Data & Privacy Policy

Effective Date: 09/02/2026

Last Updated: 07/02/2026

1. Introduction

This Data & Privacy Policy ("Policy") describes how OrbitalsAI ("OrbitalsAI", "we", "us", or "our") collects, uses, stores, shares, and protects information in connection with:

Our websites, including www.orbitalsai.com and related subdomains;
Our application programming interfaces ("APIs"), software development kits ("SDKs"), and developer tools;
Our web applications, dashboards, administrative portals, and customer platforms; and
Any other products and services that link to or reference this Policy

(collectively, the "Services").

By accessing or using our Services, you acknowledge that you have read and understood this Policy and agree to be bound by its terms. If you do not agree with this Policy, you must not use our Services.

About OrbitalsAI

OrbitalsAI is a speech recognition and audio intelligence service that enables customers to transcribe audio, generate summaries, translations, subtitles, sentiment analysis, speaker identification, and other AI-powered audio insights, with specialized expertise in African and global languages.

Important Note: Our Services are hosted on Microsoft Azure infrastructure. Our primary operations are based in Nigeria, and we comply with Nigerian data protection laws including the Nigeria Data Protection Act (NDPA) and Nigeria Data Protection Regulation (NDPR), as well as international standards including GDPR, UK GDPR, and CCPA where applicable.

2. Scope and Roles

This Policy applies to all Personal Data we process in connection with the Services.

Depending on the circumstances, OrbitalsAI acts in different capacities:

2.1 When We Are a Data Controller

We act as a data controller (or "data fiduciary" under some laws) for Personal Data we collect directly from you, including:

Account registration information
Billing and payment information
Communications with us
Website analytics and usage data
Marketing preferences

2.2 When We Are a Data Processor

We act as a data processor (or "service provider" / "data intermediary") for Personal Data contained in audio, text, or other content that our business customers provide to us for processing via the Services ("Customer Content").

When processing Customer Content:

We process it solely on documented instructions from our customers
The customer is the data controller responsible for providing privacy notices to their end users
Our customer's privacy policy, not this Policy, governs their use of your data

If you are an end user of one of our customers (for example, your calls are transcribed by OrbitalsAI on behalf of your employer or service provider), please contact that customer directly regarding your privacy rights. This Policy should be read together with their privacy notices.

3. Definitions

"Customer": The entity or individual that has entered into an agreement with OrbitalsAI for the Services.

"Customer Content": Any audio, video, text, metadata, or other content submitted to the Services by or on behalf of a Customer, including any Personal Data contained therein.

"Personal Data": Any information relating to an identified or identifiable natural person, as defined under applicable data protection laws (including NDPR, GDPR, UK GDPR, CCPA, and similar laws).

"Processing": Any operation performed on Personal Data, such as collection, storage, use, disclosure, transfer, and deletion.

"Services": Our websites, APIs, SDKs, platforms, dashboards, and all related products and services.

4. Information We Collect

We collect and process the following categories of information:

4.1 Account and Profile Information

When you create an account, register for API keys, or interact with our Services:

Identity Data: Name, company name, job title/role
Contact Data: Email address, phone number, business address
Credentials: Login credentials (stored using secure hashing)
Preferences: Communication preferences, language preferences, notification settings
Account Activity: Login history, account modifications, support interactions

Purpose: To create and manage your account, provide customer support, authenticate access, and communicate with you about the Services.

4.2 Billing and Payment Information

For paid Services, we and/or our payment service providers collect:

Payment Card Data: Card type, last 4 digits, expiration date, cardholder name
Banking Information: Account details for wire transfers (processed securely)
Billing Data: Billing name, address, company tax/VAT ID
Transaction Records: Invoices, payment history, subscription details, usage charges

Note: We use PCI-DSS compliant third-party payment processors (including Stripe and other secure providers). We do not store complete payment card numbers on our servers.

Purpose: To process payments, generate invoices, manage subscriptions, and comply with tax and accounting obligations.

