Who this applies to

This policy covers Orbit — the app, our marketing website, and any data we hold about the families who use them. "We" means Orbit; "you" means the parent or child account holder or the adult visiting the website.

What we collect

Short list, no surprises:

  • Account details. Email address and chosen password (hashed with Argon2id — we can't see the plaintext), username, optional display name, and the family graph (which parents and children belong to the same Orbit).
  • Public encryption keys. So other devices in your family can find each other. Public halves only; private keys never leave your device.
  • Encrypted message blobs. We store ciphertext on our servers only until the recipient's phone is online to fetch it. Once delivered, it's deleted.
  • Routing metadata. Who sent to whom, when, and to which device. This is inherent to any messaging system — we can't route a message without knowing the destination.
  • Device information. Device type (iOS / Android), app version, approximate region derived from the request IP address. Used for session management and approved-login flows.
  • Your content-filter rules. Word lists and approval settings you've configured, so we can apply them on your child's device.
  • Server logs. Request path, status code, timestamp, IP address. Used to operate the service and investigate abuse.

What we don't collect

  • Plaintext of your messages. Ever. Messages are encrypted on your child's phone before they reach us; only the phones in the conversation can decrypt them.
  • Your private encryption keys. They live on the device that made them. If you delete the app, they're gone.
  • Contacts from your phonebook or other apps. We don't read your address book.
  • Behavioural profiles. We do not build advertising profiles, we do not share data with or sell data to marketers, and there's no advertiser on the other end of Orbit.
  • Third-party analytics. No Google Analytics, no Facebook Pixel, no Segment, no anything-else-SDK watching what your child does.
  • Biometrics, ID photos, age-verification data. We don't ask for them.

Why we have it

Each category above exists for one of three reasons:

  1. To provide the service. Delivering a message requires routing metadata. Authentication requires your password hash.
  2. To keep the service safe. Logs help us identify abusive patterns and stop spam / harassment accounts.
  3. To meet legal obligations. If compelled by a court, we'll disclose what we hold — which, by design, is not much.

If a piece of data doesn't fit one of those three, we shouldn't have it. If you spot one, tell us — it's a bug.

How long we keep it

  • Encrypted message blobs: deleted immediately after delivery. Undelivered blobs are purged after 30 days.
  • Server logs: rotated out after 30 days.
  • Account data: kept while the account is active. On account deletion, purged within 30 days (some backups may persist longer before being rotated out, but are never restored).
  • Content-filter rules: kept while the parent-child link exists.

Children's data

Orbit is designed for family messaging, which means most children using it are under the adult age of consent. A child account on Orbit is created by a parent, lives inside that parent's Orbit, and is controlled by the parent until they decide otherwise.

  • No child can sign up without a parent creating the account first.
  • We don't ask children for their email, phone number, real name, or ID.
  • Parents can review the list of their child's contacts, change filter rules, and delete the child's account at any time.
  • We do not use any child's data for advertising, analytics, or profiling, or for any other purpose beyond delivering the service they're using.

Who we share it with

Almost no one. Specifically:

  • Service providers we depend on to operate — cloud hosting, transactional email for OTP codes, push-notification infrastructure. Each handles only what it needs to do its job, and is under a data-processing agreement that prohibits further use.
  • Law enforcement, only when required by a valid legal process. We will push back on over-broad requests. We publish nothing we aren't legally forced to disclose. Because we can't read messages, we cannot produce message contents even if asked.
  • Never advertisers. Never data brokers. Never "partners."

Cookies & tracking

This website uses zero analytics cookies and zero third-party trackers. The only browser storage we use is:

  • localStorage — remembers your light/dark theme preference (`orbit-theme`).
  • Session storage — only inside the Orbit app itself, to keep you signed in.

No consent banner, because there is nothing to consent to.

Your rights

You can, at any time:

  • Access the account information we hold about you.
  • Correct anything we have wrong (display name, email, etc.).
  • Delete your account. Deletion removes the account and all associated metadata within 30 days.
  • Export your account metadata in a machine-readable format. (Messages are only readable on your devices; they aren't held server-side, so there is nothing for us to export.)
  • Object to any processing you disagree with, or ask us to restrict it.
  • Lodge a complaint with your local data-protection authority if you believe we've mishandled your data.

Email the address in the "How to reach us" section to exercise any of these. We respond within 30 days.

Changes to this policy

When we change this policy, we'll update the "Last updated" date at the top and — if the change materially affects how we handle your data — email every account holder at least 14 days before it takes effect. You can reject the change by deleting your account during that window.

How to reach us

Email privacy@orbit.family (address reserved at launch) for any privacy question, access request, deletion request, or concern. For security disclosures, see the Security page.