We built ORACA AIfor regulated, high-stakes work — so your data is treated as evidence: documented, secured, and never sold. Here's exactly what we collect, why, and the control you keep over it.
Data is encrypted in transit and at rest. Access is logged and least-privilege.
We don't sell or rent your data. Ever. No ad networks, no data brokers.
We only contact you with your consent — and you can withdraw it anytime.
When you talk to an AI agent, we tell you — and explain how it uses your input.
ORACA AI — represented by Nael, Founder, ORACA AI provides AI-assisted services through this website and chat interface. This policy explains how we handle personal information across this website, our booking tools, and the AI agent we operate.
When you message our agent, book a call, or submit a form, we collect only what's needed to help you — and we protect it the way the regulated industries we serve demand.
When ORACA AI operates an AI agent, your data is handled under this policy. We act as the data controller for the information you provide — we determine how it is used and are responsible for protecting it.
We collect only what each interaction requires. We don't buy personal data or build hidden profiles.
| Category | Examples |
|---|---|
| You give us | Name, email address, phone number, and anything you type into the chat, booking form, or inquiry form. |
| Conversation data | Messages exchanged with our AI agent, the goal or topic you shared, and the outcome (booked, redirected, etc.). |
| Collected automatically | Browser type, approximate region, and session identifiers needed to run and secure the service. |
We do not intentionally collect health records, payment card numbers, or government ID through this service. However, our AI chat accepts free-text input — if you type sensitive information, it is received and stored as conversation content.
We do not use your conversations to train third-party public AI models, and we do not sell your information.
Our chat interface is powered by an AI assistant. We tell you when you're talking to one.
You can ask to speak with a human at any time. You can also request that a significant decision not be made by automated means alone.
We rely on two consent bases under CASL, and we treat them differently:
| Basis | What it means & how long it lasts |
|---|---|
| Implied consent | When you message our agent or submit an enquiry, that's implied consent to reply and follow up about it. Under CASL this lasts 6 months — after that, enquiry-based contacts are automatically excluded from outreach unless you've expressly opted in. |
| Express consent | When you explicitly opt in (for example, by ticking a consent checkbox), we may contact you about relevant services until you withdraw it. No 6-month expiry. |
If you reach out and then go quiet, our system stops contacting you after 6 months on its own — that's CASL, enforced in code, not left to memory.
Security isn't a feature here — it's the premise. We apply the safeguards our regulated clients require:
No system is perfectly secure, but we design, document, and audit ours so issues are containable and traceable.
We keep personal information only as long as needed for its purpose, to meet legal obligations, and to resolve disputes — then we delete or anonymize it. Retention is tiered and enforced automatically:
| Record type | Retention period |
|---|---|
| Leads with contact info & appointments | 6 years |
| Anonymous chat sessions (no email collected) | 6 months — data minimization: no ongoing relationship basis |
| Conversation logs | 6 months |
| Compliance & audit log | Extended — retained to preserve a defensible chain-of-custody record |
| Unsubscribe records | Permanent — CASL requires suppression lists to be kept indefinitely |
You can ask us about any specific record at any time using the request form in §09.
We share personal information only as needed to run the service. Our sub-processors are bound by contract to process data only on our behalf:
| Sub-processor | Purpose & data involved |
|---|---|
| Hosting & database (Vercel, Supabase) | Running the application and storing lead, conversation, and appointment records securely. Data resides on US-based servers. |
| AI model provider (OpenAI) | Generating agent responses. The full text of your chat messages is sent to OpenAI's API to produce replies. |
| Email delivery (Gmail) | Booking confirmations, reminders, and consented follow-up emails. Includes your name, email, and appointment details. |
| Calendar & scheduling (Google) | Creating calendar events and meeting links when you book. Includes your name, email, and appointment goal. |
| Internal notifications (Slack) | Notifying our team of new enquiries. Includes your name, email, and a summary of your message. |
All sub-processors listed above are based in the United States. When your information is processed outside Canada, it may be subject to the laws of that jurisdiction, which may differ from Canadian privacy law. By using our services, you acknowledge this cross-border transfer.
We never sell or rent personal information, and we don't share it with advertising networks or data brokers. We may share with legal or safety authorities when required by law.
Under PIPEDA, you have the right to:
We'll verify your identity before disclosing records, and respond within 30 days. You may also raise a concern directly with the Office of the Privacy Commissioner of Canada.
Questions, requests, or concerns about this policy or your data — reach our Privacy Officer directly.