Privacy Policy
ORYX Inc.
Last Updated: May 17, 2026
Effective Date: May 17, 2026
Table of Contents
- Introduction and Scope
- Who We Are
- Key Definitions
- Information We Collect
- How We Collect Information
- How We Use Your Information
- Legal Bases for Processing (GDPR)
- How We Share Your Information
- Sub-Processors and Third-Party Service Providers
- Customer Data and Data Processing
- Cookies and Tracking Technologies
- Data Retention
- Data Security
- International Data Transfers
- Your Privacy Rights
- California Privacy Rights (CCPA/CPRA)
- GDPR Rights for EEA and UK Users
- Children's Privacy
- AI and Automated Processing
- Platform-Specific Disclosures
- Business Transfers
- Third-Party Links and Integrations
- Do Not Track
- Legal Disclosures and Law Enforcement
- Changes to This Privacy Policy
- Data Protection Officer
- Contact Us
- Jurisdiction-Specific Addenda
1. Introduction and Scope
Welcome to ORYX. We take your privacy seriously, and this Privacy Policy is designed to be thorough, honest, and clear about exactly how we handle information - whether you are a business customer, an end user, a visitor to our website, or a job applicant.
This Privacy Policy applies to:
- The ORYX platform, accessible at tryoryx.ai and related subdomains
- The chat.dahdah.cloud interface and related services
- All ORYX mobile applications, APIs, and integrations
- All autonomous agent workflows and automation services operated by ORYX
- Communications between you and ORYX, including email, support tickets, and in-product messaging
This Privacy Policy does not apply to:
- Third-party services, websites, or applications that you access through ORYX integrations. Those services have their own privacy policies, and we encourage you to review them.
- Information processed by our customers using our platform on behalf of their own end users. In those cases, the customer is the data controller and their privacy policy governs. Please see Section 10 for more details.
By accessing or using ORYX, you acknowledge that you have read and understood this Privacy Policy. If you do not agree with any part of this policy, please discontinue your use of our services.
2. Who We Are
ORYX Inc. is a technology company incorporated in the State of Delaware, United States. We provide a business-to-business platform for customer communication management, workflow automation, and autonomous agent operations.
For the purposes of applicable data protection law:
- Where ORYX collects and processes personal data of its own customers and visitors, ORYX acts as a data controller.
- Where ORYX processes personal data on behalf of its customers (i.e., data belonging to a customer's own end users), ORYX acts as a data processor.
Registered Address: ORYX Inc. [Street Address] [City, State, ZIP] United States
Contact: privacy@tryoryx.ai
3. Key Definitions
Throughout this Privacy Policy, the following terms have specific meanings:
"Personal Data" means any information that relates to an identified or identifiable natural person. This includes names, email addresses, IP addresses, device identifiers, and any other data that can be linked to an individual, directly or indirectly.
"Customer Data" means all data - including Personal Data - that you or your end users submit to or generate through the ORYX platform in the course of using our services.
"Usage Data" means data automatically collected about how you interact with our platform, including log files, feature usage, session duration, and technical diagnostics.
"Account Data" means information you provide when registering for an account, including your name, business name, email address, and payment information.
"Sub-Processor" means any third-party service provider that ORYX engages to process Personal Data on ORYX's behalf in connection with providing the services.
"Aggregate Data" means data that has been de-identified and combined with data from other users such that it no longer identifies or is reasonably linkable to any individual.
"Services" refers collectively to the ORYX platform, APIs, integrations, applications, and all related services described in Section 1.
4. Information We Collect
We collect information in several categories depending on how you interact with us.
4.1 Account and Registration Data
When you create an account or register for ORYX, we collect:
- Full name and business name
- Email address and phone number
- Billing address and payment information (processed securely via our payment processor; we do not store full card details)
- Account credentials (password is stored in hashed form; we never store plaintext passwords)
- Company size, industry, and role (where provided)
- Profile photo or avatar (where uploaded)
4.2 Customer Data
When you use ORYX to manage communications, automate workflows, or deploy autonomous agents, we process data that you or your end users provide through the platform. This may include:
- Customer contact information (names, phone numbers, email addresses)
- Conversation histories and messaging data
- Booking, reservation, and transaction records
- Business operational data uploaded or generated through the platform
- Files, documents, and attachments processed through ORYX workflows
- Any other data you choose to store or process on the platform
As described in Section 10, you are the data controller for this data. We process it solely on your behalf and in accordance with your instructions and this Privacy Policy.
