Privacy Policy
How Nova Corporation collects, uses and protects your data in Orama — compliant with the Swiss nFADP and the EU GDPR.
Last updated: May 2026
1. Who we are
Orama is a productivity application built and operated by Nova Corporation, a Swiss company. Nova Corporation is the data controller. Contact: contact@orama.li.
2. Hosting & data location
Although Orama is operated from Switzerland, the service is hosted in the United States. The application, API, database and file storage run on US-based infrastructure (Vercel, Neon, Upstash, Vercel Blob). Personal data of users located in Switzerland or the EU is therefore transferred to the United States. These transfers rely on the EU/Swiss Standard Contractual Clauses and the EU–US / Swiss–US Data Privacy Framework.
3. Information we collect
- Account information: name, email address, hashed password, profile photo.
- Usage data: tasks, projects, notes and other content you create.
- Integration data: OAuth tokens and synced data from services you connect (Google, GitHub, Notion, Todoist, Trello, Asana, Zoom). Tokens are stored encrypted.
- Device data: browser, IP address, operating system.
- Communication data: messages you send us for support.
- Optional analytics: anonymized usage statistics, only if you consent via the cookie banner.
4. How we use your information
- Provide, maintain and improve Orama.
- Manage your account and process payments.
- Sync data with the integrations you connect.
- Send service-related communications.
- Respond to support requests.
- Prevent fraud, secure the platform and comply with legal obligations.
5. Third-party processors
- Vercel — hosting (United States).
- Neon — PostgreSQL database (United States).
- Upstash — cache and rate limiting (United States).
- Stripe — payment processing; we never store card data.
- Resend — transactional email delivery.
- Groq — AI inference for smart features.
- Google LLC (Google Analytics & Tag Manager) — anonymized audience and usage analytics; loaded only after analytics consent (see §6).
- Vercel Analytics — privacy-friendly page-view analytics; loaded only after analytics consent (see §6).
We transmit only the minimum data necessary for each service and do not sell your data.
6. Cookies & analytics
Orama uses three categories of cookies and similar storage. You choose which categories to allow via the cookie banner the first time you visit, and you can change your choice at any time by reopening the preferences:
a. Essential (always on)
Authentication cookies (auth_token), CSRF protection and locale preference. Without them the application cannot function. No consent is required for these under Swiss nFADP and EU GDPR (Art. 5(3) ePrivacy Directive).
b. Analytics (optional, opt-in)
Loaded only after you accept the Analytics category in the cookie banner.
- Vercel Analytics — first-party, IP-anonymized page-view counts. No cross-site tracking. See Vercel's privacy policy.
- Google Analytics 4 (loaded through Google Tag Manager, container GTM-5JBDT546). Used to measure audience and feature usage in aggregate. Typical cookies it sets: _ga (2 years), _ga_<container> (2 years), _gid (24 hours), _gat (1 minute). The data is processed by Google LLC in the United States under the EU–US / Swiss–US Data Privacy Framework. See Google's privacy policy and Google cookie usage.
c. Marketing (optional, opt-in)
Reserved for future marketing measurement (e.g. ad campaign attribution). No marketing cookies are currently active even if you opt in.
Refusing analytics or marketing has no impact on your access to Orama.
7. Data security
Data is encrypted in transit (HTTPS/TLS) and sensitive data — including OAuth tokens — is encrypted at rest (AES-256-GCM). Passwords are hashed with bcrypt. We use row-level security, CSRF protection, input validation, rate limiting and optional two-factor authentication. No method of transmission is completely secure, so we cannot guarantee absolute security.
8. Your rights (GDPR & Swiss nFADP)
- Access: request a copy of your data (JSON export from your account).
- Rectification: correct inaccurate data.
- Erasure: delete your account and associated data.
- Portability: receive your data in a machine-readable format.
- Restriction & objection: limit or object to certain processing.
- Withdraw consent: at any time, including analytics consent.
Requests: contact@orama.li — answered within 30 days. You may also lodge a complaint with the Swiss FDPIC (edoeb.admin.ch) or your local EU data protection authority.
9. Contact
Nova Corporation — Switzerland.
All requests (privacy, support, legal): contact@orama.li
Company: nova-corporation.ch
Last updated: May 2026.
Orama is a product published by Nova Corporation, a Swiss company.