1. Introduction and Scope
This Privacy Policy describes how OrgMyx, Inc. (“OrgMyx,” “we,” “us,” or “our”) collects, uses, stores, and protects personal information through OrgMyx (orgmyx.com), a collaborative workspace for organizational design and scenario planning. This policy applies to all users of our platform, including administrators at customer organizations and their authorized end users (editors and viewers).
OrgMyx is a B2B SaaS platform. When we process data on behalf of our customers (“Customer Organizations”), we act as a data processor. Customer Organizations are the data controllers for the data they submit to the Service. This Privacy Policy should be read alongside our Terms of Service and Data Processing Agreement.
2. Information We Collect
We collect information in three ways: information you provide directly, information collected automatically, and information from third-party sources.
2.1 Information You Provide
| Data Category | Examples | Collection Method | Purpose |
|---|---|---|---|
| Account Registration | Full name, work email address, organization name | Signup form | Service delivery, authentication |
| Company Details | Country, industry, company size, billing email | Onboarding form | Service customization, compliance |
| Organizational Data | Employee rosters, org charts, staffing plans, role assignments, department structures | Admin upload and session creation | Core service functionality |
| Session Content | Scenario models, comments, annotations, organizational change proposals | User input during sessions | Collaboration and planning |
| Billing Information | Payment card details (processed by Stripe), subscription plan | Payment form | Billing and subscription management |
| Communication Data | Support requests, feedback | Email and in-app channels | Customer support |
| Attribution Data | How you heard about OrgMyx (e.g., search, referral, event) | Signup form (optional) | Product improvement |
2.2 Information We Collect Automatically
| Data Category | Examples | Collection Method | Purpose |
|---|---|---|---|
| Authentication Data | Login timestamps, authentication method (SSO, password) | System logs | Security and access control |
| IP Addresses | IPv4 and IPv6 addresses | Request headers (X-Forwarded-For) | Security, audit logging, IP restrictions |
| Device Information | Browser type and version, operating system | User-Agent header | Security monitoring, audit trail |
| Usage Activity | Last login date, activity status, pages accessed | Application logs | Account management, security |
| Audit Trail | All significant actions with actor, timestamp, and change details | Application audit system | Compliance, security monitoring |
2.3 Information from Third-Party Sources
| Data Category | Source | Examples | Purpose |
|---|---|---|---|
| SSO Identity Data | Customer's Identity Provider (via WorkOS) | SAML NameID, OIDC subject, IdP groups, IdP attributes | Authentication, access control |
| Profile Information | WorkOS (authentication provider) | Email verification status, profile picture URL | Account management |
3. How We Use Your Information
We use personal information for the following specific purposes:
- Providing and maintaining the Service — delivering the collaborative workspace, processing organizational data, enabling scenario planning, and facilitating team collaboration.
- Authentication and authorization — verifying user identity, enforcing role-based access controls (account-level and session-level), managing SSO and MFA configurations, and enforcing per-user permissions.
- Security monitoring — logging authentication events, tracking IP addresses for access restriction enforcement, detecting unauthorized access attempts, enforcing rate limits, and maintaining audit trails.
- Billing and payments — processing subscription payments through Stripe, managing subscription tiers and billing cycles, and handling trial-to-paid conversions.
- Customer support — responding to support requests, troubleshooting issues, and communicating about service updates.
- Service communications — sending invitation emails, comment mention notifications, verification codes, and service-related announcements via Postmark.
- Product improvement — analyzing aggregate, de-identified usage patterns to improve the Service. We do not use Customer Data for this purpose in any individually identifiable form.
- Compliance — maintaining audit logs, enforcing data export controls and watermarking, supporting Customer compliance requirements, and responding to legal obligations.
We do not use Customer Data to train machine learning models or artificial intelligence systems. We do not sell personal information.
4. How We Share Your Information
4.1 Service Providers (Sub-Processors)
We engage third-party companies (“Sub-Processors”) to perform services on our behalf. These Sub-Processors are authorized to use personal information only as necessary to provide services to us and are contractually obligated to protect it. We conduct security and privacy assessments of all Sub-Processors before engagement and review their compliance certifications at least annually.
A current list of our Sub-Processors, including their names, locations, and purposes of processing, is available at /subprocessors. We provide customers at least 30 days’ advance notice before adding new Sub-Processors.
4.2 Customer Organizations
In our role as a data processor, we make Customer Data available to the Customer Organization’s administrators as directed. Administrators can view user activity status, manage permissions, access audit logs, and export compliance reports.
4.3 Within Collaborative Sessions
When Authorized Users participate in sessions, their name, email, and avatar are visible to other session participants. Comments and mentions generate email notifications to the mentioned user. Session owners and editors can see who has access to a session.
4.4 Legal and Regulatory Disclosure
We may disclose personal information if required by law, regulation, subpoena, court order, or other governmental request. Where legally permitted, we will provide notice to the affected Customer before disclosure.
