ORGANISM
AI APP FACTORY
PRIVACY POLICY
EFFECTIVE DATE: MAY 1, 2026

1. INTRODUCTION

Organism AI ("Organism," "we," "us," or "our") operates an autonomous AI application factory platform accessible at organism.ai (the "Platform"). This Privacy Policy describes how we collect, use, disclose, and safeguard information about you when you access or use our Platform.

By accessing the Platform, you acknowledge that you have read, understood, and agree to the practices described in this Privacy Policy. If you do not agree with any part of this policy, you should discontinue use of the Platform immediately.

For questions or concerns about this Privacy Policy, contact us at: privacy@organism.ai

2. INFORMATION WE COLLECT

We collect information in the following categories:

  • Account Information: Email address and hashed password provided during registration, managed via Supabase Authentication.
  • Usage Data: Pages visited, features used, API calls made, workflow executions, timestamps, and interaction patterns within the Platform.
  • Technical Data: IP address, browser type, operating system, device identifiers, and session tokens stored in authentication cookies.
  • AI Interaction Data: Prompts submitted, AI-generated outputs, workflow configurations, and project metadata created through the Platform.
  • Financial Data: Billing information processed through Stripe. We do not store raw payment card data on our servers.
  • Communications: Support requests, feedback, and correspondence submitted through the Platform or our email channels.

3. HOW WE USE YOUR INFORMATION

We use collected information for the following purposes:

  • Providing, maintaining, and improving the Platform and its features
  • Authenticating your identity and managing your session via Supabase SSR cookies
  • Processing payments and managing your subscription through Stripe
  • Sending transactional communications including security alerts and account notifications
  • Monitoring system health, detecting abuse, and enforcing our Terms of Service
  • Analyzing aggregated usage patterns to improve AI workflow performance
  • Complying with legal obligations and responding to lawful requests from authorities

We do not sell, rent, or trade your personal information to third parties for their independent marketing purposes.

4. DATA STORAGE AND INFRASTRUCTURE

Your data is stored and processed using the following infrastructure providers, each subject to their own security and compliance frameworks:

  • Supabase (PostgreSQL): Primary database for account data, workflow records, project metadata, and application state. Supabase is SOC 2 Type II compliant. Data is encrypted at rest and in transit.
  • Anthropic: AI language model provider. Prompts and completions are processed via the Anthropic API. Anthropic's data use policies govern interactions with their models. We do not share personally identifying information in AI prompts.
  • Vercel: Serverless hosting and deployment platform. Application logs and edge network traffic are processed through Vercel infrastructure.
  • Redis (Upstash): Queue and caching layer for workflow execution. Data stored in Redis is transient and not used for long-term storage of personal information.
  • Stripe: Payment processing. Card details are tokenized by Stripe and never transmitted to or stored on our servers.

5. COOKIES AND SESSION MANAGEMENT

We use cookies and similar technologies to maintain authenticated sessions. Specifically:

  • Authentication Cookies: Set by Supabase SSR to maintain your login session. These are HTTP-only, secure cookies with a defined expiration. Removing these cookies will sign you out of the Platform.
  • Functional Cookies: Used to remember your preferences, such as selected autonomy levels and notification settings.
  • Analytics: We may use anonymized analytics tools to understand aggregate usage patterns. No personal identifiers are included in analytics data.

You can control cookie settings through your browser preferences. Disabling cookies may limit Platform functionality.

6. DATA RETENTION

We retain your personal information for as long as your account remains active and for a reasonable period thereafter to comply with legal obligations, resolve disputes, and enforce our agreements.

  • Account data is retained until you request deletion or your account is terminated
  • Workflow logs and AI interaction records are retained for 90 days by default
  • Financial records are retained for 7 years in accordance with tax and accounting requirements
  • Backup data may persist for up to 30 days after primary data deletion

7. YOUR RIGHTS

Depending on your jurisdiction, you may have the following rights regarding your personal information:

  • Access: Request a copy of the personal information we hold about you
  • Correction: Request correction of inaccurate or incomplete information
  • Deletion: Request deletion of your personal information, subject to retention requirements
  • Portability: Request a machine-readable export of your data
  • Objection: Object to certain processing activities, including direct marketing

To exercise any of these rights, email us at privacy@organism.ai. We will respond within 30 days.

8. SECURITY

We implement industry-standard technical and organizational measures to protect your information, including:

  • TLS/HTTPS encryption for all data in transit
  • AES-256 encryption for data at rest in Supabase
  • Row-level security (RLS) policies in PostgreSQL
  • HTTP-only, secure authentication cookies
  • Service role key isolation — client-facing code never exposes service credentials
  • Circuit breakers and rate limiting on all external API integrations

No method of transmission over the internet or electronic storage is 100% secure. While we strive to protect your information, we cannot guarantee absolute security.

9. CHILDREN'S PRIVACY

The Platform is not directed to individuals under the age of 18. We do not knowingly collect personal information from children. If we become aware that a child under 18 has provided us with personal information, we will take steps to delete such information promptly. If you believe we have inadvertently collected information from a minor, please contact us at privacy@organism.ai.

10. CHANGES TO THIS POLICY

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, or applicable law. We will notify you of material changes by updating the "Effective Date" at the top of this page and, where appropriate, by sending a notification to the email address associated with your account.

Your continued use of the Platform following notification of changes constitutes acceptance of the updated Privacy Policy.

For questions about this Privacy Policy or our privacy practices, contact: privacy@organism.ai
