Privacy Policy

Effective Date: February 10, 2026
Last Updated: February 23, 2026

1. Introduction

Orbital (“we”, “us”, or “our”) is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our web application and related services (collectively, the “Service”).

By using the Service, you agree to the collection and use of information in accordance with this Privacy Policy. If you do not agree with our policies and practices, do not use the Service.

We do not sell your personal information.

2. Information We Collect

2.1 Information You Provide to Us

We collect information you voluntarily provide to us, including:

  • Account Information: Email address and password when you create an account
  • Profile Information: Name, timezone preferences, and optional profile photo (uploaded to Supabase Storage and stored as a public URL)
  • Service Data: Information about your SaaS subscriptions that you choose to add (service names, URLs, costs, billing cycles, renewal dates, categories, tags, and notes). URLs and notes are stored as entered by you. We recommend avoiding the inclusion of passwords, API keys, or other sensitive credentials in these fields.
  • Payment Information: Billing details processed securely through Stripe (we do not store your complete credit card number)
  • Communications: Information you provide when you contact us for support or feedback

2.2 Information Collected Automatically

When you access the Service, we automatically collect certain information, including:

  • Usage Data: Information about how you interact with the Service (pages visited, features used, time spent)
  • Device Information: Browser type and version, operating system, device type
  • Log Data: IP address (anonymized where possible), access times, pages viewed, referring URLs

2.3 Cookies and Tracking Technologies

We use cookies and similar tracking technologies to track activity on our Service:

  • Essential Cookies: Required for authentication and basic Service functionality. These cannot be disabled.
  • Analytics Cookies: Help us understand how users interact with the Service. We use PostHog for privacy-focused analytics.
  • Preference Cookies: Remember your settings (theme preference, filter selections)

You can manage your cookie preferences through the cookie consent banner or your browser settings. Blocking essential cookies may prevent you from using certain features of the Service.

3. How We Use Your Information

We use the information we collect for the following purposes:

  • Provide the Service: To deliver and maintain the Service functionality, including storing your subscription data, processing payments, and syncing across devices
  • User Support: To respond to your inquiries and provide customer support
  • Service Improvement: To understand usage patterns and improve the Service
  • Communications: To send you transactional emails (welcome emails, password resets, subscription confirmations, renewal reminders)
  • Security: To detect, prevent, and address technical issues and security threats
  • Legal Compliance: To comply with legal obligations and protect our legal rights
  • Analytics: To analyze trends and user behavior in aggregate, anonymized form

4. Data Storage and Security

4.1 Cloud Infrastructure

Your data is stored securely using the following infrastructure:

  • Database: Supabase (PostgreSQL), with data centers in the United States
  • Authentication: Supabase Auth with secure session management
  • Application Hosting: Render, with servers in the United States
  • Payment Processing: Stripe, PCI-DSS Level 1 certified
  • Email: Resend, for transactional email delivery

4.2 Security Measures

We implement comprehensive security measures to protect your information:

  • Encryption in Transit: All data transmitted between your browser and our servers is encrypted using TLS 1.2 or higher (HTTPS)
  • Encryption at Rest: Your data is encrypted at rest using AES-256 encryption
  • Access Controls: Row Level Security (RLS) policies ensure you can only access your own data
  • Authentication: Secure password hashing and session management
  • Regular Audits: Our infrastructure providers undergo regular security audits

However, no method of transmission over the internet or electronic storage is 100% secure. While we strive to use commercially acceptable means to protect your information, we cannot guarantee absolute security.

4.3 Data Location

Your data is stored and processed in data centers located in the United States. For transfers of personal data from the European Economic Area (EEA), United Kingdom, or Switzerland, we rely on appropriate safeguards as described in Section 8.3 (International Data Transfers).

4.4 User-Entered Data

Service URLs, notes, and other text fields you populate within the Service are stored as entered. This data is not client-side encrypted. While we apply encryption at rest (AES-256) and in transit (TLS), the plaintext content is accessible within our database infrastructure. We strongly recommend that you do not enter passwords, API keys, secret tokens, or other sensitive credentials into any fields within the Service.

5. Information Sharing and Disclosure

We do not sell your personal information. We may share your information only in the following limited circumstances:

5.1 Service Providers

We share information with third-party service providers who perform services on our behalf:

  • Supabase: Database hosting and authentication (stores your account and service data)
  • Stripe: Payment processing (processes your payment information)
  • Render: Application hosting
  • Resend: Transactional email delivery (receives your email address for sending account-related emails)
  • PostHog: Privacy-focused analytics (receives anonymized usage data)

These service providers are bound by their own terms of service and privacy commitments to protect your information. Where applicable, we have executed Data Processing Agreements with key providers.

