Privacy Policy

Last updated: May 2025

This Privacy Policy describes how Orchard HQ ("we", "us", or "our") collects, uses, and protects information about you when you use the Orchard organizational health platform ("Service"). We are committed to an employee-first approach: individual data is never surfaced to managers without aggregation and anonymization.

1. Information We Collect

We collect information you provide directly, information from workplace integrations you authorize, and usage data:

Account information — name, work email address, job title, and timezone provided at signup
Slack presence data — active/away status signals collected via workspace-level integration (requires admin install)
Calendar data — meeting times, durations, and attendee counts from connected Outlook or Google Calendar accounts
Meeting data — meeting duration signals from connected Zoom accounts
Usage data — how you interact with the Service (pages visited, features used), collected via server logs

We do not collect meeting content, message content, email body text, or any communications data.

2. How We Use Your Information

We use the information we collect to:

Compute organizational health metrics (deep focus, recovery score, collaboration intensity, burnout risk)
Surface aggregated, anonymized insights to team administrators
Send transactional emails (invitations, password resets, subscription confirmations)
Improve the accuracy and reliability of our analytics models
Comply with legal obligations

3. Employee-First Data Principles

Orchard is built on a core principle: individuals own their work patterns data. We enforce this technically:

Managers and administrators see only aggregated metrics — individual data is never shown
Team-level views require a minimum cohort size to prevent reverse-engineering individual data
Individual users can view their own metrics at any time on their personal dashboard
You can request deletion of your data at any time by contacting us

4. Data Sharing

We do not sell your personal information. We share data only in the following limited circumstances:

Service providers — hosting infrastructure (AWS), email delivery (Resend), and payment processing (Stripe). These providers are contractually bound to protect your data
Within your organization — only aggregated metrics are shared with administrators, never raw individual data
Legal requirements — if required by law, court order, or to protect the rights and safety of Orchard or others

5. Data Retention

We retain your data for as long as your account is active. Raw integration events are retained for up to 12 months for trend analysis. Daily metric snapshots are retained indefinitely to enable longitudinal health tracking. You may request deletion of your account and associated data at any time by emailing [email protected].

6. Security

We protect your data using industry-standard measures including encryption in transit (TLS), encrypted storage of credentials and OAuth tokens, and role-based access controls. OAuth tokens for Slack, Outlook, and Zoom are stored encrypted and are never exposed outside our server environment. We conduct periodic security reviews and promptly address identified vulnerabilities.

7. Third-Party Integrations

When you connect integrations (Slack, Microsoft Outlook, Zoom, and others), you authorize Orchard to access specific data via those platforms' official APIs. The data we access is limited to the minimum required for health analytics — we never request access to message content, email bodies, or meeting recordings. Your use of those platforms is separately governed by their own privacy policies.

8. Your Rights

Depending on your location, you may have rights including:

Access to the personal data we hold about you
Correction of inaccurate data
Deletion of your data ("right to be forgotten")
Portability of your data in a machine-readable format
Objection to or restriction of certain processing

To exercise any of these rights, contact us at [email protected]. We will respond within 30 days.

9. Cookies

Orchard uses only functional cookies and browser localStorage to maintain your login session. We do not use third-party advertising trackers or analytics cookies. You can clear localStorage at any time by logging out.

10. Children's Privacy

The Service is intended for use by businesses and their employees. We do not knowingly collect personal information from anyone under the age of 16. If you believe a minor has provided us with personal information, please contact us immediately.

11. Changes to This Policy

We may update this Privacy Policy as the Service evolves. We will notify you of material changes by email or via a notice in the Service. Continued use after changes constitutes acceptance of the updated policy.

12. Contact

If you have questions or concerns about this Privacy Policy or our data practices, please contact us at [email protected].