Oratoh

Privacy Policy

Effective May 13, 2026

1. Who we are

Oratoh ("Oratoh", "we", "us", or "our") is the controller of personal data processed through the Oratoh website, apps, ticketing services, and event rooms (the "Service"). For event-specific data you submit when buying a ticket or joining an event, the organizer of that event is a joint or independent controller for their own purposes.

2. Data we collect

  • Account data: email address, display name, optional profile (party/serious personas, bio, avatar).
  • Authentication data: one-time codes, login timestamps, IP address, device and browser metadata.
  • Order & ticket data: events purchased, ticket tier, price, currency, order ID. Card details are processed by our payment processor (Stripe) and not stored by Oratoh.
  • Event participation: events you follow, RSVPs, room messages, Q&A submissions and votes, attendance.
  • Communications: emails we send you (confirmations, reminders, updates) and your response preferences.
  • Technical data: cookies, log files, error reports, performance and analytics events.

3. Why we use your data (legal bases)

  • Performance of a contract - to create your account, process orders, deliver tickets, and run event rooms.
  • Legitimate interests - to secure the Service, prevent fraud, improve features, and provide aggregated analytics. You can object at any time.
  • Consent - for optional marketing emails, non-essential cookies, and certain device permissions. You can withdraw consent at any time.
  • Legal obligations - for tax, accounting, consumer protection, and responding to lawful requests.

4. Sharing your data

We share personal data only as needed to operate the Service:

  • Event organizers receive the attendee data necessary to fulfill your ticket (name, email, ticket tier, order metadata).
  • Service providers (processors) such as cloud hosting, database, email delivery, analytics, and payment processing operate under written data-processing agreements.
  • Authorities when required by law, court order, or to protect rights, safety, and security.
  • Corporate transactions in the event of a merger, acquisition, or asset sale, subject to continued protection of your data.

We do not sell your personal data.

5. International transfers

Your data may be processed in countries outside your own. When we transfer personal data out of the EEA, UK, or Switzerland, we rely on lawful transfer mechanisms such as the European Commission's Standard Contractual Clauses and equivalent safeguards.

6. Retention

We keep personal data only for as long as needed for the purposes described above, to comply with legal obligations (e.g., tax records typically 6-10 years depending on jurisdiction), to resolve disputes, and to enforce our agreements. Account data is deleted or anonymized after extended inactivity or upon valid deletion request.

7. Your rights

Depending on your jurisdiction (including GDPR, UK GDPR, CCPA/CPRA, LGPD), you may have the right to:

  • access the personal data we hold about you and receive a copy;
  • rectify inaccurate or incomplete data;
  • erase your data ("right to be forgotten");
  • restrict or object to processing, including profiling and direct marketing;
  • data portability;
  • withdraw consent at any time without affecting prior lawful processing;
  • opt out of "sale" or "sharing" of personal data (we do not engage in either, but you may still send a request);
  • not be subject to solely automated decisions producing legal effects;
  • lodge a complaint with your local data protection authority.

Submit requests to privacy@oratoh.app. We may need to verify your identity before responding.

8. Cookies and similar technologies

We use strictly necessary cookies to operate the Service and, with your consent where required, analytics or performance cookies. You can control cookies through your browser and any in-product cookie banner.

9. Marketing emails

Transactional emails (order confirmations, event updates, account security) are sent based on contract and legitimate interest. Marketing emails are sent only with your consent and you can unsubscribe at any time using the link in the email or in your account settings.

10. Security

We use industry-standard technical and organizational measures including encryption in transit, access controls, row-level security on our database, and continuous monitoring. No method of transmission or storage is 100% secure; please use a strong, unique email password and keep your devices protected.

11. Children

The Service is not directed to children under 16. We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, please contact us so we can delete it.

12. Automated decisions

We may use rules-based automation for fraud detection and content moderation. These do not produce legal effects without human review. You may contact us to request human review of any automated decision.

13. Changes to this policy

We may update this Privacy Policy from time to time. Material changes will be communicated by email or an in-product notice before they take effect. The "Effective" date above indicates the latest revision.

14. Contact

Privacy questions and requests can be sent to privacy@oratoh.app. For general legal matters, contact legal@oratoh.app.