4.3 Customer Content

Customers may submit Customer Content to our Services, which may include:

Audio and Video Files: Recordings, live audio streams, video content
Derived Content: Transcripts, captions, subtitles, translations
AI-Generated Outputs: Summaries, sentiment analysis, topic extraction, speaker labels
Associated Metadata: File names, timestamps, language tags, project identifiers, custom labels, user-defined tags

Customer Content may contain Personal Data, including:

Voices and speech patterns
Names, phone numbers, or other information spoken in recordings
Any personal information customers choose to include

Important: Customers are solely responsible for the lawfulness of their submission of Customer Content to OrbitalsAI, including obtaining necessary consents from their end users.

Purpose: To provide the core Services (transcription, analytics, and audio intelligence) as requested by customers.

4.4 Usage Data and Logs

To operate, secure, and improve our Services, we collect:

API and Technical Logs:

API request/response metadata (timestamps, endpoints, parameters, status codes)
Authentication and access logs
Error messages and debugging information
System performance metrics

Aggregated Usage Statistics:

Number of API requests
Audio minutes processed
Feature usage patterns
Service performance metrics

Purpose: To monitor system health, troubleshoot issues, detect security incidents, prevent abuse, optimize performance, and improve the Services.

4.5 Device and Technical Information

When you access our websites, dashboards, or APIs:

Device Data: Device type, operating system, browser type and version
Network Data: IP address, approximate location (city, country), internet service provider
Website Analytics: Pages visited, referring URLs, time spent on pages, navigation paths
Cookies and Identifiers: See Section 10 for detailed information

Purpose: To deliver and optimize our websites, protect against fraud and security threats, and understand how users interact with our Services.

4.6 Communications and Support

When you contact us or we communicate with you:

Support Requests: Questions, issues, feature requests, feedback
Email Content: Correspondence via email or support tickets
Marketing Data: Newsletter subscriptions, event registrations, webinar attendance
Survey Responses: Customer satisfaction surveys, user experience feedback

Purpose: To respond to inquiries, provide technical support, improve our Services, send service-related notifications, and (with consent) send marketing communications.

4.7 Information from Third Parties

We may receive Personal Data about you from:

Single Sign-On (SSO) Providers: Google, GitHub, Microsoft Azure AD, or other identity providers (name, email, profile picture, authentication tokens)
Business Partners: Resellers, integration partners, technology partners
Public Sources: Professional networking sites (LinkedIn), business directories
Payment Processors: Transaction confirmations and payment status updates

Purpose: To facilitate account creation, verify identity, process payments, enable integrations, and improve our Services.

5. How We Use Information

We process Personal Data for the following purposes, to the extent permitted by applicable law:

5.1 To Provide and Operate the Services

Authenticating users and authorizing API access
Processing Customer Content to generate transcriptions, translations, summaries, and analytics
Delivering outputs and results via APIs, dashboards, and integrations
Managing accounts, subscriptions, and user permissions
Processing payments and generating invoices
Providing customer and technical support

5.2 To Maintain, Secure, and Improve the Services

Monitoring system performance, reliability, and availability
Detecting, preventing, and investigating fraud, abuse, and security incidents
Debugging, troubleshooting, and error analysis
Analyzing aggregated, de-identified usage statistics to optimize infrastructure
Conducting research and development to improve accuracy and features
Testing new features and models

5.3 To Communicate with You

Responding to inquiries, support requests, and feedback
Sending administrative messages (security alerts, service updates, billing notifications)
Sending marketing communications (with consent, where required)
Conducting customer satisfaction surveys
Providing onboarding assistance and product education

5.4 To Comply with Legal Obligations

Complying with applicable laws, regulations, court orders, and legal processes
Cooperating with law enforcement, regulators, and government authorities where required
Enforcing our Terms of Service, agreements, and policies
Protecting our rights, property, and interests
Preventing illegal activity and ensuring safety

5.5 With Your Consent

Any other purposes for which you provide specific consent
Processing sensitive Personal Data where consent is required by law

6. Legal Bases for Processing

Where applicable data protection laws require a legal basis for processing Personal Data (such as GDPR, UK GDPR, or NDPR), we rely on one or more of the following:

6.1 Performance of a Contract

Processing necessary to provide the Services and perform our agreements with you or your organization.

Examples: Creating your account, processing audio files, delivering transcriptions, processing payments.

6.2 Legitimate Interests

Processing necessary for our legitimate business interests or those of third parties, provided such interests are not overridden by your rights and freedoms.

