Privacy Policy

Orbitin — Last updated: 21 May 2026

1. Introduction

Orbitin is a messaging and group-organisation app built with privacy as a foundation. This Privacy Policy explains what information we collect, how we use it, who we share it with, and your rights in relation to it.

Orbitin is operated by Orbitin Limited, a company incorporated in England and Wales (company number 17110412), registered address at 5 Brandon Road, Sutton, England, SM1 1RP. Orbitin Limited is the data controller for the purposes of UK GDPR and the Data Protection Act 2018.

If you have any questions, contact us at [email protected].

2. The Short Version

We do not sell your personal data.
We do not use your messages or files to serve you advertisements.
We do not share your content with third parties except as required to operate the service (e.g. cloud storage, push notifications).
Messages and voice notes are transmitted over encrypted connections.
You can delete your account and your data at any time.

3. Information We Collect

3.1 Information You Provide

Data	When	Why
Phone number	Registration	Account identity and authentication
Display name	Registration / profile setup	Shown to other users
Profile photo	Optional	Shown to other users
Email address	Optional (linked in settings)	Account recovery and notifications
Google / Apple account details	If you sign in via OAuth	Authentication only
Messages, voice notes, images, files	When you use the app	Delivery to intended recipients
Orbit names, descriptions, module content	When you create or edit content	Operation of the service

3.2 Information We Collect Automatically

Data	Why
Push notification token (FCM)	Deliver push notifications to your device
Device platform (iOS / Android)	Route notifications correctly
Language preference	Localise notifications in your language
Connection timestamps	Security logging, abuse detection

We do not collect device identifiers (IMEI, advertising ID), location data, or contacts from your address book unless you explicitly grant permission and use a feature that requires it (e.g. finding contacts already on Orbitin).

3.3 Information from Others

Other users may mention you in messages or add you to Orbits. We do not control what other users share about you in their messages.

4. How We Use Your Information

We use your information to:

Provide the Services — deliver messages, voice notes, files, and notifications; operate Orbit modules (Chat, Calendar, Tasks, Events, Expenses, Polls, Lists, Announcements, Vault, Itinerary, Meal Planner).
Authenticate you — verify your identity when you sign in.
Send notifications — push notifications for new messages, orbit invites, task assignments, and other activity you have chosen to receive.
Improve the Services — analyse aggregate, anonymised usage patterns to improve features and performance.
Ensure safety and security — detect and prevent abuse, fraud, spam, and other violations of our Terms.
Comply with legal obligations — respond to lawful requests from law enforcement or regulators.

We do not use your messages, files, or voice notes to train machine-learning models. We do not use your data for targeted advertising.

Legal Bases (UK GDPR)

Purpose	Legal basis
Delivering the service	Performance of contract (Art. 6(1)(b))
Security and abuse prevention	Legitimate interests (Art. 6(1)(f))
Complying with legal obligations	Legal obligation (Art. 6(1)(c))
Analytics (aggregated, anonymised)	Legitimate interests (Art. 6(1)(f))
Marketing communications	Consent (Art. 6(1)(a))

5. Messages and Content

Orbitin transmits all messages and files over TLS-encrypted connections between your device and our servers.

Messages and files are stored on our servers to allow syncing across your devices and delivery to recipients who are offline. They are not used for any purpose other than delivering them to the intended recipients.

Voice notes are stored in your Orbit's Vault. Only members of that Orbit can access them.

6. Who We Share Your Information With

We do not sell, rent, or trade your personal data. We share data only in the following circumstances:

6.1 Service Providers

We use carefully selected sub-processors to help operate the Services:

Category	Purpose	Location
Cloud hosting	Application servers, database, caching	EU
Object storage	File and media storage	EU
Push notifications (Firebase)	Deliver push notifications to your device	US
Email delivery	Transactional email (e.g. email verification)	US
AI processing	Document scanning, itinerary and meal plan generation	US
Payment processing (Apple / Google)	In-app subscription billing	US

Payment data: Orbitin does not collect or store your payment card details. All subscription billing is handled directly by Apple (App Store) or Google (Google Play). We only receive confirmation of a successful purchase and your subscription status — not your payment method or card details.

