GDPR Compliance
Last updated: February 7, 2026
1. Our Commitment to GDPR
Orbit AI is built with data privacy as a foundational principle. We are fully committed to complying with the General Data Protection Regulation (EU) 2016/679 ("GDPR") and ensuring that every individual whose personal data we process is afforded the protections guaranteed under European data protection law.
This page explains how Orbit AI aligns with GDPR requirements across our form building platform, contact management, workflow automation, AI-powered features, sequences, scheduling tools, and integrations. Whether you are a customer using Orbit AI to collect data, or an end user submitting information through a form powered by our platform, this page is designed to help you understand your rights and how we protect your data.
The GDPR applies to the processing of personal data of individuals located in the European Economic Area (EEA), regardless of where the data processor or controller is established. Because Orbit AI serves customers and end users globally, including within the EEA, we apply GDPR-level protections to all personal data we process — not just data originating from the EU.
2. Orbit AI as Data Controller and Data Processor
Under the GDPR, organizations that handle personal data are classified as either data controllers or data processors. Orbit AI operates in both capacities depending on the context of the data being processed.
When Orbit AI Acts as a Data Controller
We are the data controller for personal data that we collect and process for our own purposes. This includes:
- Account registration information (name, email address, password credentials)
- Billing and subscription data necessary to provide our services
- Usage analytics and telemetry we collect to improve the Orbit AI platform
- Communications between you and our support or sales teams
- Data generated through your use of our marketing website at orbitforms.ai
When Orbit AI Acts as a Data Processor
We act as a data processor when handling personal data that our customers collect through the Orbit AI platform. In this capacity, our customers are the data controllers and they determine the purposes and means of processing. This includes:
- Form submission data collected by our customers from their end users
- Contact records managed within our customers' contact databases
- Data processed through customer-configured workflow automations
- Sequence communications (email and SMS) sent on behalf of our customers
- Scheduling and meeting data facilitated through our platform
- Data routed through customer-configured integrations to third-party services
When acting as a data processor, we process personal data solely in accordance with our customers' documented instructions and the terms of our Data Processing Agreement (DPA). We do not use customer-submitted data for our own purposes beyond what is necessary to provide the contracted service.
3. Lawful Bases for Processing
The GDPR requires that every instance of personal data processing be grounded in a lawful basis. Orbit AI relies on the following lawful bases depending on the nature and context of the processing activity:
Consent (Article 6(1)(a))
We rely on consent when an individual has freely, specifically, and unambiguously agreed to the processing of their personal data. Examples include end users opting into communications through our upcoming conversational AI features, subscribing to marketing emails, or accepting non-essential cookies via our cookie consent mechanism. Consent can be withdrawn at any time, and we provide clear mechanisms to do so.
Performance of a Contract (Article 6(1)(b))
Processing is necessary when it is required to fulfill our contractual obligations. This includes creating and maintaining your Orbit AI account, processing subscription payments, providing access to the platform's features, delivering customer support, and executing the services described in our terms of service.
Legitimate Interest (Article 6(1)(f))
We process certain data based on our legitimate interests, provided those interests are not overridden by the rights and freedoms of the data subject. This includes analyzing aggregated usage patterns to improve platform performance, detecting and preventing fraudulent or abusive activity, maintaining platform security and integrity, and conducting internal analytics to guide product development. We perform balancing tests to ensure our legitimate interests do not unduly impact individual rights.
Legal Obligation (Article 6(1)(c))
We process personal data when required to comply with applicable legal obligations. This includes retaining financial records for tax and accounting requirements, responding to valid legal requests from law enforcement or regulatory authorities, and maintaining records as required by data protection regulations.
4. Data We Process
Orbit AI processes several categories of personal data across the platform. The specific data collected depends on which features a customer uses and how end users interact with those features.
Account Data
Information provided during registration and account management, including full name, email address, hashed password credentials, team membership details, role assignments, and billing information. This data is necessary to operate your account and deliver the service.