Examples:

Improving and optimizing our Services
Detecting and preventing fraud and security threats
Conducting analytics to understand usage patterns
Marketing our Services (subject to opt-out rights)
Operating our business efficiently

6.3 Consent

Processing based on your explicit consent.

Examples:

Marketing emails (where consent is required)
Non-essential cookies and analytics
Processing sensitive Personal Data

You may withdraw consent at any time without affecting the lawfulness of processing based on consent before withdrawal.

6.4 Legal Obligation

Processing required to comply with applicable law, regulations, or legal processes.

Examples:

Responding to lawful requests from authorities
Complying with tax and accounting requirements
Meeting data protection regulatory requirements

6.5 When We Act as a Data Processor

When processing Customer Content, our legal basis is determined by the Customer (as data controller) and set out in our agreement with them.

7. Customer Content

7.1 Customer Data Processing

When processing Customer Content on behalf of our customers, we act as a data processor (or "service provider" under some laws).

We process Customer Content:

To provide the Services as requested by the customer
To maintain and secure the Services
To comply with legal obligations
As otherwise directed by the customer in their service agreement

7.2 Access Controls

Access to Customer Content is:

Strictly limited to authorized personnel who require access for legitimate operational purposes
Controlled through appropriate technical and organizational measures:

Role-based access controls
Multi-factor authentication
Access logging and monitoring
Regular security audits

7.3 Aggregated, De-Identified Data

We may generate and use aggregated, de-identified statistics from the operation of the Services for business purposes, including:

Infrastructure maintenance and capacity planning
System performance monitoring
Service reliability improvements
Product analytics

These statistics:

Do not identify individuals or reveal the content of Customer Content
Are aggregated across multiple customers
Cannot be reasonably re-identified

7.4 Customer Control

Customers maintain control over their Customer Content:

Retention: Customers can configure retention periods or request deletion
Deletion: Upon customer request, we delete Customer Content within a reasonable timeframe
Access: Customers can export their data at any time through their dashboard or API

8. How We Share Personal Data

We do NOT sell Personal Data. We share Personal Data only in the limited circumstances described below:

8.1 Service Providers and Subprocessors

We engage third-party service providers to support our Services. These include:

Infrastructure Providers:

Microsoft Azure – Cloud computing, storage, and hosting services (primary infrastructure)
Content delivery networks (CDNs)

Business Operations:

Payment processors (Stripe, bank payment providers)
Customer support tools (ticketing, live chat)
Email service providers
Analytics and monitoring services

Security and Compliance:

Security monitoring and incident response providers
Audit and compliance verification services

Requirements: All service providers are:

Bound by contractual obligations to protect Personal Data
Required to use data only for providing services to us
Subject to appropriate security and confidentiality measures
Listed in our Subprocessor List (Section 17)

8.2 Customers and Authorized Users

When processing Customer Content on behalf of a Customer:

We share outputs (transcripts, analytics, etc.) with that Customer and their authorized users
We process data as directed by the Customer
The Customer controls access to their outputs and data

8.3 With Your Consent or At Your Direction

We may share Personal Data:

When you explicitly consent to sharing
As part of integrations you configure (e.g., exporting to third-party tools)
When you direct us to share with specific parties

8.4 Business Transfers

In the event of:

Merger, acquisition, or sale of business assets
Corporate restructuring, financing, or reorganization
Bankruptcy or insolvency proceedings

Personal Data may be transferred as part of the transaction, subject to:

Confidentiality protections
Continued adherence to this Policy or equivalent protections
Notice to affected users where required by law

8.5 Legal Obligations and Protection of Rights

We may disclose Personal Data when we believe in good faith that disclosure is necessary to:

Comply with law: Court orders, subpoenas, regulatory requirements
Protect rights: Enforce our Terms of Service, protect our intellectual property
Ensure safety: Prevent fraud, abuse, illegal activity, or harm to persons or property
Respond to emergencies: Protect the vital interests of individuals

8.6 Aggregated and De-Identified Data

We may share aggregated, de-identified, or anonymized data that does not identify individuals with:

Business partners for research or analytics
Industry organizations for benchmarking
The public in reports or presentations

Such data cannot reasonably be used to identify you.

