Privacy policy
Draft privacy information for ORBAT. Legal review required.
LEGAL REVIEW REQUIRED — DRAFT ONLY. This document was generated as a starting point and has NOT been reviewed by qualified legal counsel. It must be reviewed and approved by a licensed attorney before publication. Legal entity details have been populated; all other content must be verified by qualified legal counsel before publication. Do not publish without legal review.
Effective date: March 2026
Last updated: March 2026
This Privacy Policy explains how ORBAT HQ PTY LTD ("ORBAT," "we," "us," or "our"), operating the website at orbathq.com and the platform at app.orbathq.com, collects, uses, discloses, and retains personal data.
ORBAT is a B2B SaaS platform. The Service is designed for use by organizations, and we collect personal data primarily in the context of business users (account holders, team members, and contacts) — not consumers or end-users of our customers.
1. Who we are
Data controller: ORBAT HQ PTY LTD
Data protection contact: privacy@orbathq.com
EU representative: ORBAT HQ PTY LTD does not currently have a designated EU representative. If you are an EU/EEA data subject and wish to exercise your rights, please contact privacy@orbathq.com directly.
ORBAT is the data controller for personal data collected through orbathq.com, including account registration, website analytics, and marketing activities.
ORBAT is a data processor with respect to personal data that customers provide or generate within the ORBAT platform (for example, supplier contact names included in CSV uploads). This distinction and its GDPR implications are described further in our DPA, available on request.
2. What personal data we collect
2.1 Account data
When you register for an ORBAT account, we collect:
- Your name
- Your work email address
- Your company name and company domain
- A password (stored as a cryptographic hash — we never store passwords in plaintext)
- Your role within your organization (for access control purposes)
When you invite team members to your account, we collect their work email addresses and the role you assign them.
2.2 Billing data
When you subscribe to a paid plan, we collect:
- Stripe customer ID (a reference identifier created by Stripe)
- Subscription status, plan type, and billing interval
- Last four digits of the payment card and card expiry month/year (provided by Stripe for display purposes)
ORBAT does not store payment card numbers, CVV codes, or full card data of any kind. All payment processing is handled by Stripe, Inc. (a PCI DSS Level 1 compliant payment processor). The payment data you enter at checkout is transmitted directly to Stripe and never passes through ORBAT's servers.
2.3 Usage data
When you use the Service, we automatically collect:
- Login timestamps and session activity
- Feature usage events (for example: supplier uploaded, crawl started, graph viewed, export downloaded)
- IP address
- Browser type and version
- Operating system
- Referring URL
This data is used for security monitoring, abuse detection, product improvement, and billing metering (for usage-based Enterprise plans).
2.4 Website analytics data
When you visit orbathq.com, we collect analytics data through Google Analytics 4 (GA4) with your consent (where required). This includes pages visited, time on page, traffic source, and device type. See Section 7 (Cookies) for details on how to control this.
2.5 Communications data
If you contact us for support, sales, or demo requests, we retain records of those communications including your name, email address, company, and the content of your messages.
2.6 What we do NOT collect
ORBAT does not collect:
- Payment card numbers or full payment credentials (handled entirely by Stripe)
- Personal data belonging to your suppliers' employees — our intelligence engine extracts organizational names and domains from public web content only, not personal data
- Personal data of your own customers or end-users
- Health data, financial account numbers, government identification numbers, or other special category data
- Data from children — the Service is intended exclusively for business use by individuals aged 18 and over
3. How we use personal data
We use personal data for the following purposes:
| Purpose | Data used | Legal basis |
|---|---|---|
| Account creation, authentication, and access management | Account data | Contract performance — processing is necessary to provide the Service (GDPR Art. 6(1)(b)) |
| Subscription management, billing, and invoicing | Account data, billing data | Contract performance (GDPR Art. 6(1)(b)); legal obligation for financial records (Art. 6(1)(c)) |
| Delivering the ORBAT platform and all features you have subscribed to | Account data, usage data | Contract performance (GDPR Art. 6(1)(b)) |
| Sending transactional emails: trial reminders, crawl completion notifications, payment receipts, password reset, security alerts | Account data (email address) | Contract performance (GDPR Art. 6(1)(b)) |
| Security monitoring, fraud prevention, and abuse detection | Usage data, IP address | Legitimate interests (GDPR Art. 6(1)(f)) — protecting the security and integrity of the Service |
| Diagnosing and fixing technical issues | Usage data, error logs | Legitimate interests (GDPR Art. 6(1)(f)) |
| Product analytics and improvement | Usage data (aggregated and/or anonymized where possible) | Legitimate interests (GDPR Art. 6(1)(f)); consent for GA4 cookies (Art. 6(1)(a)) |
| Responding to support, sales, or demo requests | Communications data | Legitimate interests (GDPR Art. 6(1)(f)) — responding to business inquiries |
| Marketing emails and product updates | Account data (email address) | Consent (GDPR Art. 6(1)(a)) — opt-in required; unsubscribe at any time |
| Compliance with legal obligations (including law enforcement requests with proper legal process) | As required | Legal obligation (GDPR Art. 6(1)(c)) |
4. Sub-processors
ORBAT uses the following third-party services that may process personal data on our behalf. We have Data Processing Agreements in place with each sub-processor, requiring them to protect personal data to equivalent standards.