4.5 Business Transfers
In the event of a merger, acquisition, bankruptcy, or sale of all or substantially all of our assets, personal information may be transferred to the acquiring entity. We will provide notice of any such transfer and any choices you may have regarding your information.
4.6 With Consent
We will not share personal information with any third party for purposes not described in this Privacy Policy without obtaining consent from the applicable Customer Organization.
We do not sell personal information. We do not share personal information for cross-context behavioral advertising.
5. Data Security
We implement industry-standard security measures to protect personal information, including:
- Encryption in transit — all data transmitted between your browser and the Service is encrypted using TLS 1.2 or higher.
- Infrastructure encryption — Customer Data is hosted on Amazon Web Services (us-east-2 region), which provides infrastructure-level encryption at rest.
- Role-based access controls — three-tier access control at the account level (owner, administrator, member) and session level (owner, editor, viewer), with configurable per-user permissions for sharing, exporting, and commenting.
- Audit logging — comprehensive, immutable audit logs capturing all significant actions with actor identification (denormalized for retention), timestamps, IP addresses, and user agents.
- Rate limiting — tiered rate limiting across all API endpoints to prevent abuse, with specific limits for sensitive operations, authentication, and data exports.
- Session security — configurable idle timeouts, IP-based access restrictions with CIDR notation support, and concurrent session limits.
- Export controls — configurable data export policies with watermarking capabilities that embed user identity and timestamps into exported files.
- Authentication security — delegated to WorkOS with support for enterprise SSO (SAML, OIDC), multi-factor authentication, and identity provider integration.
In the event of a confirmed data breach involving personal information, OrgMyx will: (a) notify the affected Customer Organization within seventy-two (72) hours of confirmation; (b) provide details of the breach and data affected; (c) cooperate with the Customer Organization’s incident response efforts; and (d) take reasonable steps to mitigate harm.
OrgMyx is pursuing SOC 2 Type I certification. We employ commercially reasonable security measures appropriate for the nature of the data we process. No method of transmission or storage is 100% secure, and we cannot guarantee absolute security.
6. Data Retention and Disposal
We retain personal information only as long as necessary for the purposes described in this Privacy Policy or as required by law.
| Data Category | Retention Period | Disposal Method |
|---|---|---|
| Account and profile data | Duration of subscription + 30-day retrieval window | Secure deletion |
| Organizational/session data | Duration of subscription + 30-day retrieval window (default ~7 years / 2,555 days, configurable) | Secure deletion |
| Audit logs | Duration of subscription + retrieval window | Secure deletion with account data |
| Billing records | As required by tax/accounting laws (typically 7 years) | Secure deletion |
| Support communications | 3 years after resolution | Secure deletion |
| Backups | Rolling; overwritten within 30 days of primary data deletion | Automatic overwrite |
When a Customer account is terminated:
- Customer has 30 days to export data using available export features;
- After the retrieval window, all Customer Data is securely deleted within 30 additional days;
- Backup copies are removed as they expire through normal rotation;
- Written deletion certification is available upon request.
User accounts that are deactivated within a Customer Organization are soft-deleted (status set to “deactivated”), preserving the audit trail. The user’s personal data remains in the system until the Customer account itself is terminated. Customer administrators can request earlier deletion by contacting support.
7. Your Rights and Choices
7.1 Access and Correction
Authorized Users can access and update their profile information (display name, first name, last name, timezone) directly through the Service at any time. Email addresses are managed through the authentication provider (WorkOS) and can be updated there.
7.2 Data Export
Customer administrators can export audit logs in CSV format through the Service. Additional data export requests can be submitted to privacy@orgmyx.com.
7.3 Account Deletion
Customer administrators can deactivate individual user accounts within their organization. To request deletion of an entire Customer account and all associated data, contact privacy@orgmyx.com.
7.4 Notification Preferences
Authorized Users can configure their notification preferences within the Service, including opting in or out of email notifications for session invitations, comment mentions, review requests, and weekly digests.
7.5 How to Exercise Your Rights
For rights not available through self-service features, contact privacy@orgmyx.com. In a B2B context, data subject requests should generally be directed through the Customer Organization (data controller), which can then coordinate with OrgMyx as needed.
We will respond to verified data subject requests within 30 days.
8. Cookies and Tracking Technologies
OrgMyx uses essential cookies required for authentication and session management only. We do not use advertising, marketing, or third-party tracking cookies.
| Cookie Type | Purpose | Duration | Party |
|---|---|---|---|
| Authentication session | Maintains your login state (encrypted, managed by WorkOS) | Session duration | First-party |
| Staging gate (non-production only) | Restricts access to staging environments | 30 days | First-party |
We do not use Google Analytics, Mixpanel, PostHog, or any third-party analytics services. We do not serve targeted advertising. We do not participate in cross-site tracking.
Because we only use strictly necessary cookies, no cookie consent banner is required under most privacy regulations. However, we are transparent about our cookie usage in this policy.
