Orisu

Privacy Policy

Last updated: June 24, 2026

1. Overview

This Privacy Policy explains how Orisu (“Orisu,” “we,” “us”) collects, uses, shares, and protects personal data when you use our AI creative-workflow platform (“the Service”). Orisu lets you build node-based workflows that generate images, video, audio, and text, then review and share the results. We serve a global audience, and this policy is written to address the requirements of the EU/UK General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA), among others.

2. Data We Collect

Account information: Your name, email address, password credentials (stored hashed), and organization membership. Authentication is handled by Better Auth.

OAuth profile data: If you sign in with Google, we receive basic profile information (name, email, profile image) from Google to create and identify your account.

Workspace content: The node graphs, workflows, prompts, configuration, uploaded files, and other content you create or import into Orisu.

Generated assets: The images, video, audio, and text produced by your workflows, stored so you can review, edit, and share them.

Usage and analytics data: Product interaction events, device and browser information, and approximate location derived from IP. Analytics are collected via PostHog and are gated behind your consent (see Section 6).

Payment information: Billing is processed by Polar. We do not store full card numbers; we retain transaction metadata (plan, amount, status) needed to manage your subscription and credits.

Communications: Messages you send us (e.g. support requests) and records of transactional emails we send you.

3. How We Use Your Data & Legal Bases

To provide the Service (contract): Creating and securing your account, running your workflows, generating and storing assets, processing payments and credits, and providing customer support. This processing is necessary to perform our contract with you.

To operate and improve the Service (legitimate interest): Maintaining reliability and security, preventing abuse and fraud, debugging, and understanding aggregate usage to improve features. We balance these interests against your rights and freedoms.

Product analytics (consent): Optional analytics that help us understand how Orisu is used. We process this data only where you have given consent, and you may withdraw consent at any time.

Legal compliance: Where we are required to retain or disclose data to comply with applicable law.

4. Who We Share Data With

We share data with third-party processors only as needed to operate the Service. Each processor receives the minimum data required for its function and is bound by its own data-protection obligations.

  • Polar — payment processing, subscriptions, and credit purchases.
  • FAL.ai — running image, video, and audio generation models on the prompts and inputs in your workflows.
  • Anthropic and OpenRouter — large language model inference for text generation and the in-product copilot.
  • ElevenLabs — voice and audio generation, transcription, and voice features.
  • PostHog — product analytics (consent-gated; see Section 6).
  • Resend — sending transactional email (e.g. sign-in, verification, account notices).
  • Cloudflare R2 — object storage for uploaded and generated files; Cloudflare Workers — brand extraction / scraping.
  • Railway — hosting and managed database infrastructure.
  • Inngest — orchestrating background and long-running jobs.
  • Apify — social/web scrapers used by certain source nodes.
  • Composio and Google — Google Drive integration (import/export) and Google OAuth sign-in.

We do not sell your personal data. We may disclose data if required by law or to protect the rights, safety, or property of Orisu, our users, or the public.

5. AI Model Providers & Your Content

When you run a workflow, the prompts, inputs, and uploaded media required for that step are transmitted to the relevant AI provider (e.g. FAL.ai, Anthropic, OpenRouter, ElevenLabs) to produce the output. Your use of generated content is also subject to those providers’ terms. We do not use your private workspace content to train our own models.

6. Cookies & Analytics

We use cookies and similar technologies that are strictly necessary to run the Service (e.g. keeping you signed in via Better Auth). We also use PostHog for product analytics, which is consent-gated and opt-in — analytics cookies and tracking are only set after you accept. You can change your choice at any time. For full detail, see our Cookie Policy.

7. Data Retention

We retain your account and workspace data for as long as your account is active and as needed to provide the Service. Generated assets and run history are retained until you delete them or close your account. We may retain limited data after account closure where required to comply with legal, tax, accounting, or fraud- prevention obligations, after which it is deleted or anonymized. Analytics data is retained in aggregate or pseudonymized form according to our analytics provider’s retention settings.

8. International Transfers

Orisu and its processors operate in multiple countries, including the United States. When we transfer personal data outside your country or region (such as from the EU/UK), we rely on appropriate safeguards, such as the European Commission’s Standard Contractual Clauses, to protect your data.

9. Your Rights

Depending on where you live, you have rights over your personal data, including the right to access the data we hold about you, rectify inaccurate data, erase your data, obtain a portable copy, and object to or restrict certain processing. You also have the right to withdraw consent for analytics at any time, and to lodge a complaint with your local data- protection authority.

Erasure and data export: Self-serve deletion and export are not yet available in-app. To request erasure of your data or a portable copy of it, email privacy@orisu.ai. We will verify your identity and action your request within 30 days.

10. Security

We use industry-standard measures to protect your data, including encryption in transit, access controls, and trusted infrastructure providers. No method of transmission or storage is completely secure, but we work to protect your data and to notify you of material breaches as required by law.

11. Children’s Privacy

Orisu is not directed to children under 16, and we do not knowingly collect personal data from them. If you believe a child has provided us personal data, contact us and we will delete it.

12. Changes to This Policy

We may update this Privacy Policy from time to time. When we make material changes, we will notify you via email or a prominent notice within the Service. The “Last updated” date above reflects the most recent revision.

13. Contact

Questions about this Privacy Policy or your data? Contact us at privacy@orisu.ai.