| Sub-processor | Purpose | Headquarters |
|---|---|---|
| DigitalOcean, LLC | Cloud infrastructure: compute, managed database (PostgreSQL), managed cache (Valkey), and object storage (Spaces). All customer data is stored on DigitalOcean infrastructure. | United States |
| Stripe, Inc. | Payment processing, billing, and subscription management | United States |
| Twilio SendGrid | Transactional email delivery (trial reminders, completion notifications, password resets, receipts) | United States |
| Anthropic, PBC | AI-powered supply chain relationship scoring (see Anthropic notice below) | United States |
| Cloudflare, Inc. | CDN, DDoS protection, WAF, and DNS | United States |
| Google LLC (Google Analytics 4) | Website analytics with your consent | United States |
| HubSpot, Inc. | CRM, marketing email sequences, and website form submissions | United States |
Anthropic — specific notice
ORBAT uses Anthropic's Claude API as a secondary scoring component within its supply chain intelligence pipeline. This component is invoked only when the primary NLP model (spaCy, running locally on ORBAT's infrastructure) produces a confidence score below 0.45, or when the signal source is a press release or blog post.
What is sent to Anthropic: excerpts of up to 500 characters from publicly available vendor websites (for example, a vendor's sub-processor disclosure page), plus the vendor name, source domain, and signal type.
What is never sent to Anthropic: customer data of any kind; supplier lists uploaded by ORBAT customers; information that identifies which ORBAT customer or organization triggered the analysis; or any data a customer has provided to ORBAT.
The text processed by Anthropic is sourced exclusively from public web content — the same content accessible to any member of the public visiting those pages. The processing does not involve personal data in the ordinary case.
ORBAT will notify customers and update this sub-processor list at least 30 days before adding any new sub-processor that will process personal data.
5. Data retention
| Data category | Retention period |
|---|---|
| Trial account data (all user and supplier data) | Deleted 30 days after trial expiry |
| Active account data | Retained for the duration of the subscription |
| Post-termination account data | 30-day export window, then permanently deleted |
| Billing records | 7 years (legal and accounting obligation) |
| Security and audit logs | 12 months |
| Backup snapshots | 30-day rolling window (older backups are overwritten) |
| Marketing communications (where consented) | Until you unsubscribe or withdraw consent |
On request, we can provide a data deletion confirmation letter after account data has been permanently destroyed.
6. Your rights
6.1 Rights under GDPR (EU and UK data subjects)
If you are located in the European Economic Area (EEA) or the United Kingdom, you have the following rights with respect to your personal data:
Right of access. You may request a copy of the personal data we hold about you.
Right to rectification. You may request that we correct inaccurate or incomplete personal data.
Right to erasure ("right to be forgotten"). You may request that we delete your personal data. We will fulfill erasure requests within 30 days, subject to legal retention obligations (for example, we are required to retain billing records for 7 years).
Right to data portability. You may request your personal data in a structured, commonly used, machine-readable format (JSON or CSV), suitable for transfer to another service. The in-app export feature is available on paid plans only, but your right under GDPR Article 20 to receive a copy of your personal data applies to all users regardless of plan: submit your request to privacy@orbathq.com and we will respond within 30 days.
Right to object. You may object at any time to processing based on legitimate interests (GDPR Art. 6(1)(f)), including for direct marketing purposes. On receipt of an objection to marketing, we will stop processing immediately.
Right to restriction. You may request that we restrict processing of your personal data while a dispute regarding accuracy or lawfulness is resolved.
Right to withdraw consent. Where processing is based on your consent (marketing emails, GA4 analytics cookies), you may withdraw consent at any time without affecting the lawfulness of processing before withdrawal.
Right to lodge a complaint. You have the right to lodge a complaint with your local supervisory authority. In the EEA, this is the Data Protection Authority in your country. In the UK, this is the Information Commissioner's Office (ICO).
6.2 Rights under CCPA (California residents)
If you are a California resident, the California Consumer Privacy Act (CCPA) as amended by the CPRA gives you the following rights:
Right to know. You have the right to know what personal information ORBAT collects, uses, discloses, and retains about you.
Right to delete. You have the right to request deletion of personal information ORBAT has collected from you, subject to legal exceptions.
Right to correct. You have the right to request correction of inaccurate personal information.
Right to opt-out of sale or sharing. ORBAT does not sell personal information, and does not share personal information for cross-context behavioral advertising purposes. No opt-out is required for this purpose, but you may submit a request at privacy@orbathq.com for written confirmation.
Right to non-discrimination. ORBAT will not discriminate against you for exercising your CCPA rights.
