Privacy Policy

We collect three kinds of data:

• Account data — email address, display name, avatar color, and authentication state. Supplied by you at signup.
• Usage data — which prompts and workflows you run, which models you use, token counts, latency, and estimated cost. Used to compute your rankings, show trending, and display your own dashboards.
• Encrypted API keys — your BYOK provider keys, stored with AES-256-GCM. Decrypted in memory only during outbound provider calls, never written to logs.

We do not store the content of your prompt bodies or model outputs for BYOK traffic. We retain the rendered prompt briefly during execution, then drop it.

We use your data to:

• Route your requests to the provider you selected
• Compute usage-weighted prompt rankings
• Surface analytics (runs, tokens, cost) inside your own dashboards
• Detect abuse or credential compromise and alert you
• Respond to support requests you initiate

We do not sell your data. We do not use your prompts or outputs to train our own models. We never will.

We retain each class of data only as long as we need it:

• Account data — kept for the lifetime of your account. Deleted permanently 30 days after you request deletion (the grace window lets you reverse an accidental request by signing in again).
• Run history — timestamp, model, token counts, and cost, kept for 365 daysthen purged. Individual run content (your prompt body, the model's response) is dropped immediately after execution for BYOK traffic.
• Audit log — authentication, role, and payment events are kept for 1 year to support security investigations and legal requests, then purged.
• Password-reset tokens — deleted within 24 hours of issue whether used or not.
• Stripe payment records — retained as required by Stripe and applicable tax law (typically 7 years). We store the minimum fields needed to reconcile receipts with your account.
• Server logs & error reports (Sentry) — retained for 30 days, then aggregated or deleted. IP addresses are truncated to the /24 level after 7 days.

Deletion is automated via a daily retention sweep. Anonymized aggregate statistics (e.g. "prompts run this month") may persist indefinitely — they contain no personal data.

Under GDPR, CCPA, and similar frameworks, you have the right to:

• Access — request a copy of the data we hold about you
• Correct — update inaccurate personal data
• Delete — request full erasure of your account and data
• Export — download your prompts, workflows, and run history in JSON
• Object — opt out of specific processing you don't consent to

You can exercise access, export, and deletion rights directly from Settings → Privacy & data — no email required. For correction, objection, or anything else, email privacy@oort.dev. We respond within 30 days.

We use two categories of cookies:

• Strictly necessary — a single session cookie (oort_session) that keeps you signed in, plus a preference cookie recording your consent choice. These are exempt from consent requirements under ePrivacy.
• Optional — product analytics — PostHog, for measuring which features people use. Only loaded after you click Accept all in the cookie banner. You can withdraw consent at any time by clearing your browser storage for this site.

No advertising cookies. No cross-site tracking pixels. No third-party data brokers. That's the entire list. For a per-cookie breakdown, see our Cookies notice.

When you run a prompt or workflow, your request is forwarded to the model provider you selected (Anthropic, OpenAI, etc.). That provider processes the request under its own privacy policy, using your API key. We recommend reading the privacy policy of whichever provider you route to.

We use the following infrastructure partners: Supabase (Postgres, auth), Cloudflare (CDN, DDoS), Stripe (payments), Sentry (error monitoring). Each is bound by a data processing agreement.

Oort is not for anyone under 18. If we discover a minor has created an account, we'll delete it promptly.

We'll post material changes at least 30 days before they take effect, via email and in-product notification.

Privacy questions, data requests, and complaints go to privacy@oort.dev. EU residents also have the right to lodge a complaint with their local data-protection authority.