Privacy Policy

1. Introduction

Welcome to Orbit AI ("Orbit AI," "we," "us," or "our"). Orbit AI operates the website located at orbitforms.ai and provides a suite of tools including form building, contact management, workflow automation, scheduling, sequences, and AI-powered data processing (collectively, the "Services").

This Privacy Policy describes how we collect, use, store, share, and protect information when you interact with our Services—whether you are an account holder creating forms and workflows, a team member collaborating within an organization, or an end user who submits responses through an Orbit AI-powered form embedded on a third-party website.

By accessing or using our Services, you acknowledge that you have read, understood, and agree to be bound by this Privacy Policy and our Terms of Service. If you do not agree, please discontinue use of our Services immediately.

2. Information We Collect

2.1 Information You Provide Directly

When you create an account, configure your workspace, or otherwise interact with our Services, you may provide:

• Account information: Your name, email address, password, profile photo, and organization details.
• Billing information: Payment card details, billing address, and transaction history, processed through our payment processor.
• Form and survey content: Questions, logic rules, themes, and media you upload when building forms, surveys, or quizzes.
• Contact records: Names, email addresses, phone numbers, tags, notes, and any custom fields you store within Orbit AI's contact management features.
• Communication content: Messages you compose for email sequences, SMS outreach, or automated follow-ups sent through the platform.
• Scheduling details: Availability windows, meeting type configurations, calendar connections, and booking page preferences.
• Support correspondence: Information you provide when contacting our support team, including attachments and screenshots.

2.2 Form Submission Data

When end users complete a form, survey, or quiz built with Orbit AI, we collect the responses they submit. The nature of this data depends entirely on the fields configured by the form creator and may include personal information such as names, email addresses, phone numbers, or any other information the form is designed to capture. Form creators are responsible for providing appropriate privacy disclosures to their respondents.

2.3 Automatically Collected Information

When you access our Services, certain technical information is gathered automatically:

• Device and browser data: Operating system, browser type and version, screen resolution, and device identifiers.
• Hashed IP addresses: We hash IP addresses before storage to support fraud detection and geographic analytics without retaining raw IP data.
• Usage telemetry: Pages visited, features used, click paths, session duration, timestamps, and referring URLs.
• Performance metrics: Page load times, error logs, and API response times used for reliability monitoring.

2.4 Data from Third-Party Integrations

When you connect external services through our integration features (such as CRM systems, spreadsheet tools, marketing platforms, or calendar services), we may receive data from those services in accordance with the permissions you grant. This data is used solely to operate the integration you configured and is governed by both this Privacy Policy and the privacy policies of the connected services.

2.5 Cookies and Similar Technologies

We use cookies, local storage, and similar technologies to maintain session state, remember preferences, and collect analytics data. For full details, see Section 5: Cookies and Tracking Technologies below.

3. How We Use Your Information

We process the information we collect for the following purposes:

• Service delivery: To operate, maintain, and provide all features of our platform, including form building, contact management, workflow execution, sequence automation, scheduling, and embedded form rendering on your websites.
• Improvement and development: To analyze usage patterns, diagnose technical issues, and develop new features that enhance the platform.
• Communication: To send transactional emails (account verification, password resets, billing receipts), product updates, security alerts, and—where you have opted in—marketing communications.
• Analytics and reporting: To generate form performance analytics, submission reports, workflow execution summaries, and other insights available in your dashboard.
• AI-powered processing: To deliver AI-driven features such as form optimization suggestions, intelligent workflow routing, lead scoring, and conversational AI interactions. See Section 4 for details.
• Security and fraud prevention: To detect and prevent unauthorized access, abuse, spam submissions, and other malicious activity through rate limiting, IP hash analysis, and anomaly detection.
• Legal compliance: To comply with applicable laws, regulations, legal processes, or enforceable governmental requests, and to enforce our Terms of Service.
• Team collaboration: To facilitate multi-user workspaces, permission management, activity audit trails, and shared resource access within your organization.

4. AI-Powered Features and Data Processing

Orbit AI incorporates artificial intelligence throughout its platform. This section describes how AI processes your data, the safeguards in place, and your options for control. For our complete AI governance framework, please review our AI Policy.

