Privacy Policy

- Last updated at October 10, 2024

Time to read: 26 min

Introduction

At Ory, we take data privacy seriously. This Privacy Policy (this “Privacy Policy”) describes how we collect, receive, process, or store information in connection with our business operations (“Business Operations”), including the services we provide that reference this Privacy Policy (collectively, the “Services”). The Services include (i) our application programming interfaces; (ii) our website available at https://www.ory.sh/ (the “Website”); and (iii) our mobile application (“App”). In addition, this Privacy Policy outlines your rights and choices regarding processing your Personal Data.

In this Privacy Policy “Ory”, “we”, “us”, or “our” each mean Ory Corp or an affiliate or subsidiary of Ory Corp; please refer to Section 2 (“Ory’s Roles and Responsibilities”) for details.

We use the term “Personal Information” to mean any information that identifies you as an individual, is about you as an individual, or is otherwise defined as personal information, personal data, or similar under applicable law.

1. Scope of this Privacy Policy

It is important to understand the scope of this Privacy Policy. Except as provided in this Section, this Privacy Policy applies to anyone who interacts with our Business Operations or uses the Services (collectively, “you”). If you are interacting with our Business Operations or using the Services on behalf of a company or other legal entity (“Your Organization”), then (i) you represent and warrant that you have the authority to act on behalf of and to bind Your Organization, and (ii) for all purposes in this Privacy Policy, the term “you” means Your Organization on whose behalf you are acting. Please note, however, that this Privacy Policy does not apply to the extent that you have entered into an agreement, privacy policy, or other terms with a third party that governs your provision of Personal Information through our Services. In such context, we will collect, use, share, and otherwise process your Personal Information on behalf of the applicable third party to fulfill our obligations under our agreement with such third party. In such circumstances, please contact the applicable third party if you have inquiries regarding the Personal Information that we collected on behalf of such third party or if you would like to exercise any rights that You may have with respect to such Personal Information under applicable law. If you are unsure if this Privacy Policy applies to you, please contact us using the contact information set out in Section 17 (“Contact Information”).

2. Ory’s Roles & Responsibilities

The controller, i.e., the entity that is responsible for the processing of your Personal Information, and which is referred to by the term “Ory”, “we”, “us” or “our” in this Privacy Policy, is Ory Corp, with offices at Ory Corp, 15169 N. Scottsdale Rd., Suite 205, Scottsdale, AZ 85254, USA132-A Veterans Lane, Suite 129, Doylestown, Pennsylvania, USA 19901. If the controller is one of our affiliates or subsidiaries (collectively, our “Affiliates”), this will be explicitly stated at the point where the data is collected or, respectively, where you have been referred to this Privacy Policy, and the full address of the respective controller will be given at the same location. For Ory Corp's representative in the European Union / European Economic Area (“EEA”) see Section 9.3.2 (“Representative”).

3. Collection of Information

Here are the types of information that we collect about you and how we collect it from you:

3.1 Information That You Provide

We collect information that you provide to us, including when you interact with us in the course of our Business Operations or when we provide the Services. Information that you may provide includes your name, employment information, mailing address, telephone number, email address, and date of birth. If you choose to use social login functionality, we will collect your social account information from you. Ory also collects information that you provide to us by email. If you visit our office in person and meet with our employees, we may ask you to provide us with information, including Personal Information (“Offline Personal Information”). Offline Personal Information may be collected using:

  1. in-person communications and interactions with us;
  2. paper forms; and
  3. other information you provide to us in person or via mail, fax, telephone, or other means.

If you provide Offline Personal Information to us, we will provide you with a written notice of this Privacy Policy or will provide you with a reference to this Privacy Policy, so that you can familiarize yourself with its terms.

3.2 Device Identifiers; Logs; Tags

We may automatically collect certain information from you, including certain technical information from your computer or mobile device when you use certain Services, such as your Internet Protocol address, your web browser type and version, the name and version of your operating system, the pages you view on the Website, the pages you view immediately before and after you access the Website, and the search terms you enter on the Website (if any). This information allows Ory to provide the Website to you and improve the Business Operations, the Website, and the Services.

3.3 Cookies

We may collect certain information using “cookies,” which are small text files that the Website saves on your computer or mobile device or similar technologies that allow us to recognize your computer or mobile device. We will always ask for your consent before we place cookies on your device, except for cookies that are strictly necessary to provide Website features explicitly requested by you. For further information, see the Cookie Privacy Policy in Section 7 (“Cookie Privacy Policy”) below.