Form Submission Data
Any information that end users submit through forms built on the Orbit AI platform. The nature and sensitivity of this data are determined entirely by our customers, who design the forms and decide what fields to include. This may range from basic contact information to more detailed responses depending on the form's purpose.
Contact Data
Records stored within our customers' contact management system, including names, email addresses, phone numbers, tags, custom fields, ownership assignments, and interaction histories. Contacts may be created through form submissions, manual entry, or imported through integrations.
Usage Analytics
Technical data collected to understand how the platform is used and to improve its performance. This includes hashed IP addresses (using SHA-256, making them non-reversible), browser type, device information, pages visited, feature usage patterns, and session duration. IP addresses are never stored in raw form.
AI Processing Data
Data processed by our AI-powered features, including inputs to AI scoring models, AI-generated enrichments, and data used within AI-assisted workflow nodes. AI processing is performed to enhance our customers' ability to manage and act on their data more efficiently. We do not use customer data to train general-purpose AI models.
Communication Data
Data associated with email and SMS sequences, including recipient addresses, message content, delivery status, and engagement metrics. As we develop our upcoming conversational AI feature — which enables AI-powered communication with end users — additional data may be processed, including conversation transcripts and user-provided inputs during those interactions. This feature will only be activated with explicit opt-in consent from end users.
5. Your Rights Under GDPR
If you are located in the European Economic Area, you are entitled to the following rights under the GDPR. Orbit AI is committed to facilitating the exercise of these rights promptly and transparently.
Right of Access (Article 15)
You have the right to obtain confirmation as to whether your personal data is being processed and, if so, to access that data along with information about the purposes of processing, the categories of data involved, the recipients or categories of recipients, the envisaged retention period, and your rights regarding that data. You may request a copy of your personal data at no charge.
Right to Rectification (Article 16)
You have the right to request that inaccurate personal data concerning you be corrected without undue delay. You also have the right to have incomplete personal data completed, including by providing a supplementary statement. Account holders can update most of their information directly through the Orbit AI dashboard.
Right to Erasure (Article 17)
You have the right to request the deletion of your personal data when it is no longer necessary for the purpose it was collected, when you withdraw consent, when you object to processing and there are no overriding legitimate grounds, or when the data has been unlawfully processed. Orbit AI provides a self-service account deletion feature that allows you to permanently remove your account and all associated data directly from your profile settings, without needing to contact support.
Right to Restrict Processing (Article 18)
You have the right to request that we restrict the processing of your personal data in certain circumstances, such as when you contest the accuracy of the data, when the processing is unlawful but you prefer restriction over erasure, when we no longer need the data but you require it for legal claims, or when you have objected to processing pending verification of legitimate grounds.
Right to Data Portability (Article 20)
You have the right to receive your personal data in a structured, commonly used, and machine-readable format. Orbit AI supports data export in JSON format, allowing you to download your data and transfer it to another service. This export can be initiated through your account settings, giving you direct control over your data portability without requiring manual intervention from our team.
Right to Object (Article 21)
You have the right to object to the processing of your personal data where we rely on legitimate interest as the lawful basis, or where data is processed for direct marketing purposes. Upon receiving an objection, we will cease processing the data unless we can demonstrate compelling legitimate grounds that override your interests, rights, and freedoms.
Rights Related to Automated Decision-Making (Article 22)
You have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning you or similarly significantly affects you. Where Orbit AI's AI features involve automated processing, you have the right to obtain human intervention, express your point of view, and contest the decision. See Section 6 for further detail on how our AI features comply with this requirement.
6. AI Processing and GDPR
Orbit AI incorporates artificial intelligence across several platform features, including contact scoring, data enrichment, workflow automation nodes, and content assistance. We take our obligations under the GDPR seriously when deploying these capabilities.
