Privacy Policy

Orbit Metrics ("we," "our," or "us") operates Orbit Scorecard, an AI-powered business intelligence platform. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our service.

1. Information We Collect

Account Information

When you create an account or sign in, we collect:

• Email address
• Display name (if provided)
• Profile picture URL (if signing in via Google)
• Account identifier (UID)

Business Data

When you connect third-party data sources (such as Shopify, HubSpot, or Google Ads), we store:

• Business metrics and transactional data from connected platforms
• Integration connection status and metadata
• Scorecard definitions and configurations you create

Conversation Data

To provide our AI-powered features, we store:

• Chat messages between you and our AI assistant
• SQL queries generated during conversations
• Query results and preview data

Automatically Collected Information

• IP address and approximate location
• Browser type and device information
• Usage patterns and feature interactions
• Error logs and performance data

2. How We Use Your Information

We use your information to:

• Provide, maintain, and improve our services
• Process and fulfill your requests for AI-generated scorecards
• Authenticate your identity and manage your account
• Communicate with you about service updates and support
• Detect, prevent, and address technical issues and security threats
• Comply with legal obligations

3. Data Storage and Security

Infrastructure

Your data is stored securely on Google Cloud Platform infrastructure, including:

• Google BigQuery: Business data and scorecard results (US region)
• Google Firestore: Account settings, chat history, and scorecard definitions
• Firebase Authentication: Secure authentication credentials

Tenant Isolation

Each user's data is stored in completely isolated datasets. Your business data cannot be accessed by other users, and we enforce strict query validation to prevent cross-tenant data access.

Security Measures

• Encryption in transit (TLS 1.3) and at rest
• Regular security audits and vulnerability assessments
• Access controls and authentication for all services
• Audit logging of data access and modifications

4. Third-Party Services

We use the following third-party services:

5. Data Retention

We retain your data according to the following schedule:

• Account data: Retained while your account is active, deleted within 30 days of account deletion request
• Business data: Retained while your account is active, deleted within 30 days of account deletion request
• Chat history: Retained for 2 years, then automatically archived or deleted
• Audit logs: Retained for 7 years for compliance purposes

You may request earlier deletion of your data by contacting us at hello@orbitmetrics.io

6. Your Rights

All Users

You have the right to:

• Access the personal data we hold about you
• Correct inaccurate or incomplete data
• Delete your account and associated data
• Export your data in a machine-readable format
• Withdraw consent for optional data processing

European Economic Area (GDPR)

If you are located in the EEA, you have additional rights under the General Data Protection Regulation:

• Legal basis: We process your data based on contract performance (providing our services) and legitimate interests (improving our services)
• Right to object: You may object to processing based on legitimate interests
• Right to restriction: You may request we limit how we use your data
• Data portability: You may request your data in a structured, commonly used format
• Lodge a complaint: You have the right to lodge a complaint with your local supervisory authority

Data transfers: Your data is processed in the United States. We rely on Google Cloud's Standard Contractual Clauses for lawful data transfers from the EEA.

California Residents (CCPA)

If you are a California resident, the California Consumer Privacy Act provides you with additional rights:

• Right to know: You may request information about the categories and specific pieces of personal information we have collected
• Right to delete: You may request deletion of your personal information
• Right to non-discrimination: We will not discriminate against you for exercising your privacy rights
• Authorized agent: You may designate an authorized agent to make requests on your behalf

Do Not Sell: We do not sell your personal information to third parties.

7. Cookies and Tracking

We use essential cookies required for the service to function:

• Authentication cookies: To keep you signed in
• Session cookies: To maintain your session state

We do not use third-party advertising or tracking cookies.

8. Children's Privacy

Our service is intended for business use and is not directed to individuals under 18 years of age. We do not knowingly collect personal information from children. If you believe we have collected information from a child, please contact us immediately.

9. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of any material changes by posting the new policy on this page and updating the "Last updated" date. We encourage you to review this Privacy Policy periodically.

10. Contact Us

If you have any questions about this Privacy Policy or our data practices, please contact us:

For GDPR-related inquiries, please include "GDPR Request" in your email subject line. We will respond to all requests within 30 days.