Privacy Policy
Effective Date: May 27, 2026
Last Updated: June 11, 2026
Vora IQ, Inc. ("Vora IQ," "we," "us," or "our") provides an AI-native operating system for founders, comprised of an iOS application, a web application, and thirteen specialized AI agents that assist with business planning, execution, and growth (the "Service"). This Privacy Policy explains what personal and business information we collect, how we use it, who we share it with, how AI processing works, and the rights you have over your data.
This policy applies to all users of the Service, including visitors to our websites (voraiq.com and related domains), users of the Vora IQ iOS app, and users of the Vora IQ web application.
Vora IQ is the controller of personal data processed through the Service. If you are an enterprise customer with a separate Data Processing Addendum (DPA), the terms of that DPA control where they conflict with this policy.
1. Information We Collect
1.1 Account and Authentication Information
We use third-party authentication providers (Sign in with Apple, Google Sign-In). We do not store passwords. From these providers, we receive:
- •Email address
- •Unique account identifier
- •Name (if you choose to share it)
- •Profile photo (optional, only if you share it)
1.2 Business Context Layer (BCL) Data
The Service includes a Business Context Layer that, with your permission, ingests information about your business so the AI agents can provide tailored guidance. BCL data may include:
- •Business ideas, strategies, plans, and roadmaps you create or input
- •Market, industry, and competitor information you provide
- •Documents, notes, links, and customer feedback you upload
- •Outputs generated by Vora IQ agents on your behalf
BCL data is treated as your confidential business information. We do not use BCL data to train foundation models, and we do not use it for any purpose other than providing the Service to you.
1.3 Connected Account Data
If you connect third-party accounts to enable agent functionality, we receive data from those accounts solely for the purposes you authorize. Currently supported connections include:
- •Stripe — transaction history, balance, payout, and subscription data used by Ledger, Pivot, Insight, and Forge agents to provide financial analysis and forecasting
- •Meta (Facebook, Instagram, Threads) — page access tokens and content metadata used by the Echo agent to draft and publish social content on your behalf
Additional integrations (QuickBooks, GA4, HubSpot) may be added in the future and will be disclosed in this policy when launched. You can disconnect any account at any time from the Service settings. Disconnection revokes our token and stops new data ingestion; previously ingested data remains until you delete it.
1.4 Usage and Device Data
- •Device type, model, operating system, and browser
- •IP address and approximate location derived from it
- •Feature usage patterns, click events, screen views, and session duration
- •Log data, performance metrics, and error reports
- •Push notification tokens (if you enable notifications on iOS)
1.5 Payment Information
Payments are processed by Stripe. We do not store full payment card numbers. We receive transaction confirmations, subscription status, billing address, and the last four digits and brand of your payment method.
1.6 Communications
If you contact us by email or through in-product support, we retain those communications to respond and improve the Service.
2. How We Use Information
We process your information for the following purposes. Where required by law (including GDPR), the legal basis for each purpose is noted.
| Purpose | Legal Basis (GDPR users) |
|---|---|
| Provide, operate, and personalize the Service, including AI agent outputs | Performance of contract |
| Process payments and manage subscriptions | Performance of contract |
| Maintain security, prevent fraud, enforce terms | Legitimate interests |
| Improve the Service through aggregated, de-identified analytics | Legitimate interests |
| Send product updates, transactional emails, and (with consent) marketing emails | Legitimate interests / Consent |
| Comply with legal obligations | Legal obligation |
3. How AI Processing Works
Vora IQ is an AI-native platform. Understanding how AI processes your data is central to understanding our privacy practices.
3.1 Foundation Model Sub-Processors
Our agents are orchestrated through Langbase and run on foundation models provided by Anthropic, OpenAI, and Google. When you interact with an agent, your prompt and relevant BCL context are sent to one or more of these providers to generate the response. We have contractual commitments from each provider that:
- •Your inputs and outputs are not used to train their foundation models
- •Data is retained only for the time required to deliver the response (zero or short-window retention)
- •Data is encrypted in transit and at rest
3.2 Training and Model Improvement
We do not use your BCL data, prompts, agent outputs, or connected account data to train, fine-tune, or improve any foundation model or any third-party model. We do not use your data to train our own AI models without your explicit, opt-in consent. If we offer such a program in the future, participation will be voluntary, separately disclosed, and revocable at any time.
This restriction applies to identifiable data. We may use aggregated and de-identified data — data that cannot reasonably be linked back to you or your business — as described in Section 6.
3.3 Automated Outputs and Decisions
Several agents produce outputs that may influence your business decisions — for example, Ledger provides financial analysis, Pivot suggests strategic pivots, Insight analyzes data, and Apollo provides growth recommendations. These outputs are AI-generated and may contain errors. You should not rely on them as professional financial, legal, tax, or investment advice. You retain full control over every business decision. If you are in the EU, UK, or a jurisdiction with similar laws, you have the right to request human review of any automated decision that produces a legal or similarly significant effect on you.