9. International Data Transfers

9.1 Cross-Border Transfers

OrbitalsAI is established in Nigeria. We use Microsoft Azure infrastructure, which may involve data centers in Nigeria and other jurisdictions, including:

Within and outside the European Economic Area (EEA)
Within and outside the United Kingdom
Within and outside the United States
Other global regions

When Personal Data is transferred across borders, we implement appropriate safeguards required by applicable law.

9.2 Safeguards for International Transfers

We protect international transfers through:

Standard Contractual Clauses (SCCs):

We use European Commission-approved Standard Contractual Clauses
We implement UK-specific SCCs or International Data Transfer Agreements (IDTAs) where required

Data Processing Agreements:

Our agreements with subprocessors include appropriate data protection terms
We require subprocessors to implement adequate technical and organizational measures

Technical and Organizational Measures:

Encryption in transit (TLS 1.3) and at rest (AES-256)
Access controls and authentication
Security monitoring and incident response
Regular security audits and assessments

Microsoft Azure Compliance:

Microsoft Azure maintains multiple compliance certifications
Azure provides data residency options where required
Azure implements industry-standard security practices

9.3 Nigeria Data Protection Regulation (NDPR) Compliance

We comply with NDPR requirements for processing Personal Data of Nigerian data subjects, including:

Obtaining appropriate consents where required
Implementing security safeguards for data protection
Notifying the Nigeria Data Protection Commission (NDPC) of data breaches
Respecting data subject rights under NDPR
Maintaining records of processing activities

9.4 GDPR and UK GDPR Compliance

For Personal Data of EEA and UK residents, we:

Act as controller or processor as appropriate
Implement appropriate technical and organizational measures
Enter into Data Processing Addenda with customers
Provide mechanisms for exercising data subject rights
Report data breaches to supervisory authorities where required

10. Cookies and Tracking Technologies

10.1 What Are Cookies?

Cookies are small text files placed on your device when you visit our websites. We also use similar technologies such as:

Web beacons (pixel tags)
Local storage
Session identifiers
Analytics scripts

10.2 Types of Cookies We Use

Strictly Necessary Cookies:

Essential for the operation of our websites and Services
Enable core functionality like authentication, security, and session management
Cannot be disabled without impacting functionality

Performance and Analytics Cookies:

Help us understand how visitors use our websites
Collect information about page visits, time on site, errors encountered
Used to improve website performance and user experience
Examples: Google Analytics, internal analytics tools

Functional Cookies:

Remember your preferences and settings
Provide enhanced features and personalization
Examples: Language preferences, dashboard layouts

Advertising and Marketing Cookies (with consent where required):

Used to deliver relevant advertisements
Track campaign effectiveness
Build marketing profiles based on interests
Examples: LinkedIn Insights, Google Ads

10.3 Third-Party Cookies

Our websites may include cookies from:

Google Analytics: Website traffic and user behavior analysis
LinkedIn: Professional networking and B2B advertising
HubSpot: Marketing automation and customer relationship management
Stripe: Payment processing
Other marketing and analytics partners

10.4 Your Cookie Choices

Managing Cookies:

Most browsers allow you to control cookies through settings
You can block cookies, delete existing cookies, or receive notifications when cookies are set
Note: Blocking essential cookies may prevent you from using certain features

Browser Settings:

Chrome: Settings > Privacy and Security > Cookies
Firefox: Settings > Privacy & Security > Cookies and Site Data
Safari: Preferences > Privacy > Cookies and website data
Edge: Settings > Cookies and site permissions

Opt-Out Tools:

Digital Advertising Alliance: www.aboutads.info/choices
Network Advertising Initiative: www.networkadvertising.org/choices
Google Analytics Opt-out: tools.google.com/dlpage/gaoptout

Do Not Track:

Some browsers support "Do Not Track" (DNT) signals. We currently do not alter our practices in response to DNT signals. We comply with applicable laws regarding tracking preferences.

