Privacy Policy
Orizu Studio takes your privacy seriously. This policy explains what data we collect, why we collect it, and the rights you have under UK data protection law.
Last updated · 23 May 2026
1. Who we are
For the purposes of the UK General Data Protection Regulation ("UK GDPR") and the Data Protection Act 2018, the data controller is:
Orizu Studio
Based in London, United Kingdom
Contact: orizustudio@gmail.com
2. What data we collect
Account data
When you create an account we collect your email address and a hashed password. If you sign in with Google, we receive your email and Google account ID.
Profile data
Information you add to your profile so it can pre-fill invoices — your company name, address, phone, tax/VAT number, payment method, logo image, and invoice prefix.
Invoice and client data
Invoices, line items, prices, due dates, notes, and the contact details (name, email, address, company) of the clients you bill. You are the data controller for your clients' data; Orizu Studio processes it on your behalf as a data processor.
Payment data
If you subscribe to a paid plan, payment is processed by Stripe Payments Europe Ltd. We never see or store your full card details — Stripe handles payment data directly. We do store a Stripe customer ID and the subscription metadata (tier, status, renewal date) needed to operate your account.
Usage data
Records of API and MCP tool calls you make (timestamp, endpoint name, your user ID) so we can meter against your plan's quotas and surface usage reports to you.
Technical data
Standard server logs (IP address, browser user-agent, request paths, error traces). Used for security, abuse prevention, and debugging.
3. Legal basis for processing
- Contract (Article 6(1)(b)) — most processing is needed to deliver the Orizu Studio service you signed up for: storing your invoices, running the API, hosting your PDFs.
- Legitimate interests (Article 6(1)(f)) — security logging, fraud prevention, basic analytics, and improving the product.
- Legal obligation (Article 6(1)(c)) — UK tax and accounting records require us to keep certain billing data for up to 6 years after the end of the relevant tax year.
- Consent (Article 6(1)(a)) — used only for optional marketing emails. You can withdraw consent at any time.
4. How we share your data
We share data with the following sub-processors. Each is bound by a data processing agreement that meets UK GDPR standards.
- Supabase Inc. — hosts our database, auth, and file storage. Data is stored in the EU (eu-west-1, Ireland).
- Stripe Payments Europe, Ltd. — processes subscription payments and stores card data on your behalf. Stripe is its own data controller for payment data.
- Resend, Inc. — sends transactional emails (sign-in confirmations, billing receipts, subscription notices). US-based; we rely on the EU–US Data Privacy Framework for transfers.
- Vercel Inc. — hosts the application servers and CDN. Operates globally; UK/EU traffic is served from EU edge nodes.
We do not sell your personal data and we do not share it with advertisers.
5. International transfers
Where data is transferred outside the UK or EEA (for example to the United States for Stripe or Resend), we rely on either an adequacy decision recognised by the UK government, the UK International Data Transfer Agreement (IDTA), or the EU Standard Contractual Clauses with the UK Addendum, as appropriate.
6. How long we keep your data
- Active accounts — for as long as your account is open.
- After you delete your account — invoice and profile data is deleted within 30 days, except records we are required to retain by law (typically Stripe payment records and VAT-relevant billing data, kept for up to 6 years).
- Server logs — kept for 90 days then purged.
7. Your rights
Under UK GDPR you have the right to:
- access the personal data we hold about you
- have inaccurate data corrected
- have your data erased (the "right to be forgotten")
- restrict or object to processing
- receive your data in a portable format
- withdraw consent at any time (where consent is the legal basis)
- lodge a complaint with the Information Commissioner's Office (ICO) at ico.org.uk
To exercise any of these rights, email orizustudio@gmail.com. We'll respond within 30 days.
8. Cookies and tracking
We use only the cookies required to keep you signed in (a session cookie set by Supabase Auth) and to remember preferences you choose in the app (e.g. selected currency). We do not use third-party advertising or cross-site tracking cookies. No cookie banner is needed because every cookie we set is strictly necessary for the service.
9. Security
All traffic is encrypted in transit (TLS 1.2+). Passwords are stored as salted bcrypt hashes by Supabase Auth. API keys are stored as SHA-256 hashes and never displayed after the moment of creation. Database access is restricted by row-level security so users can only read and write their own data.
10. Children
Orizu Studio is not directed at children. If you are under 18, please do not create an account.
11. Changes to this policy
We may update this policy as the product evolves. Material changes will be announced by email to account holders at least 14 days before they take effect. The "Last updated" date at the top of this page always reflects the current version.
12. Contact
Questions about this policy or about how we handle your data: orizustudio@gmail.com.