Privacy Policy
Last updated: April 1, 2026
1. Introduction
Merlyn Labs (“we,” “our,” or “us”) operates the Orqestra platform (“the Service”) and the merlyn-labs.ai website. This Privacy Policy explains how we collect, use, store, and protect your information when you use our services. By using the Service, you consent to the practices described in this policy.
2. Information We Collect
2.1 Account Information
When you create an account, we collect your name, email address, and profile information through our authentication provider, Clerk. We do not store your password—authentication is handled entirely by Clerk.
2.2 Payment Information
When you subscribe to a paid plan, payment processing is handled by Stripe, Inc. We receive and store your subscription status, plan tier, billing period, and invoice history. We do not receive or store your full credit card number, CVV, or bank account details.
2.3 Platform Data
We store the following data that you create through the Service:
- Agent configurations, names, and runtime settings
- Safety policies and guardrail rules
- Conversation history between you and your AI agents
- Audit logs of actions taken within your organization
- API keys you generate (stored as irreversible hashes; the full key is shown only once at creation)
- Runtime secrets such as third-party API keys (encrypted at rest with AES-256)
2.4 Infrastructure Data
When you use cloud-managed Gateways, we provision and manage server infrastructure on DigitalOcean on your behalf. We store the server IP addresses, provisioning status, and health check data associated with your Gateway instances.
2.5 Usage and Technical Data
We automatically collect:
- IP address and approximate location
- Browser type, device type, and operating system
- Pages visited and features used within the Service
- Timestamps of actions and API requests
- Error logs and performance data
2.6 Communications
We collect any communications you send to us via email, contact forms, or in-app support channels.
3. How We Use Your Information
We use collected information to:
- Provide, operate, and maintain the Service
- Process payments and manage your subscription
- Authenticate your identity and secure your account
- Provision and manage cloud infrastructure for your AI agents
- Enforce safety policies and guardrails for your AI agents
- Send transactional emails (account verification, billing receipts, security alerts)
- Send product updates and feature announcements (you may opt out at any time)
- Monitor and improve the performance, security, and reliability of the Service
- Respond to your inquiries and support requests
- Comply with legal obligations and enforce our Terms of Service
- Detect and prevent fraud, abuse, and security incidents
We do not use your data to train AI models. Conversation data and agent outputs remain yours and are used solely to provide the Service.
4. Third-Party Service Providers
We share data with the following trusted third-party providers solely to operate the Service:
- Clerk — Authentication and user management. Receives your email, name, and profile data. See Clerk's Privacy Policy.
- Stripe — Payment processing and subscription management. Receives payment method details. See Stripe's Privacy Policy.
- DigitalOcean — Cloud infrastructure for managed Gateways and the Orqestra API server. Hosts data in US data centers. See DigitalOcean's Privacy Policy.
- Vercel — Hosting for the Orqestra web application. See Vercel's Privacy Policy.
When you connect third-party AI providers (e.g., OpenAI, Anthropic, Google) through the Service, your prompts and agent interactions are sent directly to those providers using your own API keys. Merlyn Labs does not retain copies of data sent to third-party AI providers beyond conversation logs stored in your account.
We do not sell your personal information to any third party for any purpose.
5. Data Security
We implement the following security measures to protect your data:
- All data in transit is encrypted with TLS (HTTPS)
- Sensitive secrets (API keys, runtime credentials) are encrypted at rest using AES-256
- Database connections use SSL/TLS encryption
- API rate limiting (100 requests per minute per user) to prevent abuse
- Role-based access control (RBAC) to limit data access within organizations
- Cloud-managed Gateways are isolated within a Virtual Private Cloud (VPC) with firewall rules
- Security headers (Helmet.js) including Content Security Policy in production
- Input validation on all API endpoints
Despite these measures, no method of electronic transmission or storage is 100% secure. We cannot guarantee absolute security of your data.
6. Data Retention
We retain your data as follows:
- Account data: Retained while your account is active and for 30 days after deletion
- Conversation data: Retained while your account is active; deleted upon account deletion
- Audit logs: Retained according to your plan tier (7 days to 1 year)
- Billing records: Retained for 7 years for tax and legal compliance
- Cloud Gateway instances: Destroyed immediately when you delete the associated agent or account; infrastructure records are purged within 24 hours
7. Your Rights
Depending on your location, you may have the following rights regarding your personal data:
7.1 All Users
- Access: Request a copy of the personal data we hold about you
- Correction: Request correction of inaccurate personal data
- Deletion: Request deletion of your personal data and account
- Export: Request an export of your data in a machine-readable format
- Opt out: Unsubscribe from marketing communications at any time
7.2 California Residents (CCPA/CPRA)
If you are a California resident, you additionally have the right to:
- Know what personal information we collect, use, and disclose
- Request deletion of your personal information
- Opt out of the sale of personal information (we do not sell your data)
- Non-discrimination for exercising your privacy rights
7.3 European Economic Area Residents (GDPR)
If you are in the EEA, you additionally have the right to:
- Restrict or object to processing of your personal data
- Data portability
- Withdraw consent at any time (where processing is based on consent)
- Lodge a complaint with your local data protection authority
Our legal bases for processing are: (a) performance of our contract with you (providing the Service); (b) legitimate interests (security, improvement, fraud prevention); and (c) your consent (marketing communications).
To exercise any of these rights, contact us at support@merlyn-labs.ai. We will respond within 30 days.
8. International Data Transfers
Your data is processed and stored in the United States. If you are located outside the United States, your data will be transferred to and processed in the US. By using the Service, you consent to this transfer.
9. Cookies and Tracking
We use essential cookies required for the Service to function (e.g., authentication session cookies set by Clerk). We do not use third-party advertising or tracking cookies. We do not participate in cross-site tracking or behavioral advertising.
10. Children's Privacy
The Service is not intended for use by anyone under the age of 18. We do not knowingly collect personal information from children. If we become aware that we have collected data from a child under 18, we will delete it promptly.
11. Changes to This Policy
We may update this policy from time to time. We will notify you of material changes by email or through the Service at least 15 days before the changes take effect. The “Last updated” date at the top reflects the most recent revision.
12. Contact Us
If you have questions about this policy or wish to exercise your privacy rights, contact us at:
- Email: support@merlyn-labs.ai
- Merlyn Labs, Miami, FL, United States