10.5 Cookie Consent Management

Depending on your location and applicable law:

We may use cookie consent banners to obtain your preferences
You can manage your cookie preferences at any time through our cookie settings
Some cookies (strictly necessary) do not require consent

11. Data Retention

We retain Personal Data only for as long as necessary to fulfill the purposes for which it was collected, including:

11.1 Account and Profile Information

Active accounts: Retained for the duration of your account
Closed accounts: Retained for a limited period to comply with legal obligations (typically 90 days to 7 years depending on jurisdiction and type of data)
Marketing data: Retained until you opt out, then deleted within 30 days

11.2 Billing and Payment Information

Payment records: Retained for 7 years for tax and accounting compliance
Transaction history: Retained for audit and dispute resolution
Card data: We do not store complete card numbers; payment processors retain as required

11.3 Customer Content

Default retention: Customer Content is retained only as long as necessary to provide the Services and as specified in customer agreements
Customer control: Customers can configure retention periods through their dashboard
Deletion requests: We honor customer deletion requests within a reasonable timeframe (typically 30 days), subject to legal obligations
Backup retention: Deleted data may persist in backups for up to 90 days

Offline/On-Premise Deployments:

Customers using self-hosted deployments maintain direct control over retention. We provide tools and documentation for data lifecycle management.

11.4 Usage Logs and Technical Data

API logs: Retained for 90 days for troubleshooting and security
Access logs: Retained for 1 year for security and compliance
Aggregated metrics: May be retained indefinitely in de-identified form

11.5 Legal and Compliance Retention

We may retain data longer when required by:

Legal obligations (tax, audit, regulatory requirements)
Legal disputes or investigations
Fraud prevention and security purposes

12. Your Rights and Choices

Your rights regarding Personal Data depend on your location and applicable laws. Subject to applicable law, you may have some or all of the following rights:

12.1 Access and Portability

Right of access: Request confirmation of what Personal Data we hold about you and obtain a copy
Right to data portability: Receive your Personal Data in a structured, machine-readable format (where technically feasible and legally required)

12.2 Correction and Update

Right to rectification: Request correction of inaccurate or incomplete Personal Data
Account updates: You can update certain information directly in your account settings

12.3 Deletion

Right to erasure: Request deletion of your Personal Data in certain circumstances, including:

Data no longer necessary for the purposes collected
You withdraw consent (where processing is based on consent)
You object to processing based on legitimate interests
Data has been unlawfully processed
Required by legal obligation

Limitations: We may be unable to delete data where retention is required by law or necessary for:

Compliance with legal obligations
Establishment, exercise, or defense of legal claims
Fraud prevention and security

12.4 Restriction of Processing

Right to restriction: Request that we limit how we use your Personal Data in certain situations:

You contest the accuracy of the data
Processing is unlawful but you don't want deletion
We no longer need the data but you need it for legal claims
You have objected to processing pending verification

12.5 Objection

Right to object: Object to processing of your Personal Data based on legitimate interests or for direct marketing purposes.

Direct Marketing: You can opt out of marketing emails at any time by:

Clicking "unsubscribe" in marketing emails
Updating preferences in your account settings
Contacting us at contact@orbitalsai.com

12.6 Withdrawal of Consent

Right to withdraw consent: Where processing is based on consent, you may withdraw consent at any time
No penalty: Withdrawal does not affect the lawfulness of processing before withdrawal
Continued service: Withdrawal may affect our ability to provide certain Services

12.7 Automated Decision-Making

Right to human review: Right not to be subject to fully automated decision-making with significant effects.

Note: We do not currently use fully automated decision-making for account or service decisions.

12.8 How to Exercise Your Rights

For Account Data (where we are the controller):

Email: contact@orbitalsai.com
Subject line: "Data Subject Rights Request"
Include: Your name, email, account details, and specific request

For Customer Content (where we are a processor):

Contact the customer (data controller) who submitted your data to OrbitalsAI
They are responsible for handling your rights requests regarding Customer Content
We will cooperate with customers to facilitate your requests

Verification: We may need to verify your identity before processing requests. We may request additional information to confirm your identity and protect your privacy.

Response Time: We will respond to your request within the timeframe required by applicable law:

GDPR/UK GDPR: 30 days (may be extended to 60 days for complex requests)
CCPA: 45 days (may be extended to 90 days)
NDPR: As required by Nigerian law

No Fee: Requests are generally free. We may charge a reasonable fee for excessive, repetitive, or manifestly unfounded requests.

12.9 Right to Lodge a Complaint

You have the right to lodge a complaint with a supervisory authority:

Nigeria: Nigeria Data Protection Commission (NDPC) – Website: https://ndpb.gov.ng
European Union: Your local Data Protection Authority – List: https://edpb.europa.eu/about-edpb/board/members_en
United Kingdom: Information Commissioner's Office (ICO) – Website: https://ico.org.uk
United States (California): California Attorney General – Website: https://oag.ca.gov/privacy/ccpa

13. Security

We implement and maintain appropriate technical and organizational measures designed to protect Personal Data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access.

