Rotate Your Device

This site doesn't support landscape mode. Please rotate your phone to portrait.

Origami Privacy Policy

Last updated: June 29, 2026


1. Introduction

This Privacy Policy explains how Airsplash Inc., doing business as Origami ("Origami," "we," "us," or "our") collects, uses, discloses, and retains information when you use the Origami websites (including origami.chat and origamiagents.com), applications, APIs, and related services (collectively, the "Service").

This Policy is incorporated into our Terms of Service. Capitalized terms not defined here have the meaning given in the Terms.

A note on the two kinds of personal data in Origami. Origami is a lead-generation and data-enrichment platform, so personal data flows through it in two distinct roles:

  • Your data - information about you, your account, and your Organization, which we process as a controller. This Policy primarily describes that processing.
  • Customer Data and Third-Party Data - information you upload, generate, or instruct us to retrieve about other people and companies (your prospects and contacts). For that data, you are the controller and we act as your processor on your documented instructions. How we handle it is governed by the Terms and, where applicable, a Data Processing Addendum ("DPA"). See Section 12.

2. Information We Collect

2.1 Information you provide

  • Account and profile data. When you sign up, our authentication provider (Clerk) collects your email address and, optionally, your first and last name, and verifies your email by one-time code. Passwords (if you use one) are handled by the authentication provider and are not stored in our database.
  • Organization data. Your team/Organization name, invited members' email addresses, and Organization settings.
  • Onboarding and attribution data. Information you give during onboarding, such as your company domain, your role or segment, how you found us ("attribution"), and any optional free-text note.
  • Billing data. When you add a payment method, your card details are collected and stored by our payment processor (Stripe). We store your Stripe customer identifier and limited, non-sensitive billing metadata; we retrieve (but do not store) card brand, last four digits, and expiration from Stripe to display them to you. Billing address, tax ID, and similar details you enter are managed in Stripe's billing portal.
  • Support communications. Information you send us through in-app chat (Intercom), email, or other support channels.
  • Voice input. If you use voice in the chat, your audio is sent to a transcription provider to produce text. We do not retain the audio after transcription; only the resulting text (which becomes part of your chat) and basic metadata (such as size and duration) are processed.

2.2 Customer Data and Third-Party Data (processed on your behalf)

  • Customer Data. The data you upload to or generate in the Service - lead lists, uploaded files/CSVs, table/row/cell values, chat prompts and messages, exclusion lists, knowledge-base documents, and code you run in the sandbox.
  • Third-Party Data. At your direction, the Service retrieves and enriches professional and company information about your prospects (such as names, job titles, employers, business email addresses, phone numbers, social profiles, and buying signals) from third-party data providers and publicly available sources.
  • Connected-account content and credentials. When you connect a mailbox, LinkedIn account, CRM, or other integration, we process the credentials needed to operate it (OAuth tokens, IMAP/SMTP passwords, LinkedIn session) and the message content you send and receive through the Service (recipients, subjects, bodies, replies). Sensitive credentials such as IMAP/SMTP passwords are encrypted at rest.

2.3 Information collected automatically

  • Usage and device data. Pages and features used, actions taken, timestamps, browser and device type, and similar diagnostic information.
  • IP address and approximate location derived from it.
  • Cookies and similar technologies, and analytics identifiers. See Section 6.
  • Logs and telemetry. Server logs, performance traces, and error reports used to operate, secure, and debug the Service. We maintain a denylist that redacts common personal fields (such as email, name, phone, and billing address) and secrets from application logs.

3. How We Use Information

We use the information described above to:

  • Provide, operate, maintain, and secure the Service and your account;
  • Authenticate you and manage Organization membership and access;
  • Process payments, manage subscriptions and credits, and prevent fraud;
  • Execute the features you invoke - including running enrichment and AI tasks, sending and receiving outreach from your connected accounts, and delivering webhooks;
  • Provide customer support and respond to your requests;
  • Analyze usage to understand, improve, troubleshoot, and develop the Service (including aggregated and de-identified analytics);
  • Send service, transactional, and (where permitted) marketing communications;
  • Measure and attribute marketing and advertising; and
  • Comply with legal obligations and enforce our Terms.

