Ontora

Privacy Policy

Last updated: May 18, 2026

1. Introduction

This Privacy Policy describes how Ontora Inc. (“Ontora,” “we,” “us,” or “our”) collects, uses, discloses, and protects information about you when you visit our website, create an account, or use our services (collectively, the “Services”). The Services include our web application, desktop application, browser extensions, APIs, voice and chat agents, and related features.

This policy is designed to comply with the U.S. California Consumer Privacy Act (“CCPA”) as amended by the California Privacy Rights Act (“CPRA”), other U.S. state privacy laws, the EU and UK General Data Protection Regulation (“GDPR” and “UK GDPR”), the German Federal Data Protection Act (“BDSG”), the Swiss Federal Act on Data Protection (“FADP”), and the South African Protection of Personal Information Act (“POPIA”). Region-specific rights are described in Section 12.

By using the Services, you acknowledge that your information will be handled as described in this policy.

2. Who We Are

Ontora Inc. is a Delaware corporation and acts as the “controller” (GDPR/UK GDPR), “business” (CCPA/CPRA), and “responsible party” (POPIA) for personal information processed through the Services, except where we process customer content on behalf of a business customer, in which case we act as a “processor” or “service provider” and that customer is the controller.

Ontora Inc.
1111B S Governors Ave # 51197
Dover, DE 19901
United States
Email: info@ontora.com
Privacy contact: privacy@ontora.com

3. Information We Collect

a. Information you provide

  • Account information: name, email address, password (hashed), organization, role, and profile preferences
  • Content you submit: documents, files, messages, notes, prompts, chat conversations, meeting transcripts, voice recordings, interview responses, and other materials uploaded to or generated within the Services
  • Billing information (name, billing address, tax identifiers, and payment card details, processed by our payment provider; we do not store full card numbers)
  • Communications you send us (support requests, sales inquiries, survey responses, and feedback)

b. Information collected automatically

  • Usage data: pages viewed, features used, queries issued, actions taken, error events
  • Device and log data: IP address, browser type and version, device identifiers, operating system, referring URLs, language preference, timestamps
  • Approximate location derived from IP address (city-level)
  • Cookies and similar tracking technologies (see Section 11)

c. Information from third-party integrations you authorize

When you connect a third-party service through our integrations layer, we access and process the data you authorize us to access. Sources currently supported include:

  • Google Workspace (Gmail, Google Drive, Google Calendar) — email messages, attachments, documents, files, and calendar events
  • Notion — pages, databases, and content from workspaces you connect
  • Slack — channels, messages, and threads you authorize
  • Granola — meeting transcripts and notes
  • Attio — CRM records, contacts, deals, and notes
  • Cal.com — scheduling and meeting metadata

We access only the data you explicitly grant via OAuth scopes, and you may revoke access at any time from your integrations settings or directly with the source provider.

d. Voice and audio data

If you use our voice interview or voice agent features, we collect and process audio recordings, voice transcripts, and derived metadata (such as turn timing and detected sentiment). Where required by law (including German BDSG and U.S. two-party-consent states), we ask you and any participants to provide explicit consent before recording. Participants are informed at the start of any recorded session and can decline to participate.

e. Information we do not intentionally collect

We do not ask for special-category data under GDPR Art. 9 (including health, biometric identifiers used for unique identification, racial or ethnic origin, political opinions, religious beliefs, trade union membership, or data concerning sex life or sexual orientation) or financial account numbers. If you upload such data into the Services as your own content, you instruct us to process it on your behalf and remain responsible for ensuring a valid legal basis under applicable law.

4. How We Use Information

  • Provide, operate, maintain, and improve the Services
  • Authenticate users and secure accounts
  • Process transactions and handle billing
  • Generate AI outputs you request (embeddings, retrieval, summaries, extractions, transcriptions, and synthesized speech)
  • Communicate with you (support, service notices, product updates, and marketing where permitted by law and your preferences)
  • Monitor and analyze usage and trends
  • Detect, prevent, and investigate fraud, abuse, security incidents, and violations of our terms
  • Comply with legal obligations, respond to lawful requests, and enforce our agreements

We do not use your content to train foundation models for our own benefit or for the benefit of our AI subprocessors. Our AI subprocessors are contractually prohibited from training models on your content (see Section 8).

