Privacy Policy

Last updated: 10 March 2026

This Privacy Policy describes how Orgvatar ("we", "us", or "our") collects, uses, and protects personal data when you use the Orgvatar platform at orgvatar.ai and related services. We are committed to protecting your privacy and handling your data in accordance with the General Data Protection Regulation (GDPR), the California Consumer Privacy Act (CCPA), and equivalent applicable data protection laws.

1. Data Controller

Orgvatar is the data controller responsible for your personal data. For all data protection enquiries, contact our Data Protection Officer at [email protected].

2. What Personal Data We Collect

We collect the following categories of personal data:

Account Data: Name, email address, and authentication credentials provided when you create an account via Manus OAuth or direct registration.

Startup Profile Data: Company name, industry, business stage, team size, runway, and other information you provide during onboarding to personalise your V-Avatar consultations.

Enrichment Data: LinkedIn profile URLs and company website content that you optionally provide to help Ava personalise your consultation. Website content is scraped at the time of submission and stored to provide context to your V-Avatars.

Consultation Data: The full text of your conversations with V-Avatars, stage outputs, confidence scores, and generated documents (e.g., role specifications, financial models, legal agreements).

Org Blueprint Data: Your Virtual Organisation Blueprint, including recommended avatar configurations, job scopes, and ROI analysis generated by Ava.

Tool Credentials: API keys and OAuth tokens for third-party tools (e.g., Xero, GitHub, HubSpot) that you connect to enable V-Avatar execution. These are encrypted before storage.

Execution Log Data: Records of actions taken by V-Avatars in connected tools on your behalf, including timestamps, action types, and outcomes.

Payment Data: Subscription tier, Stripe customer ID, and invoice records. We do not store full card numbers, CVV codes, or card expiration dates; these are handled exclusively by Stripe.

Usage Analytics: Anonymised data about how you use the platform, including page views, feature interactions, and session duration.

3. Legal Basis for Processing

We process your personal data on the following legal bases:

Contract Performance (Article 6(1)(b) GDPR): Processing necessary to deliver the Orgvatar service you have subscribed to, including running V-Avatar consultations, generating blueprints, and executing actions in connected tools.

Legitimate Interests (Article 6(1)(f) GDPR): Processing for fraud prevention, security monitoring, and product improvement, where our legitimate interests are not overridden by your rights.

Legal Obligation (Article 6(1)(c) GDPR): Processing required to comply with financial regulations, tax obligations, and applicable law.

Consent (Article 6(1)(a) GDPR): Where we rely on consent (e.g., for marketing communications), you may withdraw consent at any time without affecting the lawfulness of prior processing.

4. How We Use Your Data

We use your personal data exclusively for the following purposes:

- Delivering and personalising the Orgvatar consultation experience
- Configuring and deploying your Virtual Organisation Blueprint
- Enabling V-Avatars to take actions in connected tools on your behalf
- Processing subscription payments and managing your account
- Providing customer support and responding to enquiries
- Improving the platform through anonymised usage analytics
- Complying with legal obligations and enforcing our Terms of Service

We do not use your data to train AI models without your explicit consent. We do not sell your data to third parties. We do not use your data for advertising purposes.

5. Data Sharing and Third Parties

We share your data with third parties only in the following circumstances:

Service Providers: We use the following sub-processors to deliver our service: Manus (authentication and hosting infrastructure), Stripe (payment processing), Amazon Web Services (encrypted file storage), and TiDB (database hosting). All sub-processors are bound by data processing agreements and may not use your data for any purpose other than providing services to Orgvatar.

Connected Tools: When you connect third-party tools (e.g., Xero, GitHub, HubSpot) and authorise V-Avatars to act on your behalf, we transmit the minimum necessary data to those tools to execute the requested actions. You control which tools are connected and can revoke access at any time.

Legal Requirements: We may disclose your data if required to do so by law, court order, or governmental authority, or if we believe in good faith that disclosure is necessary to protect the rights, property, or safety of Orgvatar, our users, or the public.

Business Transfers: In the event of a merger, acquisition, or sale of assets, your data may be transferred to the acquiring entity, subject to the same privacy protections described in this policy.

6. Data Retention

We retain your personal data for as long as your account is active or as necessary to provide the service. Specific retention periods are:

- Account and startup profile data: Until account deletion
- Consultation and blueprint data: Until account deletion
- Tool credentials: Until credential removal or account deletion
- Execution log data: 90 days rolling, then permanently deleted
- Payment records: 7 years as required by financial regulations
- Anonymised usage analytics: 24 months

When you delete your account, we permanently delete all personal data associated with your account within 30 days, except where retention is required by law.

7. Data Security

We implement the following technical and organisational security measures:

- AES-256 encryption for all data at rest, including tool credentials and consultation transcripts
- TLS 1.3 encryption for all data in transit
- Signed JWT session tokens with short expiry windows, rotated on every login
- Cryptographically signed approval tokens for high-risk V-Avatar actions
- Immutable execution logs that cannot be modified or deleted
- Encrypted S3 storage for generated documents with access-controlled signed URLs
- Regular security reviews and penetration testing

Despite these measures, no system is completely secure. If you believe your account has been compromised, contact us immediately at [email protected].

8. Your Rights

Under GDPR and equivalent laws, you have the following rights:

Right of Access: Request a copy of all personal data we hold about you.

Right to Rectification: Request correction of inaccurate or incomplete personal data.

Right to Erasure ("Right to be Forgotten"): Request deletion of your account and all associated personal data.

Right to Portability: Receive your personal data in a structured, machine-readable format (JSON or CSV).

Right to Restrict Processing: Request that we limit processing of your data while a dispute is resolved.

Right to Object: Object to processing of your data for legitimate interests or direct marketing.

Right to Withdraw Consent: Where processing is based on consent, withdraw consent at any time.

To exercise any of these rights, contact [email protected]. We will respond within 30 days. If you are dissatisfied with our response, you have the right to lodge a complaint with your local data protection authority.

9. Cookies

Orgvatar uses the following cookies:

Essential Cookies: Session authentication cookies necessary for the platform to function. These cannot be disabled.

Analytics Cookies: Anonymised usage tracking to improve the platform. You may opt out of analytics cookies via your account settings.

We do not use advertising cookies or share cookie data with advertising networks.

10. International Data Transfers

Orgvatar operates globally. Your data may be processed in countries outside your country of residence, including the United States and Singapore. Where data is transferred outside the European Economic Area, we ensure appropriate safeguards are in place, including Standard Contractual Clauses approved by the European Commission.

11. Children's Privacy

Orgvatar is not directed at individuals under the age of 18. We do not knowingly collect personal data from children. If you believe a child has provided personal data to us, contact [email protected] and we will delete it promptly.

12. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by email or via a prominent notice on the platform at least 30 days before the changes take effect. Your continued use of the platform after the effective date constitutes acceptance of the updated policy.

13. Contact

For all privacy-related enquiries, contact our Data Protection Officer:

Email: [email protected]
Address: Orgvatar, c/o Data Protection Officer, [Registered Address]

For general enquiries: [email protected]