13.1 Technical Security Measures

Encryption:

In transit: TLS 1.3 for all data transmission
At rest: AES-256 encryption for stored data
Backups: Encrypted backups with secure key management

Access Controls:

Role-based access control (RBAC)
Multi-factor authentication (MFA) for administrative access
Least privilege principle
Regular access reviews and revocations

Network Security:

Firewalls and intrusion detection/prevention systems
Virtual private networks (VPNs) for internal access
DDoS protection
Network segmentation

Infrastructure Security:

Hardened server configurations
Regular security patching
Vulnerability scanning
Penetration testing

13.2 Organizational Security Measures

Security Policies and Procedures:

Information security policy
Incident response plan
Business continuity and disaster recovery plans
Data breach notification procedures

Personnel Security:

Background checks for employees with data access
Security awareness training
Confidentiality agreements
Secure onboarding and offboarding procedures

Vendor Management:

Security assessments of third-party providers
Contractual security requirements
Regular vendor reviews

Monitoring and Logging:

Security information and event management (SIEM)
Real-time threat detection
Audit logging of access and changes
Regular log reviews

13.3 Compliance and Certifications

We maintain compliance with industry standards and regularly assess our security posture:

Regular internal security audits
Third-party security assessments
SOC 2 Type II readiness (in progress)
ISO 27001 alignment
PCI-DSS compliance for payment processing (via payment processors)

13.4 Incident Response

Data Breach Notification:

If we become aware of a data breach affecting your Personal Data, we will:

Investigate: Assess the nature and scope of the breach
Contain: Take immediate steps to contain and remediate
Notify: Notify affected individuals and relevant authorities within the timeframe required by law: GDPR: 72 hours to supervisory authority; NDPR: 72 hours to NDPC; CCPA: Without unreasonable delay
Support: Provide assistance and guidance to affected individuals

Limitations:

While we strive to protect your data: No method of transmission or storage is 100% secure. You are responsible for maintaining the security of your account credentials. You should report any security concerns immediately to contact@orbitalsai.com

14. Children's Privacy

The Services are not directed to and are not intended for use by children under the age of 13 (or any higher minimum age required by law in your jurisdiction).

We do not knowingly collect Personal Data from children.

If we learn that we have collected Personal Data from a child in violation of applicable law:

We will delete such data as quickly as possible
We will notify the parent/guardian if required by law

If you believe a child has provided Personal Data to us, please contact us immediately at:

Email: contact@orbitalsai.com – Subject: "Children's Privacy Concern"

15. Third-Party Links and Services

15.1 Third-Party Websites

Our Services may contain links to third-party websites, applications, or services. This Policy does not apply to those third parties.

We are not responsible for:

Privacy practices of third-party sites
Content or services provided by third parties
Data collection by third-party sites

We recommend that you review the privacy policies of any third-party websites you visit.

15.2 Third-Party Integrations

Our Services may integrate with or allow you to connect to third-party services (e.g., cloud storage, CRM systems, communication platforms).

Your use of third-party integrations:

Is governed by those third parties' terms and privacy policies
May result in data sharing with those third parties as you configure
Is at your own risk and discretion

We recommend reviewing the terms and privacy practices of any integrated services.

16. Changes to This Policy

16.1 Updates

We may update this Policy from time to time to reflect:

Changes in our practices
Legal or regulatory requirements
New features or Services
User feedback

16.2 Notice of Changes

When we make material changes to this Policy, we will:

Update the "Last Updated" date at the top of this Policy
Provide additional notice as required by law, which may include: Email notification to your registered email address; Prominent notice on our website; In-app notification; Notice in our dashboard

16.3 Your Acceptance

Continued use of the Services after the effective date of changes constitutes your acceptance of the updated Policy.

If you do not agree with the updated Policy:

You must stop using the Services
You may close your account
You may request deletion of your data (subject to legal retention requirements)

16.4 Legal Notices

If you have opted out of receiving legal notice emails or have not provided an email address: Legal notices (including Policy changes) still govern your use of the Services. You are responsible for regularly reviewing this Policy. We recommend checking this page periodically for updates.

