Privacy Policy

Last Updated: December 21, 2025

Who We Are

Orchestra Engine Inc (Orchestra, We, Us) provides law firms and legal professionals with Shadow AI detection and prevention technology. We deliver software for monitoring and controlling GenAI interactions in professional settings. We operate the Ovna platform available for sign up at https://orchestraengine.com and its associated services (collectively referred to as our "Platform").

Our Privacy Policy

We respect your privacy and want to be clear about what information we collect, why we collect it, and what we do with it. We follow the Personal Information Protection and Electronic Documents Act ("PIPEDA"), which is Canada's privacy law for businesses collecting and handling Personal Information.

This Privacy Policy ("Policy") applies to the Personal Information we collect from those who use our Platform ("Users"). Please read this Policy carefully. If you have any questions about the Policy or our privacy practices, you can reach out to team@orchestraengine.com.

If you are located in a jurisdiction outside Canada with specific privacy laws, you may have additional rights not described in this Policy. We recommend you seek independent legal advice to determine whether our privacy practices are compatible with your local legal privacy legislation before using our Platform. If our practices do not meet your local legal requirements, do not use our Platform or provide any Personal Information. Continued use of our Platform constitutes your acknowledgment of these limitations and your voluntary assumption of any associated risks.

Platform use and any dispute over privacy are subject to the terms of this Policy, our Terms of Service, and the terms of any other agreement you have entered into with us.

By using our Platform, you acknowledge you have read and understood this Policy and consent to the collection and use of Personal Information as described in this Policy. If you do not consent, you must not use the Platform.

What We Collect

"Personal Information" is any information that could be used to identify you as an individual. Personal Information includes information that could identify you when combined with other details.

We collect Personal Information from all Users of our Platform, including those who visit our website, those who install our browser extension, and those who register an account.

Visitors

You are a "Visitor" when you visit our website and its subdomains and interact with the content of our website. From Platform Visitors, we may collect:

• IP address
• Timestamp
• Pages visited
• Interactions with content
• Session duration
• Geolocation
• Information about browsers and devices
• Internet and network activity

Browser Extension Users

You are a "Browser Extension User" when you install and use our Chrome extension for real-time GenAI detection. From Browser Extension Users, we collect:

• The same information we collect from Platform Visitors
• Browser type and version
• Extension configuration settings
• AI platform access patterns (e.g., ChatGPT, Claude, Gemini)
• Timestamps and frequency of AI platform interactions
• User context selections (client, matter assignments)
• Policy decision acknowledgments and user overrides

IMPORTANT: We monitor content entered into AI platforms to enforce organizational policies. We do NOT collect, store, or transmit the actual content of your prompts or AI responses unless explicitly configured by your organization's administrator for audit purposes. Our extension analyzes content locally and only transmits detection metadata and policy decision information to the backend services.

Registered Users

You are a "Registered User" when you register for an account and interact with or configure services through our Platform. From Registered Users, we collect:

• The same information we collect from Platform Visitors and Browser Extension Users
• Personal identifiers including name, email address, and employee/user ID
• Role and permission information (administrator, compliance officer, user)
• Organizational assignment information (client, matter, group associations)
• User preferences and notification settings
• Information about Platform use, including Personal Information shared when you provide comments or feedback about your Platform experiences

Organization Administrators

Organization administrators who configure the Ovna platform may provide:

• Policy documents and compliance requirements
• Client and matter information for organizational hierarchy
• AI tool allowlists and blocklists
• User assignment information
• Custom detection rules and risk thresholds
• Audit and reporting configurations

ORGANIZATION ADMINISTRATORS REPRESENT AND WARRANT THAT THEY HAVE OBTAINED ALL NECESSARY CONSENTS FROM THEIR USERS AND CLIENTS TO COLLECT, USE AND DISCLOSE PERSONAL INFORMATION THROUGH OUR PLATFORM, AND THAT SUCH CONSENTS COMPLY WITH ALL APPLICABLE PRIVACY LAWS, INCLUDING BUT NOT LIMITED TO ATTORNEY-CLIENT PRIVILEGE REQUIREMENTS AND PROFESSIONAL RESPONSIBILITY RULES.

Monitored AI Interactions

When configured by your organization for audit purposes, we may collect:

• Content of prompts submitted to AI platforms (for policy violation detection)
• AI platform responses (for output verification)
• Risk scores and policy violation flags
• Detection metadata (detected sensitive content types, violated policies)
• User decisions (accept, override, cancel)
• Justification text for policy overrides

YOUR ORGANIZATION CONTROLS WHAT INTERACTION DATA IS COLLECTED AND RETAINED. Contact your organization's administrator to understand what data is being monitored and stored.

