We handle your startup's most sensitive information -- financial data, legal documents, team credentials. Here is exactly what we collect, why we collect it, and how we protect it.
Six commitments we make to every founder who trusts us with their organisation's data.
Privacy is not a compliance checkbox at Orgvatar -- it is an architectural principle. Every feature is designed with data minimisation and purpose limitation as first-order constraints, not afterthoughts.
All startup data, consultation transcripts, and tool credentials are encrypted at rest using AES-256. All data in transit uses TLS 1.3. Credential vault secrets are encrypted before storage and never logged.
Your startup's data -- consultation history, org blueprints, tool credentials, and documents -- belongs to you. We do not sell it, share it with third parties, or use it to train models without explicit consent.
We collect only what is necessary to deliver the service. Enrichment data (LinkedIn profiles, website content) is used solely to personalise your V-Avatar consultations and is never shared externally.
You can request deletion of your account and all associated data at any time. Deletion is permanent and irreversible. We retain anonymised, aggregated usage statistics that cannot be linked back to you.
Every action taken by a V-Avatar on your behalf is logged in an immutable execution log. You have full visibility into what your virtual team has done, when, and why.
The table below is a complete inventory of every category of data Orgvatar collects, the purpose for which it is collected, and how long we retain it. There are no hidden data practices.
| Category | What We Collect | Why | Retention |
|---|---|---|---|
| Account Data | Name, email address, OAuth identity | Authentication and account management | Until account deletion |
| Startup Profile | Company name, industry, stage, team size, runway | Personalising V-Avatar consultations | Until account deletion |
| Enrichment Data | LinkedIn profiles, company website content (scraped) | Pre-populating Ava's consultation context | Until account deletion or manual removal |
| Consultation Data | Chat transcripts, stage outputs, confidence scores | Delivering and improving the consultation experience | Until account deletion |
| Org Blueprint | Recommended avatar team, job scopes, ROI analysis | Deploying and configuring your virtual organisation | Until account deletion |
| Tool Credentials | API keys and OAuth tokens for connected tools (e.g., Xero, GitHub) | Enabling V-Avatars to take actions in connected systems | Until credential is removed or account deleted |
| Execution Log | Records of actions taken by V-Avatars in connected tools | Audit trail and founder accountability | 90 days rolling, then anonymised |
| Payment Data | Subscription tier, Stripe customer ID (no card numbers) | Billing and plan management | As required by financial regulations (7 years) |
| Usage Analytics | Page views, feature usage, session duration (anonymised) | Product improvement | 24 months, anonymised |
Orgvatar is built on a security-first architecture. The following controls are in place for every production deployment.
Tool credentials (API keys, OAuth tokens) are encrypted with AES-256 before storage. Keys are never logged or transmitted in plaintext.
All data between your browser and Orgvatar's servers is encrypted using TLS 1.3. HTTP connections are automatically redirected to HTTPS.
Authentication sessions use signed JWT tokens with short expiry windows. Tokens are rotated on every login and invalidated on logout.
High-risk actions (payroll runs, infrastructure changes, payment links) require explicit founder approval via a cryptographically signed email token before execution.
Every action taken by a V-Avatar is written to an append-only execution log. Records cannot be modified or deleted by any user.
Generated documents (employment agreements, financial models, pitch decks) are stored in encrypted S3 buckets with access controlled by signed URLs.
Under GDPR, CCPA, and equivalent data protection laws, you have the following rights with respect to your personal data held by Orgvatar. To exercise any of these rights, contact us at [email protected].
Request a complete export of all personal data we hold about you.
Request correction of inaccurate or incomplete personal data.
Request deletion of your account and all associated data.
Receive your data in a structured, machine-readable format.
Request that we limit how we use your data while a dispute is resolved.
Object to processing of your data for direct marketing or profiling purposes.
Our Data Protection Officer is available at [email protected]. For the full legal text, read our Privacy Policy.