calendar scopes required for the actions you've enabled.
  • Your calendar never trains a model anyone else uses.
  • You can revoke Orchid's access to your Calendar at any time at myaccount.google.com/permissions.

Google Drive

What does Orchid do with my Drive files?

Connected Drive accounts are used so Orchid can read and write files that you authorize Orchid to access, including files Orchid creates as part of a workflow you've enabled.

How do you protect my privacy?

  • Orchid only accesses files you explicitly authorize or files Orchid has created.
  • Your files never train a model anyone else uses.
  • You can revoke Orchid's access to your Drive at any time at myaccount.google.com/permissions.

GitHub

What does Orchid do with my GitHub account?

Connected GitHub accounts are used to read repositories, pull requests, issues, and reviews, and to perform actions like commenting or updating status as you've configured.

How do you protect my privacy?

  • Orchid requests the minimum GitHub scopes required for the actions you've enabled.
  • Your code never trains a model anyone else uses.
  • You can revoke Orchid's access at any time at github.com/settings/applications.

Linear

What does Orchid do with my Linear workspace?

Connected Linear workspaces are used to read and update issues, projects, and team data as you've configured.

How do you protect my privacy?

  • Orchid requests the minimum Linear scopes required for the actions you've enabled.
  • Your project data never trains a model anyone else uses.
  • You can revoke Orchid's access in your Linear workspace settings at any time.

Stripe

What does Orchid do with my Stripe account?

Connected Stripe accounts are used to read customer, subscription, and invoice data so Orchid can surface billing context for your work.

How do you protect my privacy?

  • Orchid requests read-only access to Stripe data unless you've explicitly enabled write actions.
  • We never see or store full payment card numbers. Stripe handles all card data directly.
  • Your billing data never trains a model anyone else uses.
  • You can revoke Orchid's access in your Stripe account settings at any time.

Language models

How does Orchid process my data?

Orchid sends relevant portions of your data to model providers to generate a response for the action you initiated. Nothing more.

How do you protect my privacy?

  • We don't train shared models on your data.
  • We may train your personal model on your data. Only yours. Never anyone else's.
  • Model providers are contractually prohibited from training on your data.
  • Where the provider supports zero-retention or no-training, we enable it.
  • No partner or third party may use your data for any other purpose.
  • Drafts and proposed actions surface for your review before they go out. The audit trail lets you roll back.

Technical information

Email and notifications

Orchid uses your account email for product features like summaries, important account notifications, and transactional notices such as subscription receipts and support replies. You can unsubscribe from non-transactional emails at any time.

Analytics and metrics

The Orchid web and desktop apps collect usage metrics such as feature usage, performance, and error rates, for the sole purpose of improving the product and identifying issues. This telemetry never includes sensitive content like message bodies, file contents, or chat messages. We use PostHog for first-party product analytics and Sentry for error monitoring.

Subscriptions

All payments and credit card information are handled by Stripe. Payment information is never stored on Orchid servers, is only used for your subscription, and is never shared with any third party.

Information usage

We use the information we collect to operate and improve the Service, and to provide customer support.

We do not share personal information with outside parties except to the extent necessary to deliver Orchid's functionality, or as described in this policy.

We may disclose your information in response to subpoenas, court orders, or other legal requirements; to exercise our legal rights or defend against legal claims; to investigate or prevent suspected fraud, abuse, or violations of our policies; or to protect our rights and property.

If Orchid is involved in a merger, acquisition, or sale of assets, user information may be among the transferred assets, and we will notify customers in advance where required by law.

Information isolation

Connected account data, including messages, calendars, files, and issues, is only accessible to the user account that authorized the connection. We enforce this isolation in software so that one user's connected data is never visible to another user.

Subprocessors

We use these vendors to run Orchid. Each is bound by data protection terms no less protective than this policy.

Authentication and sessions

Sign-in is handled through Sign in with Google. We never see or store your Google password. Sessions expire after 30 days of inactivity and require re-authentication. We recommend enabling two-factor authentication on your Google account.