3.4 Web Beacons and Tags

The Services may use certain data collection technologies that rely on: (i) beacons; (ii) pixel tags and object hyperlinking tags; and (iii) other means to link an object to an Internet address, a remote software application, a remote database, or other remote means of receiving or processing information. We may use these technologies to tell us what portions of the Services have been visited or to measure the effectiveness of searches that users perform via the Services. We will always ask for your consent before we use these technologies to collect data that is stored on your device.

3.5 User-Generated Content

We may provide you with the ability (either directly or through a third-party service that may include social media channels) to engage with us and others in public exchanges, and these may include opportunities for you to provide comments, reviews, recommendations, information related to the Services, and other input (collectively, “User-Generated Content”). Please understand that anything you supply as User-Generated Content will be accessible to others to read, collect, re-publish, and otherwise freely use. We will only take down, remove, or edit User-Generated Content in our sole discretion, except as required by applicable law. If you include any information relating to others in your User-Generated Content, then you represent that you have full permission and authority to do so.

3.6 Geolocation Information

The Services may determine your location (your “Geolocation Information”) using your device or browser features and/or through the information provided by a third party, such as Google or Facebook. We will always ask for your consent before we access Geolocation Information on your device or browser. You may revoke consent for accessing your Geolocation Information at any time, in particular by disabling the GPS and other applicable features in your device or browser settings. To the extent Your Geolocation Information is combined with any Personal Information (to the extent that Geolocation Information itself does not constitute Personal Information under applicable law), we will treat it as Personal Information. We may use Your Geolocation Information to send communications to you, and for other purposes set out in this Privacy Policy.

3.7 Anonymous Information

We may also collect, process, and use information that does not identify you or your devices, and which is neither stored on your device or already present on your device, including information that has been made anonymous by: (i) removing identifying fields and aggregating the information with other information so that individuals cannot be re-identified, or (ii) anonymizing the information with techniques (such as via GA4) that remove or modify the identifying data so as to prevent re-identification of the anonymized information (collectively, “Anonymous Information”). Information that meets these criteria might include, for example, demographic information, statistical information (e.g., page views and hit counts), and general tracking information.

4. How We Use Your Information

4.1 Business Operations and Services

We use your Personal Information for Business Operations. This includes, providing you with the Services you request or access, such as accessing or using the Services, creating and managing your user accounts, and communicating with you about our Services.

4.2 Analysis and Improvement

We may use your Personal Information and Anonymous Information to perform internal administration, auditing, operation, and troubleshooting in connection with Business Operations, including to evaluate and improve our Services, and to develop and test Services.

4.2.1 PostHog

We use PostHog, a product analysis service provided by PostHog Inc., 2261 Market St., #4009, San Francisco, CA 94114, USA (hereinafter referred to as "PostHog"). PostHog processes the following data about your use of our website:

  • Identification: name, user name
  • Computer device: IP address, MAC address, browser footprint
  • Contact: email address
  • Location: country, area, city
  • Behavior : website usage (page views, clicks, browsing behavior )

Purposes of Processing

The processing of this data is necessary to:

  • Analyze your use of our website.
  • Compile reports on website activities.
  • Provide other services related to website usage and internet usage.
  • Conduct surveys (e.g. NPS) and collect user feedback.

PostHog processes this data on our behalf for these purposes. The data helps us improve the functionality and user experience of our website.

Legal Basis for Processing

The processing of your personal data by PostHog is based on Article 6(1)(f) GDPR (Legitimate Interests). Our legitimate interest lies in analyzing the usage of our website to optimize its performance and improve user experience. The processing of your data is necessary to provide insights that enhance the effectiveness of our services, without infringing upon your privacy rights.

Data Transmission and Storage

This data is generally transmitted in encrypted form to a PostHog server in Frankfurt, Germany, where it is stored. Additionally, PostHog is certified under the Data Privacy Framework Agreement (DPF), a part of the agreement between the EU and the USA, ensuring that data protection standards equivalent to those in the EU are applied.

Data Retention Period

Your personal data will be stored by PostHog only as long as necessary to fulfill the purposes mentioned or as required by legal retention obligations. Once these purposes no longer apply or the legal periods have expired, your data will be deleted or anonymised.

