This Privacy Policy explains how Origin Group ("Origin Run", "we", "us", or "our") collects, uses, discloses, and protects information when you use the Origin Run Platform - an AI-powered manufacturing ERP. The Platform processes sensitive operational information (e.g., production data, invoices, packing lists, batch records), AI-generated content (e.g., work order drafts, quality insights, smart reminders), digitally signed documents, and personal data (e.g., staff contact details, vendor contacts, signatory information).
Related: Terms and Conditions.
1. Roles: Controller vs. Processor
- Customer Content: For Operational Data and documents uploaded by a Customer, Origin generally acts as a service provider / processor on the Customer's instructions.
- Platform Operations: For account creation, authentication, billing/admin, fraud prevention, and platform security, Origin may act as a controller of certain personal data.
2. Information We Collect
2.1 Account and Identity Data
- Name, email address, phone number, job title/role, organization identifiers.
- Authentication signals (e.g., OTP verification events) and account settings.
2.2 Business and Manufacturing Workflow Data
- Company profiles, customer records, vendor records, contacts, and relationship metadata.
- Operational capture: products, quantities, units, schedules, pricing terms, delivery expectations, and workflow notes.
- Production and planning records, including BOM/work-order references, status transitions, and completion events.
- Inventory and dispatch data including stock movements, dispatch notes, transport references, and supporting documents.
- Invoices, invoice numbers, tax/GST classification where applicable, and supporting documentation.
- Approval and audit metadata tied to finance, quality, and operational workflows.
2.3 Document Generation Data
- Inputs used to generate commercial invoices, proforma invoices, packing lists, credit/debit notes, and contract PDFs (e.g., line items, quantities, pricing, banking details, shipping marks).
- Generated document metadata: document type, generation timestamps, version history, and distribution records.
- Template selections, clause choices, and formatting preferences used during document creation.
2.4 Digital Signing Data
- Signatory information: names, email addresses, job titles, and organizational affiliations of persons invited to sign documents.
- Signing events: timestamps, IP addresses, completion status, and access logs for each signing session.
- Document state: signed/unsigned status, signing order, and sealed document records.
2.5 AI and Insights Data
- Inputs to AI features: operational data, workflow parameters, and natural language queries submitted through the dashboard or WhatsApp.
- AI-generated outputs: document drafts, risk signals, workflow summaries, actionable insights, and executive summaries.
- Smart reminder triggers: deadline dates, quality actions, payment due dates, approval timelines, and the reminder/alert events generated from them.
- Conversation history for WhatsApp AI interactions (stored per-user within the organization's tenant).
2.6 Compliance and Verification Data (if enabled)
- KYC/KYB information such as identification documents, beneficial ownership information, and screening outcomes where required for compliance.
- Regulatory and license information maintained by your organization (where applicable), including registration IDs, filing references, and expiry dates.
- Verification and attestation records related to onboarding, approvals, quality, or contractual workflows.
2.7 Technical and Usage Data
- Device and browser metadata, IP address, timestamps, and basic telemetry logs.
- Security logs and audit events (e.g., login attempts, permission changes, document access) to protect the Platform.
3. How We Use Information
- Provide the Services: operate manufacturing and commercial workflows, generate business documents, and enable collaboration across teams and external stakeholders.
- Document Generation: populate and render invoices, dispatch notes, packing lists, and related commercial documents from your Operational Data inputs.
- Digital Signing: facilitate electronic signature workflows, authenticate signatories, record signing events, and maintain audit trails.
- AI Features: generate drafts, operational risk signals, actionable insights, and smart reminders from your organization's data. Your data is processed within your tenant and is not used to train models for other customers.
- Smart Reminders: monitor deadlines, certification expirations, payment due dates, and operational thresholds to proactively generate alerts and notifications.
- Security and fraud prevention: detect abuse, protect accounts, and maintain audit logs.
- Support: respond to requests and troubleshoot issues.