Compliance with Article 22
Our AI features are designed to assist and augment human decision-making, not to replace it. AI-generated scores, enrichments, and recommendations are presented as suggestions to our customers, who retain full control over whether and how to act on them. No decisions with legal or similarly significant effects are made solely by automated means without meaningful human oversight.
Where automated processing plays a significant role in a decision, affected individuals have the right to:
- Receive meaningful information about the logic involved in the automated processing
- Request human review of any AI-influenced decision
- Express their point of view and challenge the outcome
- Opt out of AI-driven processing where an alternative method exists
Transparency in AI Processing
We are committed to transparency regarding how AI processes data within our platform. Our customers have visibility into which AI features are active, what data is being processed, and what outputs the AI generates. We do not use opaque decision-making systems, and we provide clear explanations of the factors that influence AI-generated results.
Upcoming Conversational AI Feature
Orbit AI is developing a conversational AI feature that will enable AI-powered communication with end users on behalf of our customers. This feature is designed with GDPR compliance at its core:
- End users must provide explicit opt-in consent before any AI-driven conversation begins
- Users will be clearly informed that they are interacting with an AI system, not a human
- Conversation data will be processed only for the stated purpose and retained according to our data retention policies
- Users may withdraw consent and end AI interactions at any time
- All conversational data is subject to the same encryption and access controls as other data on the platform
For additional information about our approach to responsible AI, please see our AI Policy.
7. Data Protection Measures
Orbit AI implements comprehensive technical and organizational measures to protect personal data in accordance with Article 32 of the GDPR. These measures are designed to ensure the ongoing confidentiality, integrity, availability, and resilience of our processing systems.
Encryption
All data is encrypted in transit using TLS 1.2 or higher. Sensitive data at rest is encrypted using AES-256-GCM, an industry-leading encryption standard. Database connections are secured with encrypted channels, and API communications between services are protected through encrypted protocols.
Access Controls
We enforce strict access controls through a team-based permission model with Row Level Security (RLS) enforced at the database layer. This ensures that data belonging to one team is never accessible to another. Internal access to production systems is restricted to authorized personnel, protected by multi-factor authentication, and logged for auditing purposes.
IP Address Hashing
In alignment with data minimization principles, we hash all IP addresses using the SHA-256 algorithm before storage. This allows us to detect patterns and prevent abuse without retaining personally identifiable IP addresses. The hashing process is one-way and irreversible, meaning original IP addresses cannot be recovered from stored hashes.
Audit Logging
All significant system actions are recorded in audit logs, including data access events, administrative changes, authentication events, and permission modifications. These logs support accountability and enable us to investigate and respond to security incidents effectively.
Security Headers and Infrastructure
Our web application implements security headers including Content Security Policy, X-Frame-Options, X-Content-Type-Options, Referrer-Policy, and Strict-Transport-Security to protect against common web vulnerabilities. Our infrastructure is designed with defense-in-depth principles, incorporating network segmentation, intrusion detection, and regular vulnerability assessments.
For a comprehensive overview of our security practices, please visit our Security page.
8. International Data Transfers
Orbit AI's infrastructure is primarily based in the United States. When personal data originating from the EEA is transferred to and processed in the United States, we ensure that appropriate safeguards are in place as required by Chapter V of the GDPR.
Transfer Mechanisms
We rely on the following mechanisms to ensure lawful international data transfers:
- Standard Contractual Clauses (SCCs): We incorporate the European Commission's approved Standard Contractual Clauses into our data processing agreements to provide contractual assurances for data transferred outside the EEA.
- EU-US Data Privacy Framework: We monitor and align with the EU-US Data Privacy Framework and any successor arrangements to ensure our transfer practices meet current regulatory expectations.
- Supplementary Measures: In addition to contractual safeguards, we implement technical measures including encryption in transit and at rest, pseudonymization where feasible, and strict access controls to protect transferred data.