5. Legal Bases for Processing (EEA, UK, Switzerland)

If you are in the European Economic Area, the United Kingdom, or Switzerland, we rely on the following legal bases under GDPR Art. 6 (and equivalent UK and Swiss law):

  • Contract (Art. 6(1)(b)): to deliver the Services you have signed up for, manage your account, and provide support
  • Legitimate interests (Art. 6(1)(f)): to secure the Services, prevent abuse, improve product quality, and conduct limited marketing to existing customers. We have weighed these interests against your rights and freedoms
  • Consent (Art. 6(1)(a)): for non-essential cookies, audio recording where required, and direct marketing to non-customers. You may withdraw consent at any time
  • Legal obligation (Art. 6(1)(c)): to comply with tax, accounting, and other legal requirements

6. Categories of Personal Information (California)

For California residents, we have collected the following categories of personal information in the past 12 months. We collect each category from you directly, from your device, or from third-party integrations you authorize, and we disclose each category to our service providers as listed in Section 7.

  • Identifiers (name, email, IP address, online identifiers)
  • Customer records (information described in Cal. Civ. Code § 1798.80(e), including contact details and billing information)
  • Commercial information (subscription and billing records)
  • Internet or network activity (browsing history within the Services, interactions with content)
  • Geolocation data (approximate, derived from IP)
  • Audio recordings (where you use voice features)
  • Professional or employment-related information (when provided)
  • Inferences drawn from the above to provide and improve the Services
  • Content and files you submit to the Services

We do not knowingly collect “sensitive personal information” (as defined by the CPRA) beyond account credentials needed to authenticate you, and we use those credentials only for the purposes permitted by Cal. Civ. Code § 1798.121.

7. How We Share Information — Categories of Service Providers

We share information with service providers (“subprocessors”) that help us operate the Services under written contracts requiring confidentiality, security, and processing only on documented instructions. We use service providers in the following categories:

  • Cloud infrastructure and hosting — frontend hosting, backend application platforms, and the underlying cloud compute, networking, and storage that runs the Services
  • Databases and storage — managed relational database, file storage, and managed knowledge graph
  • Authentication and identity — user authentication, session management, and organization management
  • AI and machine learning providers — large language models, embeddings, speech-to-text transcription, and text-to-speech synthesis used to generate AI outputs from your content
  • Third-party integration connectors — OAuth and data-sync infrastructure for the third-party sources you authorize (e.g., email, document, and CRM platforms)
  • Communications — transactional email delivery for account notices, invitations, and product communications
  • Analytics and product measurement — product usage analytics and web analytics for our marketing site
  • Consent management — cookie consent banner and preference management
  • Scheduling and customer operations — meeting scheduling for sales and customer success, and our internal CRM

We maintain a current, named list of the specific companies in each category and provide it to business customers under our Data Processing Agreement (see Section 17). Material additions or replacements are notified to DPA-bound customers with sufficient lead time to object. The named list is also available on request by emailing privacy@ontora.com.

We may also share information:

  • With your consent or at your direction
  • To comply with applicable laws, legal processes, or government requests, while challenging overbroad requests where appropriate
  • To protect the rights, property, or safety of Ontora, our users, or others
  • In connection with a merger, acquisition, financing, or sale of assets, in which case we will provide notice before personal information becomes subject to a different privacy policy

We do not sell your personal information in exchange for monetary consideration. Limited disclosures to analytics providers may constitute “sharing” under the CCPA/CPRA. You may opt out as described in Section 13.

8. AI and Automated Processing

Ontora is an AI-powered platform. When you use the Services, your content (including documents, messages, transcripts, and prompts) is sent to AI and machine-learning subprocessors (see Section 7 and our named subprocessor list) to generate responses, extract entities, build knowledge graphs, transcribe speech, and synthesize voice. Each AI subprocessor is bound by contract to:

  • Process your content only to provide outputs back to us
  • Not use your content to train, fine-tune, or evaluate their models (zero-retention or short-retention API tiers are used where available)
  • Apply appropriate technical and organizational security measures
  • Honor international transfer safeguards (Standard Contractual Clauses) where relevant

AI outputs can be inaccurate. You should review them before relying on them for material decisions. We do not use the Services to make solely automated decisions producing legal or similarly significant effects on you within the meaning of GDPR Art. 22.

