Privacy Policy

Last updated: March 2026

1. Information We Collect

We collect the following types of information:

Account information

  • Email address — required to create an account.
  • Password — hashed and managed by Supabase Auth. We never store or have access to your plaintext password.
  • Display name — optionally provided during signup or in account settings.

Content you create or send

  • Recordings — audio is captured in your browser and sent to OpenAI's Whisper API for transcription. Audio is not stored on our servers. The resulting transcript is encrypted and stored in your account.
  • Notes — text you create directly in the app. Encrypted and stored in your account.
  • Documents — files you upload (PDF, Word, images, plain text, CSV, Markdown). Files are stored in Supabase Storage. Extracted text content is encrypted.
  • Emails — emails you forward to your Organism inbox. Email content is encrypted and stored in your account.

Automatically collected data

  • Browser cookies — a visitor identifier (org-uid) and a version assignment cookie (org-v), both with 90-day lifetimes. Supabase Auth also sets session cookies for authenticated users.
  • Behavioral data via PostHog — page views, button clicks, scroll depth, time on page, and feature usage events.
  • Standard web request data — IP address, user agent, referrer URL, and approximate geolocation (country and city, derived from your IP by our hosting provider).

Feedback and bug reports

  • Feedback — optional messages you submit to share your thoughts on the product.
  • Bug reports — descriptions and steps to reproduce issues you report, along with your browser and page context.

Error data

When errors occur in the app, we automatically log the error type, message, and stack trace to help us identify and fix issues. If you are signed in, your account ID is included for debugging purposes.

2. Content Storage & Encryption

All content you store in Organism — including recordings, notes, documents, and emails — is encrypted at rest using AES-256-GCM encryption before being written to our database. Content is decrypted only when you or your partner access it through the app.

Uploaded files (documents, images) are stored in Supabase Storage with access controlled by signed URLs. Extracted text from these files is encrypted in the same way as other content.

Metadata such as titles, tags, and action items derived from your content are stored unencrypted to enable search and organization features.

3. AI Processing

We use OpenAI's APIs to provide the following features. Data sent to OpenAI is not stored or used for model training, per OpenAI's API data usage policy.

  • Transcription — audio is sent to OpenAI Whisper for speech-to-text conversion.
  • Classification & tagging — content is sent to GPT-4o-mini to generate titles, tags, and categories.
  • Action items & dates — key tasks and deadlines are extracted from your content using GPT-4o-mini.
  • Summarization — optional summaries are generated by GPT-4o-mini.
  • Search embeddings — content is sent to OpenAI's embedding model to create vector representations that power search across your library.
  • AI chat — when you use the chat feature, your messages and relevant content from your library are sent to OpenAI to generate responses.

4. Shared Spaces & Partnerships

Organism lets you invite a partner to share a space. When you create a partnership:

  • Your partner's email address is collected to send the invitation.
  • Content within a shared space is accessible to both partners.
  • Either partner can transfer content ownership to the other.
  • Notifications are generated when your partner adds or modifies content.

5. Inbound Email

You can forward emails to your personal Organism inbox address. When we receive an email:

  • The sender address, subject, and body are captured and stored as a content item in your account.
  • Email content is encrypted at rest using the same AES-256-GCM encryption as all other content.
  • Inbound emails are processed via Resend's webhook service, which verifies the authenticity of each delivery.

6. Third-Party Services

We use the following third-party services to operate Organism:

  • PostHog (analytics) — posthog.com — behavioral analytics and event tracking.
  • Supabase (database, auth & storage) — supabase.com — stores your account, encrypted content, and uploaded files.
  • Vercel (hosting) — vercel.com — provides geolocation headers (country, city) from your IP.
  • Resend (email) — resend.com — sends transactional emails (confirmations, password resets, partner invitations) and handles inbound email delivery.
  • OpenAI (AI processing) — openai.com — transcription (Whisper), content analysis (GPT-4o-mini), and search embeddings. Data is not stored or used for training, per OpenAI's API data usage policy.

7. A/B Testing Disclosure

Visitors may see different versions of the landing page as part of our optimization process. Version assignment is random and stored via the org-v cookie to ensure you see the same version on return visits.

A/B testing does not affect the types of information collected. All visitors are subject to the same data collection practices regardless of which version they see.

8. Data Retention

  • Account data: stored for the lifetime of your account. Deleted when you delete your account.
  • Content: stored for the lifetime of your account. You can delete individual items at any time. All content is removed when you delete your account.
  • Cookies: expire after 90 days from the date they are set.
  • Analytics events: retained per PostHog's standard data retention policy.
  • Error logs: retained indefinitely for debugging and product stability.

9. Your Rights

You have the right to:

  • Delete your account — you can delete your account at any time from your account settings. This removes your profile, content, and associated data.
  • Delete your content — you can delete individual recordings, notes, documents, and emails from your library at any time.
  • Request a copy of your data — contact us to request a copy of the personal data we hold about you.
  • Unsubscribe — you can unsubscribe from emails at any time via the unsubscribe link included in every email we send.

To exercise any of these rights, contact us at hello@tryorganism.com.

10. Data Security

We take the security of your data seriously:

  • All content is encrypted at rest using AES-256-GCM encryption.
  • Database access is controlled via Row Level Security (RLS) policies.
  • Passwords are hashed and managed by Supabase Auth.
  • All connections use HTTPS/TLS encryption in transit.

We do not sell, trade, or share your personal information with third parties for advertising purposes.

11. Children's Privacy

This service is not directed to children under the age of 13. We do not knowingly collect personal information from children under 13. If you believe a child under 13 has provided us with personal information, please contact us so we can take appropriate action.

12. Changes to This Policy

We may update this Privacy Policy from time to time. When we make changes, we will update the "Last updated" date at the top of this page. Your continued use of the service after changes are posted constitutes your acceptance of the revised policy.