4.3 Usage and Technical Data
We automatically collect technical information when you access or use our platform:
- IP address and approximate geolocation (country/region level)
- Browser type, version, and operating system
- Device type and device identifiers
- Pages visited, features used, and time spent
- Session start and end times
- Referring URLs and exit pages
- Error logs and crash reports
- API request logs including endpoints accessed and response times
- Feature flags and A/B test cohort assignments
4.4 Communication Data
When you communicate with ORYX - including via email, in-app chat, support tickets, or video calls - we collect:
- The content of those communications
- Metadata such as timestamp, communication channel, and topic
- Attachments and files shared with our support team
- Survey responses and feedback submissions
4.5 Legal Acceptance Records
When you accept our Terms of Use, this Privacy Policy, or any other legal agreement through the platform, we record:
- The specific version of the agreement accepted
- Timestamp of acceptance (UTC)
- Your login session timestamp
- Your IP address at time of acceptance
- Your user agent string (browser and operating system information)
- The acceptance method (checkbox, click-through, or API acknowledgment)
These records are maintained as legally binding electronic records of your agreement and are retained indefinitely for legal and compliance purposes.
4.6 Payment and Billing Data
We collect information necessary to process payments and manage subscriptions:
- Billing name and address
- Payment method type (e.g., credit card, ACH)
- Transaction amounts and dates
- Subscription plan details and billing cycle
- Refund and dispute history
Full payment card details are transmitted directly to our payment processor and are not stored on ORYX systems.
4.7 Marketing and Preference Data
If you interact with our marketing communications or opt into marketing:
- Email open and click tracking data
- Preferences and opt-out records
- Event attendance and webinar participation
- Content download history
4.8 Job Applicant Data
If you apply for a position at ORYX:
- Resume, CV, and portfolio materials
- Contact information
- Employment history and references
- Interview notes and evaluation records
This data is used solely for recruitment purposes and is subject to applicable employment privacy laws.
5. How We Collect Information
We collect information through the following methods:
Directly from you - when you register, configure your account, interact with the platform, contact support, or communicate with us in any way.
Automatically - through cookies, web beacons, server logs, and similar technologies when you access our platform. See Section 11 for details on cookies.
From your end users - when your customers or contacts interact with ORYX-powered workflows, agents, or communication tools that you have deployed.
From third-party integrations - if you connect ORYX with third-party services (such as CRM systems, calendar tools, or communication platforms), we may receive data from those services as part of the integration.
From payment processors - we receive confirmation and transaction data from our payment processor when you make purchases.
From publicly available sources - we may supplement account data with information from publicly available business directories or professional networks to improve our understanding of your organization, where permitted by applicable law.
6. How We Use Your Information
We use the information we collect for the following purposes:
6.1 Providing and Operating the Services
- Creating and managing your account
- Delivering the core platform functionality, including workflow automation, agent operations, and communication management
- Processing payments and managing subscriptions
- Sending service-related communications including receipts, invoices, and account notifications
- Providing technical support and responding to inquiries
6.2 Security and Fraud Prevention
- Detecting, investigating, and preventing fraudulent activity, abuse, and security incidents
- Authenticating users and protecting account integrity
- Monitoring for unauthorized access or breaches
- Enforcing our Terms of Use and Acceptable Use Policy
- Maintaining audit logs for security and compliance purposes
6.3 Platform Improvement and Development
- Analyzing usage patterns to understand how customers use the platform
- Identifying bugs, performance issues, and areas for improvement
- Developing new features and services based on customer needs
- Conducting internal research and analytics
6.4 Personalization
- Customizing your experience based on your settings, preferences, and usage history
- Remembering your configurations and workflow preferences
- Providing contextually relevant recommendations within the platform
6.5 Communications
- Sending product updates, release notes, and maintenance notifications
- Delivering invoices and billing communications
- Responding to your support requests
- Sending marketing communications where you have opted in or where we have a legitimate interest (with opt-out available at all times)
6.6 Legal and Compliance
- Maintaining records required by applicable law
- Responding to legal requests, court orders, and regulatory inquiries
- Enforcing our rights under our agreements
- Establishing, exercising, or defending legal claims
6.7 Business Operations
- Evaluating and improving our customer acquisition and retention
- Conducting financial reporting and business planning
- Performing due diligence in connection with potential business transactions
We will not use your Personal Data for purposes incompatible with those described above without providing prior notice and, where required, obtaining your consent.
