
Privacy Policy

How OORT Labs collects, uses, stores, shares and protects personal data in the context of the OORT Flows product.

Last updated: April 22, 2026
Version: 1.0
Notice

This document is a technical template reflecting the product's current data-processing practices. It does not replace legal review. Before publication, submit it to OORT Labs' legal department and Data Protection Officer (DPO) to confirm compliance with LGPD (Law 13,709/2018), GDPR (Regulation 2016/679), CCPA and other applicable rules.

1. Introduction

This Privacy Policy describes how OORT Labs ("OORT", "we") collects, uses, stores, shares and protects personal data in the context of the OORT Flows product ("Service", "Platform").

This Policy should be read together with the Terms of Use and the OORT Hub Privacy Policy, which governs user identity and authentication.

2. Controller and Data Protection Officer (DPO)

  • Controller: OORT Labs, [CNPJ 00.000.000/0001-00], headquartered at [full address].
  • Data Protection Officer (DPO): [Name] — [dpo@oortlabs.com].

For European users, the representative in the European Union is: [representative name and address, if applicable].

3. Processing Roles

OORT Flows acts in distinct roles according to the nature of the data:

| Scenario | OORT's Role | User/Organization Role |
|---|---|---|
| Account data received from OORT Hub (identifiers, email, role) | Joint controller with OORT Hub | Data subject |
| User Content processed by the flows (files, documents, third-party integration data, personal data of the Organization's customers) | Processor (data processor) | Controller |
| Operational logs and usage metrics | Controller | Data subject |

When OORT acts as Processor, processing is carried out strictly in accordance with the Organization's instructions, recorded through flow configuration.

4. Data Collected

4.1. Data Received from OORT Hub

OORT Flows does not create its own accounts. The following data arrives via JWT issued by the Hub:

  • user_id — user identifier
  • tenant_id — tenant identifier
  • email — email address
  • role — user role within the tenant (e.g. tenant_admin)
  • product_access — list of products the user can access
  • jti, exp, iat — standard JWT claims

4.2. Data Provided by the User

When using the Platform, the User may provide:

  • Flow definitions: name, description, nodes, connections, parameters;
  • Integration credentials: OAuth tokens (Google, Microsoft, Slack, Jira, Zendesk, DocuSign, Notion, etc.), stored encrypted at rest with Fernet/AES;
  • Uploaded files: PDFs, spreadsheets, images and other files loaded as flow inputs;
  • Messages exchanged with AI agents (Ortis, Flow Builder, specialized agents);
  • User preferences (theme, language, UI settings);
  • Tenant settings: credit limits, internal policies.

4.3. Data Generated by the Service

  • Flow execution logs: inputs, intermediate outputs, timestamps, duration, status;
  • Audit logs (MongoDB `audit_events`): action, tenant, actor, result, IP, timestamp — events such as login, logout, integration connect/disconnect, configuration changes, authentication failures;
  • Usage and billing metrics: consumed credits, calls to AI providers, calls to third-party integrations;
  • Technical data: IP address, user-agent, session identifiers (oort_flows_session cookie), performance telemetry (via Logfire).

4.4. Data Processed Through Flows

When the User configures flows, personal data of third parties (the User's customers, leads, employees) may be routed through the Service. In these cases, OORT acts as Processor, and the User/Organization is the Controller.

5. Purposes and Legal Bases

Processing takes place for the following purposes and legal bases (LGPD art. 7 / GDPR art. 6):

| Purpose | Legal Basis |
|---|---|
| Authenticate access and enforce permission controls | Contract performance (LGPD VII / GDPR 6(1)(b)) |
| Execute flows configured by the User | Contract performance |
| Store integration credentials securely | Contract performance |
| Submit data to AI providers for processing | Contract performance |
| Generate security audit logs | Legal obligation / Legitimate interest (security) |
| Apply rate limits and prevent abuse | Legitimate interest (Service integrity) |
| Perform billing and financial management | Contract performance / Legal obligation (tax) |
| Operational and support communications | Contract performance |
| Improve the Service (aggregate metrics, no re-identification) | Legitimate interest |
| Comply with legal requests and defend in proceedings | Legal obligation / Exercise of rights |

OORT Flows does not use User Content to train its own AI models.

6. Third-Party Sharing

Data may be shared with the following categories of third parties, strictly for the purposes above:

6.1. AI Providers

Data routed through AI nodes is sent to the provider selected by the User, among:

| Provider | Purpose |
|---|---|
| OpenAI | LLM inference |
| Anthropic | LLM inference |
| Google Gemini | LLM inference and embeddings |
| AWS Bedrock | Managed LLM inference |
| Cohere | Inference and embeddings |
| Groq | Accelerated LLM inference |

Each provider has its own retention and usage policy. The User must review them and select providers compatible with their internal policy.

6.2. Services Integrated by the User

When the User connects an integration (Google Workspace, Slack, Jira, Zendesk, Microsoft Dynamics, Microsoft Teams, DocuSign, Notion, among others), relevant data is transmitted to the corresponding service according to the OAuth scopes granted.

6.3. Cloud Infrastructure

  • AWS S3 — file storage;
  • Microsoft Azure — hosting infrastructure (per operational documentation);
  • MongoDB Atlas / managed Postgres / Redis — operational databases (per environment);
  • Logfire (Pydantic) — observability and telemetry.

These providers act as sub-processors, bound by data processing agreements (DPA) and contractual clauses compatible with LGPD/GDPR.

6.4. OORT Hub

OORT Hub receives and issues identity and permission data (JWT). The Hub's policies apply as a complement to this Policy.

6.5. Competent Authorities

We may disclose data when required by court order, request from a competent authority, or for the regular exercise of rights in legal proceedings.

6.6. Corporate Transactions

In the event of a merger, acquisition, reorganization or asset sale, data may be transferred to the successor, with protection equivalent to this Policy maintained.

We do not sell personal data.

7. International Transfers

OORT Flows may transfer data outside Brazil and the European Economic Area, particularly for:

  • Execution on AI providers based in the USA and other countries;
  • Storage on global cloud infrastructure.

Transfers follow safeguards set out by LGPD (art. 33) and GDPR (Chapter V), including Standard Contractual Clauses (SCC), countries with adequacy decisions, or specific guarantees agreed with the sub-processor.

8. Retention

| Category | Period |
|---|---|
| Integration credentials (encrypted) | While the integration is active; up to 30 days after revocation |
| Flow data and settings | While the tenant is active |
| Files uploaded by the User | Per tenant configuration; default until explicit deletion |
| Execution logs | Up to [90] days, unless configured otherwise |
| Security audit logs | Up to [12] months, or longer if required by law |
| Billing and tax data | For the applicable legal period (minimum 5 years, LGPD art. 16 / tax law) |
| Data after account termination | Deletion or anonymization within 90 days, subject to legal obligations |

The User may request early deletion, subject to legal bases that require retention.

9. Security

OORT Flows adopts technical and organizational controls compatible with CASA Tier 2 / OWASP ASVS Level 2, including:

  • Encryption in transit: TLS 1.2+ across all communication;
  • Encryption at rest: integration credentials encrypted with Fernet (AES-128-CBC + HMAC-SHA256), with keys managed via TOKEN_ENCRYPTION_KEYS and rotation supported;
  • Cookies: HttpOnly, Secure, SameSite=Lax;
  • Local JWT validation via oort-shared (HS256), without dependency on remote Hub calls per request;
  • Multi-tenant isolation: every query includes WHERE tenant_id = :tid, with automated tenant_isolation tests as a deploy gate;
  • Role-based access control (e.g. tenant_admin for configuration changes);
  • Brute-force protection (5 failures → 15-minute lockout), timing-attack mitigation via dummy password hash;
  • Upload validation by magic bytes (via python-magic), not just Content-Type;
  • Security headers: HSTS, X-Content-Type-Options, X-Frame-Options, CSP, Referrer-Policy, Permissions-Policy, Cache-Control no-store on sensitive routes;
  • PII masking in logs;
  • Static analysis with Bandit and Ruff on every commit;
  • Rate limiting per tenant/user, scaled by operation type;
  • Auditing of sensitive events in MongoDB (audit_events).
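
To illustrate the brute-force and timing-attack item in the list above, the following added example (not OORT Flows code) shows one way to combine the 5-failure / 15-minute lockout with a dummy password hash for unknown accounts. The LoginGuard class, the in-memory stores, the use of PBKDF2 and its iteration count are assumptions made for this example.

```python
import hashlib
import hmac
import os

MAX_FAILURES = 5             # from the policy: 5 failures
LOCKOUT_SECONDS = 15 * 60    # from the policy: 15-minute lockout
ITERATIONS = 100_000         # assumed PBKDF2 work factor

def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)

# Computed once at start-up. Unknown accounts are checked against this hash,
# so they cost the same hashing time as accounts that exist.
DUMMY_SALT = os.urandom(16)
DUMMY_HASH = hash_password(os.urandom(16).hex(), DUMMY_SALT)

class LoginGuard:
    """Hypothetical in-memory guard; a real service would persist this state."""

    def __init__(self, users):
        self.users = users        # email -> (salt, password hash)
        self.failures = {}        # email -> consecutive failed attempts
        self.locked_until = {}    # email -> time at which the lockout ends

    def attempt(self, email: str, password: str, now: float) -> str:
        if self.locked_until.get(email, 0) > now:
            return "locked"
        # Always hash and compare, even when the account does not exist.
        salt, stored = self.users.get(email, (DUMMY_SALT, DUMMY_HASH))
        matches = hmac.compare_digest(hash_password(password, salt), stored)
        if matches and email in self.users:
            self.failures.pop(email, None)
            return "ok"
        # Failures are counted for unknown emails too, so the lockout
        # behaviour does not reveal which accounts exist.
        count = self.failures.get(email, 0) + 1
        self.failures[email] = count
        if count >= MAX_FAILURES:
            self.locked_until[email] = now + LOCKOUT_SECONDS
            self.failures.pop(email, None)
        return "denied"
```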

No system is 100% immune. In the event of a security incident with relevant risk or harm to data subjects, OORT will notify the ANPD and, when required, the affected data subjects, under LGPD art. 48 and GDPR arts. 33–34.

10. Cookies

OORT Flows uses cookies strictly necessary for operation:

| Cookie | Purpose | Attributes |
|---|---|---|
| oort_flows_session | Authenticated session (JWT issued by the Hub) | HttpOnly, Secure, SameSite=Lax |
| OAuth state cookie | CSRF protection during OAuth flow | HttpOnly, Secure, short-lived |

We do not use advertising-tracking cookies in the product.

11. Data Subject Rights

Under LGPD (art. 18) and GDPR (arts. 15 to 22), you may exercise:

  • Confirmation of the existence of processing;
  • Access to your data;
  • Correction of incomplete, inaccurate or outdated data;
  • Anonymization, blocking or deletion of unnecessary data or data processed in non-compliance;
  • Portability of data;
  • Deletion of data processed based on consent;
  • Information about public and private entities with which we share data;
  • Information about the possibility of not providing consent and its consequences;
  • Withdrawal of consent;
  • Objection to processing carried out on the basis of legitimate interest;
  • Review of automated decisions that affect your interests (LGPD art. 20 / GDPR art. 22).

How to exercise

  • Send a request to [dpo@oortlabs.com];
  • For data subjects whose data has been submitted by an Organization (acting as Controller), OORT will forward the request to the Organization or respond as per the contract.

We will respond within 15 (fifteen) days (LGPD) or 1 (one) month (GDPR), extendable under the law.

You may also file a complaint with the Brazilian Data Protection Authority (ANPD), your country's supervisory authority (EU), or another competent authority.

12. Minors

OORT Flows is not intended for those under 18 years of age and is not designed to process data from children and adolescents. If we identify inadvertent processing of minors' data, we will proceed with deletion, unless a legal obligation dictates otherwise.

13. Automated Decisions and AI

AI features may suggest or execute actions automatically. We strongly recommend maintaining human oversight over decisions that produce legal or material effects on third parties.

Data subjects have the right to request human review of automated decisions, under LGPD art. 20 and GDPR art. 22.

14. Changes to this Policy

We may update this Policy periodically. Material changes will be communicated via the Platform, email, or OORT Hub. The last update date appears at the top of this document.

Version history can be consulted at [repository address / link].

15. Contact

For questions about privacy and data protection:

  • Data Protection Officer (DPO): [Name] — [dpo@oortlabs.com]
  • General email: [privacy@oortlabs.com]
  • Address: [OORT Labs full address]