4.1 Form Optimization

Our AI analyzes form structure, completion rates, and respondent behavior to suggest improvements such as question reordering, field type recommendations, and conditional logic enhancements. This processing uses aggregated and de-identified submission patterns and does not expose individual responses to other users.

4.2 AI Agent Nodes in Workflows

Workflow automation in Orbit AI allows you to insert AI agent nodes that analyze, classify, enrich, score, and route data as it flows through your configured workflow. When a contact or form submission enters an AI agent node, the relevant data fields are sent to our AI processing infrastructure for analysis. The AI agent operates strictly within the parameters and instructions you define in your workflow configuration—it does not take autonomous actions beyond what you have specified.

4.3 Conversational AI Communication

Orbit AI offers a conversational AI feature that enables AI-powered communication with end users (such as form respondents or contacts in your CRM) after those individuals provide explicit opt-in consent. This feature allows AI to engage in follow-up conversations, answer questions, qualify leads, or provide information on your behalf.

Key safeguards for conversational AI:

• Explicit opt-in required: End users must actively consent before AI-powered conversations are initiated. The AI will not contact individuals who have not opted in.
• Disclosure of AI identity: Conversations are clearly identified as AI-powered so that recipients understand they are interacting with an automated system.
• Scope limitations: Conversational AI operates within the boundaries and instructions set by the account holder. It does not make commitments, access external systems, or take actions beyond its configured scope.
• Opt-out at any time: End users may opt out of further AI communication at any point, and their preference will be honored immediately.
• Conversation logging: All AI-generated conversations are logged and accessible to the account holder for review, quality assurance, and compliance purposes.

4.4 Third-Party AI Providers

Certain AI features are powered by third-party AI service providers. When data is sent to these providers for processing:

• Data is transmitted securely using encrypted connections.
• Our agreements with AI providers contractually prohibit them from using your data to train, improve, or develop their own models or services.
• Data is processed solely for the purpose of delivering the requested AI feature and is not retained by providers beyond the duration necessary to complete the processing request.
• We select providers that maintain robust security and privacy certifications.

4.5 Your AI Choices

You have control over how AI interacts with your data. You may disable AI agent nodes in your workflows, opt out of AI-powered form optimization suggestions, and choose not to activate the conversational AI communication feature. Disabling AI features will not affect the core functionality of form building, contact management, or workflow execution.

5. Cookies and Tracking Technologies

We use cookies and similar tracking technologies to enhance your experience, understand usage patterns, and deliver relevant content. When you first visit our website, a cookie consent banner allows you to manage your preferences.

5.1 Essential Cookies (Always Active)

These cookies are strictly necessary for the operation of our Services. They enable core functionality such as session authentication, CSRF protection, security tokens, and cookie consent preferences. Because they are essential to the functioning of the platform, they cannot be disabled.

5.2 Analytics Cookies (Optional)

Analytics cookies help us understand how visitors interact with our website by collecting information about page views, navigation paths, session duration, and feature usage. This data is aggregated and used to improve the design and functionality of our Services. You may opt out of analytics cookies through our cookie consent banner.

5.3 Marketing Cookies (Optional)

Marketing cookies are used to track visitors across pages to display relevant advertisements and measure campaign effectiveness. These cookies are only activated with your explicit consent and can be disabled at any time via the cookie consent banner.

5.4 Functional Cookies (Optional)

Functional cookies enable enhanced features and personalization, such as remembering your theme preference (light or dark mode), language selection, and dashboard layout configurations. While these cookies improve your experience, the Services will still function without them.

6. Data Sharing and Third Parties

We do not sell your personal information to anyone. We share information only in the following limited circumstances:

6.1 Service Providers and Sub-Processors

We engage trusted third-party companies to perform functions on our behalf, such as cloud hosting and infrastructure, payment processing, email delivery, AI processing, customer support tooling, and analytics. These service providers are contractually bound to use your data only for the services they provide to us, maintain appropriate security measures, and not disclose or use your data for any other purpose.

6.2 User-Configured Integrations

When you connect Orbit AI to third-party services through our integration features—such as CRM platforms, spreadsheet tools, marketing automation services, communication tools, or webhook endpoints—data will be shared with those services as directed by your integration configuration. You are responsible for reviewing the privacy practices of any third-party service you connect.