9. Children’s Privacy
The Service is designed for business use and is not directed at individuals under 18 years of age. We do not knowingly collect personal information from children under 13 (or under 16 in the European Economic Area). If we discover that we have inadvertently collected personal information from a child, we will promptly delete it.
10. International Data Transfers
All Customer Data is stored and processed within the United States on Amazon Web Services infrastructure (us-east-2 region). Our Sub-Processors also process data within the United States.
If Customer Organizations located outside the United States use the Service, personal information will be transferred to the United States. We rely on our Data Processing Agreement, which incorporates Standard Contractual Clauses where applicable, to provide appropriate safeguards for international data transfers.
11. Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technology, or legal requirements. We will provide notice of material changes by:
- emailing the account administrator at the registered email address;
- posting a notice within the Service;
- updating the “Last Updated” date at the top of this policy.
We will provide at least 30 days’ advance notice before material changes take effect. Continued use of the Service after the effective date of changes constitutes acceptance of the updated policy.
12. Contact Information
For privacy inquiries, data subject requests, or complaints:
OrgMyx, Inc.
[ADDRESS — TO BE ADDED]
We will respond to privacy inquiries within 30 days.
Appendix A: SOC 2 Privacy Coverage Matrix
This matrix maps each section of this Privacy Policy to the AICPA Generally Accepted Privacy Principles (GAPP) categories.
| AICPA Privacy Category | Policy Section(s) | Key Controls Referenced |
|---|---|---|
| 1. Notice | Sections 1, 11 | Public posting; update notifications via email and in-app; effective date display |
| 2. Choice and Consent | Section 7 | Notification preferences; consent through Customer Organization; opt-out mechanisms |
| 3. Collection | Sections 2, 8 | Data minimization; categorized collection methods; essential cookies only; no third-party tracking |
| 4. Use, Retention, Disposal | Sections 3, 6 | Purpose-specific data use; defined retention periods; secure deletion; no ML training |
| 5. Access | Section 7 | Self-service profile access and correction; audit log export; data subject request process (30-day response) |
| 6. Disclosure & Notification | Sections 4, 10 | Named Sub-Processor list at /subprocessors; 30-day advance notice; breach notification within 72 hours; no data sales |
| 7. Security for Privacy | Section 5 | TLS 1.2+ in transit; AWS encryption at rest; RBAC; audit logging; rate limiting; session controls; watermarking |
| 8. Monitoring & Enforcement | Section 12 | Privacy contact (privacy@orgmyx.com); 30-day response commitment; complaint handling process |
Appendix B: CCPA/CPRA Addendum
This addendum applies to personal information of California residents.
Categories of Personal Information Collected
- Identifiers — name, email address, IP address, account identifiers
- Internet or electronic network activity — login history, feature usage, audit logs
- Professional or employment-related information — organizational role, job title (when included in Customer Data)
- Geolocation data — IP address (approximate location)
All personal information is collected for the business purposes described in Section 3 of this Privacy Policy.
We Do Not:
- Sell personal information (as defined by CCPA)
- Share personal information for cross-context behavioral advertising
- Use sensitive personal information for purposes beyond those permitted by CCPA
- Knowingly sell or share personal information of consumers under 16
Your California Rights
- Right to know what personal information is collected, used, and disclosed
- Right to delete personal information (subject to exceptions)
- Right to correct inaccurate personal information
- Right to opt out of the sale or sharing of personal information (we do not sell or share)
- Right to non-discrimination for exercising your rights
To exercise your rights, contact privacy@orgmyx.com. In a B2B context, data subject requests should generally be directed through your employer (the Customer Organization), which acts as the data controller.
Authorized agents may submit requests on your behalf with proper verification.
Appendix C: Healthcare Workforce Data
OrgMyx serves organizations across industries, including healthcare. This appendix clarifies the nature of data processed for healthcare customers.
OrgMyx is designed to process organizational workforce planning data, including employee rosters, organizational charts, staffing schedules, credentials, and role assignments. This data represents employment records held by an employer in its capacity as an employer.
The U.S. Department of Health and Human Services (HHS) has stated that HIPAA does not protect employment records, even if the information in those records is health-related, when held by an employer in its capacity as an employer. Accordingly, the workforce planning data processed by OrgMyx is generally not Protected Health Information (PHI) under HIPAA.
OrgMyx is not designed to create, receive, maintain, or transmit PHI. Customers should not upload clinical records, health plan claims data, group health plan enrollment information, or patient information to the Service. See Section 6 (Acceptable Use Policy) of our Terms of Service.
For healthcare customers who determine that a Business Associate Agreement is appropriate for their use case, OrgMyx will make a BAA available upon request. Contact privacy@orgmyx.com to initiate a BAA.
State privacy laws, including the Washington My Health My Data Act and CCPA/CPRA, may impose obligations on health-related employee data that fall outside HIPAA’s scope. Customer Organizations are responsible for determining the applicability of such laws to their use of the Service.
© 2026 OrgMyx, Inc. All rights reserved.