Transfer Impact Assessments
We conduct transfer impact assessments to evaluate the legal framework of the destination country and to determine whether the safeguards we have in place effectively protect the rights of data subjects. These assessments are reviewed periodically and updated in response to changes in applicable laws or regulatory guidance.
9. Data Retention
Orbit AI retains personal data only for as long as necessary to fulfill the purposes for which it was collected, in accordance with the data minimization and storage limitation principles of the GDPR.
- Account Data: Retained for the duration of your active account and deleted upon account closure, subject to any legal retention obligations.
- Form Submission Data: Retained according to our customers' configured retention settings. Customers have the ability to define custom retention periods and enable automated purging of older submissions.
- Contact Data: Retained until deleted by the customer or until the account is closed.
- Usage Analytics: Retained in aggregated and anonymized form. Identifiable analytics data is purged on a rolling basis.
- Communication Data: Sequence logs and message history are retained for the customer-configured retention period, after which they are automatically purged.
- Audit Logs: Retained for a minimum period necessary for security and compliance purposes, after which they are systematically deleted.
You may exercise your right to deletion at any time. Account holders can delete their accounts through self-service, which triggers the permanent removal of all associated personal data. For further details, see our Privacy Policy.
10. Sub-Processors
In order to deliver our services, Orbit AI engages a limited number of third-party sub-processors who may process personal data on our behalf. Each sub-processor is carefully vetted and is bound by a Data Processing Agreement (DPA) that requires them to process data only in accordance with our instructions and to implement appropriate technical and organizational measures to protect that data.
Our sub-processors provide services in the following categories:
- Cloud hosting and infrastructure
- Database management and storage
- Email and SMS delivery services
- Payment processing
- Analytics and monitoring
- AI and machine learning processing
We maintain an internal register of all sub-processors. Before engaging a new sub-processor or making a material change to an existing one, we assess the sub-processor's data protection practices and update our records accordingly. Customers who have executed a DPA with Orbit AI will be notified of any changes to our sub-processor list in accordance with the terms of that agreement.
11. Data Breach Notification
Orbit AI maintains an incident response plan designed to detect, respond to, and recover from personal data breaches. In the event of a breach, we are committed to meeting the notification obligations set forth in Articles 33 and 34 of the GDPR.
Notification to Supervisory Authorities
Where Orbit AI acts as a data controller and a breach is likely to result in a risk to the rights and freedoms of individuals, we will notify the relevant supervisory authority without undue delay and no later than 72 hours after becoming aware of the breach. The notification will include the nature of the breach, the categories and approximate number of individuals affected, the likely consequences, and the measures taken or proposed to mitigate the impact.
Notification to Affected Individuals
If the breach is likely to result in a high risk to the rights and freedoms of individuals, we will communicate the breach to affected data subjects without undue delay, in clear and plain language, along with guidance on steps they can take to protect themselves.
Notification to Customers (Processor Context)
When acting as a data processor, we will notify affected customers without undue delay upon becoming aware of a breach involving their data, providing sufficient information to enable them to meet their own notification obligations under the GDPR.
12. Data Protection Impact Assessments
In accordance with Article 35 of the GDPR, Orbit AI conducts Data Protection Impact Assessments (DPIAs) before undertaking any processing activity that is likely to result in a high risk to the rights and freedoms of individuals. This is particularly relevant for:
- New AI features that involve automated decision-making or profiling
- Large-scale processing of personal data through workflow automations
- Processing of sensitive categories of data when submitted through customer forms
- Systematic monitoring of individual behavior through analytics or tracking
- New integrations or sub-processors that involve significant data sharing
Each DPIA evaluates the necessity and proportionality of the processing, assesses the risks to data subjects, and identifies measures to mitigate those risks. Where a DPIA indicates that processing would result in a high risk that cannot be adequately mitigated, we consult with the relevant supervisory authority before proceeding.
13. Cookie Compliance
Orbit AI complies with the ePrivacy Directive (2002/58/EC) and its national implementations regarding the use of cookies and similar tracking technologies.
