Orbit
Legal Document

Privacy Policy

Last updated: April 2026

1. Who We Are

Orbit is operated by Foundry Apps ("we", "us", "our"), a business based in Guernsey, Channel Islands. We are the data controller for personal information collected through this service.

Contact: david@foundryapps.co.uk

ODPA registration: DPA11561

2. Legal Framework

This Privacy Policy is governed by the Data Protection (Bailiwick of Guernsey) Law, 2017 ("the Law"), administered by the Office of the Data Protection Authority (ODPA) of Guernsey. Guernsey holds adequacy status with both the UK and the European Union, meaning personal data may flow freely between these jurisdictions.

Where you are located in the UK or European Union, the protections in this policy also satisfy the requirements of the UK GDPR and EU GDPR respectively. Where you are located in California, the additional rights set out in Section 11 apply under the California Consumer Privacy Act (CCPA) / California Privacy Rights Act (CPRA).

3. What Data We Collect

We collect the following categories of personal data:

  • Account data: Your email address and display name, collected when you register or sign in via Google OAuth (provided through Supabase Auth).
  • Notification preferences: Your choices regarding push or email notifications for launch events and updates.
  • Subscription data: Your Pro subscription status (a boolean flag in our database). Full payment details are never stored by us — they are handled entirely by Paddle as Merchant of Record.
  • Usage analytics: Basic, aggregated analytics about pages visited and features accessed, used solely to improve the service. We do not use cross-site tracking or build individual behavioural profiles.
  • Technical data: IP address and browser type, collected automatically by our hosting provider (Vercel) for security and operational purposes.
  • Error data: Application error reports collected by Sentry to help us identify and fix bugs. These may include browser type, operating system, and a stack trace, but are not linked to your identity.
  • Cookies: Session cookies required for authentication. See our Cookie Policy for details.

Space mission data (launches, ISS position, astronaut details, events) is sourced from public APIs — primarily NASA APIs (public domain / CC0), SpaceX API (Apache 2.0), and Launch Library 2 — and contains no personal information.

4. Legal Basis for Processing

Under the Data Protection (Bailiwick of Guernsey) Law, 2017 (and equivalent UK/EU GDPR provisions), we process your data on the following legal bases:

  • Contract performance: Processing your account and subscription data to deliver the service you signed up for.
  • Legitimate interests: Basic usage analytics, error monitoring, and security logging to maintain and improve the service, where these interests are not overridden by your rights.
  • Consent: Notification preferences, where you have explicitly opted in.

5. How We Use Your Data

  • To create and manage your account
  • To process Pro subscription payments via Paddle
  • To gate Pro features based on your subscription status
  • To send notifications based on your preferences
  • To send transactional emails (account confirmation, payment receipts)
  • To respond to support enquiries
  • To detect and prevent abuse or unauthorised access
  • To improve the service through aggregated usage analysis
  • To diagnose and fix application errors via Sentry

We do not sell your personal data. We do not use your data for advertising or share it with third parties for their marketing purposes.

6. Data Processors

We use the following trusted third-party services to operate Orbit. Each acts as a data processor on our behalf:

  • Supabase (Supabase Inc.): Authentication and database hosting. Your account data (email, display name, notification preferences, subscription status) is stored on Supabase infrastructure in the EU (AWS eu-west-1 region). Authentication is provided via Google OAuth through Supabase. Subject to Supabase's Privacy Policy.
  • Paddle (Paddle.com Market Limited): Paddle acts as the Merchant of Record for all Pro subscription purchases. Paddle collects and processes your payment card details, billing address, and transaction history directly — we receive only a subscription status indicator. For billing-related data requests, contact Paddle directly. Subject to Paddle's Privacy Policy.
  • Vercel (Vercel Inc.): Application hosting and content delivery. Vercel processes IP addresses and request logs as part of serving the application. Subject to Vercel's Privacy Policy.
  • Sentry (Functional Software, Inc.): Error monitoring and performance tracking. Sentry may receive browser and OS information alongside application error data. Subject to Sentry's Privacy Policy.

7. International Transfers

Guernsey holds adequacy status recognised by both the UK and the EU, permitting free flow of personal data to and from Guernsey without additional safeguards. Our primary data store (Supabase) is hosted within the EU (AWS eu-west-1). Where data is processed by US-based processors (Vercel, Sentry, Paddle), appropriate safeguards are in place via Standard Contractual Clauses (SCCs) or the UK International Data Transfer Agreement (IDTA).

