Last updated: 12 May 2026
Orval AI ("Orval", "we", "us", or "our") is committed to protecting your privacy and personal data. This Privacy Policy explains how we collect, use, store, and share your information when you use our website and services at orval.ai (the "Service").
We process personal data in accordance with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.
The data controller responsible for your personal data is Orval AI. Orval.ai is a trading name of Siplifi Group Ltd. If you have any questions about this Privacy Policy or our data practices, please contact us at [email protected].
When you create an account, we collect your email address via our authentication provider, Supabase. We use passwordless authentication (magic link / one-time password sent to your email), so we do not collect or store passwords.
Payments are processed by Stripe. When you subscribe or make a purchase, your payment card details are collected and processed directly by Stripe. We do not receive, store, or have access to your full card number. We receive only a Stripe customer ID and transaction metadata (plan type, amount, date) necessary to manage your subscription.
When you submit our contact form, we collect your name, email address, and message content. These are sent via MailerSend (our transactional email provider) and are not stored in a database.
We use the following cookies:
__cf_bm): Used by Cloudflare for bot management and security. These are strictly necessary.We do not use any advertising, tracking, or analytics cookies.
We use your personal data for the following purposes:
Under UK GDPR, we process your personal data on the following legal bases:
We share your personal data with the following third-party service providers who act as data processors on our behalf:
We do not sell, rent, or trade your personal data to any third party. We do not share your data with advertisers.
Orval lets you connect your own accounts on third-party business platforms — for example, ServiceM8, Jobber, Microsoft Outlook, Google Calendar, Calendly, and Freshdesk — so the AI voice agent can take actions on your behalf during phone calls (booking jobs, scheduling appointments, creating tickets, and similar). Connections are made through each provider's standard OAuth 2.0 flow, where you grant Orval a specific, limited set of permissions. We only request the scopes we actually need to perform the features you have enabled.
When you connect your ServiceM8 account to Orval, you authorise us — via ServiceM8's OAuth 2.0 flow — to read and write a limited set of data on your behalf. Specifically, Orval accesses your ServiceM8 customers, jobs, schedule, staff list, and business locations so that the voice agent can find or create a customer record, register a new job from a phone call, and schedule a visit against the staff member you select as the default. We do not read or write data outside the scopes you grant at the point of connection, and we do not access financial, invoicing, or payment data in ServiceM8.
The OAuth access and refresh tokens issued by ServiceM8 are stored encrypted at rest on Orval's servers and are used only to make API calls on your behalf in response to inbound phone calls. They are never shared with third parties, sold, or used for advertising. You can revoke this connection at any time from your Orval agent's Integrations tab, or from within ServiceM8; doing so deletes our copy of your tokens and stops all further reads or writes against your account. We retain call transcripts and job-creation logs for 90 days for support and quality-assurance purposes, after which they are deleted from our systems. We comply with the UK GDPR / EU GDPR / applicable data-protection law in your region, and we honour ServiceM8's own Privacy Policy and Partner Agreement in handling any data sourced from your ServiceM8 account.
When you connect your Jobber account to Orval, you authorise us — via Jobber's OAuth 2.0 flow — to read and write a limited set of data on your behalf through Jobber's GraphQL API. Specifically, Orval reads basic account and user information so we can label the connection, looks up existing clients by phone number to avoid duplicates, and creates new Clients, Requests, Quotes, Jobs (with attached Properties), and scheduled Visits when callers want to make an enquiry or book work during a phone call. We do not read or write data outside the scopes granted at the point of connection, and we do not access invoicing, payment, or financial data in Jobber.
The OAuth access and refresh tokens issued by Jobber are stored encrypted at rest on Orval's servers and are used only to make API calls on your behalf in response to inbound phone calls. We handle Jobber's refresh-token rotation correctly, persisting only the most recently issued refresh token, and we do not share tokens with third parties, sell them, or use them for advertising. You can revoke this connection at any time from your Orval agent's Integrations tab, or from inside Jobber's app permissions screen; in either case, our copy of your tokens is deleted and all further reads or writes against your account stop. We respond to Jobber's APP_DISCONNECT webhook to ensure local cleanup happens promptly when revocation is initiated from Jobber's side. We retain call transcripts and booking-creation logs for 90 days for support and quality-assurance purposes, after which they are deleted from our systems. We comply with the UK GDPR / EU GDPR / applicable data-protection law in your region, and we honour Jobber's Privacy Policy and Developer Terms in handling any data sourced from your Jobber account.
Some of our third-party processors (Supabase, Stripe, Cloudflare) may process data outside the UK. Where this occurs, we ensure appropriate safeguards are in place, including Standard Contractual Clauses (SCCs) approved by the Information Commissioner's Office (ICO) or the processor's participation in recognised data protection frameworks.
We retain your personal data only for as long as necessary to fulfil the purposes described in this policy:
Under UK GDPR, you have the following rights regarding your personal data:
To exercise any of these rights, please contact us at [email protected]. We will respond to your request within one month.
We implement appropriate technical and organisational measures to protect your personal data, including:
Our Service is not directed to individuals under the age of 18. We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, please contact us and we will take steps to delete such information.
We may update this Privacy Policy from time to time. We will notify you of any material changes by posting the updated policy on this page with a revised "Last updated" date.
If you are unhappy with how we have handled your personal data, you have the right to lodge a complaint with the Information Commissioner's Office (ICO):
For any questions or concerns about this Privacy Policy, please contact us at: