LEGAL // PRIVACY
Privacy Policy
Orizu Studio takes your privacy seriously. This policy explains what data we collect, why we collect it, and the rights you have under UK GDPR, EU GDPR, and applicable US state privacy laws (including the California Consumer Privacy Act / CPRA).
Last updated · 26 May 2026
1. Who we are
For the purposes of the UK General Data Protection Regulation ("UK GDPR"), the EU General Data Protection Regulation (Regulation (EU) 2016/679, "EU GDPR"), the UK Data Protection Act 2018, the California Consumer Privacy Act as amended by the CPRA ("CCPA"), and other applicable state privacy laws, the data controller (or, under CCPA, the "business") is:
Orizu Studio
Based in London, United Kingdom
Contact: orizustudio@gmail.com
EU representative (Article 27 EU GDPR): Orizu Studio is a small UK-based business whose processing of EU resident data is occasional and low-risk. We currently rely on the Article 27(2)(a) exemption. If your data protection rights require a dedicated EU-based contact, write to us at the address above and we will route your request appropriately.
2. What data we collect
Account data
When you create an account we collect your email address and a hashed password. If you sign in with Google, we receive your email and Google account ID.
Profile data
Information you add to your profile so it can pre-fill invoices — your company name, address, phone, tax/VAT number, payment method, logo image, and invoice prefix.
Invoice and client data
Invoices, line items, prices, due dates, notes, and the contact details (name, email, address, company) of the clients you bill. You are the data controller (or business) for your clients' data; Orizu Studio processes it on your behalf as a data processor (or, under CCPA terminology, a "service provider").
Payment data
If you subscribe to a paid plan, payment is processed by Stripe Payments Europe Ltd. or Stripe Payments Company (depending on your location). We never see or store your full card details — Stripe handles payment data directly as an independent controller. We do store a Stripe customer ID and the subscription metadata (tier, status, renewal date) needed to operate your account.
Usage data
Records of API and MCP tool calls you make (timestamp, endpoint name, your user ID) so we can meter against your plan's quotas and surface usage reports to you.
Technical data
Standard server logs (IP address, browser user-agent, request paths, error traces). Used for security, abuse prevention, and debugging.
Categories of personal information under CCPA
For California residents, the categories above map to the following CCPA personal-information categories: identifiers (account email, IP), commercial information (subscription tier, billing history), internet activity (API call logs, page views), and professional or employment-related information (the From: profile fields you fill in for your invoices). We do not collect sensitive personal information such as government IDs, geolocation beyond IP, biometrics, health, sexual orientation, religion, or union membership.
3. Legal basis for processing (UK / EU GDPR)
- Contract (Article 6(1)(b)) — most processing is needed to deliver the Orizu Studio service you signed up for: storing your invoices, running the API, hosting your PDFs.
- Legitimate interests (Article 6(1)(f)) — security logging, fraud prevention, basic analytics, and improving the product.
- Legal obligation (Article 6(1)(c)) — UK and EU tax and accounting laws require us to keep certain billing data for up to 6 years (UK: VAT records under HMRC rules; EU: varies by Member State, typically 6 — 10 years).
- Consent (Article 6(1)(a)) — used only for optional marketing emails. You can withdraw consent at any time.
4. Purposes of processing (CCPA / US state laws)
For users in the United States, we collect and process personal information for the following business purposes (per CCPA §1798.140(e)):
- providing, maintaining, and improving the Orizu Studio service
- processing subscription payments
- preventing fraud, abuse, and security incidents (including rate limiting and key-revocation flows)
- complying with legal obligations (tax records, court orders)
- sending transactional communications (billing receipts, subscription notices)
We do not sell personal information, and we do not share it for cross-context behavioural advertising. We have not done so in the preceding 12 months and have no plans to start.
5. How we share your data (sub-processors)
We share data with the following sub-processors. Each is bound by a data processing agreement that meets UK GDPR / EU GDPR standards (Article 28) and acts as a service provider under CCPA — meaning they cannot use your data for their own purposes.
- Supabase Inc. — hosts our database, auth, and file storage. Data is stored in the EU (eu-west-1, Ireland).
- Stripe Payments Europe, Ltd. / Stripe Payments Company — processes subscription payments and stores card data on your behalf. Stripe is its own data controller for payment data and complies with PCI-DSS Level 1, UK/EU GDPR, and US state privacy laws.
- Resend, Inc.— sends transactional emails (sign-in confirmations, billing receipts, subscription notices, invoice reminders). US-based; transfers to the US are made under the EU–US Data Privacy Framework (DPF) and the UK Extension to the DPF.
- Vercel Inc.— hosts the application servers and CDN. US-based with EU edge nodes; UK/EU traffic is served from EU regions where available. Transfers covered by the EU–US DPF + UK Extension.
- Anthropic PBC / OpenAI, L.L.C. — only invoked if you connect your own AI agent (Claude, ChatGPT, etc.) via our MCP server. The agent operator becomes the data controller for the content of your prompts in that interaction; we are not party to it.
We do not sell your personal data and we do not share it with advertisers.
6. International transfers
Personal data is stored primarily in the EU (Ireland, via Supabase). Some sub-processors (Resend, Vercel) are US-based, and your data may be transferred there or to other locations where those providers operate. We rely on the following mechanisms, in order of preference:
- Adequacy decisions — where the destination country has been formally recognised by the UK government or the European Commission as providing adequate protection.
- EU–US Data Privacy Framework (DPF) — including the UK Extension, for transfers to certified US providers (Resend and Vercel are DPF-certified).
- Standard Contractual Clauses (SCCs)— the EU Commission's 2021 SCCs and the UK's International Data Transfer Agreement (IDTA) or UK Addendum, where neither of the above applies.
Copies of the transfer agreements in place with each sub-processor are available on request.
7. How long we keep your data
- Active accounts — for as long as your account is open.
- After you delete your account — invoice and profile data is deleted within 30 days, except records we are required to retain by law (typically Stripe payment records and tax-relevant billing data, kept for up to 6 years under UK VAT rules and a similar window under EU Member State tax law and US IRS / state tax requirements).
- Server logs — kept for 90 days then purged.
- Marketing email opt-ins — retained until you withdraw consent.
8. Your rights (UK / EU GDPR)
If you are in the UK or EEA, you have the right to:
- access the personal data we hold about you (Article 15)
- have inaccurate data corrected (Article 16)
- have your data erased — the "right to be forgotten" (Article 17)
- restrict or object to processing (Articles 18, 21)
- receive your data in a portable format (Article 20)
- withdraw consent at any time (Article 7) — where consent is the legal basis
- not be subject to decisions based solely on automated processing (Article 22) — we do not currently use any such processing
- lodge a complaint with your local supervisory authority — in the UK, ico.org.uk; in the EU, see the EDPB members list for your country's authority (e.g. CNIL in France, DPC in Ireland, BfDI in Germany)
9. Your rights (California — CCPA / CPRA)
If you are a California resident, you have the right to:
- Know what personal information we collect, the sources, purposes, and the categories of third parties with whom we share it (CCPA §§1798.100, 1798.110, 1798.115)
- Access a portable copy of the personal information we hold about you (§1798.130)
- Deletepersonal information we've collected, subject to limited exceptions for legal compliance (§1798.105)
- Correct inaccurate personal information (§1798.106)
- Opt out of sale or sharing — but note we do not sell or share your personal information, so there is nothing to opt out of (§1798.120)
- Limit use of sensitive personal information — we do not collect sensitive PI as defined in §1798.140(ae)
- Non-discrimination — we will not charge you more, give you a lower service tier, or otherwise penalise you for exercising any of these rights (§1798.125)
To exercise a CCPA right, email us at orizustudio@gmail.com with the subject line "CCPA request". We will verify your identity through your registered email and respond within 45 days (extendable once by another 45 days for complex requests, with notice). You may also designate an authorised agent to make a request on your behalf — they will need to provide written authorisation and we may still ask you to confirm directly.
10. Your rights (other US states)
A growing number of US states have enacted comprehensive consumer privacy laws giving residents rights similar to (but not identical to) the CCPA. These currently include — among others — Virginia (VCDPA), Colorado (CPA), Connecticut (CTDPA), Utah (UCPA), Texas (TDPSA), Oregon (OCPA), Montana (MCDPA), Iowa (ICDPA), Tennessee (TIPA), Delaware (DPDPA), New Hampshire (NHDPA), New Jersey (NJDPA), Maryland (MODPA), and Minnesota (MCDPA).
If you reside in any of these states, you generally have rights to access, correct, delete, and obtain a portable copy of your personal data, and to opt out of targeted advertising / sale / profiling (none of which we do). To exercise any of these rights, email us at orizustudio@gmail.com and we'll respond within the timeframe required by your state's law (typically 45 days). We honour state-recognised universal opt-out signalssuch as Global Privacy Control (GPC) where applicable — but since we don't sell or share personal data, no such signal currently changes our processing.
11. Cookies and tracking
We use only the cookies required to keep you signed in (a session cookie set by Supabase Auth) and to remember preferences you choose in the app (e.g. selected currency). We do not use third-party advertising or cross-site tracking cookies, and we do not respond to or require a separate cookie banner because every cookie we set is strictly necessaryfor the service. We honour Global Privacy Control (GPC) and Do Not Track (DNT) headers — though, again, since we don't sell or share data for advertising, those signals don't alter our behaviour.
12. Security
All traffic is encrypted in transit (TLS 1.2+). Passwords are stored as salted bcrypt hashes by Supabase Auth. API keys are stored as SHA-256 hashes and never displayed after the moment of creation. Database access is restricted by row-level security so users can only read and write their own data. OAuth tokens (for browser sign-in via MCP) are hashed at rest and rotated on every refresh per RFC 6749 §6.
If we ever suffer a personal-data breach that's likely to result in a risk to your rights and freedoms, we will notify our supervisory authority within 72 hours of becoming aware (UK / EU GDPR Article 33) and notify affected users without undue delay where the risk is high (Article 34) — and as required by applicable US state breach-notification laws.
13. Children
Orizu Studio is not directed at children. If you are under 18, please do not create an account. We do not knowingly collect personal information from children under 13 (US — COPPA threshold), under 16 (UK GDPR / EU GDPR threshold in some Member States), or as otherwise defined by applicable law. If you believe we have inadvertently collected such information, contact us and we will delete it.
14. Changes to this policy
We may update this policy as the product evolves. Material changes will be announced by email to account holders at least 14 days before they take effect. The "Last updated" date at the top of this page always reflects the current version.
15. Contact
Questions about this policy, requests to exercise any of the rights above, or other concerns about how we handle your data: orizustudio@gmail.com.