We may collect other information which may be used in combination with identifying or potentially identifying information. We will treat combined information as Personal Information.

Why We Collect Personal Information

We collect Personal Information for the following purposes:

1. To provide and administer our Platform and services, including:
   • Real-time GenAI detection and policy enforcement
   • Hierarchical policy resolution and decision-making
   • User context management (client/matter assignments)
   • Personalizing your experience and providing requested services
2. To create, maintain and monitor user accounts and organizational hierarchies
3. To provide technical support, respond to communications and feedback, and communicate updates and necessary information regarding your use of our Platform
4. To enforce organizational policies and detect policy violations, including:
   • Detecting sensitive legal content (attorney-client privilege, work product)
   • Identifying unauthorized AI tool usage
   • Preventing inadvertent disclosure of confidential information
   • Generating explainable policy decisions
5. To generate audit trails and compliance reports, including:
   • Tamper-resistant decision logging
   • Regulatory compliance reporting
   • Attorney ethics compliance documentation
   • Bar association requirement fulfillment
6. To share with third-party service providers to support service provision, administration, and improvement of our Platform
7. To undertake research and development activities to improve our existing or to create new products, features and services, and/or to expand our user base
8. To fulfill the purposes described to you when the information was collected; and/or
9. To comply with necessary laws, including in support of fraud prevention, security investigations, risk assessments, and regulatory compliance

We will ask for your permission before using your Personal Information for any purpose not described in this Policy. You can withdraw your consent at any time by contacting us using the information provided below.

We do not sell Personal Information to third parties. We do not use your prompt content or AI interaction data to train AI models or for any purpose other than providing the Ovna service to your organization.

How We Collect Personal Information

We collect Personal Information:

1. Automatically, directly or through third-party plugins and integrations when you visit or interact with our Platform, including:
   • Server logs, cookies and other tracking technologies that gather information about Users and User activity
   • Browser extension content scripts that monitor AI platform interactions
   • Cookies are small files stored on your device by your web browser. Cookies allow the Platform to store information that will recognize you each time you visit. You may refuse to accept cookies or delete stored cookies through your browser.
   • You may change privacy settings in your browser to limit or request sites not to track your activity.
2. When you provide such information to us, such as when you:
   • Create an account or complete user profiles
   • Configure the browser extension with context information
   • Interact with features on our Platform
   • Complete forms or respond to surveys
   • Post comments or reviews
   • Upload policy documents or configure detection rules
3. Through the browser extension, when you:
   • Access AI platforms (ChatGPT, Claude, Gemini, etc.)
   • Submit prompts or interact with AI tools
   • Acknowledge policy decisions or request overrides
   • Set user context (client/matter selection)
4. Through direct communications with us, including:
   • Communications received via email or support channels
   • Customer service records and support tickets
   • User feedback and feature requests
   • Live chat and other online support interactions

How We Store and Protect Personal Information

We take safeguarding your information very seriously. We have implemented commercially reasonable administrative, technical and physical safeguards to protect against unauthorized access, use, modification and disclosure of Personal Information in our custody and control.

All Personal Information we collect is stored as data on third-party servers. We take reasonable steps to ensure our server providers adhere to industry security standards for the protection of Personal Information. These servers are located in Canada and the United States of America. When Personal Information is transferred to the United States, it becomes subject to the U.S. CLOUD Act and other U.S. laws that may permit U.S. government authorities to access such data.

Security Measures

We protect the Personal Information of our Users using:

• Encryption: AES-256 encryption for sensitive data at rest
• Secure Transmission: TLS/SSL encryption for data in transit
• Authentication: JWT-based authentication with role-based access control
• Audit Trails: Tamper-resistant logging with cryptographic integrity verification
• Network Security: Firewalls and intrusion detection systems
• Access Controls: Principle of least privilege with multi-factor authentication
• Third-party Security: Supabase, Redis Cloud, and other enterprise-grade service providers

Data Location

Some of our third-party service providers are located outside of Canada. For Users located in Quebec, data may be stored outside of Quebec. Data may be transferred to or processed in the United States of America. We take steps to safeguard data and keep Personal Information secure when it is shared with third-party service providers outside Canada. The laws in other places may differ from those in Canada. Government authorities in jurisdictions outside Canada may access Personal Information in accordance with local laws.