7. Legal Bases for Processing (GDPR)
For users located in the European Economic Area (EEA) or the United Kingdom, we process Personal Data only where we have a valid legal basis. The legal bases we rely on are:
Contract Performance - Processing necessary to provide the services you have subscribed to, including account management, service delivery, and billing.
Legitimate Interests - Processing necessary for our legitimate business interests, including security monitoring, fraud prevention, product improvement, and marketing to existing customers, provided these interests are not overridden by your rights and interests.
Legal Obligation - Processing necessary to comply with applicable law, including tax obligations, regulatory requirements, and responses to lawful legal requests.
Consent - Where we rely on consent, such as for certain marketing communications or optional data collection, you have the right to withdraw consent at any time without affecting the lawfulness of processing prior to withdrawal.
Vital Interests - In rare circumstances, processing may be necessary to protect the vital interests of a person.
Where we process Special Category data (which we do not routinely collect), we will rely on explicit consent or another applicable legal basis under Article 9 of the GDPR.
8. How We Share Your Information
We do not sell your Personal Data. We share information only in the circumstances described below.
8.1 With Your Authorization
We share information when you explicitly direct us to do so, including when you connect ORYX with third-party integrations or invite team members to your account.
8.2 With Sub-Processors
We engage third-party service providers (sub-processors) to help us deliver the services. These providers are contractually bound to process data only on our instructions and in accordance with appropriate data protection standards. See Section 9 for details.
8.3 Within ORYX
Data may be shared among ORYX employees and contractors who need access to perform their job functions. Access is granted on a least-privilege basis and is subject to confidentiality obligations.
8.4 For Legal Reasons
We may disclose information if we believe in good faith that such disclosure is necessary to:
- Comply with applicable law, regulation, or legal process
- Respond to a valid subpoena, court order, or government request
- Protect the rights, property, or safety of ORYX, our customers, or the public
- Detect, prevent, or address fraud, security, or technical issues
- Enforce our Terms of Use or other agreements
We will attempt to notify you of any such request before disclosing your data, unless prohibited by law or court order from doing so.
8.5 Business Transfers
In connection with a merger, acquisition, asset sale, financing, or other business transaction, your information may be transferred to the acquiring entity. We will provide notice before your Personal Data is transferred and becomes subject to a different privacy policy, and we will endeavor to ensure the receiving entity maintains equivalent protections.
8.6 Aggregate and De-Identified Data
We may share Aggregate Data or de-identified data that cannot reasonably be used to identify you for purposes such as industry research, benchmarking, and marketing.
9. Sub-Processors and Third-Party Service Providers
ORYX works with third-party service providers to operate our platform. Rather than disclose specific provider names in a manner that would reveal our technical infrastructure, we disclose the categories of sub-processors we engage, in accordance with industry-standard practice.
Categories of Sub-Processors
Cloud Infrastructure and Hosting - Providers that host our servers, databases, and storage infrastructure in secure data centers.
AI and Machine Learning Services - Providers whose models and APIs power ORYX's autonomous agent capabilities and language processing features. These providers process conversational and operational data solely to deliver responses; they do not use Customer Data to train their general models under our agreements with them.
Payment Processing - PCI-DSS compliant providers that handle payment card data and subscription billing on our behalf.
Email and Communication Delivery - Providers that deliver transactional emails, notifications, and in-app messages.
Analytics and Monitoring - Providers that help us understand platform performance, diagnose errors, and analyze usage patterns.
Customer Support Tooling - Providers that power our support ticketing and help desk systems.
Identity and Authentication - Providers that assist with secure login, multi-factor authentication, and session management.
Sub-Processor Changes
We may update our sub-processors from time to time. Enterprise customers may request our current sub-processor list by contacting privacy@tryoryx.ai. We will provide 30 days' advance notice of any material changes to our sub-processors to customers who have subscribed to such notifications.
10. Customer Data and Data Processing
When you use ORYX to process data about your own customers, contacts, or users, you remain the data controller for that Customer Data. ORYX acts as your data processor.