Authorized agent. California residents may designate an authorized agent to submit a CCPA rights request on their behalf by providing written authorization.
6.3 How to exercise your rights
To exercise any of the rights described above, submit a request to: privacy@orbathq.com
Please include: your full name, work email address associated with your ORBAT account, the right(s) you wish to exercise, and sufficient information for us to verify your identity. We will acknowledge your request within 5 business days and fulfill it within 30 days (or 45 days where permitted by applicable law for complex requests, with notice to you of the extension).
7. Cookies
7.1 Essential cookies
Essential cookies are strictly necessary for the Service to function. They include session management cookies (httpOnly, Secure, SameSite=Strict) and authentication state. These cookies do not require consent and cannot be disabled without breaking the Service.
| Cookie | Purpose | Duration |
|---|---|---|
| orbat_refresh | Authentication refresh token (httpOnly, Secure, SameSite=Strict) | 30 days |
| Session state cookies | Maintain authenticated session state | Session |
7.2 Analytics cookies (consent required for EU users)
If you consent, ORBAT uses Google Analytics 4 (GA4) to collect website usage data. GA4 uses cookies to distinguish users and sessions. This data is used to understand how visitors use orbathq.com and improve the website.
| Cookie | Provider | Purpose | Duration |
|---|---|---|---|
| _ga | Google | Distinguishes users | 2 years |
| _ga_* | Google | Maintains session state in GA4 | 2 years |
7.3 Marketing cookies (consent required for EU users)
If you consent, ORBAT uses HubSpot tracking to record website visitor activity for marketing and lead qualification purposes.
| Cookie | Provider | Purpose | Duration |
|---|---|---|---|
| hubspotutk | HubSpot | Tracks visitor identity for contact record | 13 months |
| __hstc | HubSpot | Session tracking | 13 months |
| __hssc | HubSpot | Session activity | 30 minutes |
7.4 Cookie consent and control
EU visitors will be presented with a cookie consent banner before any non-essential cookies are set. You may withdraw or update your cookie preferences at any time by clicking the "Cookie preferences" link in the website footer.
For users in other jurisdictions, non-essential cookies are set on the basis of legitimate interests. You may opt out through your browser settings or by submitting a request to privacy@orbathq.com.
8. International data transfers
8.1 Default data residency
Customer data (user accounts, supplier data, discovered intelligence, and crawl logs) is hosted on DigitalOcean infrastructure. The default region is Australia (DigitalOcean Sydney).
8.2 Sub-processors in the United States
Several of ORBAT's sub-processors (Stripe, SendGrid, Anthropic, Cloudflare, Google, HubSpot) are headquartered in and/or process data in the United States.
For transfers of personal data from the EEA, UK, or Switzerland to the United States, ORBAT relies on:
- The EU-US Data Privacy Framework (DPF), where the sub-processor is DPF-certified; and/or
- Standard Contractual Clauses (SCCs) as adopted by the European Commission (2021 SCCs), incorporated into our DPA with each sub-processor.
8.3 Enterprise data residency
Enterprise customers may request EU or US data residency (where available) to limit data storage to a specific DigitalOcean region. Contact sales@orbathq.com or your customer success manager for details.
9. Children's data
The Service is intended exclusively for business use by individuals aged 18 and over acting in a professional capacity. ORBAT does not knowingly collect personal data from anyone under 18 years of age. If we become aware that we have collected personal data from a minor, we will delete it promptly. If you believe a minor has provided personal data to ORBAT, please contact privacy@orbathq.com.
10. Security
ORBAT implements technical and organizational security measures designed to protect personal data against unauthorized access, disclosure, alteration, and destruction. These include AES-256 encryption at rest, TLS 1.3 in transit, tenant-level row-level security in PostgreSQL, in-memory-only access token storage, and regular security assessments. Full details are available at orbathq.com/trust/security.
No security measure is 100% guaranteed. In the event of a confirmed breach affecting your personal data, we will notify you within 72 hours as described in Section 8.3 of our Terms of Service.
11. Third-party links
The Service and orbathq.com may contain links to third-party websites, including supplier websites that ORBAT's intelligence engine has analyzed. ORBAT is not responsible for the privacy practices or content of those websites. We encourage you to review the privacy policies of any third-party site you visit.
12. Changes to this Privacy Policy
We will post any changes to this Privacy Policy on this page with an updated "Last updated" date. For material changes — such as a new purpose for processing, a new category of personal data, or a significant change to your rights — we will provide at least 30 days' advance notice by email to account holders and/or by a prominent notice in the Service.
13. Contact us
For privacy-related questions, data subject rights requests, or complaints:
Email: privacy@orbathq.com
EU representative: none currently designated (see Section 1). EU/EEA data subjects wishing to exercise their rights should contact privacy@orbathq.com directly.
If you are an EU resident and are not satisfied with our response, you have the right to lodge a complaint with your national Data Protection Authority. A list of EU supervisory authorities is available at edpb.europa.eu.
*This Privacy Policy was last updated in March 2026.*