9. Voice and Audio Processing

Voice features (such as interview agents and meeting assistants) capture and process audio. We use specialized speech-to-text and text-to-speech providers (named in our subprocessor list) to transcribe, synthesize, or analyze speech. We retain recordings and transcripts for as long as your account or organization configures, with a default retention aligned with the workspace settings. You can delete a recording from your workspace at any time, after which we instruct subprocessors to delete any cached copies in accordance with their published retention windows.

Consent. Before recording a call or interview, we display a clear notice and (where required by law, including Germany under § 201 StGB and BDSG, and U.S. two-party-consent states) ask each participant to consent. Participants can decline and use unrecorded alternatives.

10. International Data Transfers

Ontora is headquartered in the United States, and most of our subprocessors are based in the United States. If you access the Services from the EEA, the United Kingdom, Switzerland, South Africa, or other regions outside the United States, your information will be transferred to and processed in the United States and other countries that may not provide the same level of data protection as your jurisdiction.

For transfers from the EEA, UK, and Switzerland to countries without an adequacy decision, we rely on the European Commission's Standard Contractual Clauses (Decision 2021/914), the UK International Data Transfer Addendum, and the Swiss FDPIC addendum, supplemented by technical measures (encryption in transit and at rest, access controls, logging) and contractual safeguards. Where applicable, we also rely on subprocessors' certification under the EU-U.S. Data Privacy Framework, the UK Extension, and the Swiss-U.S. Data Privacy Framework.

For transfers from South Africa, we rely on POPIA section 72 and binding contractual commitments to maintain equivalent protection.

You can request a copy of the transfer mechanisms we use by emailing privacy@ontora.com.

11. Cookies and Tracking Technologies

We use cookies and similar technologies to authenticate users, remember preferences, measure usage, and improve the Services. We classify cookies as:

  • Strictly necessary — required for login, session security, and core functionality
  • Functional — remember preferences such as language and UI state
  • Analytics — help us understand product usage. In the EEA, UK, and Switzerland, we only set these cookies after you give consent via our cookie banner

Our cookie consent banner and preference center are powered by c15t, an open-source consent management platform. When operated in the standard client-side mode, c15t stores your preferences in your browser and does not transmit personal data to c15t's servers.

You can control cookies through your browser settings, and you can change your consent at any time via the cookie banner on our site. Disabling strictly necessary cookies may break parts of the Services.

You can opt out of web analytics by installing the Google Analytics Opt-out Browser Add-on. We honor recognized opt-out preference signals (such as the Global Privacy Control) where required by law.

12. Your Privacy Rights

Depending on where you reside, you have the following rights regarding your personal information. We will not discriminate against you for exercising any of these rights.

EEA, United Kingdom, and Switzerland (GDPR, UK GDPR, FADP)

  • Right of access (Art. 15)
  • Right to rectification (Art. 16)
  • Right to erasure / “right to be forgotten” (Art. 17)
  • Right to restriction of processing (Art. 18)
  • Right to data portability (Art. 20)
  • Right to object to processing, including direct marketing (Art. 21)
  • Right not to be subject to a solely automated decision producing legal or similarly significant effects (Art. 22)
  • Right to withdraw consent at any time, where processing is based on consent
  • Right to lodge a complaint with a supervisory authority, including the data protection authority in your country of residence, place of work, or place of the alleged infringement

Germany (BDSG)

In addition to the GDPR rights above, German residents may contact the supervisory authority responsible for their federal state (Landesdatenschutzbeauftragte) or the Federal Commissioner for Data Protection and Freedom of Information (BfDI). The competent supervisory authority for Ontora's services offered to German residents is typically the authority for the federal state in which the data subject resides. We comply with the additional requirements of the BDSG, including provisions on employee data and audio recording (§ 201 StGB).

California (CCPA / CPRA)

  • Right to know what personal information we collect and how we use it
  • Right to access a copy of your personal information
  • Right to delete your personal information
  • Right to correct inaccurate personal information
  • Right to opt out of the sale or sharing of personal information
  • Right to limit the use of sensitive personal information
  • Right to non-discrimination for exercising your rights

Other U.S. states

Residents of Virginia, Colorado, Connecticut, Utah, Texas, Oregon, Montana, Delaware, Iowa, Tennessee, New Jersey, and other states with comprehensive privacy laws have similar rights under their respective laws, including rights to access, correct, delete, port, and opt out of targeted advertising, sale, or certain profiling.