A detailed list of current sub-processors is available on request at [email protected]. These providers process data only as instructed by us and under data processing agreements that require them to keep your data secure and confidential.

Where data is transferred outside the UK / EEA, we rely on Standard Contractual Clauses (SCCs) or other appropriate safeguards as required by UK GDPR.

6.2 Other Users

By using Orbitin, the following is visible to other users:

Your display name and profile photo are visible to members of any Orbit you belong to.
Your phone number is used for account lookup but is not visible to other users by default.
Messages and files you send are visible to all members of the Orbit or direct message thread.

6.3 Legal Requirements

We may disclose your information if required to do so by law, court order, or other governmental or regulatory authority with competent jurisdiction, provided the request is lawful and proportionate.

6.4 Business Transfers

If Orbitin Limited is involved in a merger, acquisition, or sale of assets, your personal data may be transferred as part of that transaction. We will notify you via email or in-app notice before your data is transferred and becomes subject to a different privacy policy.

7. Data Retention

Data	Retention period
Account data (name, phone number)	Until you delete your account
Messages and files	Until you or the Orbit owner deletes them, or your account is deleted
Push notification tokens	Until you sign out or revoke permission
Security logs	90 days
Anonymised analytics	Indefinitely (not linked to you)

When you delete your account, we permanently delete your profile, personal data, and private files within 30 days, except where retention is required by law or for legitimate security purposes. Content you shared in group Orbits (messages, shared files, expenses, etc.) may remain visible to other members of those Orbits.

8. Your Rights

Under UK GDPR, you have the following rights:

Right	What it means
Access	Request a copy of the personal data we hold about you
Rectification	Ask us to correct inaccurate or incomplete data
Erasure	Ask us to delete your personal data ("right to be forgotten")
Restriction	Ask us to restrict processing of your data in certain circumstances
Portability	Receive your data in a structured, machine-readable format
Objection	Object to processing based on legitimate interests
Withdraw consent	Where processing is based on consent, withdraw it at any time

You can exercise most of these rights directly within the app (e.g. editing your profile, deleting your account). For other requests, contact us at [email protected]. We will respond within 30 days.

You also have the right to lodge a complaint with the Information Commissioner's Office (ICO) at ico.org.uk or by calling 0303 123 1113.

9. Children's Privacy

Orbitin is not directed at children under the age of 13. We do not knowingly collect personal data from children under 13. If we become aware that we have inadvertently collected such data, we will delete it promptly.

If you believe a child under 13 has provided us with personal data, please contact us at [email protected].

10. Security

We take the security of your data seriously:

All data in transit is encrypted using TLS.
Passwords and authentication tokens are hashed and never stored in plain text.
We use Redis-based short-lived tokens for sensitive operations (e.g. email verification).
Access to production systems is restricted to authorised personnel only.

No method of transmission or storage is 100% secure. While we strive to protect your information, we cannot guarantee absolute security. If you become aware of a security vulnerability, please report it responsibly to [email protected].

11. Cookies and Similar Technologies

The Orbitin mobile app does not use browser cookies.

If you use Orbitin via a web browser (web preview), we may use session storage or local storage solely to maintain your authenticated session. We do not use tracking cookies or third-party advertising trackers.

12. Changes to This Policy

We may update this Privacy Policy from time to time. When we make material changes, we will notify you via the app or by email at least 14 days before the changes take effect. Your continued use of the Services after that date constitutes acceptance of the updated policy.

Previous versions of this Policy are available on request.

13. Contact and Data Controller

If you have questions, concerns, or requests regarding this Privacy Policy or our data practices:

Orbitin Limited
5 Brandon Road, Sutton, England, SM1 1RP
Company number: 17110412

Email: [email protected]
Legal enquiries: [email protected]

We aim to respond to all privacy-related enquiries within 5 business days.