Privacy Policy — ORBIT AI

The short version: ORBIT AI collects only the data necessary to deliver and improve our service. We do not sell your data. We do not use your uploaded documents to train AI models. You remain in control of your data at all times.

Table of Contents

Who We Are
Data We Collect
How We Use Your Data
Legal Bases for Processing
Data Sharing & Third Parties
Document & Content Data
Data Retention
Security
Your Rights
Cookies
International Transfers
Children's Privacy
Changes to This Policy
Contact Us

1. Who We Are

ORBIT AI ("ORBIT AI", "we", "our", or "us") is a software-as-a-service platform that enables businesses to deploy an AI-powered document assistant trained exclusively on their own content. ORBIT AI is operated by Harris Thomas and associated entities ("the Company").

For the purposes of applicable data protection law — including UAE Federal Decree-Law No. 45 of 2021 on the Protection of Personal Data (the "UAE PDPL") — ORBIT AI acts as a data controller in relation to the personal data of visitors to our website and registered account holders, and as a data processor in relation to any personal data contained within documents you upload to the platform.

Our contact details are set out in Section 14.

2. Data We Collect

2.1 Account & Registration Data

Full name
Business email address
Company name and website URL
Billing address and VAT number (where applicable)
Password (stored as a bcrypt hash; we never store plaintext passwords)

2.2 Usage & Technical Data

IP address and approximate geolocation (country level)
Browser type, operating system, and device type
Pages visited, feature interactions, and session duration
API request logs (anonymised after 30 days)
Error logs and diagnostic information

2.3 Payment Data

Payment card details are collected and processed exclusively by our payment processor, Stripe. We receive only a tokenised reference and the last four digits of your card. We never store full card numbers.

2.4 Communications Data

When you contact us by email or submit a support request, we retain those communications and any personal data contained within them for the purpose of resolving your enquiry.

2.5 End-User Chat Data

Messages submitted by visitors to AI assistants deployed by our customers ("End Users") are processed in real time to generate responses. We do not store End User chat messages beyond the duration of the active session unless our customer has enabled session logging in their account settings.

3. How We Use Your Data

Purpose	Data Used	Legal Basis
Providing and operating the ORBIT AI platform	Account data, usage data	Contract performance
Processing payments and managing subscriptions	Billing data	Contract performance
Sending transactional emails (receipts, alerts, password resets)	Email address	Contract performance
Improving platform reliability, performance, and security	Usage data, error logs	Legitimate interests
Sending product updates and feature announcements	Email address	Legitimate interests (with opt-out)
Complying with legal obligations (tax, fraud prevention)	Billing and account data	Legal obligation
Responding to support requests	Communications data	Contract performance / legitimate interests

We will never use your data for automated decision-making that produces significant legal effects without your explicit consent.

4. Legal Bases for Processing

Under the UAE PDPL, we rely on the following legal bases for processing personal data:

Contract performance — processing necessary to deliver the services you have subscribed to.
Legitimate interests — improving our platform, preventing fraud, and communicating product news, where our interests do not override your rights and freedoms.
Legal obligation — complying with applicable law, including tax and financial reporting requirements.
Consent — for optional marketing communications and non-essential cookies. You may withdraw consent at any time.

5. Data Sharing & Third Parties

We do not sell, rent, or trade your personal data. We share data only in the following circumstances:

5.1 Sub-processors

We engage the following categories of sub-processors to operate the platform:

Cloud infrastructure — server hosting, databases, and object storage
AI model providers — large language model APIs used to generate assistant responses (your document content is sent to these providers at inference time but is not used for their model training)
Payment processing — Stripe, Inc.
Email delivery — transactional email service providers
Error monitoring — application performance monitoring tools

All sub-processors are bound by data processing agreements and are required to implement appropriate technical and organisational measures.

5.2 Legal Disclosure

We may disclose personal data where required by law, court order, or regulatory authority, or where necessary to protect the rights, property, or safety of ORBIT AI, our customers, or the public.

