Privacy Policy

    Effective Date: August 19, 2025

    This Privacy Policy (the "Policy") explains how Orena LLC ("Orena," "we," "us," or "our") collects, uses, discloses, and protects information about you when you use our websites, web/app experiences, and related services (collectively, the "Service"). This Policy is incorporated into our Terms of Service. Capitalized terms not defined here have the meanings given in the Terms.

    Who we are. Orena is a technology company. We license BrainCheck, Inc.'s BrainCheck Assess™ digital assessment and present results inside our platform with Orena‑authored educational explanations and wellness insights. We are not a healthcare provider and do not provide medical advice. For medical questions, contact a qualified professional.

    If you do not agree with this Policy, please do not use the Service.

    1) Information We Collect

    We collect information directly from you, automatically when you use the Service, and from third parties (e.g., BrainCheck, payment processors, analytics/ad partners). Examples include:

    CategoryExamplesSourcesWhy we collect/useTypical retentionDisclosed to
    IdentifiersName, email, mobile number (used for SMS login), IP address, cookie IDsYou; automatic; partnersCreate/manage accounts; authenticate; support; security/fraud; communicationsFor life of account + up to 2 years after closure (unless law requires longer)Service providers; security/fraud vendors; analytics/ad partners (as described below)
    Commercial infoPurchases, refunds, order historyYou; payment processorFulfillment, receipts, tax, chargeback preventionTax/records requirements (typically 3–7 years)Payment processors; fraud prevention vendors
    Internet / network activityDevice type, OS/browser, pages viewed, referral URLs, events, crash/error logsAutomatic; analyticsOperate, debug, measure, and improve the Service; security/fraudUp to 24 months (logs/analytics)Analytics and security vendors
    Approx. locationCountry/region inferred from IPAutomaticLocalization, fraud prevention, legal complianceUp to 24 monthsSecurity/anti‑fraud vendors; analytics
    Assessment‑related outputsScores/metrics and related meta‑data received from BrainCheck for your use in OrenaBrainCheck; youDisplay in Orena; provide educational explanations and wellness insights at your directionFor life of account (unless you request deletion and exceptions don't apply)Service providers supporting the Service; BrainCheck (as needed/contracted)
    Support contentEmails, in‑app messages, call recordsYouCustomer support; training/QA; complianceUp to 24 months after resolutionSupport platforms; quality/analytics vendors
    InferencesHigh‑level categories we derive to personalize educational content (e.g., "needs retest reminder")OrenaPersonalize UX/notifications; reduce frictionWhile relevant to your account (typically ≤24 months)Service providers operating product features
    Sensitive data (limited)Mobile number (authentication); assessment results you choose to use in OrenaYou; BrainCheckAuthentication; to provide the features you requestWhile needed to provide features or as required by lawService providers under contract; BrainCheck as applicable

    We do not collect precise GPS, biometric identifiers, or government ID numbers.

    2) Sources of Personal Information

    • You (forms, checkout, support, assessment usage).
    • Automatic collection (cookies, SDKs, pixels, server logs).
    • Third parties (e.g., BrainCheck for assessment outputs; payment processors; analytics/ads; security/fraud vendors).

    3) How We Use Information

    We use information to:

    • Provide, authenticate (via SMS one‑time passcodes), and maintain the Service.
    • Show your BrainCheck assessment outputs and Orena's educational explanations.
    • Process purchases, receipts, accounting, and tax/legal obligations.
    • Communicate with you about your account, transactions, and support.
    • Personalize and improve features; perform analytics and research (using aggregated and/or de‑identified data where possible).
    • Detect, investigate, and prevent security incidents, abuse, and fraud.
    • Comply with law, enforce our Terms, and protect the rights, property, and safety of Orena, our users, and the public.

    4) AI Features & Data Use (Training Opt‑Out)

    We may use third‑party AI tools to power educational features (e.g., summaries, explanations). We may process your prompts, feedback, and chat history to operate, secure, and improve these features.

    Training Opt‑Out. You can opt out of having your personal data used to improve AI models by emailing privacy@getorena.com with the subject "AI Training Opt‑Out."

    AI outputs may be inaccurate, incomplete, or outdated and are not medical advice.

    5) SMS Authentication & Account Communications

    When you purchase and create an account, you consent to receive SMS for: (i) login/authentication one‑time passcodes, (ii) account and transaction notifications, and (iii) limited customer‑support follow‑ups. Message frequency varies. Msg & data rates may apply. Carriers are not liable for delayed or undelivered messages. Reply STOP to opt out (this will disable SMS login); reply HELP for help. For questions, contact support@getorena.com.

    6) Cookies & Similar Technologies; Analytics & Advertising

    We and our partners use cookies, pixels, SDKs, and similar tech to operate and secure the Service, remember preferences, measure performance, debug, and (where permitted) deliver more relevant ads. You can control cookies in your browser settings; note that essential cookies are required for core functionality.

    Analytics/ads partners (examples): Google Analytics, Meta (Facebook/Instagram), and similar.

    Do Not Track: We currently do not respond to DNT signals.

