Security and Privacy • oorja

BETA

Privacy policy and security

A privacy policy should clearly explain to users how their personal information is collected, used and protected by the business.

Note from Our Team

We're working to make these sections clearer and more user-friendly.

Your privacy and security are fundamental to our collaborative spaces. We actively protect both your data and our platform against misuse. Have questions about how we safeguard your information? We'd love to hear from you at hello@oorja.io.

oorja built with your privacy in mind, ensuring the content and communications stay confidential among collaborating users.

All content-data is encrypted in transit and rest. By content-data we mean chat-messages, diagrams, code, terminal-stream-text or any data created among room-participants using the collaborative apps.
Content-data is synced among participants using secure transports (TLS) when they are online in the space. Content-data is also end-to-end encrypted using 128-bit AES-GCM: oorja servers, and even trusted certificate authorities cannot read into it without the secret key (kept is room's secret link's fragment. The application does not send the secret key to any server or third party).
It is the responsibility of the space-participants to share room-links with trusted peers over trusted channels.
Collaborative apps store content-data on users personal devices (browser storage) encrypted with room-key.
To facilitate collaboration in scenarios where participants are online at different times, content-data is also uploaded to the server as an encrypted snapshot and synced to the participants when they come back online.
Some apps may involve use of external APIs (eg. GPT configured with OpenAI), in such cases the space host must authorize the app to use the API. Such apps will ask for your consent before accessing any other content in the space. (Eg. GPT app asks for consent to view diagrams in the whiteboard app)
Data sent to external APIs only uses TLS (Be sure to read the privacy policy of the external API provider)
Media comms (camera, mic, screen) are end to end encrypted using the room key.
Voice transcriptions if enabled require explicit consent. (eg. in the GPT app). When enabled the audio clip is sent from your device to our server for processing (encrypted but not e2ee anymore since computer needs to process this). The audio is not stored on the server. We use in-house speech-to-text models, no external APIs are involved.
We provide a secure vault (dashboard) for users to store private information like room keys. When user password is set, this vault is protected using strong 256-bit AES-GCM encryption, with a key created from the user's password. The password never leaves your device, and all vault changes are made on-device. If you lose or forget your password, you won't be able to access your vault. The encrypted version of the vault syncs to our server, enabling access from multiple devices while maintaining security.
How do you collect, store and secure user data ?We collect the user's email and profile from the identity provider they choose during sign-in - Google/Github. There can be other identity providers in the future. The sign-in process is used as an authentication challenge (to prove you're not a robot), to ensure fair-use, or payment accounting if any. Your email is not visible to the space participants you collaborate with, however if you use email sign-in, the part of your email before the @ is visible to the space (set as your name).
Data is stored within the US, and not shared with any third party. There are no ads or tracking on this website.
Payment processingStripe for Payment Processing: We use Stripe, a leading online payment service provider, to process payments made through our app. Stripe specializes in secure online transactions. Please note that we do not store or have access to your credit card details. This information is directly managed by Stripe, which adheres to the highest industry standards for data security and privacy. For more information on Stripe’s security practices, please visit their website.
How can users access, update or request the deletion of any personal data collected about them.You can email hello@oorja.io from the email you used to sign-up.
Does this website use cookies ?No
Is my IP address accessible to other participants in the space?No
How users are notified of updates to the policy ?While we don't see policy values changing, we're working on notifications so that users are up to date on any minute changes.
Contact details, so that users can make enquiries about their data, submit a privacy complaint, or submit a security vulnerability report. (Note that we do not have a bug bounty program, please go for established ones if you're looking for a bounty)You can email hello@oorja.io
On premises / private cloud?We understand. As a business you may have certain requirements. Contact us.