Privacy Policy

Last updated: 2026-05-27

This Privacy Policy explains how Orova ("we", "us") collects, uses, and protects your information when you use our platform at orova.vn (the "Service"). It also describes your rights over your data and how to exercise them.

1. Information we collect

- Account information you provide: name, email, password, and billing details (processed by our payment provider).
- Connection data from services you authorize Orova to access — Google Search Console, Google Analytics, Google Ads, Google Drive (per file), your Meta and TikTok advertising accounts, and your website — strictly within the OAuth permissions you grant.
- Usage information such as activity logs, device and browser data, IP address, and error reports, which we use to operate, secure, and improve the Service.

We do not knowingly collect special-category (sensitive) personal data.

2. How we use your information and our legal bases

We use your information to provide and operate the Service (to perform our contract with you): to run marketing and advertising work on your behalf, measure results, generate reports, and send service notifications. We also process data to bill your subscription, to comply with legal obligations, and — based on our legitimate interests — to prevent abuse, secure the platform, and improve our features. Where required, we rely on your consent (which you can withdraw at any time), for example when you connect a third-party account. We do not sell your information, and we do not use your content to train foundation AI models.

3. Cookies and tracking technologies

We use strictly necessary cookies to keep you signed in and to secure the Service, and a limited set of analytics cookies to understand usage so we can improve it. We do not use advertising or cross-site tracking cookies. You can control or clear cookies in your browser; disabling strictly necessary cookies may break core features such as login.

4. Automated decisions and AI

Orova uses AI to analyze your marketing data and to suggest or carry out optimizations — for example adjusting budgets, bids, and targeting, or turning campaigns on or off. You stay in control: you choose which assistants and which actions are enabled, and you can set any action to 'advisory only' so it merely recommends rather than acts. Actions that change your live campaigns require your authorization, and you can review, pause, or reverse them at any time. We do not make decisions that produce legal or similarly significant effects about you without meaningful human oversight.

5. Service providers and sub-processors

We rely on a small set of vetted partners for server hosting, payment processing (PayPal), email delivery, and AI processing. Each partner receives only the data needed for its task and is bound by confidentiality and data-protection obligations. A current list of sub-processors is available on request.

6. When we share information

We share personal data only: with the service providers above; when you direct us to (for example, the campaigns and accounts you connect); to comply with applicable law, legal process, or enforceable governmental requests; to protect the rights, safety, and security of Orova, our users, or the public; and in connection with a merger, acquisition, or sale of assets, with notice to you. We never sell your personal data.

7. Google API Services — Limited Use

Orova's use and transfer to any other app of information received from Google APIs will adhere to the Google API Services User Data Policy, including the Limited Use requirements. Specifically: (a) we use Google Search Console data only to surface keyword, traffic, and indexing insights inside the user-facing Orova SEO dashboard; (b) we use Google Analytics data only to render traffic and conversion reports inside the user-facing Orova SEO dashboard; (c) we use Google Ads data only to monitor and optimize campaigns the user has authorized us to manage, inside the user-facing Orova Ads dashboard; (d) we use Google Drive data only on a per-file basis (drive.file scope) — Orova reads only the specific documents a user explicitly picks via the Google Picker to feed into article generation. We do not transfer Google user data to third parties except to provide or improve user-facing features, to comply with applicable law, or as part of a merger, acquisition, or sale of assets with notice to users. We do not use Google user data for serving ads, including retargeting, personalized, or interest-based advertising. We do not use Google user data to develop, improve, or train generalized or non-personalized AI/ML models. Human access to Google user data is prohibited except (i) with the user's explicit consent, (ii) for security investigations or to comply with applicable law, or (iii) where data has been aggregated and anonymized for internal operations.

8. Meta and TikTok Marketing APIs — data use

When you connect a Meta (Facebook/Instagram) or TikTok advertising account, Orova accesses that data only through the official Marketing APIs and only within the permissions you grant via OAuth. We use Meta and TikTok advertising data solely to: (a) read campaign, ad set/ad group, ad, audience, and reporting/insights data to show performance dashboards and analytics inside the user-facing Orova Ads experience; and (b) manage the campaigns you authorize us to manage — adjusting budgets, bids and targeting, turning campaigns on or off, and creating or refreshing audiences and creatives — on your behalf. We do not sell or share Meta or TikTok data with third parties, we do not use it for advertising unrelated to your own accounts, and we do not use it to train generalized AI/ML models. You can revoke access at any time from the provider, after which Orova stops accessing your data. Our use complies with the Meta Platform Terms and Developer Policies and the TikTok Marketing API Terms and data-use policies.

9. International data transfers

Orova is built for global use. Your data may be processed in the region closest to your workspace, including outside your country of residence. Where data is transferred internationally, we protect it using appropriate safeguards such as standard contractual clauses, and we take steps to ensure it receives an adequate level of protection.

10. Data retention

We keep account and connection data while your account is active, and for a reasonable period after closure to meet legal, tax, and financial obligations and to resolve disputes. Activity logs are kept for 90 days unless a specific security incident requires a longer period. When data is no longer needed, we delete or anonymize it.

11. Data security

Data is encrypted in transit and at rest. Credentials for third-party connections are stored in protected form and access tokens are isolated per account. Internal access is limited to the minimum necessary and is logged. No method of transmission or storage is completely secure, but we work continuously to protect your data.

12. Data breach notification

If a personal-data breach occurs that is likely to affect your rights, we will notify the relevant supervisory authority and, where required, affected users without undue delay, describing what happened and the steps we are taking.

13. Your rights and controls

Depending on where you live, you have the right to access, correct, delete, or receive a portable copy of your personal data, to object to or restrict certain processing, and to withdraw consent. You can revoke any third-party connection from the provider's side at any time — Orova then stops accessing it, with no impact on your account. You can also export your data, request deletion, or close your account from Settings. To exercise any right, contact us at the address below; you also have the right to lodge a complaint with your local data-protection authority.

14. Children's data

The Service is intended for businesses and professionals and is not directed to children. We do not knowingly collect personal data from anyone under 16. If you believe a minor has provided us data, contact us and we will delete it.

15. Changes to this policy

We may update this Privacy Policy from time to time. When we make material changes, we will update the date above and, where appropriate, notify you by email or through the Service. Your continued use after an update means you accept the revised policy.

16. Contact

For any privacy question or to exercise your rights, email contact@orova.vn. We respond within five business days.