Privacy Policy
Effective date: April 18, 2026
OrbitPM ("we," "us," or "our") is a project management platform that helps teams organize tasks, track goals, collaborate on documents, and communicate through integrated channels including email and WhatsApp. This Privacy Policy explains how we collect, use, store, and protect your information when you use OrbitPM at app.orbitpm.ae and related services.
1. Information We Collect
1.1 Account Information
When you create an account, we collect your name, email address, and a hashed password. If you enable two-factor authentication, we store an encrypted TOTP secret.
1.2 Workspace & Project Data
Content you create within OrbitPM — including tasks, projects, goals, documents, comments, time entries, file uploads, and automation rules — is stored in your workspace. All workspace data is logically isolated from other workspaces.
1.3 Email Integration
If you connect your email account (Gmail or Outlook), we access your inbox via OAuth with the permissions you grant. We store email metadata (sender, subject, date) and message content for AI analysis. OAuth tokens are encrypted at rest using AES-256-GCM. You can disconnect your email account at any time from Settings.
1.4 WhatsApp Integration
If you link your phone number to OrbitPM, we store your phone number (in E.164 format), conversation history, and message content exchanged with our WhatsApp Business number. This data is used to process your commands (e.g., creating tasks, querying project status) and deliver replies. We do not read or access your private WhatsApp conversations with other contacts. You can unlink your phone number at any time from Settings.
1.5 Usage & Technical Data
We collect standard web server logs including IP addresses, browser type, and request timestamps. We use this data for security monitoring, rate limiting, and service reliability.
1.6 AI Processing
When AI features are enabled, task descriptions, email content, and WhatsApp messages may be sent to third-party AI providers (OpenAI, Anthropic, or Azure OpenAI) for processing. This includes intent classification, task extraction, status report generation, and smart triage. AI providers process data according to their own privacy policies and, under our agreements with them, do not use your data for model training.
2. How We Use Your Information
- Provide and operate the OrbitPM service
- Process your commands via email and WhatsApp integrations
- Generate AI-powered insights, task suggestions, and status reports
- Send notifications about task assignments, mentions, and deadlines
- Authenticate your identity and protect your account
- Enforce rate limits and prevent abuse
- Improve service reliability and fix bugs
3. Data Sharing
We do not sell your personal data. We share data only in these circumstances:
- AI Providers — Task content and messages are sent to your configured AI provider for processing. No data is shared if AI features are disabled.
- WhatsApp (Meta) — Messages you send to and receive from our WhatsApp Business number are transmitted through Meta's WhatsApp Business Platform.
- Email Providers — When you connect Gmail or Outlook, data flows through Google or Microsoft APIs, respectively, under your OAuth authorization.
- Infrastructure — Your data is hosted on Microsoft Azure (UAE North region). Database backups are encrypted and stored within the same region.
- Legal Requirements — We may disclose data if required by law or to protect the safety of our users.
4. Data Security
We implement the following security measures:
- All data in transit is encrypted via TLS 1.3
- Sensitive credentials (API keys, OAuth tokens) are encrypted at rest using AES-256-GCM with HKDF-derived keys
- Passwords are hashed using bcrypt
- Webhook payloads are verified via HMAC-SHA256 signatures
- WhatsApp phone verification codes are hashed and rate-limited
- All API endpoints are protected by authentication and authorization checks
- Role-based access control (owner, admin, member, viewer) restricts workspace operations
- Rate limiting is enforced on authentication and messaging endpoints
5. Data Retention
- Account data is retained as long as your account is active.
- Workspace content (tasks, documents, etc.) uses soft-delete — trashed items can be restored. Permanently deleted data is removed from the database.
- WhatsApp messages are retained for conversation continuity and undo functionality. You can request deletion by contacting us.
- Email data can be removed by disconnecting your email integration.
- Rate limit entries are automatically pruned after expiry.
6. Your Rights
You have the right to:
- Access, correct, or delete your personal data
- Export your workspace data
- Disconnect email and WhatsApp integrations at any time
- Disable AI features for your workspace
- Delete your account and all associated data
To exercise these rights, contact us at contact@orbitpm.ae.
7. Cookies
OrbitPM uses a session cookie for authentication (NextAuth.js). We do not use tracking cookies, advertising cookies, or third-party analytics. The session cookie is HTTP-only, secure, and scoped to our domain.
8. Children's Privacy
OrbitPM is not intended for use by individuals under 16 years of age. We do not knowingly collect personal data from children.
9. International Data Transfers
Your data is processed and stored on Microsoft Azure in the UAE North region. If you access OrbitPM from outside the UAE, your data will be transferred to and processed in the UAE.
10. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify registered users of material changes via email or in-app notification. Continued use of OrbitPM after changes constitutes acceptance of the updated policy.
11. Contact Us
If you have questions about this Privacy Policy or our data practices, contact us at contact@orbitpm.ae.