Privacy

Local-first.
Not a marketing line.

Your prompts, your files, your credentials — they live on your machine. ORA talks to providers using your own keys, with approval prompts before anything risky leaves your laptop.

The manifesto

We built ORA because we were tired of pretending a chat window was a workspace. Real workspaces are quiet, focused, and yours. They don't ship your thoughts to someone else's server by default.

So ORA is a desktop app — not a tab. It runs on your machine, it stores its state on your disk, and it speaks to AI providers using credentials you control. We do not see your prompts. We do not see your files. We do not proxy your traffic through us. We don't run a back-end you log into.

Privacy isn't a feature we layered on top. It's the shape of the thing.

Four guarantees

How we enforce it — not just promise it.

Architecture, not policy. Every guarantee maps to code we ship.

Your keys, in your keychain

API keys are stored in the OS keychain (Keychain Access on macOS, Credential Manager on Windows). ORA reads them at runtime; they never touch our servers because we don't have servers.

Approval before action

File writes, network calls outside the chat, shell commands, and browser automations all stop at an approval prompt. Approve once, approve always, or deny — visible in the Approval Center.

Folder consent, revocable

Local file search only sees folders you explicitly approve. Revoke a folder and ORA wipes its embeddings on the next start. Sensitive paths (SSH, dotenv, keychains) are auto-redacted.

Offline-capable by default

Switch on ORA Local AI and the whole workspace works without internet. Your laptop is the model — no ad tracking, no analytics, and nothing about your work leaves your device.

Architecture

Three layers — each with a clear privacy boundary.

1. Client. The Tauri app on your desktop. Native binary, signed by us, sandboxed by your OS. Holds all your data: chat history, indexes, agent definitions, settings. Persists to your local app-data directory, which you can inspect or wipe.

2. Providers. Direct connections from your machine to Claude, OpenAI, Google, xAI, Perplexity, Mistral, DeepSeek, and ORA Local AI running on-device. Your prompts go to the providers you choose, signed by your keys. No proxy.

3. Update channel. When you allow it, ORA fetches updates from a signed release manifest hosted on our CDN. The fetch is the only network call ORA makes to us, and it carries no identifiers.

What goes where

A plain-English data map.

If it isn't on this list, ORA doesn't collect it.

DataWhere it livesWho sees it
Your prompts & chatsYour machineYou + the providers you chose
API keysOS keychainYou
File search embeddingsYour machineYou
Custom agentsYour machineYou (until you share them)
App settingsYour machineYou
Update checksOur CDNNo personal data sent
Crash reportsOpt-in onlyUs, anonymised
Email at purchaseCloudflare KV (India + EU edge)Us — to deliver licence + receipts
Name + phone (optional)Cloudflare KVUs — only with your consent
Marketing consent recordCloudflare KV (audit-logged)Us — proof of your choice
Razorpay payment IDRazorpay + KV referenceYou + Razorpay + us
Connect form requestsheyora.in data folderUs — to reply and qualify business/support requests
IP at consent timeHashed (SHA-256 prefix) onlyUs — never raw
Crash reportsOpt-in onlyUs, anonymised

DPDP Act 2023 · Your rights

Marketing happens only with your explicit consent.

India's Digital Personal Data Protection Act is the bar we hold ourselves to.

Two kinds of email

Transactional (always sent). Your purchase receipt, the licence email, refund confirmations. We need to send these to do business with you — DPDP categorises this as legitimate purpose.

Marketing (only with your consent). Product updates, launch news, occasional offers. The checkbox at checkout is off by default. Tick it if you want these. Untick anytime from your account at heyora.in/account.

Your DPDP rights

Right to access. Sign in at heyora.in/account to see every device, licence, payment, and consent record we hold on you.

Right to correction. Reply to any email from us or write to [email protected] — we fix mistakes within 48 hours.

Right to withdraw consent. One click in your account. Effective immediately. No questions asked.

Right to erasure. Email [email protected] with subject "Delete my data". We delete within 30 days, log the action, confirm in writing.

Grievance redressal. If we mess up, [email protected] is the founder's inbox. Replied within 48 hours.

We don't believe AI belongs in someone else's cloud.
It belongs on your desk — running on your terms.

Privacy you can audit.

No account required. No ad tracking, no data sold. Telemetry stays off by default — and your prompts go only to the providers you choose.