Legal

Privacy Policy

How we handle your data.

Last updated: April 25, 2026

3D3D (“we,” “us,” “our”) operates ORA, a constitutional AI operating system. This Privacy Policy explains what data we collect when you use ORA, how we use it, and your rights. We comply with Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA) and the EU General Data Protection Regulation (GDPR) where applicable.

1. What We Collect

Account Data

  • Email address and authentication credentials
  • Name and organization (optional)
  • Billing information (processed by our payment provider; we do not store card numbers)
  • Communication history with our team

Usage Data

  • API request counts, error rates, and latency metrics (anonymized)
  • Feature usage patterns (which agents, tools, governance settings you use)
  • Device type, browser, and approximate geographic location (country level)
  • Cloudflare Web Analytics beacon data (cookie-free, no personal tracking)

Agent and Workflow Data

  • Session content (prompts, agent outputs, tool calls): Retained for 30 days by default for debugging. You can disable session logging in Settings.
  • MCP memory: Stored under your control. You can search, view, and delete memory entries at any time via the ORA interface.
  • Mission logs: Structured records of agent decisions and governance gate outcomes. Retained 90 days.

2. What We Do NOT Do

  • We do not train AI models on your data. Your prompts, agent outputs, and workflow content are never used to train ORA or any other AI system.
  • We do not sell your data. We do not sell, rent, or trade your personal information to any third party.
  • We do not use your data for advertising. We do not use your information for targeted advertising or build advertising profiles.
  • We do not share your content with third parties except as required to operate the Services (e.g., routing your requests to your configured model provider).

3. How We Use Your Data

  • To operate, maintain, and improve the ORA platform
  • To authenticate your identity and manage your account
  • To process payments and manage subscriptions
  • To communicate with you about your account, service updates, and security notices
  • To detect and prevent fraud, abuse, and security incidents
  • To generate aggregated, anonymized usage statistics that help us improve reliability
  • To comply with legal obligations

4. Third-Party Services and Sub-Processors

We share data with the following categories of service providers to operate ORA:

  • Model providers (NVIDIA NIM, or your configured endpoint): Your prompts and agent requests are routed to your configured AI model provider. These are governed by the respective provider’s terms.
  • MCP memory service: Local service running at your configured endpoint. By default, memory is stored locally.
  • Cloudflare: Web infrastructure, DDoS protection, and privacy-respecting analytics.
  • Payment processor: Credit card processing. We receive only transaction confirmations.

A full sub-processor list is available at our Sub-Processor page.

5. AI-Specific Data Disclosures

In compliance with FTC guidance (March 2026) and EU AI Act transparency requirements (effective August 2026):

  • Agent decisions are logged. Every governance gate decision (structural, evidence, consistency, consensus) is logged for auditability. These logs are accessible to you.
  • Human oversight is built-in. ORA’s governance kernel requires human approval for actions exceeding your configured authority level. You control authority settings.
  • Content labeling: Outputs from ORA agents are AI-generated content. When sharing agent outputs externally, you are responsible for appropriate disclosure as required by applicable law.
  • No automated profiling. We do not create automated profiles about you that produce legal or significant effects.

6. Data Retention

  • Session content: 30 days (configurable to 0-365 days)
  • Mission logs: 90 days
  • MCP memory: Until you delete it
  • Account data: Duration of account plus 60 days after deletion
  • Billing records: 7 years (legal requirement)
  • Cloudflare analytics: 90 days per Cloudflare’s data retention policy

7. Your Rights

Regardless of where you are located, you may:

  • Access the personal data we hold about you
  • Correct inaccurate data
  • Delete your data (with exceptions for legal retention requirements)
  • Export your data in a machine-readable format
  • Withdraw consent for processing where consent is the legal basis
  • Object to certain processing activities

EU/EEA residents have additional rights under GDPR Articles 15–21, including the right to lodge a complaint with your local Data Protection Authority. To exercise any right, contact info@3d3d.ca. We respond within 30 days.

8. International Data Transfers

ORA is operated from Canada. If you access ORA from the EU/EEA, your data may be transferred to and processed in Canada. Canada has been recognized by the European Commission as providing adequate data protection. For any transfers to other jurisdictions (e.g., to your configured model provider), we ensure appropriate safeguards through Standard Contractual Clauses or equivalent mechanisms.

9. Security

We implement industry-standard security measures including TLS encryption in transit, encryption at rest for stored data, access controls with least-privilege principles, and regular security reviews. No security measure is absolute. In the event of a data breach affecting your personal data, we will notify you within 72 hours of discovery in accordance with applicable law.

10. Children

ORA is not intended for persons under 18. We do not knowingly collect data from children. If you believe a minor has provided us with data, contact us immediately.

11. Changes

We may update this Privacy Policy. Material changes will be communicated by email at least 30 days before taking effect. The “last updated” date reflects the most recent revision.

12. Contact

Privacy Officer: Ken (Kenneth Murray McKnight)
Email: info@3d3d.ca
Location: Fredericton, New Brunswick, Canada