Privacy Policy

Last updated May 24, 2026

What Orion is

Orion is a personal intelligence assistant. It reads your connected data sources — email, calendar, health trackers, finances, code, and more — and synthesizes them into a daily brief personalized to you.

This policy explains what data we collect, how we use it, and what control you have over it. Questions? Email us at privacy@hi-orion.com.

Data we collect

Account data

Your email address and display name, collected when you create an account.

Integration tokens

When you connect a service (Gmail, Google Calendar, Strava, GitHub, Plaid, etc.), we store OAuth access and refresh tokens to read data on your behalf. These tokens are encrypted at rest. We request only the minimum permissions needed and do not write to third-party services except where you explicitly ask — for example, saving a draft email reply.

Content we read

To generate your brief, we read data from your connected integrations: email subjects and bodies, calendar events, health metrics, financial transactions, and similar. This content is processed to generate your brief and responses to your queries. We do not store full email or calendar data beyond what is needed to produce your brief.

Your vault

Notes, wiki entries, and content you create directly in Orion are stored in your personal vault. We access it only to generate your brief and respond to your assistant queries.

Usage data

Basic product analytics: brief ratings and feature usage. We do not sell this data or use it to build advertising profiles.

How we use your data

We use your data to:

  • Generate your daily brief and answer questions via the assistant
  • Run the morning review agent when you initiate it
  • Improve brief quality based on your ratings and feedback
  • Send you your brief by email, if you've enabled it
  • Provide customer support when you reach out

We do not use your data to train general AI models, sell it to third parties, or share it with advertisers.

Third-party services

Orion is built on infrastructure from:

  • Supabase — database and authentication (data hosted in the US)
  • Anthropic — AI model API used to generate your brief and power the assistant
  • Resend — transactional email delivery
  • Vercel — hosting and edge infrastructure

Each connected integration (Gmail, Strava, etc.) is governed by that provider's own privacy policy. We access only the scopes you grant and do not share your data with these providers beyond what is necessary to authenticate and fetch your data.

Data retention

Your briefs are retained so you can review past entries. Integration tokens are stored for as long as the integration is connected.

If you delete your account, all of your data — vault entries, briefs, integration tokens, and profile information — is permanently deleted within 30 days.

Security

OAuth tokens are encrypted at rest using AES-256-GCM before being stored. Data in transit is encrypted via TLS. Access to production data is restricted to core team members.

If you discover a security issue, please email security@hi-orion.com and we will respond promptly.

Your rights

You can:

  • Export your data — email us and we'll provide a copy of everything we hold
  • Delete your account — go to Settings → Account, or email us
  • Disconnect integrations — revoke access at any time from Settings → Integrations
  • Opt out of brief emails — unsubscribe from any brief email or adjust the setting in Settings

If you are in the EU or UK, you have additional rights under GDPR and UK GDPR, including the right to object to processing and to lodge a complaint with a supervisory authority.

Children

Orion is not intended for anyone under 16. We do not knowingly collect data from children.

Changes to this policy

If we make material changes, we will notify you by email or via an in-app notice before the changes take effect. The date at the top of this page reflects the most recent revision.

Contact

Questions, requests, or concerns: privacy@hi-orion.com