South Africa (POPIA)

South African data subjects have the following rights under POPIA:

  • Right to be notified that personal information is being collected (s 18) and that it has been accessed by an unauthorized person (s 22)
  • Right of access to personal information held about you (s 23)
  • Right to request correction or deletion of personal information that is inaccurate, out of date, incomplete, misleading, or obtained unlawfully (s 24)
  • Right to object, on reasonable grounds, to the processing of your personal information (s 11(3))
  • Right not to be subject to a decision based solely on automated processing intended to provide a profile (s 71)
  • Right to submit a complaint to the Information Regulator

Information Regulator (South Africa) — JD House, 27 Stiemens Street, Braamfontein, Johannesburg, 2001; email enquiries@inforegulator.org.za.

How to exercise your rights

To exercise any of these rights, email privacy@ontora.com from the address associated with your account. We will respond within the timeframes required by applicable law (within one month under GDPR, with possible extension; within 45 days under CCPA/CPRA, with possible extension). We may need to verify your identity before fulfilling your request. You may also designate an authorized agent to submit a request on your behalf, subject to verification.

If we process your personal information on behalf of a business customer (for example, your employer's workspace), please direct rights requests to that customer first; we will support them in responding.

13. Do Not Sell or Share My Personal Information

We do not sell your personal information for monetary value. If you would like to opt out of any “sharing” (as defined by the CCPA) for cross-context behavioral advertising or analytics, email privacy@ontora.com. We honor recognized opt-out preference signals (such as the Global Privacy Control) where required by law.

14. Children's Privacy

The Services are not directed to children. We do not knowingly collect personal information from anyone under 16 in the EEA, UK, or Switzerland, anyone under 16 in California, or anyone under 18 in South Africa for whom parental consent is required under POPIA. In the United States outside California, we do not knowingly collect personal information from children under 13. If you believe a child has provided us with personal information, please contact us and we will take reasonable steps to delete it.

15. Data Security

We implement administrative, technical, and physical safeguards designed to protect personal information against unauthorized access, disclosure, alteration, or destruction. These include:

  • Encryption in transit (TLS 1.2+) and at rest (AES-256)
  • Role-based access control, least privilege, and principle-of-least-access for production systems
  • Logging and monitoring of access to production systems
  • Single sign-on (SSO) and multi-factor authentication (MFA) for employee access to internal systems
  • Workspace-level data isolation (every record is tagged with a workspace identifier and queries are filtered accordingly)
  • Personal vaults are scoped to the owning user and are not visible to other members of the same workspace
  • Regular security reviews and patching of dependencies
  • Incident response procedures, including notification of affected users and supervisory authorities within statutory timeframes (72 hours under GDPR/POPIA where applicable)

No method of transmission or storage is completely secure, and we cannot guarantee absolute security.

16. Data Retention

We retain personal information for as long as needed to provide the Services and as required by law. Default retention windows:

  • Account and workspace data: retained while your account or organization is active. Deleted within 30 days of account closure, except where longer retention is required by law
  • Content you submit (documents, transcripts, chats): retained until you or your organization administrator deletes it, or until account closure
  • Voice recordings: retained per workspace configuration, deleted on request or at account closure
  • Application and security logs: typically retained for up to 12 months
  • Billing records: retained for the period required by tax and accounting law (typically 7–10 years)
  • Backups: rolling backups are typically retained for up to 35 days and are then overwritten

You may request deletion of your account and associated personal information as described in Section 12.

17. Data Processing Agreements

If you are a business customer subject to GDPR, UK GDPR, FADP, or POPIA, we offer a Data Processing Agreement (DPA) that incorporates the European Commission's Standard Contractual Clauses, the UK International Data Transfer Addendum, the Swiss FDPIC addendum, and POPIA operator clauses as applicable. Request a DPA by emailing privacy@ontora.com.

18. Changes to This Policy

We may update this Privacy Policy from time to time. We will post the updated version on this page and update the “Last updated” date above. For material changes, we will provide additional notice (such as an email to account holders or an in-product banner) as required by applicable law and, where required, obtain renewed consent.

19. Contact

Questions, requests, or complaints about this Privacy Policy or your personal information:

Ontora Inc., Attn: Privacy
1111B S Governors Ave # 51197
Dover, DE 19901, United States
Email: privacy@ontora.com

If you are not satisfied with our response, you may lodge a complaint with your local data protection authority or, in South Africa, with the Information Regulator.


© 2026 Ontora Inc.