5.1.1 Sub-Processor List

The following is a complete list of sub-processors that may process your personal data on our behalf:

Sub-Processor | Purpose | Location
Supabase Inc. | Database hosting, authentication | United States
Stripe, Inc. | Payment processing | United States
Render, Inc. | Application hosting | United States
PostHog Inc. | Product analytics | United States
Google LLC | Font delivery (Google Fonts), AI-powered service parsing (Gemini API) | United States
Resend Inc. | Transactional email | United States

We are committed to providing at least 30 days' notice before adding any new sub-processors that will process your personal data on our behalf. Such notice will be provided by updating this Privacy Policy and, for material changes, by email notification.

5.2 Legal Requirements

We may disclose your information if required to do so by law or in response to valid requests by public authorities (e.g., court orders, subpoenas).

5.3 Business Transfers

If we are involved in a merger, acquisition, or sale of assets, your information may be transferred. We will provide notice before your information is transferred and becomes subject to a different Privacy Policy.

5.4 With Your Consent

We may share your information with third parties when you give us explicit consent to do so.

6. California Privacy Rights (CCPA/CPRA)

If you are a California resident, you have specific rights under the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA):

6.1 Right to Know

You have the right to request disclosure of the categories and specific pieces of personal information we have collected about you, the sources of that information, our business purposes for collecting it, and the categories of third parties with whom we share it.

6.2 Right to Delete

You have the right to request deletion of your personal information, subject to certain exceptions (such as completing a transaction or complying with legal obligations).

6.3 Right to Correct

You have the right to request correction of inaccurate personal information we maintain about you.

6.4 Right to Opt-Out of Sale/Sharing

We do not sell or share your personal information for cross-context behavioral advertising purposes. Therefore, there is no need to opt out.

6.5 Right to Non-Discrimination

We will not discriminate against you for exercising any of your privacy rights.

6.6 Exercising Your California Rights

To exercise these rights, contact us at legal@getorbital.dev with “CCPA Request” in the subject line. We will respond to your request within 45 days. We may need to verify your identity before processing your request.

6.7 Categories of Personal Information

In the preceding 12 months, we have collected the following categories of personal information:

  • Identifiers (email address, IP address)
  • Commercial information (subscription data you input, billing history)
  • Internet activity (usage data, pages visited)
  • Inferences drawn from the above (none currently)

7. Other U.S. State Privacy Rights

Residents of Virginia, Colorado, Connecticut, Utah, and other states with comprehensive privacy laws may have similar rights to those described above for California residents, including:

  • Right to access your personal data
  • Right to delete your personal data
  • Right to correct inaccurate personal data
  • Right to data portability
  • Right to opt out of targeted advertising (we do not engage in targeted advertising)
  • Right to opt out of sale of personal data (we do not sell personal data)
  • Right to opt out of profiling (we do not engage in profiling for automated decision-making)

To exercise these rights, contact us at legal@getorbital.dev. If your request is denied, you may appeal by contacting us with “Privacy Appeal” in the subject line.

8. European Privacy Rights (GDPR)

If you are a resident of the European Economic Area (EEA), United Kingdom, or Switzerland, you have certain data protection rights under the General Data Protection Regulation (GDPR):

8.1 Your Rights

  • Right to Access: Request copies of your personal data
  • Right to Rectification: Request correction of inaccurate data
  • Right to Erasure: Request deletion of your data (“right to be forgotten”)
  • Right to Restrict Processing: Request limitation of data processing
  • Right to Data Portability: Request transfer of your data in a machine-readable format
  • Right to Object: Object to processing based on legitimate interests
  • Right to Withdraw Consent: Withdraw consent at any time where processing is based on consent
  • Right to Lodge a Complaint: File a complaint with your local data protection authority

8.2 Legal Basis for Processing

We process your personal data based on the following legal grounds:

  • Contract Performance: Processing necessary to provide the Service you requested (account management, data storage)
  • Legitimate Interests: To improve our Service, ensure security, and prevent fraud
  • Consent: Where you have given explicit consent (e.g., marketing communications)
  • Legal Obligation: To comply with legal requirements

8.3 International Data Transfers

Your personal data is transferred to and processed in the United States. We employ appropriate safeguards to protect such transfers in compliance with applicable data protection laws:

  • Data Processing Agreement (DPA): We have executed a Data Processing Agreement with Supabase Inc. (our primary database provider), which includes Standard Contractual Clauses (SCCs) as the transfer mechanism for personal data from the EEA, UK, and Switzerland.
  • EU-U.S. Data Privacy Framework (DPF): Where applicable, we rely on our other sub-processors' self-certification under the EU-U.S. Data Privacy Framework as a transfer safeguard. Stripe, Render, Resend, PostHog, and Google maintain active DPF certification.
  • Encryption: All data is encrypted in transit (TLS) and at rest (AES-256).
  • Data Minimization: We process subscription management metadata, not special category data, which limits the risk profile of any transfer.

