Privacy Policy

Last updated: 6 June 2026 · Version 2.0

This Privacy Policy explains how Orova AI, Inc. ("Orova", "we", "us", or "our"), a Delaware corporation with its principal office at 2261 Market Street, San Francisco, California 94114, United States, collects, uses, shares, and protects personal data when you use the Orova platform, websites, APIs, and related services (collectively, the "Service"). By accessing or using the Service, you agree to the practices described here.

1. Information we collect

We collect information that you provide directly, information generated through your use of the Service, and information from third parties. This includes account information (name, work email, organization, role, billing details), Customer Content (data you or your end users submit, including audio recordings, transcripts, prompts, and knowledge bases), usage information (feature interactions, telephony metadata, error logs), technical information (IP address, browser, device), and call metadata (called and calling numbers, duration, disposition). We do not knowingly collect data from children under 16.

2. How we use information

We use information to provide, operate, secure, and improve the Service; to support customers and respond to enquiries; to detect, prevent, and respond to fraud, abuse, or platform violations; to comply with legal obligations; and to communicate with you about your account, billing, security, and product updates. We do not sell personal data and we do not use Customer Content to train foundation models, our own models, or our subprocessors' models.

3. Roles: controller and processor

For account, billing, marketing, and website data, Orova acts as a data controller. For Customer Content processed through the Service on behalf of an enterprise customer, Orova acts as a data processor (or service provider under California law). The customer is the controller of that Customer Content and is responsible for the lawful basis to process it, including obtaining consent from data subjects where required.

4. AI processing and Customer Content

Customer Content is processed solely to deliver the features you request, including transcription, voice synthesis, conversational AI, and analytics. We have contractual zero-retention or no-training agreements with our AI model providers so that prompts, transcripts, and recordings sent to those providers are not used to train their models and are not retained beyond what is required to return a response. AI outputs may be inaccurate or incomplete and you are responsible for human review before acting on them in high-stakes contexts.

5. Subprocessors

We use the following categories of subprocessors to deliver the Service: AI model providers — OpenAI, Anthropic, Microsoft Azure, AWS Bedrock, ElevenLabs, Cartesia, Deepgram, Together AI, and Cerebras; telephony — Twilio and Infobip; and cloud infrastructure for hosting and storage. Each subprocessor is bound by contractual confidentiality, security, and privacy obligations. The current subprocessor list is available on request and material additions are notified in advance.

6. Data residency and international transfers

Orova operates infrastructure in the United States, the United Arab Emirates, and the European Union. Enterprise customers can elect EU residency for EU end users, US residency for US end users, or UAE residency where applicable. Cross-border transfers are governed by our Data Processing Addendum, which incorporates the European Commission Standard Contractual Clauses, the UK International Data Transfer Addendum, and equivalent transfer mechanisms where required.

7. Recordings and disclosure

Customers configure call recording inside the Orova platform, choosing whether to enable or disable it per deployment. Where applicable law requires two-party consent or AI disclosure (for example, in California, Florida, Illinois, Massachusetts, Pennsylvania, and Washington, in the EU under the AI Act, and under California SB 1001 and Utah's AI Disclosure Act), the customer is responsible for collecting consent and providing disclosure. Orova provides configurable disclosure prompts and recording controls to support these obligations.

8. Data sharing

We share information with subprocessors who help deliver the Service, with the customer organization that controls your account (for end users), with auditors and professional advisors under confidentiality, and with law enforcement or regulators when legally required or to protect rights, property, or safety. We do not sell personal data and we do not engage in cross-context behavioral advertising.

9. Security

We maintain administrative, technical, and physical safeguards designed to protect personal data, including encryption in transit and at rest, role-based access controls, audit logging, vulnerability management, and incident response procedures. SOC 2 Type II and ISO 27001 are in progress, and HIPAA-aligned configurations are available for healthcare customers under a BAA. No system is perfectly secure, and you are responsible for keeping account credentials confidential.

10. Data retention

We retain personal data only as long as needed to deliver the Service, comply with legal obligations, resolve disputes, or enforce agreements. Customer Content retention is configured by the customer in the Service. Upon termination, we delete or return Customer Content as set out in the Data Processing Addendum, subject to legally required retention.

11. Your rights

Depending on where you live, you may have rights to access, correct, delete, port, or restrict the processing of your personal data; to object to processing; to withdraw consent; and to lodge a complaint with a supervisory authority. End users of an Orova-powered service should contact the customer organization first; we will support that organization in responding. Verified requests can be sent to privacy@orova.ai. EU and UK data subjects can contact eu-privacy@orova.ai.

12. California privacy disclosures

Under the California Consumer Privacy Act (as amended by the CPRA), California residents have the right to know what categories of personal information we collect and how we use them, to delete their personal information, to correct inaccurate information, and to limit the use of sensitive personal information. We do not sell or share personal information for cross-context behavioral advertising. Authorized agents may submit requests on your behalf with proper documentation.

13. Cookies and analytics

We use cookies and similar technologies on the Orova website to remember preferences, support sign-in, secure the site, and understand aggregate usage. You can control cookies through your browser settings. We do not use advertising cookies. The Service itself (after sign-in) does not rely on advertising trackers.

14. Changes to this Policy

We may update this Privacy Policy from time to time. For material changes, we will provide reasonable advance notice by email or in-product notification before they take effect. Continued use of the Service after the effective date constitutes acceptance of the updated Policy.

15. Contact

Privacy questions: privacy@orova.ai.

EU and UK data subject requests: eu-privacy@orova.ai.

Security and incident reports: security@orova.ai.

Postal: Orova AI, Inc., 2261 Market Street, San Francisco, CA 94114, United States.