Privacy Policy

How Orizone.io collects, uses, and protects your personal data when you use Ori.

Privacy Policy – Orizone.io

Last updated: 2025-12-08

This Privacy Policy explains how Orizone.io ("Orizone", "we", "us") processes personal data when you use:

  • our websites (the "Website"), including any landing or marketing pages, and
  • our productivity and assistant application (the "App"), which includes our virtual assistant called "Ori" (the "Assistant"),

together referred to as the Services.

If there is any discrepancy between the English and French versions of this Privacy Policy, the French version will prevail for EU/EEA users.


1. Data Controller and Contact

Unless otherwise indicated in a specific contract or regional notice, the data controller is:

Orizone.io

Address: 60 rue François 1er, 75008 Paris, France

Email: privacy@orizone.io

If we appoint a Data Protection Officer (DPO), we will update this section accordingly.

You can contact us for any question about this policy or to exercise your data protection rights (see section 9).


2. What Data We Collect

We collect the following categories of personal data.

2.1 Data you provide directly

  • Account data: name, email address, password or authentication tokens (through our identity provider), language and time zone, and any account preferences.
  • Profile and settings: notification preferences, assistant behavior preferences, and other configuration options.
  • Content in the App: tasks, projects, goals, notes, labels/tags, comments, attachments you upload, and any text or voice prompts you send to the Assistant in the App.
  • Support and communication: content of emails or messages you send us, feedback you share, and any other information you provide through forms, surveys, or chats on the Website or in the App.

2.2 Data from connected services

If you choose to connect the App to third-party services (for example Google Workspace):

  • Gmail: subject, sender, recipients, timestamps, labels, and email body of messages that the Assistant needs to analyse to detect tasks, decisions, or information relevant to your productivity flows.
  • Google Calendar: event titles, descriptions, participants, times, reminders, and other metadata needed to help you plan and prioritise your work.
  • Other integrations (if/when enabled): data strictly necessary to provide the integration’s features (e.g. other task managers, storage services).

You can revoke such access at any time via the third-party provider’s settings (e.g. Google Account > Security > Third-party access).

2.3 Data collected automatically

When you use our Services, we automatically collect:

  • Usage and log data: IP address, browser type and version, operating system, device information, pages viewed, actions performed in the App, date and time of requests, and error logs.
  • Cookies and similar technologies: identifiers that allow us to maintain your session, remember your preferences, and (subject to your consent) measure audience and improve the product. See section 5.

2.4 Billing and payment data

If you subscribe to a paid plan:

  • We receive limited billing information (e.g. billing name, email, country, last four digits of the card, expiry date) from our payment provider.
  • Full payment card details are processed directly by our payment provider and are not stored by us.

3. For What Purposes and On What Legal Bases?

Under the GDPR, we must identify the legal bases on which we process your personal data.

3.1 Providing and maintaining the Services

  • Purposes: create and manage your account, authenticate you, provide core functionality (tasks, projects, planning, inbox review, assistant responses), ensure availability and security of the Services.
  • Legal basis: performance of a contract (Article 6(1)(b) GDPR).

3.2 Connecting to third-party services

  • Purposes: access and process data from Gmail, Google Calendar or other services you choose to connect, in order to extract tasks, propose actions, and build your productivity workspace.
  • Legal basis: performance of a contract (providing the requested feature) and your consent when you authorise the integration via OAuth or similar mechanisms (Article 6(1)(a) and (b) GDPR).

3.3 AI-powered assistance and automation

  • Purposes: analyse content (emails, tasks, notes, events) to detect tasks, classify them, summarise information, draft responses, propose priorities, and generally provide the assistant features of the App.
  • Legal basis: our legitimate interest in providing a smart productivity assistant and improving the Services, balanced against your rights and expectations (Article 6(1)(f) GDPR), and where required, your consent (Article 6(1)(a) GDPR).

3.4 Communication and support

  • Purposes: respond to your requests, send important service information (e.g. security alerts, changes in terms), manage your support tickets.
  • Legal basis: performance of a contract and our legitimate interest in ensuring good customer support (Articles 6(1)(b) and 6(1)(f) GDPR).

3.5 Analytics, product improvement, and marketing

  • Purposes: understand how the Services are used, improve user experience, prioritise features, and (if you opt in) send you product news and tips.
  • Legal basis: our legitimate interests (Article 6(1)(f) GDPR) and, where required for non-essential cookies and email marketing, your consent (Article 6(1)(a) GDPR).

3.6 Compliance and legal obligations

  • Purposes: comply with our legal obligations (e.g. accounting, tax), respond to lawful requests from authorities, prevent fraud or abuse.
  • Legal basis: compliance with legal obligations (Article 6(1)(c) GDPR) and our legitimate interests in protecting our rights (Article 6(1)(f) GDPR).

4. Use of AI and External Providers

To provide the Assistant’s AI capabilities within the App, Orizone uses third-party AI providers (such as OpenAI) acting as data processors on our behalf.

