ORBIT Privacy Policy
Effective date: 27 June 2026 Last updated: 27 June 2026
1. Who We Are and How to Contact Us
ORBIT ("ORBIT," "we," "us," or "our") is an approval-first AI "campaign control plane" for cause and fundraising campaigns. ORBIT helps you plan outreach: our AI proposes communities, influencers, sources, social/blog content, and outreach drafts; you approve them; and you publish or send them yourself, manually. The AI never posts, sends, or contacts anyone on its own.
This Privacy Policy explains what personal data we collect, why, how we share it, and the rights you have.
- Operator / data controller: Joshua Kaen Bentley
- Registered address: available on request
- Privacy contact email: hello@tekanology.com
- Data Protection Officer / privacy lead (if appointed): Not applicable; contact us at hello@tekanology.com
- EU/UK representative (if required under GDPR Art. 27): Not appointed. ORBIT is operated from Australia and New Zealand and does not target or offer services to individuals in the EU or UK; an Article 27 representative will be appointed if that changes.
For the purposes of the EU and UK General Data Protection Regulation ("GDPR" / "UK GDPR"), Joshua Kaen Bentley is the controller of personal data described in Section 4, except for the third-party data covered in Section 12, where you (the user) are the controller and we act as your processor. See Section 12 carefully.
2. Scope of This Policy
This Policy applies to the ORBIT web application and API (the "Service"). It covers:
- People who create an ORBIT account and use the Service ("users," "you");
- People whose information is entered into, discovered by, or processed through the Service but who never signed up — for example, influencers, community admins, contacts, and friends/family that the AI discovers or that you choose to add or contact ("third-party individuals"). Section 12 is specifically about you.
This Policy does not cover third-party websites or platforms you connect or publish to (e.g., Facebook, Instagram, Pinterest, your WordPress site), which have their own privacy policies.
3. A Note on Our Current Stage
ORBIT is operated by an early-stage / solo maker. Some features described here are not yet live (for example, paid billing and the optional use of the Anthropic Claude API — see Sections 8 and 9). Where a practice is not yet active, we say so. We will update this Policy and the effective date before turning such features on.
4. The Data We Collect
4.1 Account data
| Data | Where it comes from | Why |
|---|---|---|
| Email address | You, at signup and login (stored case-insensitively and uniquely) | Account identity, login, password-reset emails |
| Password | You, at signup / reset | Authentication. We never store your password in plaintext — it is hashed with bcrypt (12 rounds). If you sign in only with Google, no password is stored. |
| Display name | You, at signup (required) | Profile and interface personalization |
| Avatar URL, time zone (default UTC), locale (default "en") | Your profile settings or defaults | Personalization and scheduling |
| Google account ID | Google sign-in to ORBIT (if you use it) | Social login to ORBIT |
4.2 Campaign content
This is the core of what you put into ORBIT. It includes: campaign title and goal (e.g., "Raise $10,000 for animal shelter roof"), your story / narrative, campaign URL, target and raised amounts, deadline, audience description, and any source material you upload (URL, PDF, or brief), plus the AI's analysis of that brief.
It also includes a fundraising classification and the campaign's jurisdiction/country. We classify campaigns by type (charity, personal, medical, political, disaster relief, securities, etc.) for compliance gating. Note: certain campaign types (medical, political, disaster relief) and the free-text content of your story can reveal special-category / sensitive information (e.g., health, political opinions). See Section 4.7.
4.3 Uploaded media assets
Images and PDFs you upload for use in posts. These are stored on the local filesystem of the server that runs ORBIT (not on external cloud object storage) and served back through the Service. They are not encrypted at rest by the application (see Section 14).
4.4 Third-party data (data about people who did not sign up)
This is ORBIT's most significant privacy exposure and is described in full in Section 12. In summary, the Service stores and processes:
- Discovered influencers — name, handle, reach/follower estimate, a creator–cause "congruence" score, and a free-text rationale ("why this person");
- Discovered communities — name, URL, platform (e.g., Facebook group, Reddit, forum), risk/fit sub-scores, and a risk level;
- Discovered sources — blogs, press, and directories (name + URL);
- Outreach contacts — name, handle, role/description, contact channel, and a full AI-drafted message addressed to that specific person;
- Personal asks — message bodies you intend to send to friends and family;
- Audience facts — reusable donor/community/audience facts that persist across your campaigns.
4.5 Connected-platform credentials (OAuth tokens)
When you connect a platform so you can publish to it, we store the access/refresh tokens and credentials needed to do so:
- Facebook / Instagram, Pinterest: OAuth access/refresh tokens and your account/page identifiers;
- WordPress: site URL, username, and an application password.
These tokens and the WordPress application password are encrypted at the application layer (AES-256-GCM) before storage. See Section 14 for key-management limitations.