3.4 Agent-Specific Disclosures
- •Echo (social automation) publishes content to your connected social accounts when you direct it to. You can review and approve before publishing.
- •Ledger, Pivot, Insight, and Forge access connected financial accounts to provide analysis. They do not move money or execute transactions.
- •Sarrif generates brand and visual design outputs through Google Gemini.
- •All other agents (Vora, Axis, Scribe, Shield, Vibe, Pulse/Reflect/Brief) operate on the prompts and BCL context you provide.
4. Sub-Processors
We share information with the following categories of sub-processors, each of whom is contractually obligated to protect your data and process it only as instructed by Vora IQ. We maintain an up-to-date sub-processor list at voraiq.com/subprocessors.
| Sub-Processor | Purpose | Data Location |
|---|---|---|
| Microsoft Azure | Hosting, database, storage | United States |
| Langbase | AI agent orchestration | United States |
| Anthropic | Foundation model (Claude) | United States |
| OpenAI | Foundation model | United States |
| Foundation model (Gemini), authentication | United States | |
| Apple | Authentication, App Store distribution, push notifications | United States |
| Stripe | Payment processing, connected account data | United States |
| Meta | Social account integration (user-initiated) | United States |
| Mixpanel | Product analytics | United States |
| Mailchimp | Email marketing and campaign delivery | United States |
We will notify users of material changes to our sub-processor list with at least 30 days' notice for enterprise customers who have signed a DPA.
5. How We Share Information
We do not sell your personal information to any third party. We do not share your personal information with third parties for their independent marketing purposes. We do not use your data to train AI models without your explicit consent. We may use aggregated and de-identified data as described in Section 6. We share information only:
- •With sub-processors listed above, under contracts requiring confidentiality and security
- •To comply with valid legal process (subpoena, court order, government request) — we evaluate each request and challenge overbroad demands where appropriate
- •To protect the rights, safety, and property of Vora IQ, our users, or the public
- •In connection with a merger, acquisition, financing, or sale of assets, where the recipient is bound to honor this policy
- •With your direction or consent (for example, when Echo publishes to your social accounts, or when an AI client you connect reads your business context through the Vora IQ MCP connector — see Section 5.1)
5.1 AI Clients You Connect (MCP Connector)
Vora IQ offers a connector built on the Model Context Protocol (MCP), an open standard, that lets you give AI products you already use — such as Anthropic's Claude — read access to selected business context from your Vora IQ account. Connecting requires signing in with your Vora IQ credentials and explicitly approving a single venture; the connection is scoped to that venture only.
A connected AI client can read exactly five context resources: brand voice, brand kit, customer segments, positioning, and the hook framework. Access is read-only — a connected client cannot create, modify, or delete anything in your account — and no other data (payment information, connected account data, conversations, usage data) is available through the connector.
Once context is delivered to an AI client at your direction, it is handled under that client's own privacy policy (for example, Anthropic's policy for Claude). The connector service itself does not store your business context; it retains only the OAuth grant records needed to operate the connection (tokens are stored hashed) and an audit log of access metadata — which resource was read, when, and by which client — so you and we can verify how the connector has been used.
You can end a connection at any time by removing the connector in the AI client. Access tokens expire automatically within 24 hours and refresh tokens within 30 days; you can also email privacy@voraiq.com to have a grant revoked immediately. For setup instructions and technical details, see our MCP connector documentation.
6. Aggregated and De-Identified Data
We may create aggregated and de-identified datasets from information collected through the Service. Aggregated and de-identified data is not personal information — it cannot reasonably be linked back to you, your business, or any other individual user.
Examples of how we may use this data:
- •Industry benchmarks (for example, average time from idea to first revenue across founders in a given sector)
- •Trend reports on startup formation, pivot rates, funding patterns, and growth metrics
- •Research publications, blog posts, and marketing content
- •Product analytics to improve the Service
- •Commercial trend products that may be licensed or sold to investors, analysts, accelerators, or other third parties
Before any data is included in an aggregated or de-identified dataset, we apply technical and procedural safeguards to remove identifiers and prevent re-identification, including removal of direct identifiers, aggregation thresholds (no insights derived from fewer than a minimum number of users), and contractual prohibitions on re-identification by any recipient.
If you do not want your data included in aggregated datasets, you may opt out at any time by emailing privacy@voraiq.com. Opting out will not affect your access to the Service.
7. International Data Transfers
Vora IQ is based in the United States, and our infrastructure is primarily located in the United States. If you access the Service from outside the United States, your information is transferred to and processed in the United States.
For users in the European Economic Area, United Kingdom, or Switzerland, transfers are made under the Standard Contractual Clauses approved by the European Commission, supplemented by additional safeguards where applicable. You may request a copy of the transfer mechanism by contacting privacy@voraiq.com.