By using our Platform, you agree to the transfer of your Personal Information for the purpose of storage and processing.

Your Responsibilities

Where you must complete sign-in processes to access certain features of our Platform, you are responsible for keeping your sign-in information confidential and secure. Do not share your sign-in information with anyone.

For browser extension users, protect your device and browser from unauthorized access.

Security Incidents

If we discover a security incident that compromises our storage and protection of Personal Information, we will notify Users and the appropriate regulatory authorities as required by applicable law. For legal professionals, we will also provide notice consistent with professional responsibility requirements.

Retention of Personal Information

We retain your Personal Information while it is needed to fulfill the intended purpose for which it was collected and for seven years following the cessation of its intended purpose. We may also retain Personal Information as necessary:

• For legitimate business purposes, such as auditing or account recovery
• To comply with applicable federal, provincial or other laws
• To meet legal professional retention requirements (for legal industry clients)
• To preserve attorney work product and litigation hold obligations
• To prevent fraud or future abuse
• By contract with a partner and/or institution

For legal professionals: Our retention periods are designed to meet or exceed state bar association requirements and federal rules of civil procedure. Contact your organization's administrator for specific retention configurations.

Use of Third-Party Providers

Third-party service providers are external, independent entities that offer technologies and services useful to our Platform. We may share Personal Information with third-party service providers.

We may transfer Personal Information to the following third-party service providers:

Data Storage & Infrastructure

• Supabase - Primary database and authentication
• Redis Cloud - Caching and session management
• Docker - Application containerization

AI & Processing

• Google Gemini AI - Document policy extraction and analysis
• Docling - Document OCR and text extraction

Analytics & Monitoring

• Sentry - Error tracking and performance monitoring
• PostHog - Analytics and user behavior insights

Security Services

• Third-party encryption and security providers

In addition to the third parties listed above, we may share your Personal Information with third parties for the following purposes:

• Cloud storage and infrastructure
• Analytics and performance monitoring
• Customer support and service delivery
• Research, including with third parties to conduct surveys or research projects in collaboration with us or on our behalf
• Safety and security
• Professional services, including accountants, consultants, lawyers and other professional service providers
• Insurance and compliance partners

By using our Platform, you consent to our sharing your Personal Information with third parties for the purposes described in this Policy. We will seek your consent before sharing Personal Information with a third party for a purpose not described in this Policy.

Our Platform includes links to third-party websites and AI platforms. We provide links to third-party websites as a convenience to the user. These links are not an endorsement of or referral to the third party. We are not responsible for the websites or privacy policies of these third parties. If you follow any of these links, please read the third party's privacy policy carefully.

IMPORTANT: When you use AI platforms (ChatGPT, Claude, Gemini, etc.), those platforms have their own privacy policies and terms of service. Ovna monitors and enforces policies regarding your use of these platforms but does not control how those platforms handle your data. Review each AI platform's privacy policy before use.

Risks

The transmission of information via the internet is not completely secure. While we use commercially reasonable security measures to protect our Users' Personal Information, no method of electronic storage or transmission over the Internet is 100% safe. The use of our Platform carries inherent risks that, despite our use of commercially reasonable security safeguards, we cannot completely eliminate. By using our Platform, you acknowledge that you understand and accept this risk.

For legal professionals: While Ovna is designed to prevent inadvertent disclosure of privileged or confidential information, no technological solution is foolproof. Attorneys and legal staff maintain independent professional responsibility for compliance with attorney-client privilege, work product doctrine, and applicable rules of professional conduct.

User Rights Under PIPEDA

Under PIPEDA, Users have the following rights when it comes to the collection and use of their Personal Information:

1. The right to confirm collection and use of your Personal Information. You have the right to confirm the collection of your Personal Information, the type of Personal Information collected, its use and whether it has been shared with third parties.
2. The right to access. You have the right to request access to your Personal Information.
3. The right to correct your Personal Information. You have the right to request that we correct or update any Personal Information about you that is inaccurate or incomplete.
4. The right to withdraw consent. You have the right to withdraw your consent to our use of your Personal Information. This includes requesting that we remove your Personal Information from our databases as well as opting out or unsubscribing from marketing and promotions.
5. The right to non-discrimination. We will not use your Personal Information to profile or categorize you in a way that leads to unfair, unethical or discriminatory treatment contrary to human rights law. We will not discriminate against you for exercising any of these rights.