6.3 Legal Requirements

We may disclose your information if we believe in good faith that such disclosure is necessary to comply with applicable law, regulation, or legal process; respond to a valid subpoena, court order, or governmental request; protect the rights, property, or safety of Orbit AI, our users, or the public; or detect, prevent, or address fraud, security, or technical issues.

6.4 Business Transfers

In the event of a merger, acquisition, reorganization, bankruptcy, or sale of all or a portion of our assets, your information may be transferred as part of that transaction. We will notify you via email and/or a prominent notice on our website of any change in ownership or uses of your personal information, as well as any choices you may have.

7. Data Retention

We retain your information only for as long as necessary to fulfill the purposes described in this policy, unless a longer retention period is required by law. Our retention practices vary by data type:

• Form submissions: Retained according to the retention period configured by the form creator within their account settings. Form creators may set custom retention windows or manually delete submissions at any time.
• Account data: Maintained for the duration of your active account. Upon account deletion, your personal data is purged within 30 days, except where retention is required for legal, regulatory, or legitimate business purposes (such as resolving disputes or enforcing agreements).
• Contact records: Retained until manually deleted by the account holder or until the associated account is closed.
• Audit logs: Activity and security logs are retained in accordance with our compliance obligations and industry best practices, typically for a minimum of 12 months.
• Billing records: Transaction records are retained as required by applicable tax and financial regulations.
• AI conversation logs: Logs from conversational AI interactions are retained for the period configured by the account holder and are available for review and export.

8. Data Security

We implement comprehensive technical and organizational measures to protect your information. While no system can guarantee absolute security, we strive to employ industry-leading practices. For a detailed overview, visit our Security Practices page.

• Encryption at rest: All stored data is encrypted using AES-256-GCM, ensuring that data remains protected even in the unlikely event of unauthorized physical access to storage media.
• Encryption in transit: All data transmitted between your browser and our servers, as well as between our internal services and third-party providers, is encrypted using TLS (Transport Layer Security).
• IP address hashing: We hash visitor IP addresses before storage, preventing the retention of raw IP data while still enabling fraud detection and geographic analysis.
• Access controls: We enforce role-based access controls, the principle of least privilege, and regular access reviews to ensure only authorized personnel can access sensitive systems and data.
• Rate limiting: API endpoints and form submissions are protected by rate limiting to mitigate brute-force attacks, credential stuffing, and denial-of-service attempts.
• Multi-factor authentication (MFA): We support MFA for account access, providing an additional layer of security beyond passwords.
• Monitoring and incident response: We continuously monitor our infrastructure for suspicious activity and maintain an incident response plan to address potential security events promptly.

9. Your Rights and Choices

Regardless of where you are located, we provide all users with the following rights and self-service tools to manage their data:

• Right to access: You can request a summary of the personal information we hold about you. Much of this information is directly accessible through your account dashboard.
• Right to rectification: You can update or correct inaccurate personal information through your account settings at any time.
• Right to erasure: You can delete your account through the self-service account deletion feature in your profile settings. Account deletion removes your personal data, forms, contacts, and associated content, subject to our retention obligations.
• Right to data portability: You can export your data—including form submissions, contact records, and workflow configurations—in JSON format through the export tools available in your dashboard.
• Right to restrict processing: You can request that we limit how we process your personal information under certain circumstances, such as while we verify the accuracy of your data.
• Right to withdraw consent: Where processing is based on your consent (such as marketing communications or optional cookies), you may withdraw that consent at any time without affecting the lawfulness of prior processing.
• Right to object: You can object to the processing of your personal information for direct marketing or where we process your data based on legitimate interests.

To exercise any of these rights, you may use the self-service features within your account or contact us at privacy@orbitforms.ai. We will respond to verified requests within 30 days.

10. International Data Transfers

Our Services are primarily hosted and operated in the United States. If you access our Services from outside the United States, your information will be transferred to, stored in, and processed in the United States and potentially in other jurisdictions where our service providers operate.

