Security

Last updated: May 2025 · How Ori keeps your most personal data safe

You are uploading the most intimate record of your life — your music, your photos, your messages, your memories. We take that trust seriously. Your data never leaves Ori. Ever. Here is exactly how we protect it.

What Ori does to protect you

Encryption everywhere

All data is encrypted at rest and in transit. Every connection to Ori uses HTTPS. Your data is unreadable to anyone who intercepts it.

Row level security

Your data is locked to your account at the database level. It is technically impossible for another user to access your data — even if they tried.

Passwords never stored

We never store your password in plain text. Your password is hashed using industry standard cryptography before it ever touches our database.

Automatic session timeout

Your session expires automatically after a period of inactivity. If you leave Ori open on a shared device you are protected.

Isolated storage

Your photos and files are stored in a private bucket with your unique user ID. No one else can access your storage — not other users, not Ori staff.

SOC 2 compliant infrastructure

Ori runs on Supabase and Vercel — both SOC 2 compliant infrastructure providers with independent security audits and certifications.

The promise that never changes: Your data never leaves Ori. We do not sell it. We do not share it. We do not use it to train AI models. The only thing your data does is power your personal experience inside Ori. That is it. That is everything.

Your password requirements

We enforce strong passwords to protect your most personal data. Every Ori account requires a password that meets all of these standards:

Every Ori password must include all of the following:

12+ characters One uppercase letter One lowercase letter One number One special character

We recommend using a password manager to generate and store a strong unique password for your Ori account. Never reuse a password from another service.

Two factor authentication

Two factor authentication adds a second layer of protection to your account. Even if someone has your password they cannot access your Ori account without also having your second factor.

Authenticator app

Use Google Authenticator, Authy or 1Password to generate a time-based one-time code when you sign in. This is the most secure option.

Biometric sign in

On supported devices use Face ID or fingerprint to sign in quickly and securely. Your biometric data never leaves your device.

You can enable two factor authentication in your profile settings. We strongly recommend all Ori users enable 2FA given the sensitivity of the personal data stored in your account.

What you can do to stay safe

AI processing and your data

Ori uses Anthropic's Claude AI to generate your personal feed, search responses and insights. When you use Ori relevant portions of your data are sent to the Anthropic API to generate your content. We send only the minimum data required.

Anthropic does not use API data to train their models. Your data is processed and discarded — it is not stored by Anthropic beyond the immediate processing of your request.

No other AI service, analytics platform or third party ever receives your data.

Third party data and your responsibility

When you upload messages from WhatsApp, Facebook, or Instagram, you are also uploading conversations that include other people. Ori processes this data only to generate insights about your own life — your communication patterns, your relationships, and how they changed over time. We never share this data with anyone and only you can access it.

However, we encourage all Ori users to be thoughtful about message uploads. The people you have messaged have not consented to their words being processed by an AI. Use your judgment about which conversations to include. Ori is designed to help you understand your own story — not to analyse or expose others.

Reporting a security concern

If you discover a security vulnerability or believe your account has been compromised please contact us immediately at security@helloori.ai. We take all security reports seriously and will respond within 24 hours.

Please do not publicly disclose security vulnerabilities before contacting us. We are committed to working with anyone who reports issues responsibly.