Scope

This policy applies to Orpheus websites, product interfaces, invite-only accounts, spawned client platforms, support interactions, billing operations, and connected workflows that reference or route through Orpheus-operated infrastructure.

Some spawned platforms are branded and operated for specific customers. In those environments, Orpheus provides the platform layer and related infrastructure, while the customer operating that spawned platform may separately control the end-user, client, or business data collected inside that environment.

Information We Collect

We collect information directly from you, from workspace and tenant administrators, from connected providers, and automatically from your use of the service.

• Account and identity data, including name, email address, login identifiers, invite records, membership status, role assignments, and profile settings.
• Tenant, workspace, team, and operational data, including tenant records, workspace configuration, navigation settings, permissions, branding settings, content, communications, events, and audit-related activity.
• Billing and commercial data, including billing email, billing identifiers, payment terms, contract metadata, subscription status, invoices, usage signals, and storefront or Stripe Connect account details.
• Integration and provider data, including OAuth connection state, selected channels or workspaces, provider account labels, provider metadata, tokens or token references, and configuration needed to connect services such as Supabase, Vercel, Stripe, Slack, Resend, Webflow, Instagram, or similar customer-chosen integrations.
• Request-access and onboarding submissions, including email address, website, company or business description, goals, country, referral context, and related qualification details.
• Support, admin, and communications data, including emails, notifications, platform admin invite status, support requests, approval decisions, and troubleshooting records.
• Agent and automation interaction data, including prompts, tool context, approval state, run summaries, failure messages, and records needed to operate approval-gated or assisted workflows.
• Technical and device data, including IP address, user agent, referrer, page URL, locale, time zone, viewport details, session and auth cookies, browser storage, offline sync state, and related diagnostic metadata.
• Analytics and telemetry data, including Google Tag Manager-derived measurement where enabled, Vercel Speed Insights, operational event records, and service health or performance signals.

How We Use Information

• Provide, host, secure, and improve Orpheus and spawned platform environments.
• Authenticate users, enforce tenant and workspace access controls, and manage invitations, memberships, and approvals.
• Provision and operate customer infrastructure, custom domains, and connected provider workflows.
• Process billing, subscriptions, payment-related administration, and account standing workflows.
• Operate AI-assisted and agent-driven features, including review, approval, safety, and audit controls.
• Respond to support requests, communicate about the service, and administer customer relationships.
• Monitor performance, investigate incidents, prevent abuse, and maintain platform reliability and security.
• Analyze product usage, referral context, and conversion activity for service improvement and business operations.

Spawned Platforms and Customer-Controlled Data

Orpheus supports customer-branded spawned platforms. In this shared model, Orpheus remains responsible for operating the core platform, control plane, provisioning, hosting relationships, and certain shared service functions.

The customer operating a spawned platform may independently determine what data it collects from its own end users, clients, leads, or members; what notices it presents; which integrations it enables; and how it uses the data within that branded environment.

If you interact directly with a customer-branded spawned platform, the customer operating that environment may have separate terms, privacy notices, or instructions that also apply to your use of that platform.

How We Share Information

We share information only as reasonably necessary to operate the service, comply with law, protect rights and security, or complete customer-directed workflows.

• Infrastructure and hosting providers, including Supabase and Vercel.
• Analytics and measurement providers, including Google Tag Manager where enabled and Vercel Speed Insights.
• Payment and billing providers, including Stripe and Stripe Connect-related services.
• Messaging and communications providers, including Resend, Slack, and customer-selected notification destinations.
• Customer-authorized integrations and external providers connected through Orpheus workflows, such as Supabase, Webflow, Instagram, Reflag, or similar services.
• Professional advisors, auditors, insurers, and counterparties in connection with corporate transactions or legal obligations.
• Regulators, courts, law enforcement, or other third parties when required by law or when necessary to investigate fraud, abuse, security incidents, or misuse.

Cookies, Browser Storage, and Telemetry

Orpheus uses cookies and similar technologies for authentication, session continuity, security, and tenant-aware runtime behavior. We also use browser storage and offline state where product features require local persistence, synchronization, or recovery.

We do not add a separate cookie consent mechanism in this release. This page is intended to disclose the current analytics, telemetry, and session behavior already present in the product.

Retention

We retain information for as long as reasonably necessary to provide the service, maintain customer environments, satisfy billing and operational requirements, preserve security and audit records, resolve disputes, and comply with legal obligations.

Retention periods may vary based on the type of record, the customer relationship, the operational role of a spawned platform, and whether the information is needed for active accounts, support, fraud prevention, or compliance.

Security

We use administrative, technical, and organizational safeguards designed to protect information against unauthorized access, loss, misuse, or alteration. These measures include role-based controls, approval workflows for higher-risk actions, provider-specific credentials handling, and infrastructure-level protections.

No system is completely secure, and we cannot guarantee absolute security.

International Transfers

Orpheus and its service providers may process or store information in jurisdictions outside your province, state, or country. By using the service, you understand that information may be transferred to and processed in other jurisdictions, subject to applicable safeguards and legal requirements.

Your Rights and Choices

• You may request access to, correction of, or deletion of personal information we control, subject to legal and contractual limits.
• You may ask to update account, profile, or billing details through your account administrator or by contacting us.
• If you interact with a customer-branded spawned platform, some requests may need to be directed to the customer operating that environment.
• You can limit certain analytics or browser-side behaviors using your browser or device controls, though some authentication and security functions are required for the service to operate.

Children

Orpheus is not directed to children under 16, and we do not knowingly collect personal information from children under 16 for general consumer use. If you believe a child has provided personal information to us, contact us and we will review the request.

Changes and Contact

We may update this Privacy Policy from time to time to reflect changes to the service, connected providers, legal requirements, or operational practices. The updated version will be posted with a revised effective date.

If you have questions or requests about this Privacy Policy, contact Orishnal Digital at hello@orpheus.build.