OrbitronAI Privacy Policy
This Policy explains how OrbitronAI and its affiliates (“OrbitronAI”, “we”, “us”, “our”) collect, use, disclose, and protect information—including personal data—across our websites, products, services, and agentic platforms (including NovaOS, ComplyNova, LeadNova, FlowNova, PayNova, and related APIs, dashboards, and mobile or web apps). It also describes choices and rights available to individuals.
OrbitronAI aligns this Policy with applicable privacy frameworks, including GDPR/UK GDPR, CCPA/CPRA, UAE PDPL, KSA PDPL (SDAIA), and sectoral obligations (e.g., SAMA PSP & Cybersecurity Framework where applicable). Our ISMS is designed against ISO/IEC 27001 with controls referencing ISO/IEC 27002, SOC 2, and NIST guidance.
If you use an OrbitronAI product under a separate contract (e.g., Master Services Agreement, DPA), the contract and its Data Processing Addendum govern in case of conflict with this Policy.
1. Scope
This Policy applies to:
- Visitors to OrbitronAI websites and marketing pages;
- Users of OrbitronAI products and services (cloud or on-prem);
- Individuals whose data we process on behalf of enterprise customers (as a processor).
2. Key Definitions
Controller / Processor:
OrbitronAI acts as Controller when deciding why/how to process personal data for our own purposes (e.g., website analytics, account provisioning). We act as Processor when processing personal data on behalf of a customer under contract (e.g., data flowing through ComplyNova or NovaOS).
Personal Data / Personal Information (PI/PD):
Information relating to an identified or identifiable natural person.
Usage Data:
Technical telemetry collected automatically (e.g., device IDs, IP addresses, event logs, page views).
Location Data:
Approximate or precise geolocation if enabled by the user/device.
Cookies / Similar Technologies:
Small text files, SDKs, web beacons, local storage, or similar technologies used for analytics, performance, and preference management.
Services:
OrbitronAI products, platforms, APIs, and support.
3. What We Collect
A. Data you provide
- Identity & contact data (name, email, phone, company, role).
- Account & auth data (usernames, role assignments, SSO identifiers).
- Business content uploaded or entered into our Services (tickets, forms, documents, prompts, workflow configs).
- Payment/billing details (handled by PCI-compliant providers where relevant).
B. Data collected automatically
- Usage Data (browser type/version, device info, referrer, pages viewed, timestamps).
- Diagnostics & performance metrics (crash logs, error traces, agentic workflow telemetry).
- Limited Location Data when enabled.
C. Data from third parties
- Partners and integrators (with appropriate contractual safeguards).
- Public sources and business databases, to support due-diligence or risk workflows in ComplyNova (as contracted).
Special categories: We do not intentionally collect sensitive personal data unless contractually required by a customer for compliance use cases, and then only under strict controls and documented lawful bases.
4. Lawful Bases (GDPR/UK GDPR)
Where we act as Controller, we rely on:
- Contract: To provide and support the Services you requested.
- Legitimate Interests: To secure, improve, and market our Services (balanced against your rights).
- Consent: For optional cookies, certain marketing, or where required by law.
- Legal Obligation: To comply with applicable laws/regulators.
- Vital/Public Interest: Only where applicable and permitted.
When acting as Processor, we process data solely on the documented instructions of our customer (the Controller).
5. How We Use Information
- Provide, operate, secure, and improve the Services (including training, evaluating, and orchestrating agent workflows).
- Configure roles, access, and tenancy; enforce security, audit, and change management.
- Deliver support, incident response, and client success.
- Personalize dashboards and product experiences (where permitted).
- Communicate service updates, security notices, and marketing (opt-out available).
- Detect and prevent fraud, abuse, or prohibited activities.
- Perform analytics and research to enhance performance, safety, and reliability.
6. Cookies & Similar Technologies
We use necessary cookies for core functionality and optional cookies/SDKs for analytics and performance. You can manage preferences via our cookie banner and browser settings. Where required, we obtain consent before setting non-essential cookies. Disabling certain cookies may impact functionality (e.g., authenticated areas).
7. Sharing & Disclosures
We do not sell personal information.
We may share data with:
- Affiliates & Subsidiaries: For integrated operations under this Policy.
- Service Providers/Processors: Cloud hosting, security, analytics, support, communications, payments—bound by DPAs and confidentiality.
- Enterprise Customers: When we process data on their behalf (e.g., results within ComplyNova workflows).
- Legal/Regulatory: If required by law, subpoena, lawful request, or to protect rights, safety, and security.