AI processing. To provide AI features (the chat agent, cell enrichment, and related capabilities), we transmit relevant prompts, instructions, and Customer Data to our AI gateway and underlying model providers solely to generate the outputs you request. We do not sell your Customer Data, and we contract with providers to process it only to provide the Service.


4. How We Collect It (Sources)

We collect information directly from you, automatically through your use of the Service and our cookies/analytics, from your connected accounts and integrations (at your direction), and from third-party data providers and public sources when you instruct the Service to retrieve or enrich data.


5. Legal Bases (EEA/UK)

Where the GDPR or UK GDPR applies to our processing as a controller, we rely on: performance of a contract (to provide the Service you request); legitimate interests (to secure, analyze, and improve the Service and for direct marketing, balanced against your rights); consent (for certain cookies and marketing, where required); and legal obligation (for tax, accounting, and compliance). For Customer Data and Third-Party Data, you are responsible for establishing the legal basis for your processing.


6. Cookies, Analytics, and Tracking Technologies

We and our providers use cookies, local/session storage, pixels, and similar technologies on our marketing site and in the app.

  • Strictly necessary. Authentication and session cookies (set by our authentication provider) and security and load-related cookies that are required for the Service to function.
  • Product analytics and session replay. We use PostHog for product analytics, feature flags, error tracking, and session replay. Session replay masks password fields; we use it to understand and debug product usage.
  • Marketing and advertising. On our marketing site and, in production, in the app, we use Google Tag Manager, Google Analytics 4, the Meta Pixel (and Meta's server-side Conversions API), and the TikTok, LinkedIn, and X (Twitter) advertising tags to measure and attribute marketing. Some signup/purchase conversion events include a hashed version of your email for ad matching.
  • Attribution storage. We store a marketing-attribution cookie (capturing UTM parameters and ad click identifiers) for up to approximately 400 days, plus related values in browser storage, so we can attribute signups.
  • Support. Intercom sets cookies/storage to provide in-app and on-site messaging.

Your choices. You can control cookies through your browser settings and, in many cases, through the opt-out tools of the advertising networks listed above (and via the Global Privacy Control / "Do Not Track" signals your browser may send). Blocking some cookies may affect how the Service works. We currently do not display a separate cookie-consent banner; where consent is legally required, we will honor applicable requirements and you may direct cookie-related requests to privacy@origamiagents.com.


7. How We Share Information

We do not sell your personal data for money. We share information in the following ways:

  • With service providers and subprocessors who process data on our behalf to operate the Service (see Section 8).
  • With AI providers to generate the outputs you request, as described in Section 3.
  • With third-party data and outreach providers that you direct us to use (for enrichment, search, scraping, email/LinkedIn sending, and warmup).
  • With integrations you connect - for example, when you sync data to your CRM, or when we deliver webhook events to endpoints you configure, we send the data those destinations require.
  • With payment, authentication, and support providers to run billing, login, and support.
  • For legal, safety, and compliance reasons - to comply with law, enforce our Terms, protect rights and safety, and respond to lawful requests.
  • In a business transfer - in connection with a merger, acquisition, financing, or sale of assets, subject to this Policy.
  • Aggregated or de-identified data that does not identify you may be used and shared for any lawful purpose.

8. Subprocessors and Third-Party Providers

We use a limited set of trusted third-party providers to host and operate the Service. Specific vendors may change over time; a current list is available on request at privacy@origamiagents.com. Our key providers include:

  • Supabase
  • Render
  • Clerk
  • Stripe
  • Vercel
  • OpenAI
  • Anthropic
  • PostHog
  • Intercom
  • Resend
  • Cloudflare
  • Composio
  • Unipile
  • Mailivery
  • Porkbun
  • Google
  • Meta
  • TikTok
  • LinkedIn
  • X (Twitter)

To fulfill enrichment, search, and research requests you initiate, we also work with a range of specialized third-party data and search providers. We do not sell your personal data or your Customer Data, and we do not share it with these providers for their own marketing, advertising, or product-development purposes. They are engaged only to perform the specific lookups and tasks you direct, and process information solely to return the results you request.