17. Subprocessors

We engage carefully selected third-party subprocessors to support our Services.

17.1 Current Subprocessors

Our primary subprocessors include:

Subprocessor	Service Provided	Data Processed	Location
Microsoft Azure	Cloud infrastructure, hosting, storage	All data categories	Global (configurable regions)
Paystack	Payment processing	Payment information	United States, European Union
Google (Google Auth)	Authentication, single sign-on (SSO)	Identity data (name, email, profile picture)	United States, Global
Google (Google Analytics)	Website analytics, usage analysis	Usage data, analytics data	United States, Global

17.2 Subprocessor Updates

We may update our subprocessors from time to time. Enterprise customers can subscribe to notifications of subprocessor changes through their account settings or by contacting their account manager.

17.3 Subprocessor Requirements

All subprocessors are required to:

Implement appropriate technical and organizational security measures
Process data only as instructed by OrbitalsAI
Maintain confidentiality of data
Comply with applicable data protection laws
Cooperate with data subject rights requests
Notify us of data breaches

18. Contact Us

18.1 General Privacy Inquiries

If you have questions about this Policy or our privacy practices:

OrbitalsAI
ORBITALS AI LIMITED,
LANRE SHITTU BUILDING , SHEHU YARADUA WAY , MABUSHI, FCT, NIGERIA
Email: contact@orbitalsai.com

18.2 Exercising Your Rights

To exercise your privacy rights (access, deletion, correction, etc.):

Email: contact@orbitalsai.com
Subject Line: "Data Subject Rights Request"
Include: Your name, email address, account details, and specific request

18.3 Security Concerns

To report security vulnerabilities or incidents:

Email: contact@orbitalsai.com – Subject Line: "Security Incident" or "Vulnerability Report"

We take security reports seriously and will respond promptly to legitimate concerns.

18.4 Business Inquiries

For partnership, sales, or general business inquiries:

Email: contact@orbitalsai.com or info@orbitalsai.com
Website: https://www.orbitalsai.com/contact

Appendix: Jurisdiction-Specific Notices

A. Nigeria Data Protection Regulation (NDPR) Notices

Lawful Basis for Processing: We process Personal Data in accordance with NDPR, relying on consent, contract performance, legal obligations, and legitimate interests.
Data Subject Rights: Nigerian data subjects have rights to access, rectify, erase, restrict processing, and object to processing of their Personal Data.
Cross-Border Transfers: We implement adequate safeguards for international data transfers as required by NDPR.
Breach Notification: We will notify the Nigeria Data Protection Commission (NDPC) of data breaches within 72 hours as required by law.

B. California Consumer Privacy Act (CCPA) Notices

Categories of Personal Information Collected: See Section 4 of this Policy.
Business Purposes: See Section 5 of this Policy.
Sales and Sharing: We do not "sell" Personal Information as defined by the CCPA. We may "share" information for cross-context behavioral advertising purposes (via cookies).
Right to Opt-Out: California residents can opt out of the "sharing" of Personal Information by: Clicking "Do Not Sell or Share My Personal Information" in our website footer; Enabling Global Privacy Control (GPC) in your browser; Emailing privacy@orbitalsai.com
No Discrimination: We will not discriminate against you for exercising your CCPA rights.
Authorized Agent: California residents may designate an authorized agent to make requests on their behalf.

C. General Data Protection Regulation (GDPR) Notices

Legal Basis: See Section 6 of this Policy.
Supervisory Authority: You have the right to lodge a complaint with your local data protection authority.
Data Transfers: We use Standard Contractual Clauses and other appropriate safeguards for transfers outside the EEA.

D. UK GDPR Notices

Legal Basis: See Section 6 of this Policy.
Supervisory Authority: Information Commissioner's Office (ICO) – https://ico.org.uk
International Transfers: We use the UK's International Data Transfer Agreement (IDTA) and Standard Contractual Clauses where applicable.

This Privacy Policy is effective as of 9/02/2026 and supersedes all prior versions.

OrbitalsAI reserves the right to modify this Policy. Material changes will be communicated as described in Section 16.

For questions or concerns, contact: privacy@orbitalsai.com

← Back to home