4.2.2 reo.dev

Types of Data Processed

The data controller responsible for processing data in connection with the use of the tool "reo.dev" is:

ReoDotDev Inc. \ San Francisco, CA 94115 \ Email: [email protected]

When using "reo.dev", we process the following personal data:

Anonymous Users

  • IP Address
  • Browser variables [Browser Type, Version]
  • Pages viewed
  • Time spent
  • Pages viewed before and after
  • Search terms

Logged-in Users

For users who log into the Ory Network Console, we process in addition:

  • Name**
  • Email address

This data is required to ensure proper identification and the processing of queries within the tool. No further use of this data will be made unless explicit consent has been given.

Purposes of Processing

Your personal data is processed solely for the following purposes:

  • Use and operation of "reo.dev": Your name and email address are necessary for the proper functioning and identification while using the tool.
  • Handling user inquiries: The email address is used to respond to user inquiries and for necessary communication in relation to the use of the tool.

Legal Basis for Processing

The processing of your personal data is based on Article 6(1)(f) GDPR (Legitimate Interests). Our legitimate interest lies in ensuring the functionality of the "reo.dev" tool and providing you with a user-friendly platform. The processing of your data is necessary to efficiently handle your requests and ensure the proper functioning of the tool. This processing is carried out with due consideration of your interests and rights, ensuring no disproportionate infringement on your privacy.

Data Transfer to Third Countries

In the course of using "reo.dev", it may be necessary to transfer personal data to countries outside the European Union (so-called third countries). If such a transfer occurs, it will be based on EU Standard Contractual Clauses (SCC), in accordance with Article 46(2)(c) GDPR, which are recognized as appropriate safeguards for the protection of personal data.

These Standard Contractual Clauses ensure that the protection of your personal data is maintained at a level comparable to that in the EU, even in third countries. Data will be processed exclusively for the abovementioned purposes and in compliance with the applicable data protection regulations.

Data Retention Period

Your personal data will only be stored for as long as necessary to fulfill the purposes mentioned or as required by legal retention obligations. Your data will be deleted or blocked once these purposes no longer apply or the legal periods have expired.

4.3 Information and Notices

If you submit your Personal Information to us, we may provide you with information about Business Operations and the Services or required notices. Ory does not sell or share your Personal Information with other companies for purposes of marketing their goods or services to you. In some jurisdictions, you have the explicit right to request that we do not share your Personal Information with, or sell your Personal Information to, certain third-parties, and we will honor such requests in accordance with applicable law.

4.4 Security

We may use your Personal Information for safety and security purposes, including sharing of your information for such purposes, when it is necessary to pursue our legitimate interests in ensuring the security of Business Operations and the Services, including detecting, preventing and responding to fraud, intellectual property infringement, violations of agreements with Ory or its service providers, violations of law or other misuse of the Services. We may also share your Personal Information when we believe, in good faith, that disclosure is necessary to protect our rights, the rights of other users of the Services, the integrity of the Services, your safety, or the safety of others.

We may have legal obligations to collect, use, retain, or process your Personal Information. If those obligations exist, then we will use your Personal Information to satisfy such obligations.

4.6 Responding to Your Requests

We use your Personal Information to respond to your requests through various channels (which may include in-person, email, phone, and chat).

We may seek your consent to use your Personal Information for additional purposes that we communicate to you.

5. Sharing Information

This Section describes how we share the information we have collected about you. We are not in the business of selling your Personal Information, but we may share your Personal Information as described below in accordance with applicable laws. Unless otherwise required by applicable law, we take reasonable efforts to ensure that any entity that we share your Personal Information with has privacy practices at least as protective as those in this Privacy Policy.

5.1 Third-Party Service Providers

We may engage third-party service providers to perform functions on our behalf, and these may include maintaining the Website or App, responding to and sending email or other messages, data analysis, and other functions useful to Business Operations or the Services. Such third-party service providers will have access to Personal Information to the extent needed to perform their function, but will not be permitted to use Personal Information for other purposes.

5.2 Consultants

We may engage attorneys, accountants, and other consultants and subject matter experts to advise and assist it in connection with the Services. We will provide such consultants with access to Personal Information to the extent needed to perform their function, but will not permit them to use your Personal Information for purposes unrelated to their engagement with us.

