ORBIT PRIVACY & SECURITY POLICY
Last updated: June 16, 2026
This policy explains what Orbit collects, how it's used, how it's protected, and who it's shared with. It's written for the people who use Orbit and for the security and procurement teams evaluating it on their behalf. Where a claim has a real limit or an open item, we say so.
WHAT ORBIT IS, IN ONE PARAGRAPH
Orbit is a single web application built on Supabase (PostgreSQL, with row-level security policies enforcing data access) and hosted on Vercel. There is one database. Your data lives in your own rows, scoped to your account by Postgres row-level security — not in a separate database or a separate company instance. Orbit does not currently operate multiple customer editions, embedded third-party surfaces, or federated single sign-on. If and when any of those are built, this policy will be updated before they ship, not after.
INFORMATION ORBIT COLLECTS
Account information. Name, email address, and authentication credentials (handled by Supabase Auth) needed to create and secure your account.
Content you provide. This is the largest category, and the one most relevant to your evaluation: initiative names and descriptions, stakeholder names, titles, and organizations you choose to add, your own leadership-style assessment answers, message drafts, meeting notes, voice debrief recordings and their transcripts, and any other text or audio you submit for coaching, drafting, or analysis.
Usage data. Which features you use, timestamps, and session activity, used to operate, secure, and improve the product.
Billing data. Your plan (Free or Pro) and subscription status, processed through Stripe and our funnel management provider. Orbit's servers store your plan status, not your card number — card details are handled directly by Stripe.
Device and access data. IP-derived location signals, browser metadata, and session data, used for security monitoring (for example, detecting unusual login activity).
HOW ORBIT USES INFORMATION
Orbit uses your information to run the product you're using: authenticating you, assembling the context a coaching request needs (your leadership style, the stakeholder you're asking about, the initiative involved), generating drafts and briefs, enforcing free-tier limits, and logging activity for billing and abuse prevention.
We do not use your private workspace data to train models, and we do not use it as context for any other customer's session. There is no feature or function that searches or surfaces one user's content to another user.
WHERE YOUR DATA ACTUALLY GOES: THIRD-PARTY PROCESSORS
Orbit sends certain content and meta-data to the following third parties to deliver specific features:
— Anthropic (Claude API) — receives the context needed to generate coaching guidance, message drafts, briefs, and other AI-assisted output. This is the core of the product; nearly everything you do in Orbit that produces written guidance goes through this call.
— Perplexity (Sonar) — receives stakeholder name, title, and organization when you ask Orbit to enrich a stakeholder profile (pulling public information to help infer their likely decision-making style). Sonar's responses are sanitized before storage — they pass through a filtering step that strips formatting and validates content before it's saved to your stakeholder record.
— OpenAI (Whisper) — receives audio when you use voice input (debriefs, voice notes) and returns a text transcript.
— Stripe — receives payment information directly when you upgrade to Pro. Orbit's servers do not see or store your card number.
— Resend — sends transactional email (verification, notifications) on Orbit's behalf, and necessarily processes your email address to do so.
Every call to Anthropic, Perplexity, and OpenAI is logged — which endpoint was called, when, and by which user — in an internal table used for cost tracking and operational review. This log exists primarily for engineering and billing visibility, not as a customer-facing audit trail today, though the data needed for one exists.
We do not have zero-retention agreements in place with these providers today. If your organization requires that for a specific deployment, ask us — it's a reasonable thing to negotiate before relying on Orbit for highly sensitive content, and we'll tell you plainly if we can't accommodate it yet.
DATA ISOLATION BETWEEN CUSTOMERS
Orbit is a single-tenant-per-row, multi-customer system: one database, with PostgreSQL row-level security policies that scope every query to the authenticated user's own data. There is no cross-customer search feature, and no code path today that intentionally surfaces one user's stakeholders, initiatives, or coaching history to another user.
We want to be precise about what that does and doesn't guarantee. Row-level security is a real, enforced boundary at the database layer — it is not just an application-level convention that a bug could silently bypass. But it is also not the same as physically separate databases per customer, which is the strongest form of isolation and which Orbit does not currently use. For most mid-market and enterprise security buyers, RLS-enforced multi-tenancy is a normal and acceptable architecture; if your organization's policy specifically requires physical database separation, tell us before you rely on Orbit for sensitive initiatives, since that is not what's built today.
