Legal
Privacy Policy
Last updated:
This page explains what data Oreni collects, why we collect it, how long we keep it, and the rights you have over it.
1. Who we are
Oreni is operated by Oreni (“we”, “us”, “our”), with business address Mirabel Residence, Block C5, 1st Floor, Bir El Djir, Oran, Algeria. We are the data controller for personal data processed in connection with the service. For any privacy enquiry, write to contact@oreni.co.
2. Data we collect
Account data
- Email address — used to log you in (magic link or Google OAuth) and to contact you about your account.
- Authentication identifiers — provider IDs from Supabase Auth (and, if you log in with Google, the OAuth subject identifier).
- Display name — derived from your OAuth profile on sign-up. You can change or clear it.
- Plan and role — which Oreni plan your account is on and whether you have administrator privileges.
Course and learning data
- The URLs you submit for course generation, the structured courses Oreni produces from them, your progress (which sections you’ve completed, your quiz attempts, your recall responses), and any feedback you submit via the in-app “Report inaccuracy” buttons or rating prompts.
- Generated courses are stored in our database so you can resume them. Recall responses are versioned; older responses are preserved with an
is_current=falseflag rather than deleted, so you can review history.
Usage telemetry
- AI usage logs — for every AI call we make on your behalf we record the endpoint, model used, token counts, duration, cost, status, and (on failure) error code. Stored in the
gemini_usagetable. We use this for cost control, reliability monitoring, and capacity planning. - Transcript fetch logs — similar fields for each transcript pull, stored in
supadata_usage. - Daily activity — once-per-day, per-account heartbeat indicating that you used the app on a given date. Stored in
user_activity. - Product events — structured events such as course-started, quiz-passed, recall-completed, recorded in
user_events.
Operational data
- Error reports (Sentry) — uncaught exceptions and server-side AI failures. Reports include user ID, plan code, the stack trace, and the URL where the error happened.
- Support chat transcripts (Crisp) — if you start a chat with us via the in-app widget, Crisp stores the conversation and associates it with your email so we can follow up.
- Server logs — Vercel records standard HTTP request metadata (timestamp, path, method, status code, response time) for a short window for operational monitoring.
Anonymous-visitor data
Guests who generate a course without an account are subject to a daily per-IP quota. We hash your IP address with a per-day rotating salt before storing it in the anon_generation_attempts table. The hash cannot be reversed and rotates each calendar day, so the same IP appears under a different bucket on consecutive days.
3. Why we process this data — legal bases
For visitors in the European Economic Area, the United Kingdom, and other jurisdictions with comparable regimes, we rely on the following legal bases (GDPR Article 6 / equivalent):
- Performance of a contract — to provide the service you signed up for: account management, course generation, progress tracking.
- Legitimate interests — for usage telemetry, cost control, AI quality tuning, fraud and abuse prevention, security monitoring, and service improvement. We have balanced these interests against your privacy rights and consider the impact proportionate.
- Consent — for any optional channel (currently: opening the support chat widget loads Crisp; declining is as simple as not opening it).
- Legal obligation — to respond to lawful requests from competent authorities and to retain records where law requires.
4. Sharing your data — subprocessors
We do not sell your data. We share it only with the third-party providers we rely on to run the service. Each one is bound by a data processing agreement and processes data only on our instructions for the specified purpose.
| Subprocessor | Purpose | Data category | Region |
|---|---|---|---|
| Supabase | Authentication + Postgres database (account, course, progress, feedback, telemetry) | All of the above | EU / US (per project region) |
| Google (Gemini) | AI generation (course structure, lessons, recall, quizzes, content classification) | Submitted URLs, derived transcripts, prompts | US (with Gemini API regional routing) |
| Supadata | YouTube transcript retrieval | YouTube video IDs you submit | US |
| Sentry | Error monitoring | User ID, plan code, stack traces, request URL | EU / US (per Sentry project) |
| Crisp | In-app support chat (when opened) | Email, plan code, chat transcript | EU |
| Vercel | Hosting + edge compute + log storage | Request metadata, deployed app code | Global edge with primary regions per project |
Some of these providers are located outside the EEA. Where required, transfers rely on the European Commission’s Standard Contractual Clauses or an adequacy decision.
5. How long we keep your data
- Account data: while your account is active and for a short cool-off window after deletion in case you change your mind.
- Generated courses and progress: while your account is active. Deletion of your account cascades to your course enrolment rows, progress rows, recall responses, and quiz responses.
- Recall response history: previous attempts are retained with
is_current=falseuntil you ask us to delete them or your account is deleted. - Usage telemetry: indefinitely in aggregated form for cost and reliability analytics; individual rows are retained as long as the related course exists.
- Error reports: per Sentry’s default retention (currently 30–90 days depending on the event class).
- Support chat transcripts: per Crisp’s retention policy on our plan.
- Anonymous-visitor IP hashes: kept for the rolling 7-day quota window, then purged.
6. Your rights
You have the right to access the personal data we hold about you, to ask us to correct it, to request a portable copy, to ask us to delete it, to object to or restrict certain processing, and to lodge a complaint with a supervisory authority. To exercise any of these rights, email contact@oreni.co from the address on your account. We aim to respond within 30 days.
We will not sell your data, swap it for advertising profiling, or otherwise share it for purposes unrelated to running the service.
7. Security
We use industry-standard transport encryption (TLS) for all traffic. Login is handled by Supabase Auth using magic links or OAuth — we do not store passwords. Service-role database access is restricted to server-side code and is never exposed to the browser. We monitor production errors via Sentry and remediate security issues promptly. No system is perfectly secure; please report any suspected vulnerability to contact@oreni.co.
8. Children
Oreni is not directed at children under 13 (or the higher minimum age required by your local law). We do not knowingly collect data from children under that age. If you believe a child has provided us with personal data, please contact us and we will delete it.
9. Changes to this policy
We may update this Privacy Policy from time to time. Material changes will be announced via the in-app notice system or by email to the address on your account, with at least seven days’ notice for active users. The “Last updated” date at the top reflects the most recent revision.
10. Contact
Privacy contact: contact@oreni.co. Postal: Mirabel Residence, Block C5, 1st Floor, Bir El Djir, Oran, Algeria.