4.6 Usage, technical, and log data
| Data | Why |
|---|---|
| IP address and User-Agent (browser/device string), captured on register/login | Session binding and security |
| Session/refresh-token records (with IP and User-Agent) | Managing your logged-in sessions |
| Audit and workflow logs recording actor IDs, IP addresses, and before/after data of actions | Security, integrity, and an append-only audit trail |
| AI run logs — the full assembled prompt, raw and structured AI output, model ID, and provider, for each AI generation | Debugging, quality, and reproducibility. Note: these logs can contain your campaign content and third-party data. |
The audit and workflow logs are immutable/append-only and currently retained indefinitely (see Section 13). This includes IP addresses.
4.7 Special-category / sensitive data
We do not ask you to provide special-category data, but campaign stories and campaign types (medical, political, disaster relief) can contain it (GDPR Art. 9 data such as health or political opinions). If you include such data, you are responsible for having a lawful basis to do so; where we process it, we rely on the fact that you have manifestly made it public and/or your explicit consent, and we ask you not to include sensitive details about third parties unless you have a lawful basis.
4.8 Payment / billing data
Paid billing is not live yet (Phase 1 is free). When it goes live, payments will be handled by the payment processor Stripe, which collects and processes your card details directly. ORBIT stores no card numbers (no PAN). We store only the processor's reference IDs (checkout session ID, payment-intent ID), the amount, currency (USD), status, and webhook event records. See Section 8.
5. How and Why We Use Your Data (and Our GDPR Lawful Bases)
| Purpose | Data used | GDPR lawful basis (EU/UK users) |
|---|---|---|
| Create and operate your account; authenticate you | Email, password hash, display name, Google ID | Contract (Art. 6(1)(b)) |
| Generate AI proposals: discovery, content, outreach drafts | Campaign content; third-party data; profile settings | Contract (to deliver the Service you request); see Section 12 re third parties |
| Personalize the Service and learn your "voice" across campaigns | Profile settings; your edits/acceptances/rejections of AI drafts | Legitimate interests (Art. 6(1)(f)) — improving the Service for you |
| Secure the Service; prevent abuse; maintain an audit trail | IP, User-Agent, session and audit logs | Legitimate interests (Art. 6(1)(f)) and legal obligation (Art. 6(1)(c)) |
| Send transactional messages (e.g., password reset) | Contract | |
| Process per-campaign payments (when live) | Processor reference IDs, amount, currency | Contract |
| Comply with law and respond to lawful requests | As relevant | Legal obligation (Art. 6(1)(c)) |
| Compliance gating by fundraising type/jurisdiction | Fundraising classification, jurisdiction | Legal obligation / legitimate interests |
Where we rely on legitimate interests, you have the right to object (Section 11). Where we rely on consent (e.g., explicit consent for sensitive data, or any future optional features), you may withdraw it at any time.
6. Cookies and Local Storage
ORBIT does not use HTTP cookies for authentication. Instead, after you log in, the web client stores your session — a JSON blob containing a short-lived JWT access token and an opaque refresh token — in your browser's storage:
- localStorage if you choose "stay logged in / remember me" (persists across browser restarts), or
- sessionStorage if you do not (cleared when you close the tab).
These tokens are sent as an Authorization: Bearer header on each request. They are cleared on logout or failed refresh.
Security note: because the refresh token is stored in browser storage (not an httpOnly cookie), it can in principle be read by JavaScript running on the page and is therefore exposable via cross-site scripting (XSS). We disclose this so you can make an informed choice about the "remember me" option, especially on shared devices.
We do not currently use third-party advertising or analytics cookies. If we add any, we will update this Policy and, where required, request your consent.
7. Who We Share Data With (Disclosures and Sub-Processors)
We do not sell your personal data or third-party data. We share data only with the service providers ("sub-processors") needed to run the Service, and only as described below.
| Recipient | What it does | What is shared | Status |
|---|---|---|---|
| Anthropic (Claude API) | AI content/research/outreach generation, only if the operator enables the Claude provider | The full assembled prompt — campaign goal/story/brief content and third-party data (discovered names, handles, reach) and outreach context — plus outputs | Optional / not enabled by default. See Sections 9 and 10. |
| Ollama (local AI) | Default AI provider, running on the operator's own self-hosted server | The same prompts, but they stay on local infrastructure — no external transfer | Default / current |
| Meta — Facebook / Instagram | OAuth connection and publishing to your owned Facebook Pages / linked Instagram accounts (only when you choose to publish) | OAuth tokens; your page/account ID and name; the post content you publish | When you connect |
| OAuth connection and publishing Pins | OAuth tokens; your account handle; pin content | When you connect | |
| Your WordPress site | Publishing posts via REST API | Site URL, username, encrypted application password; post content | When you connect |
| Stripe | Per-campaign payment processing | Card data goes directly to the processor; ORBIT stores only reference IDs, amount, currency, webhook events | Not live yet |
| Operator's own device (self-hosted locally) | Hosting the application, database (PostgreSQL), and cache (Redis) | All data at rest, as a processor | As applicable |
A current list of sub-processors is available on request at hello@tekanology.com. We will give notice before adding a new sub-processor that materially changes where your data goes — in particular before enabling the Anthropic Claude API.
