1. Introduction
Orvilo ("we," "our," or "us") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our Software-as-a-Service (SaaS) platform.
2. Information We Collect
2.1 Information You Provide
We collect information that you provide directly to us, including:
- Account Information: Name, email address, username, password, and profile information. If you sign up with Google, we receive your name, email address, and profile picture from Google.
- Business Information: Company name, address, phone number, tax ID, banking details, and logo. Sensitive data is encrypted at rest.
- Client Data: Client names, contact information, company details, and notes that you enter. We process this data on your behalf as a data processor. You are responsible for ensuring you have a lawful basis to collect and use your clients' data. If you invite clients to the client portal, they may create accounts or access their data via invitation links; we process their data as necessary to provide the portal.
- Content: Proposals, invoices, contracts, tasks, notes, time entries, and other content you create or upload
- Contract and Signature Data: When contracts are signed, we store the signer's name, email, signature image data, timestamp, and IP address. Signers may include your clients or other parties who do not have Orvilo accounts.
- File Attachments: Files you upload to tasks and comments; stored securely
- Payment Information: Billing details for Orvilo subscriptions, processed through Stripe. Invoice payments from your clients go directly to your connected Stripe account—we do not receive or hold those funds.
- Custom API Keys: If you provide your own OpenAI API key, it is stored securely and used solely for your AI requests.
2.2 Automatically Collected Information
When you use our Service, we automatically collect:
- Usage Data: How you interact with the Service, features used, and time spent
- Device Information: IP address, browser type, device type, and operating system
- Log Data: Access times, pages viewed, and actions taken
- Proposal and Invoice View Tracking: When shared proposals or invoices are viewed (including by non-Orvilo users via public links), we collect IP address, device type, referrer, and whether the link was forwarded—for analytics and fraud prevention
- Contract Signing: When a contract is signed (including by non-Orvilo users via signing links), we collect IP address, device information, timestamp, and signature data—for audit trails and legal compliance
- Analytics: We use Google Analytics to understand usage patterns. See Section 2.3 for cookies.
2.3 Cookies and Tracking Technologies
We use cookies and similar tracking technologies to:
- Session and CSRF: Maintain your session and authentication state; protect against cross-site request forgery
- Preferences: Remember your preferences and settings (e.g., workspace selection)
- Analytics: Google Analytics (gtag.js) to analyze usage patterns and improve our Service. Google's privacy policy applies: policies.google.com/privacy
3. How We Use Your Information
We use the collected information for the following purposes:
- Service Provision: To provide, maintain, and improve our Service
- Account and Workspace Management: To create and manage your account and workspaces, process subscriptions, and handle billing. Data is organized by workspace; workspace members (if applicable) may have access to workspace data.
- Contracts and Electronic Signing: To facilitate contract creation, delivery of signing links, collection of signatures, storage of signed documents, and audit trails (signer identity, timestamp, IP).
- Client Portal: To provide invited clients access to their projects, tasks, invoices, and contracts. Client portal access is controlled by you.
- Communication: To send you service-related notifications, updates, and support responses
- AI Features: To generate proposals and other AI-powered content using your data and preferences
- Analytics: To analyze usage patterns, improve features, and enhance user experience
- Security: To detect, prevent, and address security issues and fraudulent activity
- Legal Compliance: To comply with legal obligations and enforce our terms
4. Data Sharing and Disclosure
We do not sell your personal information. We may share your information only in the following circumstances:
- Service Providers: With trusted third-party service providers who assist in operating our Service (e.g., cloud hosting and file storage, Stripe for subscriptions, email delivery). Contract PDFs and signed documents are stored in our cloud storage.
- Stripe Connect: When you connect your Stripe account for invoice payments, Stripe collects your business and bank details directly. We store only your connected account ID. Invoice payments from your clients go directly to your Stripe account—we do not receive or hold those funds.
- AI Services: With AI service providers (e.g., OpenAI) to generate proposals and content. If you use your own OpenAI API key, requests go to OpenAI under your account; if you use our system key, we send content to OpenAI on your behalf. Subject to OpenAI's privacy policy.