8. Data Retention
We retain information only as long as needed to provide the Service or meet legal obligations.
| Data Category | Retention Period |
|---|---|
| Account information | For the life of your account, plus 30 days after deletion request |
| BCL and user-generated content | For the life of your account; deleted within 30 days of account deletion or per your direct deletion request |
| Connected account data (Stripe, Meta) | Until you disconnect the integration; cached data deleted within 30 days of disconnection |
| MCP connector grants and access log (Section 5.1) | Tokens expire automatically (access: 24 hours; refresh: 30 days); access audit log retained 12 months |
| AI prompts and outputs | Stored with your account until you delete the conversation or your account |
| Payment records | 7 years for tax and accounting compliance |
| Usage and log data | 13 months in identifiable form, then aggregated or deleted |
| Support communications | 3 years from last interaction |
9. Data Security
We protect your information with industry-standard safeguards:
- •Encryption in transit (TLS 1.2+) and at rest (AES-256)
- •Per-user encryption keys for sensitive BCL data, isolated from other users
- •Role-based access controls and least-privilege access for our team
- •Multi-factor authentication for internal access to production systems
- •Continuous monitoring and logging of access to user data
- •Regular security reviews and dependency scanning
No system is perfectly secure. If we become aware of a security incident affecting your personal information, we will notify you and applicable authorities as required by law. For users in the EEA and UK, we will notify the relevant supervisory authority within 72 hours where required by GDPR Article 33.
10. Your Rights
Depending on where you live, you have some or all of the following rights regarding your personal information:
- •Access — request a copy of the personal information we hold about you
- •Correction — update or correct inaccurate information
- •Deletion — request that we delete your personal information
- •Portability — receive your data in a structured, machine-readable format
- •Restriction or objection — limit how we process your information or object to certain processing
- •Withdraw consent — where processing is based on consent, you can withdraw it at any time
- •Human review — request human review of an automated decision that produces a legal or similarly significant effect
- •Opt out of marketing communications
To exercise any of these rights, email privacy@voraiq.com. We will respond within 30 days (45 days for California requests, with one possible 45-day extension). We may need to verify your identity before responding.
You also have the right to lodge a complaint with a data protection authority. EU users can find their local authority at edpb.europa.eu. UK users can contact the Information Commissioner's Office at ico.org.uk.
11. California Privacy Rights (CCPA / CPRA)
If you are a California resident, you have the following rights in addition to those above:
- •Right to know what categories of personal information we collect, the sources, the purposes, and the categories of third parties we share with
- •Right to delete personal information
- •Right to correct inaccurate personal information
- •Right to opt out of the sale or sharing of personal information — we do not sell or share personal information as defined by CCPA
- •Right to limit use of sensitive personal information
- •Right to non-discrimination for exercising your rights
Categories of personal information collected in the past 12 months: identifiers (email, account ID, IP address), commercial information (subscription and transaction history), internet activity (usage and device data), professional or employment information (business context you provide), and inferences drawn from the above to personalize the Service.
We honor Global Privacy Control (GPC) signals as a valid opt-out request.
Authorized agents may submit requests on your behalf with written authorization. Submit requests to privacy@voraiq.com.
12. Children and Teens
The Service is not directed to children under 13, and we do not knowingly collect personal information from children under 13. If we discover that we have collected information from a child under 13, we will delete it promptly.
If you are between 13 and 17, you may only use the Service with the consent of a parent or guardian. We apply heightened protections to information of users under 18, including not selling or sharing their information, regardless of jurisdiction.
13. Cookies and Tracking
We use cookies, local storage, and similar technologies to operate the Service and understand how it's used. Categories include:
- •Strictly necessary — required for authentication, security, and core functionality. Cannot be disabled.
- •Functional — remember your preferences and settings.
- •Analytics — help us understand usage (Mixpanel, and Google Analytics 4 when connected). You can opt out via in-product cookie settings or browser controls.
- •Marketing — used only with your consent to measure campaign performance.
You can manage cookies through our in-product cookie banner or your browser settings. Disabling cookies may affect Service functionality.
14. Third-Party Links and Services
The Service may link to or integrate with third-party websites and services we do not control. Their privacy practices are governed by their own policies. We encourage you to review them.
15. Changes to This Policy
We may update this Privacy Policy from time to time. If we make material changes, we will notify you through the Service, by email to the address associated with your account, or by posting a prominent notice on our website at least 30 days before the changes take effect. The "Last Updated" date at the top of this policy indicates when it was last revised.
16. Contact Us
If you have questions about this Privacy Policy or our privacy practices, contact:
Vora IQ, Inc.
131 Continental Dr, Suite 305
Newark, DE 19713
United States
Privacy questions: privacy@voraiq.com
General questions: hello@voraiq.com
For EU/UK users, we are not currently required to appoint a Data Protection Officer under GDPR Article 37; we will update this section if that changes.