8. Data Retention

  • Account data: Retained for as long as your account is active. Deleted within 30 days of account closure on request.
  • Notification preferences: Retained while your account is active; deleted with your account.
  • Usage analytics: Aggregated and anonymised within 90 days; individual records are not retained beyond this point.
  • Error reports: Retained by Sentry for up to 90 days.
  • Server logs: Retained by Vercel for up to 30 days for security and operational purposes.

9. Your Rights (Guernsey / UK GDPR / EU GDPR)

As a data subject under the Data Protection (Bailiwick of Guernsey) Law, 2017 (and the equivalent UK and EU GDPR provisions), you have the following rights. To exercise any of them, contact us at david@foundryapps.co.uk. We will respond within one calendar month.

  • Right of access: Request a copy of the personal data we hold about you.
  • Right to rectification: Ask us to correct inaccurate or incomplete data.
  • Right to erasure: Request deletion of your personal data where there is no compelling reason for us to continue processing it.
  • Right to restriction: Ask us to limit how we use your data in certain circumstances.
  • Right to data portability: Receive your personal data in a structured, machine-readable format (e.g. JSON or CSV).
  • Right to object: Object to processing based on legitimate interests.
  • Right to withdraw consent: Where processing is based on consent (e.g. notification preferences), you may withdraw it at any time without affecting prior processing.

You also have the right to lodge a complaint with the Office of the Data Protection Authority (ODPA) of Guernsey at odpa.gg, or by post to: ODPA, St Martin's House, Le Bordage, St Peter Port, Guernsey, GY1 1BR.

UK residents may also contact the Information Commissioner's Office (ICO) at ico.org.uk. EU residents may contact their local supervisory authority.

10. Security

We implement appropriate technical and organisational measures to protect your personal data, including encrypted connections (HTTPS/TLS), hashed credential storage via Supabase Auth, row-level security on our database, and error monitoring via Sentry. However, no internet transmission is completely secure, and we cannot guarantee absolute security.

11. California Privacy Rights (CCPA / CPRA)

If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA). These rights apply in addition to your rights under Section 9 above.

Categories of Personal Information We Collect

In the past 12 months, we have collected the following categories:

  • Identifiers: Email address, Google account identifier
  • Internet activity: Pages visited, features used, error logs
  • Commercial information: Subscription status (Pro/Free) — payment details are held by Paddle, not us

We collect this information for the business purposes described in Section 5.

We Do Not Sell or Share Your Personal Information

Orbit does not sell your personal information to third parties, nor do we share it for cross-context behavioural advertising purposes. You therefore have the right to opt out of sale/sharing — but there is nothing to opt out of.

Your CCPA Rights

  • Right to Know: You may request a copy of the personal information we have collected about you in the past 12 months, including the categories and specific pieces of information, the sources from which it was collected, the business purposes for collecting it, and any third parties it was shared with.
  • Right to Delete: You may request deletion of your personal information. We will delete (and direct our service providers to delete) your information, subject to certain legal exceptions (e.g. completing a transaction, detecting security incidents, complying with legal obligations).
  • Right to Correct: You may request correction of inaccurate personal information.
  • Right to Opt Out of Sale/Sharing: As noted above, we do not sell or share personal information for advertising. No opt-out is required.
  • Right to Limit Use of Sensitive Personal Information: We do not collect or use sensitive personal information as defined under the CPRA.
  • Right to Non-Discrimination: We will not discriminate against you for exercising any of your CCPA rights. Exercising your rights will not affect the price or quality of service you receive from Orbit.

How to Exercise Your CCPA Rights

To submit a verifiable consumer request, email us at david@foundryapps.co.uk with the subject line "CCPA Rights Request". We will verify your identity and respond within 45 calendar days. You may designate an authorised agent to make a request on your behalf — the agent must provide written authorisation.

For deletion or correction of billing data held by Paddle, you must contact Paddle directly at paddle.com/legal/privacy as they are the Merchant of Record and independent data controller for payment information.

12. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify registered users of material changes via email at least 14 days before they take effect. The "Last updated" date above indicates when this policy was last revised.

13. Contact

For any questions or requests relating to this Privacy Policy, please contact:

Foundry Apps
Guernsey, Channel Islands
david@foundryapps.co.uk

Foundry Apps · ODPA DPA11561 · Guernsey