5.3 Business Transfer

Ory may also transfer your Personal Information to a third party of Affiliate in the event of any reorganization, merger, acquisition, assignment, transfer or other disposition of all or any portion of Ory’s business or assets, provided that any such entity that Ory transfers Personal Information to will not be permitted to process your Personal Information other than as described in this Privacy Policy without providing you notice and, if required by applicable laws, obtaining your consent.

5.4 Our Affiliates

We may share information we collect with our Affiliates, which are any entity that is closely related to us, such as any entity that controls, is controlled by, or is under common control with Ory. Our Affiliates will be subject to the terms of this Privacy Policy. Our list of Affiliates can be found athttps://www.ory.sh/affiliate-list/

5.5 Other Disclosure

We may disclose Personal Information about you to others: (i) if we have your valid consent to do so; (ii) to comply with a valid subpoena, legal order, court order, legal process, or other legal obligation; (iii) to enforce any of our terms and conditions or policies; or (iv) as necessary to pursue available legal remedies or defend legal claims.

6. Storage

Securing and storing your information is important to us. In this Section, we describe how we store and secure your information.

6.1 Security

We have implemented reasonable measures to protect your information from unauthorized access, use or disclosure. Ory maintains administrative, technical and physical safeguards designed to protect the collected information that are appropriate to the nature, size, and complexity of our Business Operations. Ory is not responsible for the security of information that you transmit over networks that Ory does not control, including the Internet and wireless networks. Retention. Ory retains information (including associated Personal Information) in accordance with applicable law and accepted retention practices. We will keep your Personal Information for as long as necessary to fulfill the purposes for which we collected it, including any legal, accounting or reporting requirements.

6.2 Retention

Ory retains information (including associated Personal Information) in accordance with applicable law and accepted retention practices. We will keep your Personal Information for as long as necessary to fulfill the purposes for which we collected it, including any legal, accounting or reporting requirements. In particular:

  • Personal Information that we use to provide our Website to you will generally be deleted or anonymized after you leave our Website. In case of actual or suspected security incidents, we may keep the relevant information for up to seven days in order to investigate said incidents.
  • Personal Information processed for the purpose of performing a contract will generally be kept during the term of the contract and the subsequent statute of limitation period for claims arising out of the contract.
  • If there is a legal obligation to retain Personal Information, in particular for tax purposes, Personal Information will be kept for as long as required by the applicable laws.

6.3 Reviewing, Deleting, or Correcting Information

Ory is committed to empowering you to understand the information we have about you. In addition to any additional legal rights you may have that are described in Section 9.2 (“United States State-Specific Notices Regarding Your Privacy Rights”), Section 9.3 (“EEA-Specific Notices Regarding Your Privacy Rights”), or Section 10 (“Your GDPR Rights”) if you wish to review, correct, or request that we delete information about you (including incorrect Personal Information), you may send a written request to Ory using the contact information provided in Section 17 (“Contact Information”). Please understand that we may not be able to change or delete your information if the information is necessary for our Business Operations or necessary for compliance with applicable law.

This Section provides Ory’s cookie policy (“Cookie Privacy Policy”) and describes how Ory uses Cookies (as defined below) and similar technologies.

7.1 Cookies

Cookies are small pieces of data that are stored on your computer, mobile phone, or other device when you first visit a page. Ory uses cookies, web beacons and similar technologies (collectively, “Cookies”) to enhance your user experience, understand your usage of the Website, detect if you have returned to the Website, and to perform analytics. Cookies may also be set by other websites or services that run content on the page you are visiting. The provision of your data via Cookies is based on your consent except for those Cookies that Ory places on your device that are strictly necessary for Website features requested by you. Ory uses “session cookies” and “persistent cookies.” Session Cookies are temporary Cookies that remain on your device until you leave the Website. A persistent Cookie may remain on your device for much longer until you manually delete it.

7.2 Use

Cookies can contain the following information about you and your use of the Website: browser type, search preferences, data relating to which pages of the Website that you have visited and the date and time of your use. Ory uses Cookies for the following purposes:

  • To enable and support security features, prevent fraud, and protect your data from unauthorized access.
  • To enable features and help us provide you with personalized content.
  • To analyze how you use the Website and to monitor site performance. These Cookies help us to identify and fix errors, understand and improve services, research and test out different features, and monitor how you reached the Website.