10.1 Your Responsibilities as Data Controller
You are responsible for:
- Providing legally required privacy notices to your end users
- Obtaining any required consents before submitting data to ORYX
- Ensuring your use of ORYX complies with applicable privacy law
- Responding to data subject rights requests related to your Customer Data
- Configuring retention and deletion settings in a compliant manner
10.2 ORYX Responsibilities as Data Processor
ORYX agrees to:
- Process Customer Data only on your documented instructions
- Use appropriate technical and organizational safeguards
- Restrict access to authorized personnel with a need to know
- Assist you with data subject rights and compliance requests where required
- Notify you of confirmed data breaches without undue delay as required by law
10.3 Data Processing Agreement (DPA)
Where required by law, a Data Processing Agreement forms part of your contract with ORYX. If you require a signed DPA, contact privacy@tryoryx.ai.
11. Cookies and Tracking Technologies
We use cookies and similar technologies to operate, secure, and improve our services.
11.1 Types of Cookies We Use
- Strictly Necessary Cookies - Required for authentication, session management, and platform security.
- Functional Cookies - Remember your settings and preferences.
- Analytics Cookies - Help us understand usage and improve performance.
- Marketing Cookies - Used for campaign measurement and personalization where permitted.
11.2 Cookie Management
You can manage cookie preferences through your browser settings. Blocking some cookies may affect platform functionality.
Where required by law, we present a consent mechanism before placing non-essential cookies.
11.3 Similar Technologies
We may use local storage, SDK identifiers, pixels, and server-side event tracking for similar purposes.
12. Data Retention
We retain Personal Data for as long as needed to provide services, comply with legal obligations, resolve disputes, and enforce agreements.
Retention periods vary by data type:
- Account Data - retained while your account is active and for a reasonable period after closure
- Customer Data - retained according to your account settings and contractual terms
- Usage Logs - typically retained for security and diagnostics for limited periods
- Billing Records - retained for accounting and tax compliance as required by law
- Legal Acceptance Records - retained indefinitely for legal enforceability and audit evidence
When retention is no longer necessary, data is deleted or irreversibly de-identified, subject to backup lifecycle constraints.
13. Data Security
We maintain administrative, technical, and physical safeguards designed to protect Personal Data, including:
- Encryption in transit using TLS
- Encryption at rest for sensitive systems where appropriate
- Access controls and least-privilege permissions
- Multi-factor authentication for internal administrative access
- Logging and monitoring for suspicious activity
- Regular vulnerability management and patching
- Employee confidentiality and security training
No system is 100% secure. If you suspect unauthorized access to your account, contact us immediately at security@tryoryx.ai.
14. International Data Transfers
ORYX operates globally, and data may be processed in countries other than where you are located.
When we transfer Personal Data across borders, we use appropriate safeguards, which may include:
- Standard Contractual Clauses (SCCs)
- UK International Data Transfer Addendum where applicable
- Additional contractual and technical protections as required
By using the services, you acknowledge that your information may be transferred to and processed in jurisdictions that may have different data protection laws than your country of residence.
15. Your Privacy Rights
Depending on your location and applicable law, you may have rights to:
- Access Personal Data we hold about you
- Correct inaccurate or incomplete Personal Data
- Request deletion of your Personal Data
- Restrict or object to certain processing
- Receive a portable copy of your Personal Data
- Withdraw consent where processing is based on consent
- Lodge a complaint with a supervisory authority
To exercise rights, contact privacy@tryoryx.ai. We may need to verify your identity before completing your request.
16. California Privacy Rights (CCPA/CPRA)
If you are a California resident, you may have rights under the California Consumer Privacy Act, as amended by the California Privacy Rights Act.
Subject to applicable exceptions, you may request:
- Disclosure of categories and specific pieces of personal information we collect
- Disclosure of categories of sources, purposes, and third parties receiving data
- Deletion of personal information
- Correction of inaccurate personal information
- Limitation of use of sensitive personal information (where applicable)
- Non-discrimination for exercising privacy rights
ORYX does not sell personal information or share personal information for cross-context behavioral advertising as those terms are defined under California law.
Authorized agents may submit requests on your behalf where permitted by law.
