ORIS

Privacy Policy

Effective date: March 23, 2026. Last updated: March 23, 2026.

Summary. Fluxa Ventures LLC collects the minimum personal data necessary to provide the Oris platform and to meet its legal obligations, including AML compliance and sanctions screening. We do not sell your personal data. We do not use it for advertising. Full details are below.

1. Overview and Data Controller

This Privacy Policy describes how Fluxa Ventures LLC ("Fluxa Ventures LLC," "we," "us," or "our"), a Washington limited liability company, collects, uses, stores, and discloses personal data in connection with the Oris platform accessible at useoris.xyz and useoris.xyz.

Fluxa Ventures LLC is the data controller for personal data processed in connection with developer accounts, API access, and compliance operations. For the purposes of EU General Data Protection Regulation (GDPR) processing, Fluxa Ventures LLC is the controller of personal data submitted by EU-resident users.

If you have questions about this policy or wish to exercise your data rights, contact us at privacy@useoris.xyz or our Data Protection Officer at dpo@fluxa.ventures.

2. Data We Collect

2.1 Account and Registration Data

When you create a developer account on Oris, we collect: full name, email address, company name, country of residence or incorporation, and billing information (processed by our payment processor; we do not store full payment card numbers).

2.2 Agent and Transaction Data

The Oris platform processes data about the AI agents you register and the transactions they initiate. This includes: agent identifiers, wallet addresses, transaction amounts, counterparty wallet addresses, transaction timestamps, blockchain network identifiers, and transaction hashes. This data is used to provide the Services and to fulfill our compliance obligations.

2.3 KYA Verification Data

As part of the Know Your Agent (KYA) process, we collect information about the agents you register, including the scope of authority, developer authorization records, and any documentation submitted in connection with KYA Level 2 or Level 3 verification. Where KYA processes require collecting personal data about individuals associated with your organization, we collect only the minimum data necessary to complete verification.

2.4 Compliance and AML Screening Data

To meet our legal obligations under applicable AML and sanctions laws, we process transaction data through the Veris Engine, which includes screening wallet addresses and associated entities against global sanctions lists and risk databases maintained by third-party compliance data providers. This processing is a legal obligation and cannot be opted out of.

2.5 Usage and Technical Data

When you use the Oris platform or API, we collect technical data including: IP addresses, API request logs, response times, error codes, user agent strings, session identifiers, and feature usage patterns. This data is used to operate, maintain, and improve the Services.

2.6 Communications Data

If you contact our support team, we collect records of those communications including email content, support ticket data, and any attachments you provide.

3. How We Use Your Data

Purpose Data Used Legal Basis
Providing the Oris platform and APIAccount data, agent data, transaction dataContract
AML and sanctions screeningWallet addresses, transaction data, KYA dataLegal obligation
Billing and fee collectionAccount data, transaction volume dataContract
Fraud prevention and securityUsage data, IP addresses, behavioral signalsLegitimate interests
Compliance reporting (SAR, regulatory filings)Transaction data, compliance screening resultsLegal obligation
Platform improvement and model trainingAggregated, anonymized usage and transaction dataLegitimate interests
Customer supportCommunications data, account dataContract / legitimate interests
Legal and regulatory complianceAll categories as required by applicable lawLegal obligation

4. Legal Bases for Processing (GDPR)

For users subject to the EU General Data Protection Regulation, Fluxa Ventures LLC processes personal data on the following legal bases:

  • Contract (Article 6(1)(b)): Processing necessary to perform the contract we have with you, including account management, API access, and billing.
  • Legal Obligation (Article 6(1)(c)): Processing required to comply with applicable law, including AML legislation, sanctions regulations, financial record-keeping requirements, and mandatory regulatory reporting.
  • Legitimate Interests (Article 6(1)(f)): Processing for fraud prevention, platform security, product improvement using anonymized data, and customer support, where our interests are not overridden by your fundamental rights and freedoms.
  • Consent (Article 6(1)(a)): For optional communications such as product newsletters or marketing emails, where we rely on your express consent, which you may withdraw at any time.

5. Data Sharing and Disclosure

We do not sell your personal data. We share your data only in the following circumstances:

5.1 Compliance Data Providers

We share wallet address and transaction data with third-party blockchain analytics and compliance data providers, including providers such as Chainalysis, Elliptic, or TRM Labs, for the purpose of AML screening, sanctions checking, and risk scoring. These providers act as data processors under agreements that comply with applicable data protection law.

5.2 Cloud Infrastructure

The Oris platform operates on cloud infrastructure. Your data is processed on servers operated by our infrastructure providers in compliance with applicable data protection requirements.

5.3 Payment Processing

Billing data is processed by our payment processor (Stripe Inc.) under its own privacy policy. We do not store full payment card numbers.