- Legal Requirements: When required by law, court order, or government regulation
- Business Transfers: In connection with a merger, acquisition, or sale of assets
- With Your Consent: When you explicitly authorize us to share your information
5. Data Security
We implement appropriate technical and organizational measures to protect your information, including:
- Encryption of data in transit (TLS/HTTPS) and at rest
- Secure authentication and access controls
- Regular security assessments and updates
- Limited access to personal data on a need-to-know basis
- Secure cloud infrastructure with industry-standard protections
- File attachments stored securely in cloud storage with access controls
However, no method of transmission over the Internet or electronic storage is 100% secure. While we strive to protect your data, we cannot guarantee absolute security.
6. Data Retention
We retain your information for as long as necessary to:
- Provide our Service to you
- Comply with legal obligations
- Resolve disputes and enforce agreements
- Maintain business records
When you delete your account, we will delete or anonymize your personal information within a reasonable timeframe, except where we are required to retain it for legal purposes.
7. Your Rights and Choices
You have the following rights regarding your personal information:
- Access: Request access to your personal information
- Correction: Update or correct inaccurate information through your account settings
- Deletion: Request deletion of your account and associated data
- Data Portability: Request a copy of your data in a machine-readable format
- Opt-Out: Unsubscribe from marketing communications (service-related emails may still be sent)
- Cookie Preferences: Manage cookie settings through your browser
To exercise these rights, please contact us through our contact page.
8. International Data Transfers
Your information may be transferred to and processed in countries other than your country of residence. Our cloud infrastructure may store data in regions such as the European Union or United States, depending on configuration. Third-party services (Stripe, OpenAI, Google) process data in accordance with their own data location practices. These countries may have data protection laws that differ from those in your country. We ensure appropriate safeguards (e.g., standard contractual clauses, adequacy decisions) are in place to protect your information in accordance with this Privacy Policy.
9. Children's Privacy
Our Service is not intended for individuals under the age of 18. We do not knowingly collect personal information from children. If you believe we have collected information from a child, please contact us immediately.
10. Third-Party Services
Our Service may contain links to third-party websites or integrate with third-party services, including:
- Google: For sign-in and account creation; Google Analytics for usage analytics. When you sign up or log in with Google, we receive your name, email address, and profile picture. Google's privacy policy applies: policies.google.com/privacy
- Stripe: For Orvilo subscription billing and for Stripe Connect (invoice payments). When you connect Stripe, Stripe collects your business and bank details directly. Invoice payments go to your Stripe account. Stripe's privacy policy applies: stripe.com/privacy
- OpenAI: For AI-powered proposal generation. Content is sent to OpenAI when you use AI features. If you provide your own API key, requests go under your OpenAI account. OpenAI's privacy policy applies: openai.com/privacy
- Cloud infrastructure providers: For hosting and file storage (e.g., attachments).
We are not responsible for the privacy practices of these third parties. We encourage you to review their privacy policies.
11. AI and Machine Learning
We use artificial intelligence (e.g., OpenAI) to:
- Generate proposals based on project descriptions
- Enhance and improve content
- Provide personalized recommendations
AI processing involves sharing your content with OpenAI. If you use your own OpenAI API key, requests go directly to OpenAI under your account. If you use our system key, we send content to OpenAI on your behalf. OpenAI is contractually obligated to protect your data and use it in accordance with their privacy policy. We do not use your content to train OpenAI's general models.
12. Changes to This Privacy Policy
We may update this Privacy Policy from time to time. We will notify you of material changes by:
- Posting the updated policy on our website
- Sending an email notification to your registered email address
- Displaying a notice within the Service
Your continued use of the Service after changes become effective constitutes acceptance of the updated Privacy Policy.
13. California Privacy Rights
If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA), including:
- The right to know what personal information is collected
- The right to delete personal information
- The right to opt out of the sale of personal information (we do not sell personal information)
- The right to non-discrimination for exercising your privacy rights
14. GDPR Rights (European Users)
If you are located in the European Economic Area (EEA), you have additional rights under the General Data Protection Regulation (GDPR), including:
- Right to access, rectification, and erasure
- Right to restrict processing
- Right to data portability
- Right to object to processing
- Right to withdraw consent
15. Contact Us
If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us at info@iwl.no or through our contact page.
16. Data Controller
The data controller is Iw Løvold. For any privacy-related inquiries, please contact us at info@iwl.no.