Founding Partner

50% off setup for the first 5 clients — monthly stays standard. A few spots remain.

The SystemProductsPricingSee a Demo
Get a Free AI AuditBook a Call
Trust & compliance

Privacy, handled the way we handle everything.

We built ORACA AIfor regulated, high-stakes work — so your data is treated as evidence: documented, secured, and never sold. Here's exactly what we collect, why, and the control you keep over it.

Last updated · June 2026Applies to · ORACA AI & deployed agentsAligned with · PIPEDA · CASL

Encrypted end to end

Data is encrypted in transit and at rest. Access is logged and least-privilege.

Never sold

We don't sell or rent your data. Ever. No ad networks, no data brokers.

Consent-first

We only contact you with your consent — and you can withdraw it anytime.

AI, disclosed

When you talk to an AI agent, we tell you — and explain how it uses your input.

01 · Overview

Who we are & what this covers

ORACA AI — represented by Nael, Founder, ORACA AI provides AI-assisted services through this website and chat interface. This policy explains how we handle personal information across this website, our booking tools, and the AI agent we operate.

In plain English

When you message our agent, book a call, or submit a form, we collect only what's needed to help you — and we protect it the way the regulated industries we serve demand.

When ORACA AI operates an AI agent, your data is handled under this policy. We act as the data controller for the information you provide — we determine how it is used and are responsible for protecting it.

02 · What we collect

Information we collect

We collect only what each interaction requires. We don't buy personal data or build hidden profiles.

CategoryExamples
You give usName, email address, phone number, and anything you type into the chat, booking form, or inquiry form.
Conversation dataMessages exchanged with our AI agent, the goal or topic you shared, and the outcome (booked, redirected, etc.).
Collected automaticallyBrowser type, approximate region, and session identifiers needed to run and secure the service.

We do not intentionally collect health records, payment card numbers, or government ID through this service. However, our AI chat accepts free-text input — if you type sensitive information, it is received and stored as conversation content.

03 · How we use it

How we use your information

  • To respond to your enquiry and connect you with Nael.
  • To send booking confirmations, reminders, and — with your consent — follow-up communications about your request.
  • To operate, secure, and improve our AI-assisted services.
  • To meet our legal and regulatory record-keeping obligations.

We do not use your conversations to train third-party public AI models, and we do not sell your information.

04 · AI & automation

AI & automated processing

Our chat interface is powered by an AI assistant. We tell you when you're talking to one.

  • Disclosure: the AI agent identifies itself before you share details. The widget displays a clear “AI assistant” label at all times.
  • Scoring: enquiries may be assessed by an AI model to help prioritize follow-up. This supports — it does not replace — professional judgement.
  • Human review: conversations may be reviewed by our team to ensure quality and accuracy.
Your control

You can ask to speak with a human at any time. You can also request that a significant decision not be made by automated means alone.

06 · Security

How we protect your information

Security isn't a feature here — it's the premise. We apply the safeguards our regulated clients require:

  • Encryption in transit and at rest — all data moves over TLS; data stored in our database is encrypted at rest (AES-256).
  • Least-privilege, logged access — every touch of your data is attributable. Our database enforces access controls at the row level.
  • Append-only audit trail — every material action (capture, AI processing, email send, deletion) is logged and retained for accountability.
  • Secret management — API keys and credentials are stored in encrypted environment vaults, never in source code or version control.
  • Ongoing monitoring — we have defined processes for detecting and handling security incidents.

No system is perfectly secure, but we design, document, and audit ours so issues are containable and traceable.

07 · Retention

How long we keep it

We keep personal information only as long as needed for its purpose, to meet legal obligations, and to resolve disputes — then we delete or anonymize it. Retention is tiered and enforced automatically:

Record typeRetention period
Leads with contact info & appointments6 years
Anonymous chat sessions (no email collected)6 months — data minimization: no ongoing relationship basis
Conversation logs6 months
Compliance & audit logExtended — retained to preserve a defensible chain-of-custody record
Unsubscribe recordsPermanent — CASL requires suppression lists to be kept indefinitely

You can ask us about any specific record at any time using the request form in §09.

08 · Sharing

Who we share it with

We share personal information only as needed to run the service. Our sub-processors are bound by contract to process data only on our behalf:

Sub-processorPurpose & data involved
Hosting & database (Vercel, Supabase)Running the application and storing lead, conversation, and appointment records securely. Data resides on US-based servers.
AI model provider (OpenAI)Generating agent responses. The full text of your chat messages is sent to OpenAI's API to produce replies.
Email delivery (Gmail)Booking confirmations, reminders, and consented follow-up emails. Includes your name, email, and appointment details.
Calendar & scheduling (Google)Creating calendar events and meeting links when you book. Includes your name, email, and appointment goal.
Internal notifications (Slack)Notifying our team of new enquiries. Includes your name, email, and a summary of your message.

All sub-processors listed above are based in the United States. When your information is processed outside Canada, it may be subject to the laws of that jurisdiction, which may differ from Canadian privacy law. By using our services, you acknowledge this cross-border transfer.

We never sell or rent personal information, and we don't share it with advertising networks or data brokers. We may share with legal or safety authorities when required by law.

09 · Your rights

Your rights & choices

Under PIPEDA, you have the right to:

  • Access — request a copy of the personal information we hold about you. We will respond within 30 days (PIPEDA s.8(3)).
  • Correction — request that inaccurate or incomplete information be corrected (PIPEDA s.12).
  • Deletion — request that your personal information be deleted from our active systems. We will honour requests except where law requires retention.
  • Withdrawal of consent — withdraw consent to our use of your personal information at any time, which may limit our ability to serve you.
  • Unsubscribe — reply STOP to any commercial email to be permanently removed from our contact list.

We'll verify your identity before disclosing records, and respond within 30 days. You may also raise a concern directly with the Office of the Privacy Commissioner of Canada.

Privacy request · access, correction or deletion

ORACA AI will respond within 30 days as required by PIPEDA s.8(3). We may ask you to verify your identity before disclosing records.

10 · Contact

Talk to us about your privacy

Questions, requests, or concerns about this policy or your data — reach our Privacy Officer directly.

Privacy Officer

Mead · ORACA AI
Halifax, Nova Scotia
Response within one business day
Email the Privacy Officer