Privacy Policy

Effective date: May 1, 2026 · Version 1

OrbitPM ("we," "us," or "our") is a project management platform that helps teams organize tasks, track goals, collaborate on documents, and communicate through integrated channels including email and WhatsApp. This Privacy Policy explains how we collect, use, store, and protect your information when you use OrbitPM at app.orbitpm.ae and related services. Use of OrbitPM is also governed by our Terms of Service.

1. Information We Collect

1.1 Account Information

When you create an account, we collect your name, email address, and a hashed password. If you enable two-factor authentication, we store an encrypted TOTP secret.

1.2 Workspace & Project Data

Content you create within OrbitPM — including tasks, projects, goals, documents, comments, time entries, file uploads, and automation rules — is stored in your workspace. All workspace data is logically isolated from other workspaces.

1.3 Email Integration

If you connect your email account (Gmail or Outlook), we access your inbox via OAuth with the permissions you grant. We store email metadata (sender, subject, date) and message content for AI analysis. OAuth tokens are encrypted at rest using AES-256-GCM. You can disconnect your email account at any time from Settings.

1.4 WhatsApp Integration

If you link your phone number to OrbitPM, we store your phone number (in E.164 format), conversation history, and message content exchanged with our WhatsApp Business number. This data is used to process your commands (e.g., creating tasks, querying project status) and deliver replies. We do not read or access your private WhatsApp conversations with other contacts. You can unlink your phone number at any time from Settings.

1.5 Usage & Technical Data

We collect standard web server logs including IP addresses, browser type, and request timestamps. We use this data for security monitoring, rate limiting, and service reliability.

1.6 AI Processing

When AI features are enabled, task descriptions, email content, and WhatsApp messages may be sent to third-party AI providers (OpenAI, Anthropic, or Azure OpenAI) for processing. This includes intent classification, task extraction, status report generation, and smart triage. AI providers process data according to their own privacy policies and do not use your data for model training under our agreements.

2. How We Use Your Information

  • Provide and operate the OrbitPM service
  • Process your commands via email and WhatsApp integrations
  • Generate AI-powered insights, task suggestions, and status reports
  • Send notifications about task assignments, mentions, and deadlines
  • Authenticate your identity and protect your account
  • Enforce rate limits and prevent abuse
  • Improve service reliability and fix bugs

3. Data Sharing

We do not sell your personal data. We share data only in these circumstances:

  • AI Providers — Task content and messages are sent to your configured AI provider for processing. No data is shared if AI features are disabled.
  • WhatsApp (Meta) — Messages you send to and receive from our WhatsApp Business number are transmitted through Meta's WhatsApp Business Platform.
  • Email Providers — When you connect Gmail or Outlook, data flows through Google or Microsoft APIs respectively under your OAuth authorization.
  • Infrastructure — Your data is hosted on Microsoft Azure (UAE North region). Database backups are encrypted and stored within the same region.
  • Legal Requirements — We may disclose data if required by law or to protect the safety of our users.

3a. Lawful basis for processing (GDPR Art 6 / UAE PDPL)

We process personal data only when we have a lawful basis to do so. The table below summarises the bases we rely on per processing purpose. The full version (categories, sub-processors, cross-border transfer mechanism, retention, data-subject rights pointer) lives in our public lawful-basis matrix. You can manage your preferences from the Privacy settings page.

Purpose | Data categories | Lawful basis | Retention
Account management | Email, name, password hash, locale, timezone | Contract — Art 6(1)(b) | Until account deletion + 30-day grace
Workspace content | Tasks, projects, goals, documents, comments, files | Contract — Art 6(1)(b) | Until item deleted; 30-day soft-delete restore window
AI features | Task content, message bodies you submit to AI tools | Contract — Art 6(1)(b) (consent-gated for ai_training) | Conversations: 90 days; provider zero-retention
Email / Calendar / WhatsApp / Slack integrations | OAuth tokens (encrypted), message metadata + bodies you opt to import | Consent — Art 6(1)(a) per integration | Until you disconnect the integration
Audit logging + abuse monitoring | IP, user-agent, action log, classification, outcome | Legitimate interest — Art 6(1)(f) (security) | 2 years (regulatory + security incident review)
Search indexing | Embeddings of task / project / goal / document text | Contract — Art 6(1)(b) | Until source row deleted
Data exports (GDPR Art 20 portability) | Snapshot of your workspace records | Legal obligation — Art 6(1)(c) | 7 days, then auto-purge

Essential service — "essential" purpose

Data needed to deliver OrbitPM (account, workspace content, audit logs). Lawful basis: performance of contract (Art 6(1)(b)). Cannot be withdrawn while an account is active — withdrawal of consent here is equivalent to closing the account, available via the account-deletion flow on Privacy settings.