Other

  • If you enable notifications, we store a delivery token to send them. We never use notifications for marketing.
  • We use cookies in the web app to keep you logged in. Our infrastructure may also log basic technical information like your IP address temporarily, for security and reliability.
  • For performance and overload protection, traffic is routed through Cloudflare before it reaches Orchid's servers. Cloudflare has access to basic technical information to perform this role. Cloudflare's privacy policy is at cloudflare.com/privacypolicy.

Security Vulnerability Disclosure

If you believe you've discovered a security or privacy vulnerability that affects Orchid, please report it to us. We welcome reports from everyone, including security researchers, developers, and customers.

You can report a vulnerability by emailing us at [email protected]. In your message, please include:

  • The specific product and version(s) you believe are affected
  • A description of the behavior you observed as well as the behavior you expected
  • A numbered list of steps to reproduce the issue, and a video demonstration if helpful

You'll receive a reply from us to acknowledge the report, and we'll contact you if we need more information.

For the protection of our customers, Orchid does not disclose, discuss, or confirm security issues until our investigation is complete and any necessary updates are generally available.

Accessing, changing, or deleting your information

You may access or change your information, or delete your account, from inside the Orchid app or by emailing [email protected].

When you delete your account:

  • OAuth tokens for connected services are revoked and the integrations are disabled within 72 hours.
  • Your account data is removed from production systems within 30 days.
  • Backup copies are retained for up to 30 days before they are overwritten.
  • Records we are required to retain by law (for example, financial records) are kept only for the period required, then deleted.

Orchid may delete your information at any time for legitimate operational reasons, including technical needs, legal compliance, abuse prevention, removal of idle accounts, or data loss.

Compliance Information

Security practices

Connections to the Service are made over HTTPS. Production access is limited to authorized personnel under the principle of least privilege, and administrative access requires multi-factor authentication. Dependencies are monitored for known vulnerabilities and patched on a continuous basis.

Third-party links and content

The Service may display content from third-party services and APIs you've connected. Those services have their own privacy policies, and we have no responsibility or liability for their content or activities.

California Consumer Privacy Act compliance

We comply with the California Consumer Privacy Act, as amended by the California Privacy Rights Act. We do not sell your personal information and we do not share it for cross-context behavioral advertising.

Children's Online Privacy Protection Act compliance

The Service is not directed to children under 13, and we do not knowingly collect information from anyone we know to be under 13. You must be at least 18 years old to register for an account.

Google API Services User Data Policy compliance

Orchid's use of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements. Specifically, we use Google user data solely to provide user-facing features of Orchid; we do not transfer the data except as needed to provide the Service or comply with applicable law; we do not use the data for advertising; and we do not allow humans to read the data except with your affirmative consent, for security purposes, where required by law, or where the data has been aggregated and anonymized for internal operations.

Information for European Union customers

By using Orchid and providing your information, you authorize us to collect, use, and store your information outside the European Union. Where required by law, we rely on appropriate safeguards for international transfers, including the Standard Contractual Clauses approved by the European Commission.

International transfers of information

Information may be processed, stored, and used outside of the country in which you are located. Data privacy laws vary across jurisdictions, and different laws may apply to your data depending on where it is processed, stored, or used.

Your consent

By using the Service, you consent to this privacy policy.

Changes to this policy

If we change this policy, we'll post the changes on this page and update the "Last updated" date at the top. For material changes, we'll notify customers by email or in the app at least 30 days before the changes take effect.

Summary of changes:

  • May 21, 2026: Clarified that shared models are never trained on your data; your personal model may be, never cross-user. Added per-vendor links to privacy policies and trust/SOC 2 pages.
  • May 20, 2026: Rewrote the policy for clarity. Added explicit no-training commitment, subprocessor list, security vulnerability disclosure process, and detailed retention schedule.
  • January 16, 2026: Initial Orchid privacy policy.

Questions or Concerns

If you have questions or concerns about this policy, please contact us at [email protected].

Orchid is a product of Zero Email, Inc., a Delaware corporation.