You may also connect additional third-party tools and integrations (for example, your CRM, custom MCP servers, or webhook endpoints). When you do, data flows to those destinations under your control and subject to their terms.


9. Data Retention

We retain personal data for as long as needed to provide the Service and for legitimate business and legal purposes. Specific practices in the Service today include:

  • Deleted Customer Data. When you delete a row, table, workspace, chat, document, or your account, the records are first soft-deleted and then permanently purged about 30 days later by an automated cleanup job. During that window, deletion can generally be undone via restore where supported.
  • Account deletion. Deleting your account soft-deletes your membership and, if you are the last member of an Organization, cascades to that Organization's data on the same ~30-day schedule. You can request immediate, irreversible removal of your authentication identity via the "delete forever" / reset flow. Authentication cache entries are tombstoned for about 31 days to prevent re-creation during the retention window.
  • Credits. Credit balances and ledgers expire on a schedule - for active paid plans, credits are retained for roughly three billing cycles; for lapsed or canceled Organizations, on a rolling window of about 60 days.
  • Connected sending accounts. After a subscription ends, connected sending accounts are disconnected and torn down approximately 30 days after the end of the billing period.
  • Voice audio. Not retained after transcription (see Section 2.1).
  • Operational records, logs, and backups. Logs, queue/cache data, and infrastructure backups may persist for a limited additional period for security, debugging, and disaster-recovery purposes, and certain operational or message records may be retained longer than the 30-day window. We may also retain information where required to comply with law, resolve disputes, or enforce our agreements.

Because we are not a system of record, you remain responsible for keeping your own copies of important Customer Data. Data held by third-party providers and your connected integrations is also subject to their own retention practices.


10. Data Security

We use technical and organizational measures designed to protect personal data, including encryption in transit (TLS), encryption at rest for sensitive credentials (such as IMAP/SMTP passwords, using AES-256-GCM), access controls, secret management, and redaction of personal fields and secrets from logs. No method of transmission or storage is completely secure, and we cannot guarantee absolute security.


11. International Data Transfers

We operate in the United States and use providers in the United States and other countries. When we transfer personal data across borders, we rely on appropriate safeguards where required (such as the Standard Contractual Clauses). By using the Service, you understand that your information may be processed in the United States and other jurisdictions, which may have different data-protection laws than your own.


12. Your Privacy Rights

Depending on where you live, you may have rights to access, correct, delete, port, or restrict the processing of your personal data, to object to certain processing, and to withdraw consent. Residents of the EEA/UK (GDPR), California (CCPA/CPRA), and other jurisdictions with privacy laws may have additional rights, including the right to opt out of "sales" or "sharing" of personal data and targeted advertising, and the right not to be discriminated against for exercising your rights.

To exercise your rights for your own data, you can manage much of it directly in the Service (profile, integrations, and account deletion) or contact us at privacy@origamiagents.com. We will verify your request and respond as required by applicable law. You may appoint an authorized agent where permitted.

Requests about prospect / Third-Party Data. If you are an individual whose information was processed in Origami on behalf of one of our customers (for example, you received outreach), the customer is the controller of that data. Please direct your request to that customer; we will assist them as their processor. If you contact us, we will refer your request to the relevant customer where appropriate.


13. Children's Privacy

The Service is intended for business use and is not directed to children. You must be at least 18 years old to use the Service, and we do not knowingly collect personal data from anyone under 18. If you believe a child has provided us personal data, contact us and we will delete it.


14. Third-Party Sites and Services

The Service links to and integrates with third-party websites and services that we do not control. Their privacy practices are governed by their own policies, and we are not responsible for them.


15. Changes to This Policy

We may update this Privacy Policy from time to time. When we do, we will revise the "Last updated" date above and, for material changes, provide additional notice where required. Your continued use of the Service after an update means you accept the revised Policy.


16. Contact Us

If you have questions or requests regarding this Privacy Policy or our data practices, contact us at:

Airsplash Inc. (dba Origami) Privacy: privacy@origamiagents.com General: hello@origamiagents.com

← Back to home