Privacy Policy

Last updated: December 7, 2025

This Privacy Policy explains how PsyFi Technologies ("PsyFi", "we", "us", "our") collects, uses, and shares information when you use Ordísio, our ADHD-first productivity platform.

1. Who We Are

Ordísio is an ADHD-first productivity system operated by PsyFi Technologies. We provide web and mobile apps that help you capture brain dumps, manage tasks, run focus sessions, and review weekly patterns. If you have questions about this Privacy Policy, you can contact us at support@ordisio.com.

2. Scope

This Privacy Policy applies to the Ordísio marketing site at ordisio.com, the web application and dashboard, and the backend API at api.ordisio.com when accessed by first-party clients. Separate notices in the iOS and Android apps complement this Policy and describe platform-specific behavior.

3. Information We Collect

We collect information in three main ways: (a) you provide it directly, (b) it is generated as you use Ordísio, and (c) it comes from services you choose to connect, such as Google Gmail and Calendar.

3.1 Account and Profile Information

When you create or update an account, we may collect:

  • Email address (used as your login identifier).
  • Username.
  • Optional profile details such as first and last name, phone number, practice or business name, and profile image.
  • Billing profile information such as business name, billing contact details, and billing address if you choose to provide them for invoices.

3.2 Authentication and Security Information

To keep your account secure, we process authentication and security-related data, including:

  • Passwords stored only in hashed form (never in plain text).
  • Access and refresh tokens used to authenticate API requests, including tokens stored in secure cookies managed by NextAuth for the web app (not localStorage).
  • Password reset tokens, login sessions, and "remember me" preferences.
  • Security metadata such as IP address, browser user-agent, device name, and audit logs of logins, logouts, and account changes.

3.3 Productivity Content You Provide

Ordísio is built around your tasks, brain dumps, and planning data. We store:

  • Tasks and subtasks, such as titles, descriptions, status (NOW/NEXT/LATER/Completed), AI effort estimates, AI-generated "first steps", and scheduling details.
  • Brain dumps and notes, including raw text you type or that we transcribe from your audio recordings, plus AI-assigned categories.
  • Brain-dump-derived events, including event titles, descriptions, start and end timestamps, locations, and links back to the source brain dump.

Because you control what you enter, your content may include sensitive information (for example, about mental health or finances). Ordísio is not intended to store medical records or protected health information subject to HIPAA, and you should avoid entering such information unless you have confirmed with your own legal counsel that this is appropriate for your use case.

3.4 Focus, Planning, and Analytics Data

We store focus and planning data so that we can provide daily and weekly insights, including:

  • Focus session metadata such as start and end times, duration, and whether a session completed or was interrupted.
  • Daily planning information and weekly summary metrics used to generate charts and insights.
  • Aggregate usage metrics, like how often you use brain dumps, complete tasks, or run focus sessions.

3.5 Integrations and Connected Accounts

If you connect Gmail or Google Calendar, we store the minimum data needed to provide those integrations:

  • Gmail: OAuth access and refresh tokens, the connected Gmail address, integration settings, Gmail message and thread IDs, sender email and name, subject lines, received timestamps, classification labels, confidence scores, your feedback, and daily summary data such as counts of important and unimportant messages and short snippets used in summaries. We avoid storing full email bodies in our database.
  • Google Calendar: OAuth tokens, calendar email address, selected calendar ID, cached copies of event metadata (title, description, start and end times, location), conflict detection data, and metadata about whether events were created from brain dumps.

3.6 Subscription and Billing Information

When you upgrade to a paid plan, we and our payment partners process:

  • Subscription tier (Free, Pro, Enterprise), billing period (monthly, yearly), status (trialing, active, past due, canceled, expired), trial eligibility and dates, and renewal dates.
  • Billing identifiers such as Stripe customer IDs, Stripe subscription IDs, and RevenueCat/App Store/Play Store transaction or entitlement IDs.
  • Payment history including amounts, currencies, platform payment IDs, receipt URLs, and high-level descriptions.

We do not store your full card number or CVV. Web payments are processed by Stripe. In-app purchases on mobile devices are processed by Apple or Google via RevenueCat, under their own terms and privacy policies.

3.7 Device Tokens and Notifications

To send push notifications, we store Expo or platform-specific device tokens, the device type (iOS, Android, Web), and optional device names. We also keep notification logs that record what was sent, when, and whether delivery succeeded, along with any error details needed for debugging.