5.4 Legal and Regulatory Disclosure

We may disclose your data to government authorities, regulatory bodies, or law enforcement where required by applicable law, court order, or regulatory direction. This includes the filing of Suspicious Activity Reports (SARs) under applicable AML regulations. We are not always permitted to notify you of such disclosures.

5.5 Business Transfers

In the event of a merger, acquisition, or sale of substantially all of Fluxa Ventures LLC's assets, your data may be transferred to the successor entity, subject to the same protections described in this policy.

6. International Data Transfers

Fluxa Ventures LLC is based in the United States. If you are located in the European Economic Area (EEA), United Kingdom, or Switzerland, your personal data may be transferred to and processed in the United States or other countries that may not provide the same level of data protection as your home jurisdiction.

Where we transfer personal data from the EEA to the United States or other third countries, we rely on appropriate transfer mechanisms including Standard Contractual Clauses (SCCs) approved by the European Commission, or other legally recognized transfer mechanisms as applicable. You may request a copy of the applicable transfer safeguards by contacting dpo@fluxa.ventures.

7. Data Retention

We retain personal data for as long as necessary to fulfill the purposes described in this policy, or as required by applicable law. Key retention periods:

  • Account data: Retained for the duration of your account and for five (5) years following account closure, to comply with financial record-keeping requirements.
  • Transaction and compliance data: Retained for a minimum of five (5) years following the transaction date, or longer where required by applicable AML or financial regulation.
  • API logs: Retained for ninety (90) days for security and debugging purposes; aggregate metrics are retained indefinitely.
  • Support communications: Retained for three (3) years following resolution of the support interaction.

We will delete or anonymize personal data when retention is no longer required, subject to any applicable legal holds.

8. Your Rights (EEA and UK Users)

If you are located in the EEA or United Kingdom, you have the following rights under the GDPR or UK GDPR:

  • Access: You may request a copy of the personal data we hold about you.
  • Rectification: You may request correction of inaccurate personal data.
  • Erasure: You may request deletion of your personal data, subject to our legal obligations and legitimate interests. We cannot erase data we are required to retain by law, including AML compliance records.
  • Restriction: You may request that we restrict processing of your personal data in certain circumstances.
  • Portability: You may request a machine-readable copy of personal data you have provided to us.
  • Objection: You may object to processing based on legitimate interests. You may not object to processing required by law.
  • Withdraw Consent: Where processing is based on consent, you may withdraw consent at any time without affecting the lawfulness of prior processing.

To exercise these rights, contact privacy@useoris.xyz. We will respond within thirty (30) days. You also have the right to lodge a complaint with your local supervisory authority if you believe we have processed your data unlawfully.

9. California Privacy Rights (CCPA / CPRA)

If you are a California resident, the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA) provide you with the following rights:

  • Know: You have the right to know what personal information we collect, use, disclose, and sell about you.
  • Delete: You have the right to request deletion of your personal information, subject to certain exceptions including legal compliance obligations.
  • Opt-Out of Sale: Fluxa Ventures LLC does not sell personal information. No opt-out is required.
  • Non-Discrimination: We will not discriminate against you for exercising your California privacy rights.
  • Correct: You have the right to request correction of inaccurate personal information.
  • Limit Use of Sensitive Personal Information: We process sensitive personal information only as necessary to provide the Services and to fulfill legal obligations.

To exercise California privacy rights, contact privacy@useoris.xyz or write to us at the address in Section 14.

10. Security

Fluxa Ventures LLC implements technical and organizational measures designed to protect personal data from unauthorized access, disclosure, alteration, and destruction. These measures include: TLS encryption for data in transit; encryption at rest for sensitive data; access controls and audit logging; regular security assessments; and incident response procedures.

No security measure is infallible. In the event of a personal data breach that poses a high risk to your rights and freedoms, we will notify you and applicable supervisory authorities as required by applicable law.

11. Children's Privacy

The Oris platform is intended exclusively for users aged eighteen (18) and above. We do not knowingly collect personal data from children. If we become aware that we have collected personal data from a person under the age of eighteen, we will take prompt steps to delete that data. If you believe a child has provided us with personal data, contact privacy@useoris.xyz.

12. Cookies

We use cookies and similar technologies on the Oris website and developer portal. Please review our Cookie Policy for full details on what cookies we use and how you can manage your preferences.

13. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, the Services, or applicable law. We will provide notice of material changes by email or by posting a notice on the platform. We will always indicate the effective date at the top of this policy. Your continued use of the Services after the effective date of the updated policy constitutes acceptance.

14. Contact and DPO

For privacy inquiries, data subject rights requests, or to contact our Data Protection Officer:

Data Protection Officer
Fluxa Ventures LLC
dpo@fluxa.ventures
privacy@useoris.xyz
useoris.xyz