Privacy policy
Last updated: May 27, 2026. Boilerplate placeholder. Replace with the version reviewed by counsel before signing customers.
What we collect
Metadata only on our infrastructure: install identifiers, software version, OS family, count of tenants (no names), connection timing. We do not see workflow contents, command bodies, output, or any tenant data — these are end-to-end encrypted between the operator and their own agents.
What you collect
On your operator laptop and on your managed servers, you collect and process whatever data your workflows touch. We are not a data processor for that data; you are. Our DPA describes the edge cases.
Cookies
On orchhq.com we use no third-party trackers. The application uses first-party session cookies for portal authentication; no marketing cookies, no fingerprinting.
Data subject rights
You can request export or deletion of your account metadata at privacy@orchhq.com. We respond within 30 days; usually within 2 business days.
Subprocessors
Today: Cloudflare (DNS), Vultr (compute, object storage), Resend (transactional email), Stripe (invoicing). All EU-region where available. We notify customers before adding new subprocessors.
Contact
privacy@orchhq.com · GTM Development Johansen · Tromsø, Norway · Org. 937103794.