When we transfer personal data internationally, we implement appropriate safeguards to ensure that your information receives an adequate level of protection. These safeguards may include Standard Contractual Clauses approved by relevant authorities, data processing agreements with our sub-processors, and technical measures such as encryption and pseudonymization. For more details about our approach to international transfers, particularly as it relates to European data subjects, please see our GDPR Compliance page.

11. Children's Privacy

Our Services are not directed to individuals under the age of 16. We do not knowingly collect, solicit, or maintain personal information from anyone under 16 years of age. If you are a parent or guardian and become aware that your child has provided personal information to us without your consent, please contact us at privacy@orbitforms.ai. Upon verification, we will promptly delete such information from our systems.

Form creators using Orbit AI are responsible for ensuring that their forms do not knowingly collect information from children under 16 in violation of applicable laws, including the Children's Online Privacy Protection Act (COPPA) in the United States.

12. California Privacy Rights (CCPA/CalOPPA)

If you are a California resident, you have specific rights under the California Consumer Privacy Act (CCPA) and the California Online Privacy Protection Act (CalOPPA):

• Right to know: You have the right to request that we disclose the categories and specific pieces of personal information we have collected about you, the categories of sources from which it was collected, the business or commercial purpose for collection, and the categories of third parties with whom we share it.
• Right to delete: You have the right to request deletion of your personal information, subject to certain exceptions permitted by law (such as completing a transaction or complying with a legal obligation).
• Right to opt out of sale: We do not sell personal information. However, you retain the right to direct us not to sell your personal information at any time.
• Right to non-discrimination: We will not discriminate against you for exercising any of your CCPA rights. You will not receive a different level or quality of service for making privacy requests.

In the preceding twelve months, we have collected the categories of personal information described in Section 2 of this policy. To submit a verifiable consumer request, contact us at privacy@orbitforms.ai. You may also designate an authorized agent to make a request on your behalf.

13. European Privacy Rights (GDPR)

If you are located in the European Economic Area (EEA), the United Kingdom, or Switzerland, you benefit from additional rights under the General Data Protection Regulation (GDPR) and equivalent local laws. For detailed information, visit our GDPR Compliance page.

13.1 Lawful Basis for Processing

We rely on the following legal bases to process your personal data:

• Performance of a contract: Processing necessary to provide the Services you have signed up for, including account management, form hosting, workflow execution, and billing.
• Legitimate interests: Processing necessary for our legitimate business interests, such as improving our Services, ensuring platform security, preventing fraud, and conducting aggregate analytics—provided these interests are not overridden by your rights and freedoms.
• Consent: Processing based on your explicit consent, such as sending marketing emails, enabling optional cookies, activating AI-powered communication features, or sharing data with integrations you configure. You may withdraw consent at any time.
• Legal obligation: Processing required to comply with applicable legal requirements, such as tax reporting, responding to lawful data requests, or maintaining audit logs.

13.2 Data Subject Rights

In addition to the rights described in Section 9, European data subjects have the right to lodge a complaint with a supervisory authority in the EU member state where they reside, work, or where they believe a violation has occurred. We encourage you to contact us first at privacy@orbitforms.ai so we can address your concern directly.

13.3 Data Controller and Processor Roles

When you use Orbit AI to collect data from form respondents, you act as the data controller, and Orbit AI acts as the data processor operating under your instructions. For data we collect directly about our account holders (such as registration and billing information), Orbit AI is the data controller.

14. Changes to This Policy

We may revise this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or for other operational reasons. When we make material changes, we will:

• Update the "Last updated" date at the top of this page.
• Post the revised Privacy Policy on our website.
• Notify active account holders via email or in-app notification at least 15 days before material changes take effect.
• Where required by law, obtain your consent before applying changes to how we process your data.

We encourage you to review this Privacy Policy periodically. Your continued use of the Services after the effective date of any changes constitutes your acceptance of the revised policy.

15. Contact Us

If you have questions, concerns, or requests related to this Privacy Policy or our data practices, please reach out using the appropriate channel:

• Privacy inquiries and data rights requests: privacy@orbitforms.ai
• Security concerns and vulnerability reports: security@orbitforms.ai
• General support and product questions: support@orbitforms.ai

You may also visit the following pages for additional information about our practices:

• Terms of Service
• GDPR Compliance
• Security Practices
• AI Policy