7.3 Third-Party Cookies

The list of third-party cookies Ory uses the on the Website can be found at https://www.ory.sh/thirdparty-cookies/ Your Choices Regarding Your Personal Information

8. Newsletter

Types of Data Processed

In connection with the subscription and distribution of our newsletter, we process the following personal data:

  • Email address (mandatory)
  • Name (optional, if provided for personalisation)
  • Any other voluntary information provided during the newsletter registration process.

Purposes of Processing

Your personal data is collected and processed solely for the following purposes:

  • Distribution of the newsletter: To inform you about our products, services, news, and offers.
  • Personalisation of the newsletter: If you provide your name, we use it to personalise the greeting in the newsletter.

Legal Basis for Processing

The distribution of our newsletter is based on your explicit consent in accordance with § 7(2) No. 3 UWG or Art. 6 I lit. a) GDPR. Your consent is obtained through the double opt-in process, where you will receive a confirmation email after subscribing, which you must actively confirm to be added to our mailing list.

Additionally, the newsletter may be sent in accordance with § 7(3) UWG if we have obtained your email address in connection with the sale of goods or services and if the newsletter contains information on similar products or services that may interest you. In this case, you can object to receiving the newsletter at any time without incurring any costs other than the transmission costs at basic rates.

Withdrawal of Consent and Right to Object

You may withdraw your consent to receive the newsletter at any time or object to further distribution. This can be done via the unsubscribe link included in every newsletter or by sending a message to: \ Email: [email protected]

Data Transmission and Retention

Your personal data will be used exclusively for the distribution of the newsletter and will not be shared with third parties. Your data will be stored for as long as you remain subscribed to the newsletter. Upon unsubscribing, your data will be promptly deleted unless legal retention obligations apply.

9. Your Choices Regarding Your Personal Information

9.1 Opt-Out of Marketing Communications

If you have chosen or otherwise consented to receive, bulletins, updates, or other marketing-related materials, we will provide you with the ability to decline – or “opt out” – of receiving such communications. instructions for opting-out will be provided if and when we determine to send you such a communication. For example, if you no longer wish to receive email messages from us, you can opt out of this Service by either (i) following the “unsubscribe” instructions located near the bottom of each email message, or (ii) contacting us as provided in Section 17 (“Contact Information”). Opt-outs will be free of charge; however, your telecommunications provider or the postal service may charge you normal rates for sending us your opt out request. Please understand that we may continue to communicate with you in connection with administrative notices concerning any transactions, operation of the Services and legal notices.

9.2 United States State-Specific Notices Regarding Your Privacy Rights

9.2.1 Shine the Light Law

California law requires certain businesses to respond to requests from California users who ask about business practices related to disclosing Personal Information to third-parties for direct marketing purposes. The California “Shine the Light” law further requires us to allow California residents to opt out of certain disclosures of Personal Information to third-parties for their direct marketing purposes.

9.2.2 California Consumer Privacy Act Disclosure

The California Consumer Privacy Act (the “CCPA”) provides various rights to individuals and households with respect to the collection and use of Personal Information that we have collected about California residents. We use the term “resident” to refer to a California resident to whom the CCPA applies. Among other rights under the CCPA, as further set out in this Section, a resident has the right to request that we (i) disclose to the resident Personal Information that we have about such resident (including Personal Information about such resident that is sold), and (ii) subject to certain exceptions, delete Personal Information that we have about such resident. A resident may request a copy of the following using the mechanism set out in Section 9.2.3 (“Submission of a Consumer Request”): (a) the categories of Personal Information we collected about such resident; (b) the categories of sources from which the Personal Information is collected; (c) the business or commercial purpose for collecting or selling the Personal Information; (d) the categories of third-parties with whom we share Personal Information; and (e) the specific pieces of Personal Information we have collected about such resident. A resident may submit a request for such information no more than twice in any twelve (12) month period, and our disclosure of such requested information shall only cover the twelve (12) month period preceding our receipt of such request. Additionally, a resident may request that we delete such resident’s Personal Information using the mechanism set out in Section 9.2.3 (“Submission of a Consumer Request”). A resident’s rights as to such deletion requests are set out in Section 6.3 (“Reviewing, Deleting, or Correcting Information”).

9.2.3 Submission of a Consumer Request

We are in the process of implementing methods for residents to submit requests to us to access or delete their Personal Information. In the interim, please submit such requests to the email address provided in Section 17 (“Contact Information”). We will respond to your request within forty-five (45) days or as permitted by applicable law.