We may also disclose data where required by law, to enforce our terms, or to protect rights and safety.
8. Payments
ORBIT is free to sign up and is monetized per campaign, priced in USD. Today (Phase 1), campaigns are unlocked for $0 (free/"comped"); no money changes hands. When paid billing launches (Phase 2), payments will be processed by Stripe via its hosted checkout. We never receive or store your full card number. See Sections 4.8 and 7.
9. AI Processing Notice
Your campaign briefs and content — and, for research/outreach features, third-party data — are processed by an AI model to generate proposals. There are two possible providers, selected by the operator:
- Local model (default / now): an Ollama-hosted model (e.g., qwen3) running on the operator's own self-hosted server. With the local provider, your campaign content and third-party data do not leave that machine and are not sent to any external AI company.
- Anthropic Claude API (optional / intended future): if the operator enables it, the full prompt — including campaign content and third-party names/handles/reach — is transmitted over the internet to Anthropic for processing. This is a third-party disclosure and (typically) an international transfer (see Section 10).
Important: every AI output is a proposal only. ORBIT requires human approval before anything is used, and the AI never publishes or sends anything — you do that yourself, manually. We retain a local log of each AI generation (including the prompt and output) for debugging and quality (see Section 4.6 and Section 13).
10. International Data Transfers
The Service is self-hosted by the operator; the primary hosting region is Australia or New Zealand (the operator's own device). Depending on that region and your location, your data may be processed outside your home country, including outside the EEA/UK.
Where ORBIT relies on the local AI model, no AI-related international transfer occurs. If the operator enables the Anthropic Claude API, or when Stripe and the connected platforms (Meta, Pinterest) are used, personal data may be transferred to the United States or other countries. For transfers from the EEA/UK, we rely on appropriate safeguards such as the EU Standard Contractual Clauses (and the UK Addendum / IDTA) and/or applicable adequacy or data-bridge mechanisms. You can request more information at hello@tekanology.com.
11. Your Privacy Rights
11.1 If you are in the EU/EEA or UK (GDPR / UK GDPR)
You have the right to:
- Access — get a copy of the personal data we hold about you;
- Rectification — correct inaccurate or incomplete data;
- Erasure ("right to be forgotten") — ask us to delete your data, subject to legal exceptions;
- Restriction — ask us to limit processing in certain cases;
- Portability — receive certain data in a portable, machine-readable format;
- Object — object to processing based on legitimate interests (Section 5);
- Withdraw consent — where we rely on consent, at any time, without affecting prior processing;
- Not be subject to solely automated decisions with legal or similarly significant effects. ORBIT's AI is decision-support only: it proposes, and a human decides — so no qualifying solely-automated decision-making takes place.
To exercise these rights, email hello@tekanology.com. We will respond within the time limits required by law (generally one month under GDPR). You also have the right to lodge a complaint with your supervisory authority (in the UK, the ICO; in the EU, your local DPA).
Honesty about our current limitations: we are building out automated tools to fulfil these rights. Today, some erasure is partial — for example, deleting a campaign cascades to its research and outreach data, but certain learned/audience data and the immutable audit log persist (see Section 13). If you ask us to erase your data, we will handle it manually and tell you what we cannot delete and why.
11.2 If you are in California (CCPA / CPRA)
This section is our notice at collection and statement of your California rights.
- Categories of personal information we collect: identifiers (email, account/Google ID, IP address); internet/network activity (User-Agent, logs); commercial information (payment references); user content (campaign content, uploads); inferences (your learned "voice"). We may also process sensitive personal information where your campaign content includes it (see Section 4.7).
- Purposes: as described in Section 5.
- Sources and disclosures: as described in Sections 4 and 7.
- We do not "sell" your personal information, and we do not "share" it for cross-context behavioral advertising as those terms are defined under the CPRA. We have not done so in the preceding 12 months.
Your California rights are to know/access, delete, correct, and opt out of sale/sharing (not applicable, as we do not sell or share), plus the right to limit use of sensitive personal information and to non-discrimination for exercising your rights. To exercise them, email hello@tekanology.com. You may use an authorized agent. We will verify your request using your account email.
