Privacy Policy
Effective 23 May 2026
This Privacy Policy explains how PrismiQ OÜ (“we”, “us”) handles your data when you use Ora, an AI-powered timesheet app for freelance consultants, available at oraconsultant.ai (the “Service”). We try to keep the language clear, the scope narrow, and the practices simple. If something here is unclear or you want a copy of the data we hold on you, email us at support@oraconsultant.ai.
Information we collect
We collect only what we need to run the Service. Nothing is sold to third parties or used to power advertising.
Account information. Your email address, name, and a password hash (we never store your password in plaintext). Authentication is handled by Supabase. If you sign in with Google or another OAuth provider, we receive your email and name from that provider.
Timesheet data. The time entries you log: client name, hours worked, description of the work, date, and any associated fee or invoice metadata. Your client records (names, rates, currencies), expected payments, and invoice profiles fall under this.
Payment information. Subscription billing is handled by Stripe. We never see or store your full card details. We receive a Stripe customer ID, subscription status, and the last 4 digits of your card for display in the Account section.
AI input. When you type or speak a sentence to capture an entry, the text is sent to Anthropic's API for parsing. Voice transcription happens in your browser (Web Speech API) before any text leaves your device. We log that an AI call was made (count and timestamp) for billing and rate limiting, but do not retain the input text on our servers beyond what's needed to return the parsed result to you.
Usage data. Standard server logs: IP address, browser type, pages accessed, timestamps. We use this for security (detecting abuse) and to keep the service running. Logs are retained for up to 90 days.
How we use your information
We use your data to operate the Service: render your dashboard, generate your invoices, run AI parsing on the text you submit, process your subscription payments, and send you transactional emails (password resets, billing receipts, invoice notifications). That's the full list. We do not sell your data, we do not share it with advertisers, and we do not use it to train AI models.
Aggregate, fully anonymized usage metrics may inform our product decisions (for example, how many users are on each tier, how often the AI capture is used), but never in a way that can identify you.
Third parties we work with
Ora uses a small set of trusted infrastructure providers. Each receives only the data needed for their function and is contractually bound by their own privacy and security practices.
Supabase hosts your account database, time entries, and client records. Supabase's privacy practices: supabase.com/privacy.
Stripe processes your subscription payments. Stripe's privacy practices: stripe.com/privacy.
Anthropic (Claude) parses your timesheet text into structured entries. Anthropic's privacy practices: anthropic.com/legal/privacy.
Vercel hosts the Ora web application. Vercel's privacy practices: vercel.com/legal/privacy-policy.
Google (Google Calendar API) lets users connect their Google Calendar accounts so meetings can be surfaced as candidate timesheet entries. We only request read-only access; see the Calendar integration section below for the full scope and data-handling description. Google's privacy practices: policies.google.com/privacy.
Microsoft (Microsoft Graph API) lets users connect their Microsoft 365 / Outlook calendars. Same read-only access and same data-handling description as Google; see the Calendar integration section below. Microsoft's privacy practices: privacy.microsoft.com.
We do not use any analytics or advertising trackers.
Calendar integration
If you connect a Google Calendar or Microsoft 365 / Outlook calendar to Ora, we use OAuth 2.0 to request read-only access to your calendar data.
Scopes requested. For Google we request calendar.readonly and userinfo.email. calendar.readonly lets us read meeting metadata (title, start time, duration, attendees, organizer); userinfo.email lets us display which connected Google account an event came from when you have multiple calendars connected. For Microsoft we request Calendars.Read, which grants the same read-only metadata access to your Outlook calendars.
How we use the data. We display upcoming and recent meetings on your Log page so you can convert them into billable timesheet entries with one click. We store the OAuth refresh tokens encrypted in our database so we can fetch new events without asking you to log in again.
What we never do. We never create, modify, or delete events on your calendar; the access is read-only. We do not read meeting bodies, descriptions, or attachments. We do not share, sell, or use your calendar data for any purpose other than displaying candidate timesheet entries to you. We do not use calendar data to train AI models or for advertising of any kind.
Disconnecting. You can disconnect any calendar at any time from Settings - Integrations. Disconnecting revokes our OAuth tokens at the provider and removes the stored credentials from our database. Once disconnected, no further calendar data is read.
Our use of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements. Our use of information received from Microsoft APIs adheres to the Microsoft Identity Platform terms and Microsoft Graph data-use policies.
Cookies and local storage
We use a small number of strictly essential cookies for authentication (your session token) and use your browser's localStorage to remember UI preferences (theme, reporting currency, sort order, dismissed tips). We do not use third-party tracking cookies and we do not load any analytics scripts.
Data retention
We retain your account data for as long as your account exists. If you delete your account, we delete your time entries, clients, expected payments, and invoice profiles within 30 days. Database backups (managed by Supabase) follow Supabase's rolling 7 to 30 day retention policy before the deleted data is fully purged. Logs are retained for up to 90 days.
Your rights
Depending on your jurisdiction, you may have rights under GDPR (EU/UK), PIPEDA (Canada), CCPA (California), or other privacy laws. Ora supports the following regardless of jurisdiction:
Access. You can export every entry as a plain Excel file from the Reports page at any time.
Correction. You can edit your account info, clients, and entries directly in the app.
Deletion. You can clear all your time entries from Settings, and request full account deletion by emailing support@oraconsultant.ai. We will confirm and complete the deletion within 30 days.
Complaint. If you believe we have mishandled your data, you have the right to lodge a complaint with your local supervisory authority (for example, your national data protection regulator in the EU, or the Office of the Privacy Commissioner of Canada). We'd appreciate a chance to address it directly first if possible.
International data transfers
Our infrastructure providers operate servers in multiple regions, which may include locations outside your home country. Where your data is transferred from the EU/UK to countries that do not have an adequacy decision, transfers are protected by Standard Contractual Clauses or equivalent safeguards put in place by the providers we use.
Security
All connections to Ora use HTTPS (TLS). Your account data is stored in a database with row-level security policies that prevent any user from reading or writing another user's data, enforced at the database layer. Supabase encrypts data at rest. We follow standard practices for credential handling, secret rotation, and dependency updates. No service is breach-proof, but we work to keep the surface area small and the controls tight.
Children's privacy
Ora is not directed to children under 16, and we do not knowingly collect data from anyone under that age. If you believe a minor has signed up, contact us and we will delete the account.
Changes to this policy
When we make material changes to this Privacy Policy we will update the effective date at the top and notify you by email at least 14 days before the changes take effect, so you have time to review or close your account if you disagree.
Contact
Questions, concerns, or data requests: email support@oraconsultant.ai. We aim to respond within two working days.