9.2.4 Other California Disclosures

We do not provide a financial incentive or a price or service difference to customers in exchange for the retention or sale of their Personal Information. We may send promotions and other offers to those individuals subscribing to our marketing communications and, unless an individual has opted out of such communications, the individual will continue to receive such communications irrespective of whether a disclosure, deletion, or “Do Not Sell” request has been submitted. We do not offer financial incentives to deter customers from making such requests.

  • We do not illegally discriminate against any customer for exercising their privacy rights.
  • If you are a job applicant submitting Personal Information to us in connection with an application for employment, you will be provided with a privacy notice regarding how we handle such information as part of the application process.
  • If you have any questions about our privacy practices in connection with the California Consumer Privacy Act, please contact Us as directed in Section 17 (“Contact Information”).

9.2.5 Nevada Disclosures

For Nevada residents, please note that We do not sell personal information as defined by Nevada law. You can submit a request to Us as set out in in Section 17 (“Contact Information”).

9.2.6 Further Resources

If you wish further information concerning privacy policies in general, you should visit the following site: www.ftc.gov/privacy/index.html.

9.3 EEA-Specific Notices Regarding Your Privacy Rights

9.3.1. GDPR

Regulation (EU) 2016/679 (General Data Protection Regulation) (“EU GDPR”) EEA, i.e., the European Union, Iceland, Liechtenstein and Norway when accessing our website or being offered products or services by us. It also applies where your data is processed by one of our Affiliates or other establishments in the EEA. Likewise, the UK General Data Protection Regulation tailored by the Data Protection Act 2019 (“UK GDPR”) applies when you are located in the United Kingdom of Great Britain and Northern Ireland (“UK”) under the same circumstances.

9.3.2 Representative

The representative of Ory Corp in the EEA is Ory Germany GmbH, Karlsplatz 3, 90355 Munich, Germany.

For purposes of the GDPR, the legal basis for the processing of your Personal Information is as follows:

  • Where we use your Personal Information for Business Operations (Section 4.1 “Business Operations and Services”), the processing is generally necessary for the performance of a contract to which you are a party or in order to take steps at your request prior to entering into a contract (Article 6(1)(b) of the GDPR). Where you are not our actual customer but a contact person of our customer, the legal basis is our legitimate interest (Article 6(1)(f) of the GDPR) to communicate with our customer through you.
  • Where we use your Personal Information for internal administration, auditing, operation, and troubleshooting in connection with Business Operations (Section 4.2 “Analysis and Improvement”), the processing is generally based on our legitimate interest (Article 6(1)(f) of the GDPR) to (i) operate and improve our business efficiently; (ii) to enforce any of our terms and conditions or policies; or (iii) to pursue available legal remedies or defend legal claims. We may also ask for your consent (Article 6(1)(a) of the GDPR) to obtain additional information, in particular in connection with the operation of our Website and the use of Cookies.
  • For the use of your Personal Data to provide you with information about Business Operations and the Services (Section 4.3 “Information and Notices”), the legal basis is generally our legitimate interest (Article 6(1)(f) of the GDPR) to market our business to you. Notwithstanding, if you request more concrete information, the processing may also be necessary to take steps prior to entering into a contract (Article 6(1)(f) of the GDPR). For notices required by law, the processing of your personal data is necessary for compliance with such legal obligation (Article 6(1)(c) of the GDPR).
  • The use of your Personal Information for safety and security purposes (Section 4.4 “Security”) is generally based on our legitimate interest (Article 6(1)(b) of the GDPR) in ensuring said safety and security. In some situations, there may also be a legal obligation to implement such measures (Article 6(1)(c) of the GDPR).
  • In other cases where we need to comply with a legal obligation (Section 4.5 “Compliance with Legal Obligations”), the processing is based on the necessity to comply with such obligation (Article 6(1)(c) of the GDPR).
  • Where we use your Personal Information to communicate with you (Section 4.6 “Responding to Your Requests”), the legal basis will be one of the above depending on the purpose of such communication.
  • Where we seek your consent for other purposes (Section 4.7 “Other Purposes for Which We Seek Your Consent”), the legal basis is consent (Article 6(1)(a) of the GDPR).