If you have questions about the safeguards applied to your data, please contact us at legal@getorbital.dev.

8.4 Exercising Your Rights

To exercise any of these rights, contact us at legal@getorbital.dev with “GDPR Request” in the subject line. We will respond within 30 days.

9. Data Retention

We retain your personal information only for as long as necessary to fulfill the purposes outlined in this Privacy Policy:

  • Active Account Data: Retained while your account is active
  • Canceled Subscription Data: Retained indefinitely in read-only mode to allow for potential reactivation (you may delete your account at any time to remove all data)
  • Deleted Account Data: Permanently and immediately erased upon account deletion
  • Payment Records: Retained as required for tax and accounting purposes (typically 7 years)
  • Log Data: Retained for up to 90 days for security and troubleshooting purposes
  • Analytics Data: Retained in anonymized, aggregated form indefinitely

10. Artificial Intelligence

10.1 Current AI Usage. The Service offers an optional AI Import feature that uses Google's Gemini API to parse unstructured text (such as bank statements or subscription lists) into structured subscription data. When you use this feature:

  • Only the text you explicitly paste or files you upload into the AI Import field are sent to Google's Gemini API
  • If you upload a file (.txt, .csv, or .pdf), the file contents are processed identically to pasted text. Uploaded files are not stored on our servers beyond the duration of the request
  • The data is processed solely to extract subscription service information and is not used to train AI models
  • We use Google's paid Gemini API tier, which under Google's API Terms of Service prohibits using API data for model training
  • No data is stored by Google beyond the duration of the API request
  • You can review and modify all parsed results before importing them into your account
  • This feature is entirely optional — you can always add services manually instead

10.2 Future AI Features. If we implement AI-powered features in the future (such as spending predictions or service recommendations), we will:

  • Update this Privacy Policy with clear disclosure
  • Explain what data is used and how
  • Provide an option to opt out where feasible
  • Maintain human oversight over any AI-generated recommendations
  • Not input your data into AI systems that train on user data without explicit consent

11. Children's Privacy

Our Service is not directed to individuals under the age of 13 (or 16 in the EEA). We do not knowingly collect personal information from children under these ages. If you are a parent or guardian and believe your child has provided us with personal information, please contact us at legal@getorbital.dev. If we discover that a child has provided us with personal information, we will delete such information from our systems.

12. Data Breach Notification

We are committed to protecting your data and to transparency in the event of a security incident.

12.1 Notification Timeline

In the event of a confirmed data breach that affects your personal information, we will notify affected users within 72 hours of confirming the breach, in alignment with GDPR Article 33 requirements.

12.2 Notification Method

Breach notifications will be sent via email to the address associated with your registered account.

12.3 Information Disclosed

Our breach notification will include:

  • The nature and scope of the breach
  • The types of personal data affected
  • Steps we have taken to address and mitigate the breach
  • Recommended actions you can take to protect yourself

12.4 Regulatory Notification

We will notify relevant supervisory authorities as required by applicable law, including data protection authorities under the GDPR where the breach is likely to result in a risk to the rights and freedoms of individuals.

12.5 California Notification

For California residents, we comply with the breach notification requirements under California Civil Code Section 1798.82, which requires timely notification when unencrypted personal information is reasonably believed to have been acquired by an unauthorized person.

13. Do Not Track Signals

Some web browsers incorporate a “Do Not Track” (DNT) feature. Because there is not yet an accepted standard for how to respond to DNT signals, our Service does not currently respond to DNT browser signals. However, you can manage your cookie preferences through our cookie consent banner or your browser settings.

The Service may contain links to third-party websites and services (including the SaaS applications you track). We are not responsible for the privacy practices or content of these third parties. We encourage you to review the privacy policies of any third-party sites you visit.

15. Changes to This Privacy Policy

We may update our Privacy Policy from time to time. We will notify you of any material changes by:

  • Posting the new Privacy Policy on this page
  • Updating the “Last Updated” date at the top of this Privacy Policy
  • Sending an email notification to the address associated with your account (for material changes)

You are advised to review this Privacy Policy periodically for any changes. Changes to this Privacy Policy are effective when they are posted on this page.

16. Contact Us

If you have any questions about this Privacy Policy or wish to exercise your privacy rights, please contact us:

Orbital

Email: legal@getorbital.dev

Marin County, California, United States

For GDPR-related inquiries: Use subject line “GDPR Request”

For CCPA-related inquiries: Use subject line “CCPA Request”

For general privacy inquiries: Use subject line “Privacy Inquiry”

Questions about this policy?

Contact us at legal@getorbital.dev or use our contact form.