Privacy Policy
Effective 29 April 2026
This Privacy Policy explains how BlueBridge Ai (“we”, “us”) handles your data when you use Ora, an AI-powered timesheet app for freelance consultants, available at oraconsultant.ai (the “Service”). We try to keep the language clear, the scope narrow, and the practices simple. If something here is unclear or you want a copy of the data we hold on you, email us at support@bluebridge.ai.
Information we collect
We collect only what we need to run the Service. Nothing is sold to third parties or used to power advertising.
Account information. Your email address, name, and a password hash (we never store your password in plaintext). Authentication is handled by Supabase. If you sign in with Google or another OAuth provider, we receive your email and name from that provider.
Timesheet data. The time entries you log: client name, hours worked, description of the work, date, and any associated fee or invoice metadata. Your client records (names, rates, currencies), expected payments, and invoice profiles fall under this.
Payment information. Subscription billing is handled by Stripe. We never see or store your full card details. We receive a Stripe customer ID, subscription status, and the last 4 digits of your card for display in the Account section.
AI input. When you type or speak a sentence to capture an entry, the text is sent to Anthropic's API for parsing. Voice transcription happens in your browser (Web Speech API) before any text leaves your device. We log that an AI call was made (count and timestamp) for billing and rate limiting, but do not retain the input text on our servers beyond what's needed to return the parsed result to you.
Usage data. Standard server logs: IP address, browser type, pages accessed, timestamps. We use this for security (detecting abuse) and to keep the service running. Logs are retained for up to 90 days.
How we use your information
We use your data to operate the Service: render your dashboard, generate your invoices, run AI parsing on the text you submit, process your subscription payments, and send you transactional emails (password resets, billing receipts, invoice notifications). That's the full list. We do not sell your data, we do not share it with advertisers, and we do not use it to train AI models.
Aggregate, fully anonymized usage metrics may inform our product decisions (for example, how many users are on each tier, how often the AI capture is used) but never in a way that can identify you.
Third parties we work with
Ora uses a small set of trusted infrastructure providers. Each receives only the data needed for their function and is contractually bound by their own privacy and security practices.
Supabase hosts your account database, time entries, and client records. Supabase's privacy practices: supabase.com/privacy.
Stripe processes your subscription payments. Stripe's privacy practices: stripe.com/privacy.
Anthropic (Claude) parses your timesheet text into structured entries. Anthropic's privacy practices: anthropic.com/legal/privacy.
Vercel hosts the Ora web application. Vercel's privacy practices: vercel.com/legal/privacy-policy.
We do not use any analytics or advertising trackers.
Cookies and local storage
We use a small number of strictly essential cookies for authentication (your session token) and use your browser's localStorage to remember UI preferences (theme, reporting currency, sort order, dismissed tips). We do not use third-party tracking cookies and we do not load any analytics scripts.
Data retention
We retain your account data for as long as your account exists. If you delete your account, we delete your time entries, clients, expected payments, and invoice profiles within 30 days. Database backups (managed by Supabase) follow Supabase's rolling 7 to 30 day retention policy before the deleted data is fully purged. Logs are retained for up to 90 days.
Your rights
Depending on your jurisdiction, you may have rights under GDPR (EU/UK), PIPEDA (Canada), CCPA (California), or other privacy laws. Ora supports the following regardless of jurisdiction:
Access. You can export every entry as a plain Excel file from the Reports page at any time.
Correction. You can edit your account info, clients, and entries directly in the app.
Deletion. You can clear all your time entries from Settings, and request full account deletion by emailing support@bluebridge.ai. We will confirm and complete the deletion within 30 days.
Complaint. If you believe we have mishandled your data, you have the right to lodge a complaint with your local supervisory authority (for example, your national data protection regulator in the EU, or the Office of the Privacy Commissioner of Canada). We'd appreciate a chance to address it directly first if possible.
International data transfers
Our infrastructure providers operate servers in multiple regions, which may include locations outside your home country. Where your data is transferred from the EU/UK to countries that do not have an adequacy decision, transfers are protected by Standard Contractual Clauses or equivalent safeguards put in place by the providers we use.
Security
All connections to Ora use HTTPS (TLS). Your account data is stored in a database with row-level security policies that prevent any user from reading or writing another user's data, enforced at the database layer. Supabase encrypts data at rest. We follow standard practices for credential handling, secret rotation, and dependency updates. No service is breach-proof, but we work to keep the surface area small and the controls tight.
Children's privacy
Ora is not directed to children under 16, and we do not knowingly collect data from anyone under that age. If you believe a minor has signed up, contact us and we will delete the account.
Changes to this policy
When we make material changes to this Privacy Policy we will update the effective date at the top and notify you by email at least 14 days before the changes take effect, so you have time to review or close your account if you disagree.
Contact
Questions, concerns, or data requests: email support@bluebridge.ai. We aim to respond within two working days.