  • We may send parts of your content (tasks, notes, email excerpts, calendar information, and prompts) to these providers to generate suggestions, summaries, classifications, and responses.
  • According to these providers’ public documentation, API inputs and outputs may be retained for a limited period to provide the services and detect abuse, and are not used to train models or improve services unless you are on specific opt-in programmes.
  • We implement data-minimisation: only the content necessary to perform the requested operation is sent, and where possible we limit or pseudonymise personal identifiers.

We maintain written data processing agreements with these providers to ensure appropriate confidentiality, security, and GDPR-compatible safeguards.


5. Cookies and Similar Technologies

We use cookies and similar technologies on the Website and the App:

  • Strictly necessary cookies: required for the functioning of the Services (session cookies, security, load balancing). These do not require consent under ePrivacy rules.
  • Preference cookies: to remember your choices (language, theme).
  • Analytics and performance cookies: to measure usage and improve our Services.
  • Marketing cookies (if any): to measure campaigns on the landing page.

When required by law, we obtain your consent before placing non-essential cookies and provide you with a way to change your choices at any time through a cookie banner or settings page.

You can configure your browser to block or delete cookies; however, some features of the Services may not function properly without them.


6. How We Share Your Data

We do not sell your personal data.

We may share your data with:

  • Service providers and processors: hosting providers, database/storage providers, authentication and identity providers, email and notification providers, analytics tools, payment service providers, AI/LLM providers, and customer support tools. They may only process data on our instructions and under appropriate confidentiality and security obligations.
  • Connected services: when you act on suggestions from the Assistant (e.g. sending an email draft, creating a calendar event), data is processed by the third-party services (such as Google) under their own terms and privacy policies.
  • Professional advisers and legal authorities: if necessary to comply with legal obligations, respond to lawful requests, protect our rights or those of users.
  • Business transfers: in the event of a reorganisation, merger, acquisition, or sale of all or part of our assets, your data may be transferred as part of the transaction, subject to similar safeguards.

7. International Data Transfers

Some of our service providers may be located outside the European Economic Area (EEA), including in countries that may not provide a level of data protection equivalent to the GDPR (for example, the United States).

When we transfer personal data outside the EEA, we implement appropriate safeguards, such as:

  • the use of standard contractual clauses (SCCs) adopted by the European Commission, and/or
  • relying on adequacy decisions where applicable.

You can obtain more information about these safeguards by contacting us.


8. Data Retention

We keep your personal data only for as long as necessary for the purposes described in this policy, and to comply with our legal obligations. In particular:

  • Account and App data: retained for the duration of your account’s existence. If you close your account, we will delete or anonymise your data within a reasonable period, except where we must retain certain data for legal, accounting, or security purposes.
  • Data from connected services: stored as long as the integration remains active and needed to provide the related features. If you disconnect an integration, we stop collecting new data and will progressively delete or anonymise existing related data, subject to legal obligations.
  • Logs and security data: typically retained for up to 12–18 months, unless longer retention is justified to investigate incidents.
  • Billing and legal data: retained for the periods required by applicable law.

We may store anonymised or aggregated data that does not identify you, for statistical and product improvement purposes.


9. Your Rights

Under the GDPR, you have several rights regarding your personal data.

Subject to conditions and limitations in the law, you may:

  • Access your personal data and obtain a copy.
  • Rectify inaccurate or incomplete data.
  • Erase your data ("right to be forgotten").
  • Restrict the processing of your data.
  • Object to the processing of your data on grounds relating to your particular situation, especially where we rely on legitimate interests.
  • Withdraw your consent at any time, when processing is based on consent (this does not affect prior processing).
  • Data portability: receive data you provided in a structured, commonly used and machine-readable format and transmit it to another controller.
  • Define post-mortem instructions on the fate of your data, where applicable.

You also have the right to lodge a complaint with your local supervisory authority. In France, this is the CNIL (Commission Nationale de l’Informatique et des Libertés): www.cnil.fr.

To exercise your rights, please contact us at privacy@orizone.io. We may ask you for additional information to confirm your identity.


10. Security

We implement appropriate technical and organisational measures to protect personal data against unauthorised access, alteration, disclosure, or destruction, taking into account the state of the art, implementation costs, the nature of the data, and the risks.

These measures may include, among others:

  • encryption in transit (HTTPS/TLS) and, where appropriate, at rest;
  • strict access controls and authentication on our systems;
  • least-privilege access for our teams and processors;
  • logging and monitoring of critical operations;
  • regular backups and recovery procedures.

No system is perfectly secure, but we strive to maintain a high level of protection and to respond promptly in case of incident.


11. Children

The Services are not directed at children under 16, and we do not knowingly collect personal data from them. If you believe that a child has provided us with personal data, please contact us so that we can delete it or obtain parental consent where required.


12. Third-Party Websites and Services

The Services may contain links to other websites, services, or applications. We are not responsible for the privacy practices of these third parties. We encourage you to read their privacy policies.


13. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. We will post the updated version on the Website and indicate the date of the latest revision. If changes are material, we will notify you through the App or by email, where appropriate.

Your continued use of the Services after the updated policy becomes effective constitutes acceptance of the changes.