Analytics — "analytics" purpose

OrbitPM does not ship product analytics today. If we add analytics in the future we will gate it behind a Consent Management Platform; the basis will be consent (Art 6(1)(a)).

Marketing — "marketing" purpose

Product newsletters and update emails. Off by default — opt-in only. Lawful basis: consent (Art 6(1)(a)). Withdraw any time from Privacy settings.

AI training — "ai_training" purpose

Off by default. Our current AI sub-processors (OpenAI, Anthropic, Azure OpenAI) operate under zero-retention / no-training agreements. We would only flip this purpose if a future arrangement with explicit opt-in were available; the basis at flip-on time would be consent (Art 6(1)(a)).

Third-party share — "third_party_share" purpose

Off by default. Reserved for advertising pixels and embedded scripts that share personal data with parties outside our sub-processor list. None today.

4. Data Security

We implement the following security measures:

  • All data in transit is encrypted via TLS 1.3
  • Sensitive credentials (API keys, OAuth tokens) are encrypted at rest using AES-256-GCM with HKDF-derived keys
  • Passwords are hashed using bcrypt
  • Webhook payloads are verified via HMAC-SHA256 signatures
  • WhatsApp phone verification codes are hashed and rate-limited
  • All API endpoints are protected by authentication and authorization checks
  • Role-based access control (owner, admin, member, viewer) restricts workspace operations
  • Rate limiting is enforced on authentication and messaging endpoints

5. Data Retention

  • Account data is retained as long as your account is active.
  • Workspace content (tasks, documents, etc.) uses soft-delete — trashed items can be restored. Permanently deleted data is removed from the database.
  • WhatsApp messages are retained for conversation continuity and undo functionality. You can request deletion by contacting us.
  • Email data can be removed by disconnecting your email integration.
  • Rate limit entries are automatically pruned after expiry.

6. Your Rights

You have the right to:

  • Access, correct, or delete your personal data
  • Export your workspace data
  • Disconnect email and WhatsApp integrations at any time
  • Disable AI features for your workspace
  • Delete your account and all associated data

Self-serve flows (GDPR Articles 17 & 20): Signed-in users can request a machine-readable export, schedule account deletion, or manage their granular consent preferences directly from the Privacy settings page. Workspace owners can additionally schedule workspace deletion from Workspace Privacy. Both deletion flows honour a 30-day grace period before any data is permanently destroyed; you may cancel at any time during that window. Consent withdrawals take effect immediately for new processing, and the consent log keeps a complete history of every grant and withdrawal so you can audit your own state.

To exercise these rights through us, contact us at contact@orbitpm.ae.

7. Cookies

OrbitPM uses only strictly necessary cookies today:

  • Session cookie — issued by NextAuth.js after sign-in; HTTP-only, secure, scoped to our domain. Required for authentication; cannot be disabled.
  • CSRF cookie — issued by NextAuth.js; protects against cross-site request forgery. Required; cannot be disabled.

We do not use tracking cookies, advertising cookies, or third-party analytics. If we ever ship analytics we will gate it behind a Consent Management Platform (CMP) that asks for explicit opt-in before any non-essential cookie is set. Until then, the "analytics" purpose toggle in your Privacy settings is informational only.

8. Children's Privacy

OrbitPM is not intended for use by individuals under 16 years of age. We collect a date of birth at signup (GDPR Art 8 default age 16, aligned with UAE PDPL); accounts that don't meet the minimum are rejected at signup. If you believe a minor has created an account, contact us at contact@orbitpm.ae and we will delete it.

9. International Data Transfers

Your data is processed and stored on Microsoft Azure in the UAE North region. If you access OrbitPM from outside the UAE, your data will be transferred to and processed in the UAE.

10. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify registered users of material changes via email or in-app notification. Continued use of OrbitPM after changes constitutes acceptance of the updated policy.

11. Contact Us

If you have questions about this Privacy Policy or our data practices, contact us at contact@orbitpm.ae.