Privacy Policy
Last updated: February 2026
1. Introduction
Oris AI ("we," "us," or "our") is committed to protecting the privacy and personal data of our users, customers, and the end users who interact with our platform. This Privacy Policy explains how we collect, use, store, share, and protect personal data in connection with our AI customer experience platform and related services (the "Services"). This policy applies to all individuals whose data we process, including our enterprise customers ("Customers"), their employees who use our dashboard, and the end consumers ("End Users") who communicate with our AI agents through WhatsApp, voice, web chat, or other supported channels.
We process personal data in compliance with UAE Federal Decree-Law No. 45 of 2021 on the Protection of Personal Data (the "PDPL"), its implementing regulations, and where applicable, the DIFC Data Protection Law No. 5 of 2020. Where we process data of individuals located in the European Economic Area, we also comply with the General Data Protection Regulation (EU) 2016/679 ("GDPR").
2. Data Controller and Data Processor Roles
When our Customers use the Services to interact with their End Users, the Customer acts as the Data Controller, determining the purposes and means of processing End User personal data. Oris AI acts as the Data Processor, processing End User data on behalf of and under the instructions of the Customer. For data relating to our Customers' own accounts (such as billing information, account credentials, and usage analytics), Oris AI acts as the Data Controller.
3. Personal Data We Collect
We collect and process the following categories of personal data:
Account Data. When you register for the Services, we collect your name, email address, company name, job title, phone number, and billing information. This data is necessary for the performance of our contract with you.
Conversation Data. When End Users communicate through our platform, we process the content of messages, phone numbers, WhatsApp identifiers, timestamps, language preferences, and conversation metadata. This data is processed on behalf of our Customers to deliver the Services.
Knowledge Base Data. Customers may upload documents, FAQs, product catalogs, and other content to train their AI agents. This content may contain personal data, which we process solely to provide the retrieval-augmented generation (RAG) functionality.
Usage and Analytics Data. We automatically collect information about how you interact with the Services, including IP addresses, browser type, device information, pages visited, features used, and performance metrics. We use this data to maintain and improve the Services.
Voice Data. When End Users interact with our voice channel, we process audio recordings and transcriptions for the purpose of generating AI responses. Voice data is processed in real time and retained only as necessary to complete the interaction and maintain conversation records.
4. Legal Basis for Processing
In accordance with Article 5 of the PDPL, we process personal data based on the following lawful grounds:
- Contractual necessity: Processing Account Data and Conversation Data is necessary for the performance of our contract with Customers to deliver the Services.
- Legitimate interest: Processing Usage and Analytics Data is necessary for our legitimate interests in maintaining, securing, and improving the Services, provided such interests are not overridden by the data subject's rights.
- Consent: Where required by applicable law, we obtain consent from data subjects before processing their personal data, particularly for marketing communications and the use of non-essential cookies.
- Legal obligation: We may process personal data to comply with applicable legal obligations under UAE law, including record-keeping requirements and law enforcement requests.
5. How We Use Personal Data
We use personal data for the following purposes: to provide, operate, and maintain the Services; to process and respond to End User conversations through AI agents; to perform retrieval-augmented generation using Customer knowledge bases; to generate analytics, reports, and insights for Customers; to process payments and manage billing; to communicate with you about your account, including service announcements and security alerts; to detect, prevent, and address fraud, abuse, and security incidents; to comply with legal obligations and respond to lawful requests from authorities; and to improve and develop new features for the Services.
We do not use Customer Data or End User personal data to train our general AI models. Customer Data is used solely to provide the Services to the applicable Customer.
6. PII Redaction and Data Minimization
Our platform includes automated personally identifiable information (PII) redaction capabilities. When enabled, the system automatically detects and redacts sensitive data including phone numbers, email addresses, UAE and Saudi national identification numbers, passport numbers, credit card numbers, IBAN codes, and IP addresses from conversation logs before storage. Customers can configure the scope of PII redaction through their dashboard settings. We apply the principle of data minimization and collect only the personal data that is necessary for the specified processing purposes.
7. Data Sharing and Sub-processors
We do not sell personal data to third parties. We share personal data only with the following categories of recipients, and only to the extent necessary:
- Cloud infrastructure providers: We use Supabase (PostgreSQL hosting) and Vercel (application hosting) to store and serve the Services.
- AI model providers: Conversation data is sent to Anthropic (Claude) for AI response generation and to Cohere for text embedding. These providers process data as sub-processors under our instructions.