10. Transfers to Third Countries

Ory is an international business with multi-national operations, systems and processes. In this context, the Personal Information that Ory collects from you may be transferred to and stored in the United States or another location outside of the European Economic Area (“EEA”), the United Kingdom (“UK”) or Switzerland.

With respect to Personal Information transferred outside the EEA, UK, or Switzerland, we will process Personal Information in accordance with applicable privacy laws by implementing appropriate safeguards.

Ory uses several mechanisms to lawfully transfer personal data from the European Union to other countries. These mechanisms include the following frameworks (together, the “Data Privacy Frameworks”):

  • the EU-U.S. Data Privacy Framework
  • the UK Extension to the EU-U.S. Data Privacy Framework, and
  • the Swiss-U.S. Data Privacy Framework.

Ory participates in the U.S. Department of Commerce self-certification process and adheres to the Data Privacy Framework Principles (“Principles”) with regard to the processing of personal data received from the EEA, the UK, and Switzerland in reliance on these Data Privacy Frameworks.

10.1 Our Obligations to You Under the Data Privacy Framework

  • Ory and its U.S. subsidiaries comply with the EU-U.S. Data Privacy Framework (EU-U.S. DPF), the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. Data Privacy Framework (Swiss-U.S. DPF) as set forth by the U.S. Department of Commerce regarding the collection, use and retention of Personal Information transferred from the EEA, UK, and Switzerland to the United States, respectively.
  • Ory has certified to the US Department of Commerce that it adheres to EU-U.S. Data Privacy Framework Principles (EU-U.S. DPF Principles) with regard to the processing of personal data received from the EEA in reliance on the EU-U.S. DPF and from the United Kingdom in reliance on the UK Extension to the EU-U.S. DPF. Ory has also certified to the U.S. Department of Commerce that it adheres to the Swiss-U.S. Data Privacy Framework Principles (Swiss-U.S. DPF Principles) with regard to the processing of personal data received from Switzerland in reliance on the Swiss-U.S. DPF.
  • Ory collects Personal Information in accordance with this Privacy Policy.
  • If there is any conflict between the terms in this policy and the EU-U.S. DPF Principles, UK Extension to the EU-U.S. DPF, and/or the Swiss-U.S. DPF Principles, the DPF Principles shall govern.
  • The Federal Trade Commission has jurisdiction over Ory’s compliance with the DPF. Ory’s commitments under the DPF are subject to the investigatory and enforcement powers of the United States Federal Trade Commission.
  • Ory commits to cooperate with EU and UK Data Protection Authorities and the Swiss Federal Data Protection and Information Commissioner and to comply with the advice given to Ory by such authorities with regard to human resources data transferred from the EU, UK, and Switzerland in the context of the employment relationship.
  • To learn more about the Data Privacy Framework program, and to view our certification, please visit https://www.dataprivacyframework.gov/list.

10.2 Onward Transfers

Ory complies with the Principles for all onward transfers of personal data from the European Union, the United Kingdom, and Switzerland, including the onward transfer liability provisions.

10.3 Complaints and Recourse

In compliance with the DPF Principles, Ory commits to resolve complaints about your privacy and our collection or use of your Personal Information without charge to you.

  • European Union and Swiss individuals with inquiries or complaints regarding this Privacy Policy should first contact us using the contact information provided in Section 17 (“Contact Information”).
  • In compliance with the EU-U.S. DPF and the UK Extension to the EU-U.S. DPF and the Swiss-U.S. DPF, Ory commits to refer unresolved complaints concerning our handling of personal data received in reliance on the EU-U.S. DPF and the UK Extension to the EU-U.S. DPF and the Swiss-U.S. DPF to JAMS, an alternative dispute resolution provider based in the United States.  If you do not receive timely acknowledgment of your DPF Principles-related complaint from us, or if we have not addressed your DPF Principles-related complaint to your satisfaction, please visit www.jamsadr.com for more information or to file a complaint.  The services of JAMS are provided at no cost to you.
  • Please note that if your complaint is not resolved through the above mechanism, in certain limited circumstances you may be able to invoke a binding arbitration proceeding before the DPF panel if Ory has failed to meet its obligations to you under the DPF and that failure has still not been remedied. Additional information about invoking binding arbitration is available online at the following link: https://www.dataprivacyframework.gov/.
  • In addition to participating in the above-mentioned Frameworks, Ory may also use contractual measures to ensure that the rights of European data subjects are respected. Ory may offer EU Standard Contractual Clauses to its Customers located in the EU, to facilitate the transfer and subsequent processing of EU Personal Information.