- Business Transfers: Mergers, acquisitions, restructurings (with appropriate safeguards).
- Aggregated/De-identified Reports: That cannot reasonably identify an individual.
Third-party pages linked from our Services are governed by their own privacy policies.
8. International Transfers & Data Residency
OrbitronAI is a global company with infrastructure options to meet data residency needs (e.g., KSA, UAE, EU). Where data is transferred internationally, we implement appropriate safeguards such as Standard Contractual Clauses (SCCs), the UK IDTA/Addendum, and other legally recognized mechanisms. For regulated deployments (e.g., SAMA / KSA PDPL), we support in-region or on-prem options to satisfy local residency and sovereignty requirements, as contractually agreed.
9. Security
Our ISMS aligns to ISO/IEC 27001 and SOC 2 principles, employing layered controls:
- Access control, MFA/SSO, least privilege, role-based authorization.
- Encryption in transit (TLS) and at rest (industry-standard ciphers).
- Network segmentation, hardened baselines, secret management, vulnerability management.
- Secure SDLC, change control, logging/monitoring, SIEM, incident response, and business continuity.
- Third-party risk management and vendor DPAs.
No system is 100% secure; we maintain incident response procedures and will notify controllers/users consistent with legal obligations and contracts.
10. Your Rights & Choices
Depending on your jurisdiction, you may have rights to:
- Access, correct, or delete your personal data;
- Object to or restrict certain processing;
- Data portability;
- Withdraw consent (where processing is based on consent);
- Opt out of marketing communications;
- Lodge a complaint with a supervisory authority.
If you are an end user of an enterprise customer (where we act as Processor), please direct requests to your organization’s administrator; we will assist them per our DPA.
If OrbitronAI is the Controller (e.g., website account, newsletter), contact us at privacy@orbitronai.com.
11. Retention
We retain personal data only as long as necessary for the purposes described here or as required by law/contract. Typical controller-side retention:
- Website accounts & portal profiles: kept while active; deleted within 30 business days after de-registration (subject to legal holds).
- Newsletter sign-ups: retained until you unsubscribe; then removed within 30 business days.
- Telemetry/Logs: retained for security and diagnostics per ISMS schedules (e.g., 30–365 days), unless extended for investigations or legal obligations.
For Processor data (customer content in ComplyNova/NovaOS/etc.), retention is dictated by the customer contract and DPA; we delete or return data upon termination or at the customer’s instruction, subject to legally permitted retention.
12. Children's Privacy
Our Services are not intended for children under 18. We do not knowingly collect personal data from children. If you believe a child has provided personal data to us, contact privacy@orbitronai.com and we will take appropriate action.
13. Marketing Preferences
You can opt out of promotional emails at any time via the email footer link or by writing to privacy@orbitronai.com. We will still send important transactional or security communications.
14. Data Subject / Consumer Requests (DSR/DSAR) & Contact
- Controller matters (OrbitronAI-managed data): privacy@orbitronai.com
- Processor matters (customer-managed data): contact your organization’s admin; we will support them per the DPA.
OrbitronAi Agentic FZCO
Building A1, DSO-IFZA, Dubai, UAE
To help us verify your identity, we may request reasonable information consistent with law.
15. Changes to this Policy
We may update this Policy from time to time. The “Approval Date” and “Version” above reflect the latest approved version. Material changes will be communicated via the website or, where appropriate, via email/admin notices. Continued use of the Services after changes indicates acceptance of the updated Policy.
16. Jurisdiction-Specific Disclosures (Summary)
- EU/UK: Controller details, DPO contact, lawful bases, transfer safeguards (SCCs/IDTA), and rights per GDPR/UK GDPR.
- CCPA/CPRA (California): We do not “sell” personal information as defined by CPRA. We honor consumer rights to know, delete, correct, and limit use of sensitive PI where applicable.
- UAE PDPL / KSA PDPL: We comply with local consent, purpose limitation, and transfer requirements. Data residency options are available (including KSA and UAE hosting or on-prem) under contract.
17. Third-Party Services & Links
Our sites and Services may link to third-party resources. Their privacy practices are their own; review their policies before providing data. Where a third party acts as our Processor, we bind them via DPA and assess security as part of our vendor risk program.
18. Forums, Feedback, Beta & Telemetry
If you post in community forums or share feedback, the content may be visible to others. Beta features may collect additional telemetry strictly to improve performance and safety; details are provided in beta terms.
19. Government, Law Enforcement & Safety
We may disclose information where required by law or to protect rights, privacy, safety, property, or security of users, customers, the public, or OrbitronAI—consistent with applicable law and our contractual obligations.