Who this applies to
This policy covers Orbit: the app, our marketing website, and any data we hold about the families who use them. "We" means Orbit; "you" means the parent or child account holder or the adult visiting the website.
What we collect
Short list, no surprises:
- Account details. Email address and chosen password (stored in a scrambled form that even we can't read), username, optional display name, and who's in your family (which parents and children belong to the same Orbit).
- The "find each other" half of your phone's locks. So other phones in your family can send you messages only you can open. We never see the private half. That stays on your phone.
- Locked-up messages waiting to be delivered. We hold them on our servers only until the other phone comes online and picks them up. Once delivered, they're deleted.
- Routing info. Who sent a message to whom, when, and to which phone. This is unavoidable in any messaging system; we can't deliver a message without knowing the destination.
- Locked-up location data waiting to be delivered. If your family uses the location features (shared places, geofences, and their rules), that information is locked up on the phone before it reaches us, exactly like a message. We hold the sealed bundle only to pass it between your family's phones. We can't open it. See Location below.
- Phone information. Phone type (iPhone or Android), app version, and a rough region worked out from your phone's internet address. Used for keeping you signed in and for the approved sign-in feature.
- Your Mack settings. The mode (Off / Hold for approval / Block), which categories you have on or off, and your watchlist words for each child. Stored so the settings can be sent to your child's phone, where Mack actually runs.
- Mack alerts. When Mack, our AI safety guard, running on the child's phone, flags a message, we receive: which categories were flagged, which version of Mack did the flagging, and the time. We do not receive the message itself.
- Single messages you've chosen to share with us. If you tap "share this one to help train Mack" on a specific message (off unless you turn it on for that one message), the wording is sent to us and used to improve future versions of Mack. Everything that identifies your family is stripped off before it's stored: no name, no email, no chat name. There's no way to trace a shared message back to a particular family. This is a separate step from telling us Mack got an alert wrong.
- Server logs. Which page or feature was used, whether it succeeded, the time, and the internet address. Used to run the service and investigate abuse.
What we don't collect
- The actual words of your family's messages. Messages are locked up on the sending phone before they reach us; only the phones in the conversation can open them. Mack, our AI safety guard, runs on the phone, not on our servers, so we don't receive the words as part of the safety check either. The only exception is a single message you've actively chosen to share to help train Mack (described above), and even then, anything that identifies your family is stripped off before it's stored.
- The private half of your phone's locks. Lives on the phone that made it. If you delete the app, it's gone.
- Where anyone is. We never see raw location: no coordinates, no map pins, no addresses, no place names, no geofence boundaries, and no rules. It's all locked up on the phone before it reaches us. We literally cannot see where any child or adult in your family is. See Location.
- Contacts from your phonebook or other apps. We don't read your address book.
- Profiles of your child. We do not build advertising profiles, we do not share or sell any data with marketers, and there's no advertiser on the other end of Orbit.
- Outside trackers. No Google Analytics, no Facebook tracker, no Segment, nothing watching what your child does inside the app.
- Biometrics, ID photos, age-verification data. We don't ask for them.
Location
Orbit has optional location features: you can save places (like home or school), draw a geofence around them, and set rules (for example, let me know when my child leaves school). Here's the important part: this all works without our servers ever seeing where anyone is.
- It's end-to-end encrypted. Every place, geofence, boundary, and rule is locked up on the phone that created it before it ever reaches us, using the same end-to-end encryption as your messages. Only your family's phones hold the key.
- We never see raw location. Not coordinates, not map pins, not addresses, not place names, not the shape of a geofence. What we store is a sealed bundle we can't open, held only to pass between your family's phones. To us it's meaningless scrambled data.
- The checking happens on the phone. Working out whether a child has entered or left a place happens on the child's phone, not on our servers. We never receive a stream of your child's whereabouts, because there's nowhere in our system for it to go.
- We can't tell where anyone is, even if asked. Because the data is locked up and the private key never leaves the phone, we cannot produce anyone's location for a court, an advertiser, or ourselves. It isn't a policy choice we could reverse; the design makes it impossible.
If you don't turn the location features on, none of this data exists in the first place.
Why we have it
Each category above exists for one of three reasons:
- To run the service. Delivering a message means knowing where to send it. Signing you in means storing your password in a safe, scrambled form.
- To keep the service safe. Logs help us spot abuse and stop spam and harassment accounts.
- To meet legal obligations. If a court orders us, we'll hand over what we hold, which, by design, isn't much.
If a piece of data doesn't fit one of those three, we shouldn't have it. If you spot one, tell us. It's a bug.
How long we keep it
- Locked-up messages: deleted as soon as they're delivered. If they sit undelivered, they're cleared after 30 days.
- Server logs: cleared after 30 days.
- Account info: kept while the account is in use. When you delete an account, it's cleared within 30 days (some back-ups may linger a little longer before being rotated out, but they're never restored).
- Mack settings: kept while you and your child are linked.
- Mack alerts: kept for the life of the account so you can look back at past alerts. Cleared when the account is deleted.
- Single messages shared to help train Mack: kept until we choose to delete them. Used only to make the next version of Mack better. Everything identifying your family was stripped off when the message was shared, so we cannot trace one back to your family. We don't sell or share this data with anyone else.
Children's data
Orbit is designed for family messaging, which means most children using it are under the adult age of consent. A child account on Orbit is created by a parent, lives inside that parent's Orbit, and is controlled by the parent until they decide otherwise.
- No child can sign up without a parent creating the account first.
- We don't ask children for their email, phone number, real name, or ID.
- Parents can review the list of their child's contacts, change Mack's settings, and delete the child's account at any time.
- When Mack, running on the child's phone, spots signs of self-harm or suicidal thoughts in a message, an alert (saying which category fired and at what time, not the message itself) is sent to the parent, and a crisis card with UK helplines is shown to the child. These crisis alerts can't be turned off.
- We do not use any child's data for advertising, analytics, or profiling, or for any purpose beyond running the service they're using.
Your rights
You can, at any time:
- Access the account information we hold about you.
- Correct anything we have wrong (display name, email, etc.).
- Delete your account. Deletion removes the account and all associated metadata within 30 days.
- Export your account metadata in a machine-readable format. (Messages are only readable on your devices; they're not server-side to export.)
- Object to any processing you disagree with, or ask us to restrict it.
- Lodge a complaint with your local data-protection authority if you believe we've mishandled your data.
Email the address in the "How to reach us" section to exercise any of these. We respond within 30 days.
Changes to this policy
When we change this policy, we'll update the "Last updated" date at the top and, if the change materially affects how we handle your data, email every account holder at least 14 days before it takes effect. You can reject the change by deleting your account during that window.
How to reach us
Email privacy@yourorbit.chat (address reserved at launch) for any privacy question, access request, deletion request, or concern. For security disclosures, see the Security page.