17. GDPR Rights for EEA and UK Users
If you are located in the EEA or UK, you may have the following rights:
- Right of access
- Right to rectification
- Right to erasure
- Right to restriction of processing
- Right to data portability
- Right to object to processing
- Right not to be subject to decisions based solely on automated processing that produce legal or similarly significant effects (subject to legal exceptions)
You also have the right to lodge a complaint with your local data protection authority.
To exercise GDPR rights, contact privacy@tryoryx.ai.
18. Children's Privacy
ORYX services are intended for business use and are not directed to children under 16 years of age (or higher age thresholds where required by local law).
We do not knowingly collect Personal Data from children. If you believe a child has provided Personal Data through our services, contact privacy@tryoryx.ai and we will take appropriate steps to investigate and delete the data where required.
19. AI and Automated Processing
ORYX provides AI-powered features, including autonomous workflows and language-based agent operations.
19.1 Use of Data in AI Features
Data you submit to AI-enabled features may be processed by trusted model providers acting as sub-processors under contractual restrictions.
Under our commercial agreements, Customer Data provided through ORYX is not used to train general third-party foundation models.
19.2 Automated Outputs and Human Oversight
AI-generated outputs may be probabilistic and may contain errors. You are responsible for reviewing outputs before relying on them in high-impact contexts, including legal, financial, medical, or safety-related decisions.
19.3 No Solely Automated Legal Decisions by ORYX
ORYX does not intentionally use solely automated decision-making to make legal or similarly significant decisions about individuals without meaningful human review, except where permitted by law and appropriate safeguards are in place.
20. Platform-Specific Disclosures
In addition to the primary ORYX platform, this policy also applies to supporting interfaces and branded environments operated by ORYX, including chat.dahdah.cloud, where these environments are controlled by ORYX and governed by the same legal terms.
Where a product-specific notice conflicts with this policy, the product-specific notice controls for that product.
21. Business Transfers
If ORYX is involved in a merger, acquisition, reorganization, bankruptcy, or sale of assets, your Personal Data may be transferred as part of that transaction.
If required by law, we will provide notice and explain any choices available to you.
22. Third-Party Links and Integrations
Our services may contain links to third-party websites or support integrations with third-party products. We are not responsible for the privacy practices of those third parties.
When you enable an integration, data may flow to and from that third party based on permissions you grant. You should review the third party's privacy policy and security practices before enabling integrations.
23. Do Not Track
Some web browsers transmit "Do Not Track" (DNT) signals. Because there is no universally accepted standard for responding to DNT signals, ORYX does not currently respond to DNT browser mechanisms.
You may still control tracking through cookie settings and browser controls as described in Section 11.
24. Legal Disclosures and Law Enforcement
We may disclose Personal Data to courts, law enforcement, regulators, or other governmental authorities where we believe disclosure is required by law or legal process.
Where legally permitted, we seek to limit disclosures to the minimum required scope and may challenge overbroad or invalid requests.
25. Changes to This Privacy Policy
We may update this Privacy Policy from time to time.
When we make material changes, we will provide notice through one or more of the following:
- Posting the updated policy on our website
- Updating the "Last Updated" date at the top of this policy
- Sending email notice to account owners where appropriate
- Requiring re-acceptance during login where legally or operationally necessary
Your continued use of the services after the effective date of the updated policy constitutes acceptance of the revised policy, unless a different acceptance mechanism is required by law.
26. Data Protection Officer
ORYX has designated a privacy contact responsible for overseeing data protection matters.
Privacy Contact / Data Protection Lead
Email: privacy@tryoryx.ai
If your jurisdiction requires a formally appointed Data Protection Officer, ORYX will maintain and provide those details upon request.
27. Contact Us
If you have questions, concerns, or requests related to this Privacy Policy or our data practices, contact us:
ORYX Inc.
Email: privacy@tryoryx.ai
Security: security@tryoryx.ai
Website: https://tryoryx.ai
For legal notices, include "Legal Privacy Notice" in the email subject line.
28. Jurisdiction-Specific Addenda
Additional disclosures may apply to you depending on your jurisdiction. ORYX may publish supplemental addenda from time to time, including for:
- EEA/UK users (GDPR)
- California residents (CCPA/CPRA)
- Other U.S. state privacy laws (as enacted)
- Country-specific privacy regimes where ORYX does business
Where a jurisdiction-specific addendum conflicts with this general policy, the addendum controls for users in that jurisdiction.
By using ORYX, you acknowledge that you have read and understood this Privacy Policy.