Privacy policy

1. What this policy covers

This policy applies to the Orbis OS web application available at dashboard.orbisos.app, the marketing website at orbisos.app, and any related emails we send.

It does notcover websites we don't operate, even if we link to them.

2. The data we collect

2.1 Account data

• Email address (required to create an account).
• A hashed password (we never see or store your password in plain text — authentication is handled by Supabase Auth).
• Organisation name, role (owner, admin, manager, member), and team assignment.

2.2 People & employment data

If you invite employees into your workspace, you may store:

• Full name, preferred name, date of birth, gender, pronouns, nationality.
• Contact details (phone, personal email, address, emergency contact).
• Identity documents (government ID type + number, tax ID, right-to-work flag).
• Banking details for payroll handoff (account number, IBAN, SWIFT/ BIC, currency).
• Job title, department, compensation amount/currency/frequency, contract type, dates of joining and review.

Government IDs, tax IDs, and bank account numbers are encrypted at the application layer using AES-256-GCM before being written to the database, so they are not readable from raw SQL.

2.3 Operational data

• Time entries: clock-in / clock-out timestamps, breaks, manual time entries, project allocations, billable flags.
• Leave requests, balances, half-day records, overtime requests.
• Schedules, locations (including IANA timezone), teams, projects.
• Clients and project metadata that you create (name, color, rate, notes).

2.4 Technical data

• IP address (from request headers when you use the app).
• Browser user agent.
• Auth session tokens (cookies set by Supabase Auth).

We do not run a third-party product-analytics tracker today (no Segment, no Mixpanel, no Google Analytics in the dashboard app). If we ever add one, this section will list it.

2.5 Communication data

Any email you send us, plus any email we send you (account invites, password resets, the weekly Monday reminders digest). These are delivered through Resend; the message body lives in your inbox and Resend's short-term logs.

3. How we use it

• To run the service — render your dashboard, calculate hours, process leave balances, send invite and reminder emails.
• To keep it secure — detect abuse, debug errors, comply with legal requests when required.
• To improve it — diagnose bugs from anonymised logs, decide what to build next based on aggregate usage.
• To talk to you — answer support questions, notify you of important service changes.

We do notsell your data. We don't use it to train AI models. We don't share it with advertisers.

4. Legal basis (GDPR / UK GDPR)

Where the GDPR applies, we rely on the following bases:

• Contract — most processing is necessary to provide the service you signed up for.
• Legitimate interests— security, abuse-prevention, and product improvement, where these don't override your rights.
• Consent — for anything outside the above (we will ask first).
• Legal obligation— when we're required to retain or disclose data by law.

5. Who we share it with

We share data with subprocessors who help us operate the service. Each one is bound by a Data Processing Agreement or equivalent.

• Supabase (database, authentication, file storage). Supabase is the primary system of record for your data. (Region pending — we'll update this once confirmed in our Supabase dashboard.)
• Vercel (hosting and edge delivery for the web application and marketing site). Vercel processes request metadata to serve pages.
• Resend (transactional email delivery: invites, password resets, reminders).

Beyond this list, we share data only:

• With your explicit instruction.
• When required by a valid legal request (subpoena, court order, etc.).
• To enforce our Terms or protect Orbis OS, our users, or others from immediate harm.

6. International transfers

If you or your data are in the European Economic Area (EEA) / United Kingdom and our subprocessors are located outside that region, your data may be transferred internationally. Where required, we rely on Standard Contractual Clauses or the equivalent transfer mechanism in force.

7. How long we keep it

• Active accounts: we keep your data while your account is active.
• After deletion: when you (or your organisation owner) delete an account, we remove it from active databases within 30 days. Backups roll off within 90 days.
• Email logs: Resend retains delivery metadata for up to 30 days per their policy.

8. Your rights

If GDPR or UK GDPR applies to you, you have the right to:

• Access the personal data we hold about you.
• Correct inaccurate or incomplete data.
• Erase your data (subject to legal-retention exceptions).
• Restrict processing in specific cases.
• Export your data in a structured, machine-readable format.
• Object to processing based on legitimate interests.
• Lodge a complaint with your local data-protection authority.

Most of these can be exercised from inside the product. For anything you can't do yourself, email contact@orbisos.app; we respond within 30 days.

9. Security

Security is foundational to the product, not a feature:

• Per-organisation isolation— every database read and write is gated by Postgres row-level security policies. No application bug can let one organisation read another organisation's data, because the database itself enforces it.
• Encrypted sensitive fields — government IDs, tax IDs, and bank account numbers are encrypted at the application layer (AES-256-GCM) before storage.
• HTTPS everywhere — all traffic to dashboard.orbisos.app and orbisos.app is served over TLS.
• Password handling — we never see or store plain-text passwords. Supabase Auth handles hashing and login.
• Principle of least privilege — the application uses a non-superuser database role; admin scripts use a separate service-role credential.

10. Cookies

We use only the cookies necessary to run the app:

• Auth session cookies — set by Supabase Auth to keep you signed in. Required.
• Theme preference — a small cookie / local storage value that remembers whether you picked light or dark mode. Optional but defaulted on.

We don't run advertising cookies, tracking pixels, or cross-site analytics.

11. Children

Orbis OS is built for businesses; it isn't directed at children, and we don't knowingly collect data from anyone under 16. If you believe a child has signed up, email contact@orbisos.appand we'll remove their data.

12. Changes to this policy

We'll update this page when our practices change. The Last updated date at the top reflects the most recent change. Material changes will be notified by email to account owners at least 14 days before they take effect.

13. Contact

Questions about this policy? Email contact@orbisos.app.