Privacy Policy

Version 1.0 · Effective 12 June 2026

You hold other people's secrets for a living. This policy explains — in plain language — what we collect, what we do with it, and the lines we never cross.

1.Who we are

In this policy, "Orivo", "we", "us" and "our" mean the operator of orivo.legal and of the Orivo platform (together, the "Service"), including our successors and permitted assigns. We build AI-assisted software for legal professionals.

We wear two hats, and the difference matters. For account and usage data (who you are, how you use the Service) we decide the purposes of processing — the role of a data fiduciary under India's Digital Personal Data Protection Act, 2023, or a data controller under comparable laws. For matter content (your clients' information, documents and communications inside the platform) we act only as a processor on your instructions — your firm remains the fiduciary or controller of that data. The Data Processing Agreement governs that second hat in full.

2.What this policy covers

It covers this website (orivo.legal) and the Orivo platform (app.orivo.legal). It is written to align with the Digital Personal Data Protection Act, 2023 (India) and, where they apply to you, the GDPR and US state privacy laws.

3.What we collect

On this website. If you request early access, we collect what you type into the form: your name, work email, jurisdiction, and (optionally) practice area and city. We use privacy-first, cookie-less analytics that tell us page views and referrers — not who you are. We do not set tracking cookies.

On the platform.

• Account data — name, email, firm affiliation, role.
• Matter content — documents you upload, conversations with Lorven, drafts, briefs, dates and tasks: the substance of your work. Processed only as described in clauses 4 and 5.
• Usage events — actions like "matter created" or "suggestion dismissed", so we know which features earn their place. Usage events never include the contents of your matters.
• Error reports — if something breaks, we capture a technical report. A scrubber strips matter titles, client names and document text before the report leaves your session.

4.How we use it

• To run the Service — store your documents, run the research and drafting you ask for, keep your matters in order.
• To keep it reliable — diagnose errors and performance problems.
• To understand what's useful — aggregate feature usage, never matter content.
• To meet legal obligations that apply to us.

We do not sell personal data. We do not use it for advertising. We do not track you across other websites.

5.The AI commitment

Your matters, documents and conversations are never used to train any AI model — ours or anyone else's. Where matter content is sent to an AI provider to fulfil a request you made (for example, to draft the document you asked for), it is processed under commercial terms that prohibit the provider from using it for model training. Work product generated for you belongs to you.

6.Service providers

We use a small number of vetted providers to operate the Service — cloud hosting and storage, AI model inference, authentication, error monitoring, usage analytics and transactional email. Each is bound by a data-processing agreement and confidentiality obligations commensurate with legal work product. When you run legal research, your search terms are sent to licensed case-law services; your client files are not.

A current list of providers is available on request at [email protected], and platform customers receive at least 14 days' notice before any provider handling matter content is added or replaced (see the DPA).

7.Your rights

• Access — ask for a copy of your personal data.
• Correction — fix anything we hold that's wrong; most of it you can edit directly in the app.
• Erasure — delete your account and data (clause 8 explains the timeline).
• Portability — exports are provided in standard formats, alongside your original uploaded files.
• Withdrawal — withdraw a consent you've given, with effect going forward.

Exercise any of these from the platform's data settings or by writing to [email protected]. If you believe we've mishandled your data, our grievance contact is [email protected]; we respond within 30 days. You may also complain to your supervisory authority — in India, the Data Protection Board.

8.Retention

Account and matter data is kept while your account is active. When you delete your account, we start a 30-day soft-delete window (so an accidental deletion can be reversed), after which matter content is purged from primary storage; copies in backups are removed within 90 days of deletion. Early-access requests from this website are kept until the early-access programme concludes or you ask us to remove them, whichever is sooner. We keep records longer only where the law requires it (for example, billing and tax records).

9.Where data lives

Primary storage is placed in the region closest to your primary jurisdiction. Where data crosses borders — for example between India, the US and the EU — the transfer is made under recognised safeguards such as standard contractual clauses or an applicable adequacy decision.

10.Security

Data is encrypted in transit (TLS 1.2+) and at rest. Every matter is isolated at the database layer, so one firm's data is never visible to another. Access is gated by managed authentication, and every significant action is recorded in an append-only audit log. A fuller description of our security posture is available to firms on request.

11.Changes to this policy

We may update this policy as the Service evolves. Material changes are notified by email and, on the platform, in-app, before they take effect. The version and effective date at the top always tell you what you're reading.

12.Contact

Privacy questions: [email protected] · Grievances: [email protected] · Everything else: [email protected].