- Communication providers: We use Twilio for voice and WhatsApp message delivery, and Meta (WhatsApp Business API) for WhatsApp channel integration.
- Authentication provider: We use Clerk for user authentication and identity management.
- Payment processors: Billing and payment data is processed by our payment service provider in compliance with PCI DSS requirements.
- Legal and regulatory: We may disclose personal data to law enforcement, regulatory authorities, or other parties where required by UAE law or valid legal process.
All sub-processors are bound by data processing agreements that require them to protect personal data to a standard consistent with this Privacy Policy and applicable law.
8. International Data Transfers
Our primary data storage is located within the UAE. However, certain sub-processors may process personal data in jurisdictions outside the UAE. In accordance with Article 22 of the PDPL and the regulations issued by the UAE Data Office, we ensure that any transfer of personal data outside the UAE is subject to appropriate safeguards, including data processing agreements incorporating standard contractual clauses, transfers to jurisdictions that have been recognized as providing an adequate level of data protection, or other transfer mechanisms approved by the UAE Data Office. Where data of DIFC-based individuals is involved, transfers comply with the requirements of Part 7 of DIFC Data Protection Law No. 5 of 2020.
9. Data Retention
We retain personal data only for as long as necessary to fulfill the purposes described in this Privacy Policy, unless a longer retention period is required or permitted by law. The following retention periods apply:
- Account Data: Retained for the duration of the Customer's subscription and for a period of ninety (90) days following account termination, after which it is deleted.
- Conversation Data: Retained for the duration configured by the Customer (default: 12 months), after which it is automatically purged.
- Knowledge Base Data: Retained for the duration of the Customer's subscription and deleted within thirty (30) days of account termination or upon Customer request.
- Usage and Analytics Data: Retained in identifiable form for up to twenty-four (24) months, after which it is anonymized or deleted.
- Voice Data: Audio recordings are processed in real time and are not stored beyond the duration necessary to complete the transcription. Transcriptions are retained as part of Conversation Data.
10. Data Subject Rights
In accordance with the PDPL and applicable data protection laws, data subjects have the following rights:
- Right of access: You may request confirmation of whether we process your personal data and obtain a copy of such data.
- Right to rectification: You may request correction of inaccurate or incomplete personal data.
- Right to erasure: You may request deletion of your personal data where it is no longer necessary for the purposes for which it was collected, or where processing is based on consent that has been withdrawn.
- Right to restrict processing: You may request that we limit the processing of your personal data in certain circumstances.
- Right to data portability: You may request to receive your personal data in a structured, commonly used, machine-readable format.
- Right to object: You may object to the processing of your personal data where such processing is based on legitimate interest.
End Users should direct requests relating to their personal data to the applicable Customer (the Data Controller). Customers can manage data subject requests through the Oris AI dashboard or by contacting us at privacy@getoris.ai. We will respond to valid requests within thirty (30) days.
11. Security Measures
We implement appropriate technical and organizational measures to protect personal data against unauthorized access, alteration, disclosure, or destruction. These measures include: encryption of data in transit using TLS 1.2 or higher; encryption of data at rest using AES-256; role-based access controls and multi-tenant data isolation; regular security assessments and vulnerability testing; automated PII detection and redaction; secure API authentication using industry-standard protocols; monitoring and logging of access to personal data; and incident response procedures for prompt detection and handling of security breaches.
Despite these measures, no method of electronic transmission or storage is completely secure. We cannot guarantee absolute security of personal data, but we commit to promptly notifying affected parties and the UAE Data Office in the event of a personal data breach, in accordance with Article 9 of the PDPL.
12. Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, the Services, or applicable law. We will post the revised policy on our website and update the "Last updated" date at the top of this page. For material changes that significantly affect the processing of personal data, we will provide notice through the Services or via email to the address associated with your account at least thirty (30) days before the changes take effect. Your continued use of the Services after the effective date of the revised policy constitutes your acceptance of the changes.
13. Contact Us
If you have questions, concerns, or requests regarding this Privacy Policy or our data processing practices, please contact us:
- Privacy inquiries: privacy@getoris.ai
- Legal inquiries: legal@getoris.ai
- Address: Oris AI, Dubai, United Arab Emirates
If you believe that we have not adequately addressed your data protection concerns, you have the right to lodge a complaint with the UAE Data Office or the relevant supervisory authority in your jurisdiction.