5.3 Business Transfers

In the event of a merger, acquisition, or sale of assets, personal data may be transferred to the acquiring entity, subject to equivalent privacy protections.

6. Document & Content Data

Documents you upload to ORBIT AI ("Customer Content") are processed solely to provide the service — specifically, to generate vector embeddings that power semantic search and AI responses.

We do not use Customer Content to train, fine-tune, or improve any AI model — whether our own or any third party's. Your business knowledge stays yours.

Customer Content is stored in encrypted form at rest and in transit. Access is restricted to the specific customer account that uploaded it. ORBIT AI staff may access Customer Content only where strictly necessary to investigate a support issue and only with the customer's knowledge.

When you delete a document through the platform, it is removed from active storage within 24 hours and from all backup systems within 30 days.

7. Data Retention

Data Category	Retention Period
Account data	Duration of subscription + 90 days following account closure
Billing records	7 years (UK tax law requirement)
Customer Content (documents)	Until deleted by customer, or 30 days after account closure
API request logs	Anonymised after 30 days; deleted after 12 months
Support communications	3 years from date of resolution
End User session data	End of session (unless session logging is enabled by customer)

You may request early deletion of your data at any time, subject to our legal retention obligations.

8. Security

We implement industry-standard technical and organisational security measures, including:

TLS 1.2+ encryption for all data in transit
AES-256 encryption for data at rest
Bcrypt password hashing with per-account salts
Role-based access controls and least-privilege principles
Regular dependency vulnerability scanning
Isolated per-customer data environments

Despite these measures, no internet transmission is completely secure. If you believe your account has been compromised, contact us immediately at hello@orbitdocai.com.

We will notify you of a personal data breach affecting your account without undue delay and, where feasible, within 72 hours of becoming aware of it, in accordance with our obligations under the UAE PDPL.

9. Your Rights

Under the UAE PDPL, you have the following rights regarding your personal data:

Right of access — obtain a copy of the personal data we hold about you.
Right to rectification — request correction of inaccurate or incomplete data.
Right to erasure — request deletion of your data ("right to be forgotten"), subject to legal retention obligations.
Right to restriction — request that we limit processing of your data in certain circumstances.
Right to data portability — receive your data in a structured, machine-readable format.
Right to object — object to processing based on legitimate interests, including direct marketing.
Right to withdraw consent — where processing is based on consent, withdraw it at any time without affecting the lawfulness of prior processing.

To exercise any of these rights, contact us at hello@orbitdocai.com. We will respond within 30 days. If you are unsatisfied with our response, you have the right to lodge a complaint with the UAE Data Office (the authority responsible for overseeing the UAE PDPL) at uaedataoffice.ae.

10. Cookies

Our website uses cookies and similar tracking technologies. Please see our Cookie Policy for full details of what we set, why, and how to manage your preferences.

11. International Data Transfers

Our infrastructure may be hosted in data centres located in the United Arab Emirates, the European Economic Area (EEA), or the United States. Where personal data is transferred outside the UAE, we ensure appropriate safeguards are in place in accordance with Article 22 of the UAE PDPL, including:

Transfers to countries that provide an adequate level of data protection as determined by the UAE Data Office
Standard contractual clauses or binding corporate rules approved by the competent authority
The recipient has implemented appropriate technical and organisational measures satisfying UAE PDPL requirements

12. Children's Privacy

ORBIT AI is a business-to-business platform and is not directed at individuals under the age of 18. We do not knowingly collect personal data from children. If you become aware that a child has provided us with personal data without parental consent, please contact us and we will delete it promptly.

13. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices or applicable law. Where changes are material, we will notify registered account holders by email at least 14 days before the changes take effect. The "Last updated" date at the top of this page reflects the most recent revision.

Your continued use of the platform after the effective date constitutes acceptance of the revised policy.

14. Contact Us

If you have any questions about this Privacy Policy or wish to exercise your data rights, please contact us:

ORBIT AI — Data Enquiries

Email: hello@orbitdocai.com

Website: orbitdocai.com