Privacy Policy

How we handle the information you share with us.

Plain English. No dark patterns. We collect what we need to respond to your enquiry, generate a draft BRD/customer plan, and keep the site free of spam.

Last updated: June 2026


Short version

We collect what you submit (name, work email, company, workflow description, and reference URLs). We use it to reply, generate a draft BRD, and meet our own legal record-keeping needs. We share clean planning context with the configured AI provider to draft the BRD, with Resend to send your OTP, and with the hosts that run the site. We do not sell, advertise, or profile.

What we collect

When you fill in the project planner, the contact form, or the email-verification flow, we collect: your name, work email, phone (if you provide it), company name, country, the workflow description you write, reference URLs you provide, and the page you came from (portfolio slug or service slug, so we can answer with context).

When you use the chat assistant ("Aora") we store the messages of that session in your browser's sessionStorage so the conversation survives a refresh. We do NOT log Aora chat messages on our servers by default.

Server-side, we keep an anti-spam ledger of hashed IP addresses tied to OTP sends, BRD Planner submissions, and portfolio likes. The IPs are HMAC-hashed before storage — we cannot reverse them back to the original address.

Standard server logs from our hosting provider (Vercel) may briefly retain your IP, user-agent, and the URL you requested for operational and security purposes.

How we use it

To respond to your enquiry — review your intake, follow up by email or phone, and prepare a scope of work if it leads to a project.

To enforce anti-abuse limits (rate-limiting OTP sends, preventing the same email from generating repeated BRD drafts, blocking obvious bots).

To verify that the email you supplied is a real, reachable work address before we generate a draft BRD. We use OpenAI's API to check that the email's domain looks like a legitimate company domain (not a known public webmail or one-time disposable provider).

To send transactional emails — your OTP code, lead notifications to our team, the occasional follow-up on a project enquiry. We do NOT send marketing newsletters from this site.

Where it lives

Form submissions, email-verification rows, BRD requests, legacy quote records, and quota ledger entries are stored in Supabase (managed Postgres). The database is restricted by row-level security so only AorBorC staff with the service-role key can read it.

The public BRD planner does not accept file uploads. You may provide up to three HTTPS reference URLs; each URL is capped, checked for unsafe hosts and file types, scanned before model use, and excluded from the model context unless it is clean.

Email is sent through Resend. Resend retains delivery metadata according to their own privacy policy.

Our infrastructure runs on Vercel (US/EU edge regions). Operational logs are retained for the period Vercel specifies in its terms.

Third parties we share with

OpenAI or the configured AI provider — we send your project description and clean extracted reference text, when available, in order to generate a draft BRD/customer plan and to validate that your email domain is a real company domain. We do NOT send your name, phone, or address in the validation request — only the domain portion.

Resend — we use Resend to deliver OTP codes and lead notifications. The recipient address and the email body are processed by Resend for delivery.

Zoho SalesIQ — our site embeds the Zoho SalesIQ live-chat widget. If you interact with that widget, Zoho receives whatever you type into it, plus standard analytics data their widget collects.

Vercel Analytics — we use Vercel's privacy-friendly analytics to count page views. It does not use cookies and does not identify you individually.

Cloudflare Turnstile — the project planner uses Cloudflare Turnstile (in invisible mode) to tell humans from bots before we send a verification code or generate a BRD. Turnstile may process device and interaction signals to make that determination. See Cloudflare's Turnstile Privacy Addendum at https://www.cloudflare.com/turnstile-privacy-policy/.

We do NOT sell your personal information. We do NOT share it with advertising networks.

Cookies and similar storage

aorborc_email_verified — an HMAC-signed token, set for 1 hour after you successfully verify an email via OTP. It is used to gate the BRD generation step. HTTP-only, SameSite=Lax, secure in production.

Supabase session cookies — set only if you sign into the admin area (employees only).

sessionStorage (browser-only) — used to remember the open chat conversation and to remember if you've already seen the Aora nudge tooltip.

aorborc_visitor_v1 (browser-only localStorage) — only if you accept the privacy banner: your name, email, phone, and company are saved on YOUR device so our forms prefill and you type less. It never leaves your browser; clear it anytime with the control below.

aorborc_consent_v1 (browser-only localStorage) — records whether you accepted that banner.

We do not set tracking cookies or third-party advertising cookies.

How long we keep it

BRD and legacy request records: retained indefinitely for our internal project history. We will purge yours on request — see "Your rights" below.

Email verification rows: code hashes expire 10 minutes after creation; the row itself is purged after 30 days.

Anti-abuse rate-limit events: 24 hours.

Reference URL security results: retained with the BRD request so we can explain what was included, excluded, flagged, or queued for review.

Legacy signed document links, where present, expire according to their token settings. The current public BRD planner does not create customer-facing PDF, quote, or proposal links.

Your rights

You can ask us at any time to: tell you what data we hold about you, correct anything that's wrong, delete your record, or restrict how we use it. Submit the request through our /contact form using the same email address we have on file and we'll confirm within 7 working days.

If you're in the EU, UK, or India, you have additional rights under GDPR / DPDPA. We honour them regardless of where you write to us from.

If you believe we've mishandled your data, you can complain to your local supervisory authority.

Contact

Data protection enquiries: submit through /contact and put "Privacy" in the subject line.

Company: AorBorC Technologies, Shyamala Tower, Regus 3rd Floor, Arcot Rd, Saligramam, Chennai — 600093, India.

Phone: +1 (872) 267-2672 (872-AORBORC)

Your data on this device

Clear the contact details we saved in your browser to prefill forms. This affects only this device and browser.

Changes to this policy

We update this page when our processing materially changes. The date at the top reflects the latest revision. There's no commit history pop-up — submit a request through our contact form if you want to see what changed.