11. Your GDPR Rights

Under the GDPR, you have the right to request to access, review, correct, update, suppress, restrict or delete Personal Information that you have provided to us. You have the right to request an electronic copy of Personal Information for the purpose of transmitting it to another company. You have the right to not be subject to a decision based solely on automated processing, including profiling. You may submit such requests by using the contact information provided in Section 17 (“Contact Information”). We will respond to your request in accordance with applicable law. In your request, you must advise what Personal Information you would like to access, review, correct, update, suppress, restrict or delete; or otherwise let us know what limitations you would like to put on our use of your Personal Information.

Where processing of your Personal Information is based on your consent (cf. Section 9.3.3 “Legal Basis for Processing”), you have the right to withdraw consent at any time, without affecting the lawfulness of processing based on such consent before such withdrawal;

  • Where processing takes place for the purpose of direct marketing, you have the right to object to the use of your Personal Information (Article 21(2) of the GDPR) at any time;
  • Where processing is based on our legitimate interest (cf. Section 9.3.3 – Legal Basis for Processing), you have the right to object to the use of your Personal Information on grounds relating to your particular situation (Article 21(1) of the GDPR)and any time; we may, however, continue the processing if (i) we can demonstrate compelling legitimate grounds for the processing which override your interests, rights and freedoms; or (ii) for the establishment, exercise or defense of legal claims.
  • If you wish to exercise any of your rights above, please contact us using the contact information provided in Section 17 (“Contact Information”). You also have the right to lodge a complaint with your local competent supervisory authority or any authority that applies to Ory.

12. Feedback

We respect our customers and we want to encourage your feedback. If you have a suggestion or concern you would like us to address, please contact us using the contact information provided in Section 17 (“Contact Information”). Certain jurisdictions may also provide you with additional avenues for lodging complaints. Please check with your jurisdiction’s consumer protection authority.

13. Third-Party Websites and Platforms

The Services and our communications may contain links to websites and platforms operated by third-parties. You acknowledge and agree that Ory is not responsible for the collection and use of your information by such websites or platforms that are not under Ory’s control. We encourage you to review the privacy policies of each website and platform you visit or access so you understand such website operator’s privacy practices.

14. Children’s Information

The Services are not directed to, nor does Ory knowingly collect information from, children under the age of 13 in connection with Business Operations. If you become aware that your child or any child under your care has provided information without your consent, please contact Ory immediately using the contact information provided in Section 17 (“Contact Information”).

15. Changes to this Privacy Policy

From time to time, we may change this Privacy Policy for our business purposes and to comply with changes in applicable law. If we make any substantive or material changes, then we will communicate these changes to you by posting the updated Privacy Policy on the Website, App and/or notifying you of the change via the Services, email, or other methods. Where permitted under applicable law, your continued use of the Services following such notice constitutes your agreement to follow and be bound by the updated Privacy Policy.

16. Relationship to Terms of Service

This Privacy Policy must be read in conjunction with (i) other agreements into which you and Ory may enter concerning the Services (if any), and (ii) our Terms of Service, available here: https://www.ory.sh/tos/. The provisions of our Terms of Service are incorporated herein. To the extent this Privacy Policy conflicts with our Terms of Service, the terms of this Privacy Policy shall control. Similarly to the extent this Privacy Policy conflicts with the terms and conditions of any specific agreement you enter with us, the terms and conditions of such specific agreement shall control.

17. Do Not Track Notice

Our Website does not change its behavior when receiving “Do Not Track” signals from browser software. We will instead ask for your explicit consent before we place Cookies that are not necessary for the Website features requested by you.

18. Contact Information

We welcome your feedback or suggestions. If you have any questions about this Privacy Policy or the collection or use of information about you, please contact Ory at [email protected] You may also contact us by other means at the address set out or referred to in Section 2 (“Ory’s Roles & Responsibilities”). If you are in the EU/EEA, you may also contact our representative at the address set out in Section 9.3.2 (“Representative”).

19. Effective Date

The effective date of this Privacy Policy is October 10th, 2024.

© 2021-2024 Ory Corp. All rights reserved. No part of this content may be reproduced or stored in any form without written permission from Ory.