Note: Certain features of our Platform require Personal Information to function effectively (e.g. account registration, browser extension context management, policy enforcement). Where accurate Personal Information is a necessary technical and/or operational requirement for service delivery, not providing accurate Personal Information, deleting your Personal Information or withdrawing your consent for the collection, use or disclosure of your Personal Information may limit or prevent your access and use of our Platform.

6. The right to file a privacy-related complaint. You have the right to file a complaint with the Office of the Privacy Commissioner of Canada or the relevant provincial privacy authority in the event you believe Ovna's actions are in contravention of applicable privacy law.

Exercising Your Rights

You may access, update, delete, and/or correct inaccuracies in the Personal Information shared when you registered for your account, subject to limited exceptions prescribed by law. To make these changes, log into your account, go to your account profile, and make the necessary changes.

To access or delete browser extension data, contact your organization's administrator or use the extension settings interface.

You may exercise your right to access or correct your Personal Information or withdraw your consent to its use by submitting a written request using the contact information team@orchestraengine.com. We will respond to your request within 30 days of receiving the request and may verify your identity before fulfilling any such request. If we need more time, we will let you know and explain why.

When you make a privacy-related request that involves data collected by our third-party service providers, we may communicate with them as needed and to the extent permitted by law. We will keep you informed on the status of your request in such cases.

If you have a concern or complaint, you can contact our privacy officer (contact details below). We will respond to you within 30 days of receiving your complaint. If we need more time to resolve your complaint, we will let you know and provide you with an expected timeline for resolution.

Children's Privacy

Our services are not meant for people under 16 years old. We do not knowingly collect Personal Information from children under 16. If you are under 16, please do not use our services or provide any Personal Information to us. We encourage parents and legal guardians to monitor their children's internet usage and to help enforce this prohibition. If you have reason to believe that a child under the age of 16 has provided information to us, please contact our privacy officer as set out below.

Legal Professional Considerations

Ovna is designed specifically for use by law firms, legal departments, and legal service providers. Users in these contexts should be aware of additional privacy considerations:

Attorney-Client Privilege

Ovna monitors content to detect potential privilege violations. However, the transmission of privileged information through AI platforms may constitute waiver of privilege regardless of Ovna's monitoring. Consult with appropriate legal counsel regarding privilege implications.

Professional Responsibility

Attorneys using Ovna remain independently responsible for compliance with applicable rules of professional conduct, including duties of confidentiality, competence, and supervision of non-lawyer assistants.

Bar Association Requirements

Different jurisdictions have varying requirements regarding use of AI tools and technology competence. Ovna provides audit trails and compliance reporting to assist with bar association requirements, but users should independently verify compliance with local rules.

Client Confidentiality

Ovna helps enforce client confidentiality policies but does not replace independent professional judgment regarding confidentiality obligations. Attorneys must exercise independent judgment consistent with professional duties.

Changes to Our Privacy Policy

We update this Privacy Policy when necessary to reflect changes in our practices or legal requirements. When we make important changes that affect your privacy rights, we will:

1. Post the updated policy on our website with a clear summary of what has changed
2. Send you an email notification about the changes we make (if you have provided an email address)
3. Post a notice on our Platform about these changes
4. For significant changes affecting legal professional users, provide additional notice through appropriate channels

The updated policy will take effect 30 days after we post it, unless we specify a different date.

We strongly encourage you to check back frequently to see any updates or changes to our Privacy Policy.

Governing Law & Dispute Resolution

All issues and questions concerning the application, construction, validity, interpretation and enforcement of this Privacy Policy shall be governed by and construed in accordance with the laws of the Province of Ontario, and the federal laws of Canada applicable therein. Any disputes arising from this Privacy Policy shall be subject to the exclusive jurisdiction of the courts of Ontario, provided nothing herein prevents us from seeking injunctive relief in any jurisdiction to protect our intellectual property or confidential information.

Contact Us

Please contact our privacy officer at team@orchestraengine.com directly if:

• You have any questions or comments about this Policy
• You need help accessing, updating, and/or correcting inaccuracies in your Personal Information
• You otherwise have a question or complaint about the treatment of your Personal Information
• You need information about data collected by your organization's Ovna deployment (contact your organization's administrator first)

To protect your privacy, we will verify your identity before providing access to your Personal Information or responding to your privacy requests. We will only ask for information necessary to verify your identity.

---

© 2025 Orchestra Engine Inc. All rights reserved.