AUTHENTICATION
Orbit uses Supabase Auth, supporting email/password and magic-link sign-in. We do not currently support enterprise SSO (SAML/OIDC) or passkeys. If your organization requires SSO as a condition of adoption, let us know.
We strongly recommend a unique, strong password for your Orbit account regardless, since it is currently the primary thing standing between your account and anyone who guesses or reuses a leaked credential.
SECURITY PRACTICES THAT ARE ACTUALLY IN PLACE
— Row-level security policies enforce free-tier limits and data access server-side, not just in the app's interface — meaning a technically determined user can't bypass plan limits by calling the API directly.
— All outbound AI and paid-API calls are authenticated and logged.
— Stakeholder-enrichment text returned from Perplexity is sanitized before it's stored, reducing the risk of malformed or unexpected content reaching your data.
— Voice transcripts are processed and structured before they're used to update any initiative or stakeholder record, and you can always review and override what was captured.
— Schema changes are additive — we don't drop columns or tables that hold user data as part of normal iteration, which reduces the chance of accidental data loss during updates.
— Secrets (API keys, credentials) are stored as environment variables outside source control, not committed to the codebase.
SECURITY PRACTICES WE'RE HONEST ABOUT NOT HAVING YET
— No independent third-party security audit or penetration test has been completed as of this writing. Although, we have performed extensive internal testing.
— No SOC 2 or equivalent compliance certification exists yet.
— No formal incident response runbook has been published; if you believe you've found a security issue, email us directly and we will treat it as a priority.
— Subscription cancellation does not yet automatically downgrade an account if a payment fails — this is a known gap being addressed, not a hidden one.
We'd rather list these plainly than have a security reviewer find them first.
DATA RETENTION
We retain your account and content data for as long as your account is active. Cost and usage logs (the api_calls table referenced above) are retained for operational and billing purposes.
DATA DELETION
If you delete your account or request deletion, your profile, initiatives, stakeholder records, and associated content are removed from the primary database. We do not yet have a fully automated, single-action deletion pipeline that cascades through every related table — deletion today may involve a combination of automated and manual steps on our side to ensure everything tied to your account is actually removed. If you request deletion, we will confirm with you once it's complete.
YOUR CONTENT, AI OUTPUT, AND ACCURACY
Orbit's AI-generated coaching, drafts, and value-case content are built from the information you provide. We do not invent financial figures: the Value Case Builder works only with numbers you've supplied, and any derived calculation (totals, ROI, payback period) shows its work rather than presenting an unexplained number. Stakeholder operating-style inferences are always labeled as inferred, with a confidence level — never presented as verified fact about a real person, because they aren't.
You are responsible for reviewing AI-generated content before using it in a real conversation, email, or presentation. Orbit is a coaching and drafting tool, not a guarantee of outcome.
INTERNATIONAL USE
Orbit's infrastructure (Supabase, Vercel) operates in the United States. If your organization has data residency requirements outside the U.S., tell us before relying on Orbit for regulated data — this is not something we currently support natively, and we'd rather say that directly than gesture vaguely at "appropriate measures."
YOUR RESPONSIBILITIES
You're responsible for the strength of your own password, for not sharing your login, and for using judgment about what you submit — particularly around regulatory, legal, or extremely sensitive material that may carry its own handling requirements independent of Orbit. If your organization has policies about what can be entered into third-party AI tools, Orbit's third-party processor list above is what you need to check against those policies.
CHANGES TO THIS POLICY
We'll update this policy as the product changes — particularly as we close gaps listed above (SSO, formal audits, automated deletion). Material changes will be noted with an updated date at the top of this page, and significant changes affecting how your data is used will be communicated directly, not just posted silently.
CONTACT
Questions about this policy, security questions from your procurement or risk team, or anything you want confirmed in writing before you adopt Orbit — reach out directly to Steve Hunt at [email protected]. We'd rather answer a direct question accurately than have this document try to anticipate every one.