Privacy policy and security

oorja built with your privacy in mind, ensuring the content and communications stay confidential among collaborating users.

• All content-data is encrypted in transit and rest. By content-data we mean terminal-stream-text, chat-messages, diagrams, code or any data created among room-participants using the collaborative apps.
• Content-data is synced among participants using secure transports (TLS) when they are online in the room. Content-data is also end-to-end encrypted using 128-bit AES-GCM: oorja servers, and even trusted certficate authorities cannot read into it without the secret key (kept is room's secret link's fragment. The application does not send the secret key to any server or third party).
  It is the responsibility of the room-participants to share room-links with trusted peers over trusted channels.
• Collaborative apps store content-data on users personal devices (browser storage) encrypted with room-key.
  To facilitate collaboration in scenarios where participants are online at different times, content-data is also uploaded to the server as an encrypted snapshot and synced to the participants when they come back online.
• Some apps may involve use of external APIs (eg. GPT configured with OpenAI), in such cases the room host must authorize the app to use the API. Such apps will ask for your consent before accessing any other content in the room. (Eg. GPT app asks for consent to view diagrams in the whiteboard app)
  Data sent to external APIs is is not end-to-end encrypted, it only uses TLS (Be sure to read the privacy policy of the external API provider)
• Media comms (camera, mic, screen) are end to end encrypted using the room key. For voice transcriptions (eg. in the GPT app), the audio clip is sent to the server for processing. The audio is not stored on the server. We use in-house speech-to-text models, no external APIs are involved.
• We provide a secure vault (dashboard) for users to store private information like room keys. This vault is protected using strong 256-bit AES-GCM encryption, with a key created from the user's password. The password never leaves your device, and all vault changes are made on-device. If you lose or forget your password, you won't be able to access your vault. The encrypted version of the vault syncs to our server, enabling access from multiple devices while maintaining security.
• How you do you collect, store and secure user data ?We collect the user's email and profile from the identity provider they choose during sign-in - Google/Github. There can be other identity providers in the future. The sign-in process is used as an authentication challenge (to prove you're not a robot), to ensure fair-use, or payment accounting if any. Your email is not visible to the room participants you collaborate with.
  Data is stored within the US, and not shared with any third party. There are no ads or tracking on this website.
• Payment processingStripe for Payment Processing: We use Stripe, a leading online payment service provider, to process payments made through our app. Stripe specializes in secure online transactions. Please note that we do not store or have access to your credit card details. This information is directly managed by Stripe, which adheres to the highest industry standards for data security and privacy. For more information on Stripe’s security practices, please visit their website.
• How can users access, update or request the deletion of any personal data collected about them.You can email akshay@oorja.io from the email you used to sign-up.
• Does this website use cookies ?No
• Is my IP address accessible to other participants in the room?No
• How are users are notified of updates to your policy ?While we don't see policy values changing, we're working on notifications so that users are up to date on any minute changes.
• Contact details, so that users can make enquiries about their data, submit a privacy complaint, or submit a secruity vulnerability report.You can email akshay@oorja.io