Privacy Policy

1. Who this applies to

This policy applies to visitors and registered users of the service. The data controller is whoever operates the Orasan instance you use (e.g. the company or individual running the production deployment and Supabase project).

2. Information we collect

Depending on how you use Orasan, we may process:

• Account and profile — e.g. email, display name, and settings you provide (including business and client details for invoicing where you choose to store them).
• Authentication — when you sign in with a provider (such as Google or GitHub), we receive identifiers that provider shares with the app, subject to that provider's terms.
• Time and work data — projects, tasks, time entries, work sessions, invoice-related data, and similar content you create in the product.
• Technical data — server logs, IP address, and similar information typically collected by the hosting and database provider for security and operations.

3. How we use information

We use the information above to:

• Provide, maintain, and improve the service;
• Authenticate you and keep your data separated from other users;
• Process subscriptions and entitlements (where Pro billing is enabled);
• Send service-related or transactional messages (e.g. account or billing notices);
• Comply with law and protect the security and integrity of the service.

4. Where data is stored and subprocessors

Orasan is built to run on external infrastructure, typically including:

• Supabase (or compatible backend) for authentication, database storage, and row-level security;
• Freemius (or similar) for checkout, customer portal, and subscription management when you purchase or manage a Pro plan;
• Email delivery (e.g. Resend) for transactional emails the operator configures;
• Application hosting (e.g. Vercel or another host) for running the web application.

Each of these has its own terms and privacy practices. We recommend reviewing their documentation if you need detail on data location and transfers.

5. Data retention and deletion

We keep your data for as long as your account is active and as needed to provide the service. You may be able to delete your account or request deletion through in-app features (e.g. account deletion with confirmation), subject to any legal or billing retention requirements the operator must meet.

6. Your choices

Where applicable, you may access, update, or export your data through the app (for example, data export in user settings) and remove items you control. You may also disconnect OAuth providers at the identity provider, though you may need an account session to use the app.

7. Security

We use industry-standard practices such as encrypted connections (HTTPS) and database row-level security so users can only access their own data, where the deployment is configured correctly. No method of transmission or storage is 100% secure.

8. Children

The service is not directed at children under 18 (or the age required in your jurisdiction). We do not knowingly collect personal information from children.

9. Changes to this policy

We may update this policy from time to time. The "Last updated" date at the top will change when we do. Continued use of the service after changes may constitute acceptance, depending on applicable law and how we notify you.

10. Contact

For privacy questions, contact the operator of this service using the information below. If you use a different Orasan deployment (e.g. self-hosted), that deployment's administrator is the appropriate contact.