    Global Privacy Control (GPC): Where legally required, we treat a valid GPC signal as a request to opt out of "sale"/"share" or targeted advertising to the extent those concepts apply.

    Opt‑outs: Use your cookie preferences and partner tools (e.g., Google Analytics opt‑out, industry tools like NAI/DAA). Some options are device/browser specific.

    "Sale"/"Share." We do not sell personal information for money. Some laws define "sale" or "share" to include data transfers for cross‑context behavioral advertising. Where that occurs, you may opt out via your cookie preferences, by sending a request (see Your Privacy Rights), or by using supported browser signals (e.g., GPC) in jurisdictions where required.

    7) Disclosure of Information

    We disclose information in the following contexts:

    • Vendors/service providers (e.g., hosting, analytics, customer support, security, payments) under contracts requiring them to use data only to provide services to us.
    • BrainCheck, Inc. to enable your use of BrainCheck Assess and related features as allowed by our agreement with BrainCheck and applicable law.
    • Legal and safety (to comply with law or valid process; detect/prevent fraud, abuse, or security incidents; protect rights, property, and safety).
    • Business transfers (e.g., merger, acquisition, financing, or asset sale).
    • With your direction or consent.
    • Aggregated/de‑identified information that does not identify you.

    We do not disclose assessment outputs to third parties for their independent marketing.

    8) Health Information; HIPAA

    Orena is not a healthcare provider and generally is not subject to HIPAA. BrainCheck and any affiliated healthcare providers may be subject to HIPAA. If we receive PHI from a HIPAA‑covered entity or their business associate, we will use and disclose it only as permitted by our contracts and applicable law. Otherwise, information you submit to Orena is governed by this Policy and is not PHI.

    9) Your Privacy Rights & Choices (U.S. state laws)

    Depending on where you live, you may have rights to access, delete, correct, and obtain a portable copy of certain personal information; to opt out of certain processing such as "sale," "share," or targeted advertising; and to limit use/disclosure of sensitive personal information.

    How to submit requests. Email privacy@getorena.com or use in‑product privacy controls (where available). We will verify your request (e.g., via email/SMS on file). We aim to respond within 45 days; we may extend 45 days with notice where permitted.

    Authorized agents. Agents must provide proof of authority to act on your behalf; we may also require you to verify directly with us.

    Appeals. If we deny your request, you may appeal by emailing privacy@getorena.com with subject "Privacy Appeal." If your appeal is denied, you may contact your state regulator.

    GPC and Ad Choices. Where required, we honor Global Privacy Control signals as opt‑out requests for the browser/session that sends the signal. You can also manage preferences via cookies and industry tools.

    Sensitive data. We use sensitive data only to provide the Service (e.g., phone number for authentication) and do not use it to infer characteristics.

    10) Data Retention

    We retain personal information for as long as needed to provide the Service, comply with legal/financial obligations, resolve disputes, and enforce our agreements. Typical periods include: identifiers (account life + up to 2 years), analytics/logs (up to 24 months), support records (up to 24 months after resolution), and purchase/transaction records (3–7 years). We may preserve data when legally required or to protect safety, security, and integrity.

    11) Security

    We employ administrative, technical, and physical safeguards intended to protect personal information. No system is 100% secure. If we discover a security incident affecting personal information, we will investigate, take steps to mitigate harm, and notify you and/or regulators as required by law.

    12) International Data Transfers

    We and our service providers may process information in the United States and other locations with different data protection laws than your place of residence. Where required, we take steps designed to protect personal information in connection with such transfers.

    13) Children's Privacy

    The Service is intended for adults 18+ and is not directed to children. We do not knowingly collect personal information from anyone under 18. If you believe a minor has provided information, contact privacy@getorena.com and we will take appropriate steps to delete it.

    14) Changes to This Policy

    We may update this Policy from time to time. If we make material changes, we will notify you (e.g., by email and/or in‑Service notice) and indicate the effective date at the top. Your continued use of the Service after the effective date means you accept the updated Policy.

    15) Contact Us

    Orena LLC
    Support: support@getorena.com
    Privacy: privacy@getorena.com
    Legal: legal@getorena.com

    16) State‑Specific Disclosures & Notice at Collection (California and others)

    Notice at Collection (California). We collect the categories of personal information listed in Section 1 for the purposes described in Sections 3–7, retain it for the periods in Section 10, and disclose it as described in Section 7. We do not sell personal information for money. We may "share" identifiers, internet/network activity, and inferences with analytics/ads partners for cross‑context behavioral advertising, which you may opt out of as described in Section 9 and Section 6.

    Your CPRA rights include access, deletion, correction, portability, opt‑out of sale/share, limit use of sensitive personal information, non‑discrimination for exercising rights, and the right to appeal. Submit requests as described in Section 9.

    Other state laws (e.g., CO, CT, UT, VA, OR, TX, DE, IA, IN, MT, TN) provide similar rights. We will honor applicable rights consistent with state law.

    By using the Orena Service, you acknowledge that you have read, understood, and agree to this Privacy Policy.