Privacy Policy
Security Orchestra — Last updated March 2026
Security Orchestra ("we", "us", "our") is committed to protecting your privacy. This policy explains what information we collect, how we use it, and your rights regarding your data.
1. Information We Collect
| Category | What We Collect | Why |
|---|---|---|
| Account | Email address | Account creation, API key delivery, billing communication |
| Payment | Payment method details (processed and stored by Stripe — we never see raw card numbers) | Subscription billing and credit purchases |
| Usage | Tool invocations, credit deductions, timestamps | Credit tracking, fraud prevention, service improvement |
| Technical | IP addresses, HTTP request logs, user agent strings | Security, abuse prevention, access logging |

We do not collect names, phone numbers, or physical addresses beyond what Stripe may require for payment processing.
2. How We Use Your Information
- Service delivery: Issuing API keys, tracking credit balances, processing tool requests.
- Billing: Charging subscriptions, processing top-up purchases, sending receipts.
- Communication: Sending your API key, verification emails, low-credit warnings, and account notices.
- Fraud and abuse prevention: Monitoring for unusual usage patterns and unauthorized access.
- Legal compliance: Retaining payment records as required by applicable law.
We do not sell, rent, or trade your personal information to third parties for marketing purposes.
3. Third-Party Services
| Provider | Purpose | Data Shared |
|---|---|---|
| Stripe | Payment processing | Email, payment method details. Stripe is PCI-DSS compliant. See Stripe Privacy Policy. |
| SendGrid | Transactional email delivery | Your email address and email content. See Twilio/SendGrid Privacy Policy. |
| Render | Cloud hosting and infrastructure | Application logs (including IP addresses) stored on Render's servers. See Render Privacy Policy. |

4. Data Retention
- Account data (email, API key, credit balance): retained until you request account deletion.
- Access and request logs (IP addresses, tool usage): retained for 90 days, then purged.
- Payment records: retained for 7 years as required by financial regulations.
5. Your Rights
- Delete your account: Request deletion of your account and all associated data (except payment records retained for legal compliance).
- Export your data: Request a copy of the personal data we hold about you.
- Opt out of marketing: We send only transactional emails. To stop receiving low-credit warnings or promotional messages, email us or use the unsubscribe link in any email.
- Correction: Request correction of inaccurate personal data.
6. Cookies
We use session cookies only — small files stored in your browser to keep you logged in during a session. We do not use tracking cookies, advertising cookies, or any third-party analytics cookies. No cross-site tracking occurs.
7. Children's Privacy
The Service is not directed at children under 13. We do not knowingly collect personal information from children. If you believe a child has provided us with personal data, contact us and we will delete it promptly.
8. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of material changes via email. Continued use of the Service after changes are posted constitutes acceptance.
9. Contact
Questions or concerns about your privacy? Contact us at:
Security Orchestra
P.O. Box [Placeholder]
contact.securityorchestra@gmail.com