3.8 Analytics, Cookies, and Tracking Technologies

On the web, we use PostHog and similar tools to understand how Ordísio is used so we can improve the experience. Analytics data may include pages you visit, actions you take, approximate location inferred from IP address where permitted by law, and basic device information such as browser type, operating system, and screen size.

We use first-party cookies and localStorage identifiers for analytics and session management. We do not use third-party ad tracking pixels inside the app, and analytics are hosted at analytics.psyfitechnologies.com.

3.9 Log and System Data

Our servers and applications generate logs that may contain IP addresses, user IDs, timestamps, URLs, error messages, and other diagnostic details. We use this information to operate, secure, and troubleshoot the Service.

4. How We Use Information

We use the information we collect to:

  • Provide, maintain, and improve the Service.
  • Authenticate you and secure your account, including detecting and preventing fraud, abuse, and unauthorized access.
  • Power core features such as tasks, brain dumps, focus sessions, weekly reviews, and integrations.
  • Process payments, manage subscriptions, enforce quotas, and deliver entitlements attached to your plan.
  • Communicate with you about your account, security issues, product updates, support requests, and, where permitted, limited product marketing.
  • Analyze aggregated usage patterns to design better features, improve focus and planning recommendations, and maintain reliability.
  • Comply with legal obligations and enforce our Terms of Service.

5. AI and Third-Party Services

Ordísio uses AI providers such as OpenAI to power features like task breakdown, effort estimation, weekly summaries, audio transcription, email classification, and calendar event extraction. When these features are used, we send relevant input data (for example, brain dump text, short email snippets, or audio files) to the AI provider and store the returned output.

We configure these services using our own API keys and, where possible, we instruct them not to use your data for their generic model training. However, you should review each provider's own documentation and terms to understand how they process data.

6. Legal Bases (EEA/UK)

If you are in the European Economic Area or the United Kingdom, we process your personal data on the following legal bases:

  • Contract: to provide the Service you have asked for, including core app functionality, integrations, and billing.
  • Legitimate interests: to secure and improve the Service, prevent abuse, understand usage patterns, and develop new features, where these interests are not overridden by your rights and interests.
  • Consent: for certain cookies, analytics, marketing communications, and integrations where required by law. You can withdraw consent at any time.
  • Legal obligation: to comply with accounting, tax, and other legal requirements.

7. How We Share Information

We do not sell your personal information. We may share it:

  • With cloud hosting, email, analytics, payment, and AI providers who help us operate the Service and are bound by contractual safeguards.
  • With integration partners such as Google when you connect Gmail or Calendar, in accordance with their terms and privacy policies.
  • With third parties in connection with a merger, acquisition, or sale of assets of PsyFi Technologies, subject to appropriate safeguards.
  • When required by law, regulation, or legal process, or when we believe in good faith that disclosure is reasonably necessary to protect our rights, users, or the public.

8. International Transfers

Our infrastructure and some of our service providers may be located outside your home country. If you are in a region with data transfer restrictions, we implement appropriate safeguards, such as contractual clauses approved by regulators, where required by law.

9. Your Rights

Depending on your location, you may have rights such as access, correction, deletion, restriction, portability, and objection to certain processing. You may also have the right to withdraw consent where processing is based on consent.

You can exercise many of these rights by updating your account settings, disconnecting integrations, or contacting us at support@ordisio.com. We may need to verify your identity before fulfilling certain requests and may decline requests where an exemption applies.

10. Retention

We keep your personal data only as long as necessary for the purposes described in this Policy, including as needed to provide the Service, comply with legal obligations, resolve disputes, and enforce our agreements. When data is no longer needed, we will delete or anonymize it.

11. Security

We use a combination of technical and organizational measures to protect your data, including encryption in transit, access controls, and logging. No system is perfectly secure, and you are responsible for protecting your password and limiting access to your devices.

12. Children's Privacy

Ordísio is designed for adults and is not intended for children under 16. We do not knowingly collect personal information from children under 16. If you believe a child has provided personal information to us, please contact us and we will take appropriate steps to delete it where required.

13. Cookies and Similar Technologies

We use cookies and similar technologies to keep you logged in, provide security, remember preferences, and understand product usage. You can control cookies through your browser settings and, where implemented, through in-product controls. Some features may not work if you disable certain cookies.

14. Changes to This Policy

We may update this Privacy Policy from time to time. If we make material changes, we will provide notice through the Service or by email. The date at the top of this page shows when it was last updated.

15. Contact

If you have questions or requests about this Privacy Policy or how we handle your data, you can contact PsyFi Technologies at support@ordisio.com.