- Compliance: meet legal obligations (e.g., AML/CTF, sanctions, record-keeping) where applicable.
- Improve the Platform: debug, test, and improve performance and usability (using aggregated, anonymized data where possible).
4. Legal Bases (where applicable)
Depending on your jurisdiction, we may process personal data based on one or more of the following legal bases: performance of a contract, legitimate interests (e.g., platform security), compliance with legal obligations, and/or consent (where required).
For users and customers in India, we process personal data in line with applicable Indian law, including the Digital Personal Data Protection Act, 2023, and applicable rules notified thereunder.
5. How We Share Information
We do not sell personal data. We may share information as follows:
- With business stakeholders: sharing documents and contact details required to execute workflows you initiate with customers, vendors, logistics partners, or authorized signatories.
- With vendors/processors: hosting, storage, messaging/email delivery, analytics/monitoring, and verification providers under confidentiality and data processing obligations. Key sub-processors include:
  - OpenAI: powers AI Copilot features (natural language queries, drafts, and insights). Operational data is sent to OpenAI's API under a data processing arrangement and is not used to train models for other customers.
  - Sentry: application error monitoring. Error reports may include de-identified request context. No sensitive operational data is intentionally included in error payloads.
  - Meta (WhatsApp Business API): message delivery and webhook processing for WhatsApp integrations. Messages sent via WhatsApp are routed through Meta's infrastructure and subject to Meta's data policies.
- For legal reasons: when required by law, regulation, court order, or to protect rights, safety, and security.
- Business transfers: in connection with a merger, acquisition, financing, or sale of assets (subject to appropriate safeguards).
6. Data Retention
We retain data for as long as necessary to provide the Services, comply with legal obligations, resolve disputes, enforce agreements, and maintain business records. Operational and invoice records may be retained for extended periods due to commercial and regulatory requirements.
7. Security
We use administrative, technical, and organizational safeguards designed to protect data, including:
- Multi-tenant data isolation (each organization's data is architecturally separated).
- Role-based access controls and permission management.
- Encryption in transit (TLS) and at rest for sensitive data.
- Audit logging of document access, signing events, and administrative actions.
- Secure signing links with unique tokens for recipient document access.
- Session management and automatic session expiration.
No method of transmission or storage is completely secure; you should also use strong credentials and appropriate internal access controls.
7a. AI Data Processing
The following principles govern how we handle data in connection with AI Features:
- Tenant Isolation: AI Features operate exclusively on your organization's data within your tenant. Your Operational Data is never shared with, visible to, or used to improve services for other customers.
- No Cross-Tenant Training: We do not use your Content or Operational Data to train machine learning models for other organizations.
- Third-Party AI Providers: Some AI capabilities may use third-party language model providers. When third-party AI services are used, data is transmitted securely and subject to data processing agreements that prohibit the provider from retaining or training on your data.
- AI Output Retention: AI-generated outputs (insights, risk scores, contract drafts) are stored within your tenant and subject to the same data retention and deletion policies as other Content.
- Human Oversight: AI Features are designed to augment, not replace, human decision-making. All AI outputs require user review before action.
8. International Transfers
Your data may be processed in countries other than where you are located. Where required, we implement appropriate safeguards for cross-border transfers.
9. Your Rights
Depending on your jurisdiction, you may have rights to access, correct, delete, restrict, or object to processing of personal data, and to request portability.
Because much of the Platform content is business/operational data controlled by the Customer, requests may need to be handled via your organization's administrator.
You may submit privacy requests or grievances at privacy@theorigin.run. We will review and respond within timelines required by applicable law.
10. Cookies and Similar Technologies
We may use cookies or similar technologies for session management, security, preferences (e.g., theme), and basic analytics. You can control cookies through your browser settings, but some features may not function properly if cookies are disabled.
11. Children’s Privacy
The Services are not directed to children, and we do not knowingly collect personal data from children.