Privacy Policy

Last Updated: March 21, 2026

1. Introduction

Welcome to Org Chart Studio ("we," "our," or "us"). We are committed to protecting your privacy and handling your data in an open and transparent manner. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our organizational chart creation and management service.

By using Org Chart Studio, you agree to the collection and use of information in accordance with this policy. If you do not agree with our policies and practices, please do not use our service.

Data controller / processor note: Org Chart Studio acts as a data processor for the employee and organizational data you enter into charts. You, as the account holder, are the data controller for that information and are responsible for ensuring you have appropriate authority to store and process it.

2. Information We Collect

2.1 Account Information

When you create an account, we collect:

  • Name
  • Email address
  • Authentication credentials (managed securely by our authentication provider, Stytch)
  • Profile information you choose to provide

2.2 Organizational Chart Data

When you use our service, we store:

  • Organizational chart structures you create
  • Employee/person data you input (names, titles, departments, manager relationships)
  • CSV files you import
  • Chart metadata (creation dates, modification history, versions)
  • Layout preferences and visual settings

2.3 Usage Information

We automatically collect certain information when you use our service:

  • Device information (browser type, operating system)
  • IP address and general location data
  • Usage patterns and interactions with our service
  • Session data and authentication timestamps

2.4 Local Storage

Our application stores draft charts locally in your browser's localStorage to preserve your work between sessions. This data remains on your device and is not transmitted to our servers unless you explicitly save to the cloud.

3. How We Use Your Information

We use the information we collect to:

  • Provide, operate, and maintain our service
  • Authenticate your identity and manage your account
  • Store and retrieve your organizational charts
  • Process your chart exports (PNG downloads)
  • Process payments for export passes via our payment provider (Stripe)
  • Enforce plan limits and entitlements (chart counts, node limits, features)
  • Improve and optimize our service through usage analysis
  • Communicate with you about service updates, security alerts, and support
  • Detect, prevent, and address technical issues or security vulnerabilities
  • Comply with legal obligations and enforce our Terms of Service

We do not use your data to train AI models. Your organizational chart data and employee information are never used to train, fine-tune, or improve any artificial intelligence or machine learning system.

4. Third-Party Services

4.1 Google OAuth (Sign in with Google)

We offer Google OAuth as an authentication option, allowing you to sign in using your Google account. When you choose to sign in with Google, we access the following information from your Google account:

  • Email address (to create and identify your account)
  • Name (to personalize your experience)
  • Profile picture (optional, for display purposes)

We do not use your Google data for advertising, data brokering, or any other commercial purposes. Your Google account information is processed through our authentication provider (Stytch). You can revoke access at any time through your Google Account permissions page.

4.2 Authentication Provider (Stytch)

We use Stytch to manage user authentication, registration, and session management. Stytch processes your email address, name, and authentication credentials. Stytch's privacy practices are available at https://stytch.com/legal/privacy.

4.3 Database Provider (Neon)

We store your organizational chart data in a PostgreSQL database hosted by Neon. Data is encrypted in transit and at rest. Neon's privacy practices are available at https://neon.tech/privacy-policy.

4.4 Hosting Provider (Vercel)

Our application is hosted on Vercel's infrastructure. Vercel may collect certain usage and performance data. Their privacy policy is available at https://vercel.com/legal/privacy-policy.

4.5 Payment Processing (Stripe)

We use Stripe to process payments for export passes. When you purchase a pass, Stripe collects your payment card details directly — we never see or store your full card number. Stripe may also collect billing name, email, and IP address for fraud prevention purposes. Stripe's privacy practices are available at https://stripe.com/privacy.

4.6 Analytics and Session Recording

With your consent, we use Google Analytics to analyze website traffic and LogRocket for session replay to improve your experience. These services collect information such as your IP address, browser type, and interactions with our application.

Employee data is masked from session recordings. LogRocket is configured to scrub the text content of all org chart node cards — employee names, titles, and departments are replaced with asterisks before any data leaves your browser. We can see how you use the canvas (drag, resize, zoom) but not the actual employee information it contains. All chart data API responses are also excluded from network recordings.

Analytics and session recording cookies are optional. You can manage your cookie preferences at any time using the cookie settings link in our footer. If you decline, Google Analytics and LogRocket will not be loaded.

For more information: Google's Partner Sites Privacy Policy · LogRocket Privacy Policy

5. Data Security

We implement appropriate technical and organizational security measures to protect your data:

  • Encryption in transit (HTTPS/TLS)
  • Encryption at rest for database storage
  • Secure authentication protocols (passwordless magic links and Google OAuth)
  • Regular security updates and monitoring
  • Content Security Policy headers to mitigate injection attacks
  • PII scrubbing in session replay tools (see Section 4.6)

No method of transmission over the Internet or electronic storage is 100% secure. While we strive to use commercially acceptable means to protect your data, we cannot guarantee its absolute security.

6. Data Retention

We retain your data for as long as your account is active or as needed to provide you with services. You can delete your account at any time from your account settings. Upon deletion:

  • Your organizational charts and associated data will be permanently deleted
  • Your account information will be removed from our systems
  • Local browser data (drafts) remains on your device until you clear browser storage
  • Backup copies may persist for up to 30 days as part of our disaster recovery procedures
  • Payment records are retained as required by financial regulations (typically 7 years)

7. Your Rights

Depending on your location, you may have certain rights regarding your personal data:

  • Access: Request a copy of the personal data we hold about you
  • Correction: Request correction of inaccurate or incomplete data
  • Deletion: Request deletion of your personal data (or delete your account directly from settings)
  • Portability: Export your organizational chart data as CSV or PNG
  • Objection: Object to certain processing of your data
  • Restriction: Request restriction of the processing of your data
  • Withdrawal: Withdraw consent for optional analytics cookies at any time

To exercise these rights, please contact us using the information provided in Section 12. EU/EEA residents may also lodge a complaint with their local supervisory authority.

8. Cookies and Tracking

We use two categories of cookies and browser storage:

8.1 Strictly Necessary (no consent required)

  • Authentication session cookies (Stytch) — required to keep you signed in
  • Draft chart localStorage — stores unsaved work on your device only; never transmitted

8.2 Analytics (consent required)

  • Google Analytics — traffic and page-view analysis
  • LogRocket — session replay for UX improvement (with employee data masked)

Analytics cookies are only loaded after you give consent via the cookie banner. You can update your preference at any time using the cookie settings link in our footer. Declining analytics cookies will not affect your ability to use the service.

9. Children's Privacy

Our service is not directed to individuals under the age of 18. We do not knowingly collect personal information from children. If you become aware that a child has provided us with personal data, please contact us and we will take steps to delete such information.

10. International Data Transfers

Your information may be transferred to and processed in countries other than your country of residence, including the United States. These countries may have data protection laws different from those in your country. We rely on our sub-processors (Stytch, Neon, Vercel, Stripe) to maintain appropriate transfer mechanisms, including Standard Contractual Clauses where required.

11. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by posting the new policy on this page and updating the "Last Updated" date. Your continued use of the service after changes are posted constitutes your acceptance of the revised policy.

12. Contact Us

If you have questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:

Org Chart Studio

Email: hello@orgchartstudio.com

For data protection inquiries specifically related to European users, please include "GDPR Request" in your subject line.

This Privacy Policy is effective as of the date stated at the top of this page and applies to Org Chart Studio and its related services.