Privacy Policy
Last updated: February 28, 2026
1. Introduction
Welcome to Orior AI ("Company", "we", "our", "us"). Orior AI, accessible at www.oriorai.com, is the data controller responsible for your personal data. We are committed to protecting your personal information and your right to privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our Service.
Please read this Privacy Policy carefully. If you do not agree with the terms of this Privacy Policy, please do not access the Service.
2. Information We Collect
2.1 Personal Information
We may collect personal information that you voluntarily provide when you:
- Register for an account (name, email address, profile photo via Google authentication)
- Subscribe to a paid plan (payment information processed by Stripe; we do not store full card details)
- Contact us for support (communication content)
- Participate in our referral program (referral codes, referrer/referee relationship, subscription status for reward tracking)
2.2 Usage Data
We automatically collect certain information when you access the Service:
- IP address and device information
- Browser type and version
- Pages visited and time spent
- Features used and actions taken
- Date and time of access
2.3 User Content and Biometric Data
We collect the text prompts you submit and reference photographs you upload to generate AI content. When you upload facial photographs to create a character, we process your facial features to build a digital face model. This constitutes biometric data (facial geometry identifiers) under certain data protection laws, including GDPR Article 9 and the Illinois Biometric Information Privacy Act (BIPA).
Important: We do not use your uploaded images, facial data, or any user content to train, improve, or develop AI models. Your images are processed solely through third-party AI services (Google AI / Gemini) to generate the outputs you request.
Your face model data is tied exclusively to your account and the specific character you create. It is permanently deleted when you delete the character or close your account.
3. How We Use Your Information
We use the information we collect for the following purposes, each with its corresponding legal basis under GDPR:
3.1 Contract Performance (GDPR Art. 6(1)(b))
- Provide, operate, and maintain the Service
- Process transactions and send related information
- Manage your account and subscription
- Process referral rewards and credits
3.2 Legitimate Interest (GDPR Art. 6(1)(f))
- Monitor and analyze trends, usage, and activities to improve the Service
- Detect, investigate, and prevent fraudulent transactions and abuse
- Send you technical notices, updates, and support messages
3.3 Consent (GDPR Art. 6(1)(a) / Art. 9(2)(a))
- Process your biometric data (facial photographs) to create AI-generated content
- Send marketing communications (where applicable)
3.4 Legal Obligation (GDPR Art. 6(1)(c))
- Comply with applicable laws, regulations, and legal processes
- Retain financial records as required by tax and accounting laws
4. Sharing Your Information
We may share your information in the following situations:
- Payment Processing: Your payment information is processed by our payment provider. We do not store full card details.
- Hosting & Infrastructure: We use cloud hosting, authentication, and database services provided by third-party infrastructure providers.
- AI Services: Your prompts and reference images are sent to third-party AI services to generate outputs, processed under their data processing terms.
- Social Media: When you connect your social accounts, we store access tokens to post content on your behalf. See Section 5 for details.
We may also share your information in connection with a merger, acquisition, or sale of assets; when required by law or to protect our rights; or when you have given us permission to share.
We do not sell your personal information to third parties.
5. Social Media Integration
The Service allows you to connect your Instagram, X (Twitter), TikTok, Threads, YouTube, and Snapchat accounts to post AI-generated content directly from your library.
- When you connect an account, we use OAuth authentication to receive an access token from the platform.
- We store these tokens securely and use them solely to post content on your behalf when you initiate a post.
- We may access basic profile information (username, profile picture) from the connected platform.
- You can disconnect any social account at any time from your character settings, which immediately revokes our access and deletes the stored token.
Each platform has its own privacy policy governing how your data is handled on its end. We encourage you to review their respective privacy policies.
6. Data Retention
We retain your data for the following specific periods:
- Account data — retained while your account is active. Deleted within 30 days of account deletion.
- Generated images — stored until you delete them or close your account.
- Face model data — deleted when you delete the character or close your account.
- Payment records — retained for 7 years as required by tax and accounting regulations.
- Usage logs — retained for 12 months, then automatically purged.
- Social media tokens — deleted immediately when you disconnect the account.
- Referral data — retained while your account is active; anonymized upon account deletion.
7. Data Security
We implement appropriate technical and organizational measures to protect your personal information against unauthorized access, alteration, disclosure, or destruction. However, no method of transmission over the Internet or electronic storage is 100% secure, and we cannot guarantee absolute security.
Our security measures include:
- Encryption of data in transit (TLS) and at rest
- Regular security assessments and audits
- Access controls and authentication
- Secure data centers and infrastructure (Google Cloud)
8. Data Breach Notification
In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify the relevant supervisory authority within 72 hours of becoming aware of the breach, as required by GDPR Article 33. If the breach is likely to result in a high risk to your rights, we will also notify affected individuals without undue delay, as required by GDPR Article 34.
9. Your Privacy Rights
Under GDPR and applicable data protection laws, you have the following rights:
- Access: Request a copy of your personal data
- Rectification: Request correction of inaccurate data
- Erasure: Request deletion of your personal data
- Portability: Request transfer of your data to another service
- Objection: Object to processing of your personal data
- Restriction: Request restriction of processing
- Withdraw Consent: Withdraw your consent at any time, without affecting the lawfulness of processing based on consent before its withdrawal
- Automated Decisions: Not be subject to decisions based solely on automated processing that produce legal effects concerning you
- Complaint: Lodge a complaint with a supervisory authority in your country of residence
To exercise these rights, please contact us at support@oriorai.com with the subject line "Data Protection Request". We will respond within 30 days.
10. Cookies and Tracking Technologies
We use cookies and similar tracking technologies to collect and store information. These include:
- Essential Cookies: Required for the Service to function (authentication, session management)
- Analytics Cookies: Help us understand how you use the Service
- Preference Cookies: Remember your settings and preferences
You can control cookies through your browser settings. Disabling certain cookies may affect the functionality of the Service.
11. International Data Transfers
Your data is processed on Google Cloud infrastructure located in the EU and the United States. When your data is transferred outside the European Economic Area (EEA), we rely on Standard Contractual Clauses (SCCs) approved by the European Commission, as well as Google's data processing terms and certifications, to ensure an adequate level of protection for your personal data.
12. Automated Decision-Making
We do not use automated decision-making or profiling that produces legal effects or similarly significant effects concerning you. AI image generation is a user-initiated tool — you control the prompts and inputs, and the outputs are generated on your request. No automated decisions are made about your access, pricing, or account status based on profiling.
13. Children's Privacy
The Service is not intended for individuals under the age of 18. We do not knowingly collect personal information from anyone under 18 years of age. If we become aware that we have collected personal data from a person under 18, we will take steps to delete that information within 72 hours. If you are a parent or guardian and believe your child has provided us with personal information, please contact us immediately at support@oriorai.com.
14. Third-Party Links
The Service may contain links to third-party websites. We are not responsible for the privacy practices of these external sites. We encourage you to read the privacy policies of any third-party sites you visit.
15. Changes to This Privacy Policy
We may update this Privacy Policy from time to time. We will notify you of any changes by posting the new Privacy Policy on this page and updating the "Last updated" date. For material changes, we will notify you via email or a prominent notice on the Service. You are advised to review this Privacy Policy periodically for any changes.
16. Contact Us
If you have any questions about this Privacy Policy or our privacy practices, or wish to exercise your data protection rights, please contact us:
Email: support@oriorai.com
For data protection inquiries, please use the subject line "Data Protection Request".