Cookie Consent
We display a cookie consent banner to all visitors that provides clear and comprehensive information about the cookies we use. Non-essential cookies are not placed until the user has provided explicit, affirmative consent. Users can accept all cookies, reject non-essential cookies, or customize their preferences through granular controls.
Categories of Cookies
- Strictly Necessary Cookies: Required for the platform to function properly, including authentication tokens and session management. These do not require consent.
- Functional Cookies: Used to remember user preferences and settings, such as theme selection and language. Loaded only with consent.
- Analytics Cookies: Used to understand how visitors interact with our website and platform, helping us improve the user experience. Loaded only with consent.
- Marketing Cookies: Used to deliver relevant advertising and track campaign effectiveness. Loaded only with consent.
Managing Cookie Preferences
You can update your cookie preferences at any time through the cookie settings accessible from the footer of our website. You may also configure your browser to block or delete cookies, though this may affect the functionality of certain features.
14. Children's Data
Orbit AI is not directed at individuals under the age of 16, and we do not knowingly collect personal data from children. In accordance with Article 8 of the GDPR, where the processing of a child's personal data is based on consent, the consent must be given or authorized by the holder of parental responsibility.
If we become aware that we have collected personal data from a child under 16 without appropriate parental consent, we will take immediate steps to delete that data. If you believe that a child under 16 has provided personal data to Orbit AI, please contact us at privacy@orbitforms.ai so that we can take appropriate action.
Our customers who use Orbit AI to collect data from individuals are responsible for ensuring that they do not collect data from children without proper consent mechanisms in place. We recommend that customers who may interact with users under 16 implement age verification and parental consent procedures in their forms.
15. How to Exercise Your Rights
You may exercise any of your GDPR rights by contacting us at privacy@orbitforms.ai. When submitting a request, please include sufficient information for us to verify your identity and locate the relevant data.
Response Timeline
We will acknowledge your request within 5 business days and provide a substantive response within 30 days of receipt. If the complexity or volume of requests requires additional time, we may extend this period by up to 60 additional days, and we will inform you of the extension and the reasons for the delay within the initial 30-day period.
Identity Verification
To protect your privacy and prevent unauthorized access to your data, we may need to verify your identity before processing your request. This typically involves confirming the email address associated with your Orbit AI account. We will not request more information than is necessary for verification purposes.
End Users of Our Customers
If you submitted data through a form or communication powered by Orbit AI and wish to exercise your rights, we recommend contacting the organization that operates the form directly, as they are the data controller for your information. If you are unable to reach them, you may contact us and we will assist in routing your request to the appropriate party.
Right to Lodge a Complaint
If you believe that our processing of your personal data infringes the GDPR, you have the right to lodge a complaint with a supervisory authority in the EU Member State of your habitual residence, place of work, or place of the alleged infringement. We encourage you to contact us first so that we can attempt to resolve your concerns directly.
16. Updates to This Page
We may update this GDPR Compliance page from time to time to reflect changes in our data processing practices, new features, or updates to applicable law. When we make material changes, we will update the "Last updated" date at the top of this page and, where appropriate, provide additional notice through our platform or via email.
We encourage you to review this page periodically to stay informed about how we protect your data and comply with the GDPR. Your continued use of Orbit AI after any changes to this page constitutes your acknowledgment of the updated practices described herein.
17. Contact
If you have any questions, concerns, or requests regarding this GDPR Compliance page or our data protection practices, please reach out to us through the following channels:
- Privacy Inquiries: privacy@orbitforms.ai
- Security Concerns: security@orbitforms.ai
- Data Protection Officer: You may contact our Data Protection Officer for any matters relating to the processing of your personal data or the exercise of your rights under the GDPR by emailing privacy@orbitforms.ai with the subject line "DPO Inquiry."
For additional information about how Orbit AI handles your data, please review our Privacy Policy, Terms of Service, Security, and AI Policy.