12. Third-Party Data — Important Notice (You Are the Controller)
ORBIT's research and outreach features generate and store information about people who did not sign up to ORBIT and have not consented: discovered influencers, community admins, sources, outreach contacts, and your friends/family ("personal asks"). The AI also scores some of these people (congruence/fit/risk) and drafts personalized messages addressed to named individuals.
Please read this carefully:
- You are the data controller for the third-party individuals you choose to add, target, or contact. ORBIT acts as your processor for that data. This means you are responsible for having a lawful basis (e.g., legitimate interests with a balancing assessment, or consent) to process and contact them, and for providing any required privacy notice to them (GDPR Articles 13–14).
- Our safeguards are partial. Discovered communities and contacts default to "candidate" (not auto-targeted); approving a community requires you to record an approval basis; marking an outreach contact as "sent" requires you to record a per-recipient consent basis; and a suppression/opt-out list exists. However, these bases are free-text self-attestations recorded by you after the fact — they do not stop the AI from discovering, scoring, or drafting about a third party. The AI's scoring of named non-users happens without notice to those individuals.
- Outreach is contact tooling. Sending the drafts the AI prepares may be subject to anti-spam and electronic-communications laws (e.g., CAN-SPAM, CASL, ePrivacy/PECR). You are responsible for compliance, including honoring opt-outs and suppression requests. Because ORBIT never sends on your behalf, you decide and execute every send.
- Rights of third parties. If a third-party individual contacts us about their data in ORBIT, we will, where feasible, identify the user who controls it and assist that user in responding; we may also restrict or delete the data. Third parties (and you) can reach us at hello@tekanology.com.
If you cannot satisfy these obligations for a given person, do not add or contact them through ORBIT.
13. Data Retention and Deletion
We keep personal data only as long as needed for the purposes above, then delete or anonymize it. Specifics, stated honestly given how the Service currently works:
- Sessions/tokens: access tokens expire in 15 minutes; refresh tokens have a 30-day life, are rotated on use, and are revoked on logout and on password change. Password-reset tokens are single-use and expire in 1 hour.
- Campaign data: deleting a campaign cascades to and removes its drafts, variants, channels, approval records, and its third-party research and outreach data (discovered communities/sources/influencers, outreach contacts, personal asks, donation events). We block permanent deletion of a campaign that has published posts (it can be archived instead).
- Connected-platform data: when you disconnect a platform (Meta / Facebook, Instagram, Pinterest, or WordPress) in Connections, the OAuth tokens and credentials we stored for it are deleted. To delete the data we obtained from Meta or Pinterest specifically, disconnect that platform, or email hello@tekanology.com to delete your account.
- Account data: your account can be soft-deleted (you can no longer log in). A fully automated hard-erasure of all user-linked data is still being built; until then we handle account erasure manually on request to hello@tekanology.com.
- Data that persists after deletion (disclosed for transparency): certain learned "voice"/audience facts and lessons can survive deletion of their source campaign, and the audit and workflow logs are immutable and retained indefinitely (including IP addresses), organized as yearly partitions. We are working to add defined retention windows. If you request erasure, we will tell you specifically what we can and cannot remove and why.
We will set and publish defined retention periods as the Service matures. In the meantime, you can ask us at any time what we hold and request deletion under Section 11.
14. How We Protect Your Data
- Passwords are hashed with bcrypt (12 rounds) and never stored in plaintext.
- OAuth tokens and your WordPress application password are encrypted at the application layer with AES-256-GCM before storage. Limitation: the encryption key is currently derived from an environment-variable secret rather than a dedicated key-management service; the operator intends to move to a managed KMS/secrets manager before any production deployment.
- Refresh tokens and password-reset tokens are stored only as one-way hashes (not in usable form).
- Sessions use short-lived signed JWTs plus rotating, revocable refresh tokens.
- Audit logging records security-relevant actions in an append-only log.
Honest limitations (current early stage): uploaded media is stored on the local filesystem and is not encrypted at rest by the application; refresh tokens stored in the browser are XSS-exposable (Section 6); and the development configuration ships with weak default database credentials that must be changed before any non-local deployment. No security measure is perfect; we cannot guarantee absolute security. We will notify you and any regulator of a personal-data breach where required by law.
15. Children
ORBIT is not intended for children. You must be at least 16 to use the Service (or 13 where permitted by local law, e.g., in the United States under COPPA). We do not knowingly collect personal data from children below these ages. If you believe a child has provided us data, contact hello@tekanology.com and we will delete it.
16. Changes to This Policy
We may update this Policy as the Service evolves — in particular before enabling the Anthropic Claude API or launching paid billing. When we make material changes, we will update the effective date above and, where appropriate, notify you. Your continued use after an update means you accept the revised Policy.
17. Governing Law and Contact
This Policy is governed by the laws of Australia, without prejudice to mandatory data-protection rights you have in your country of residence.
Questions, requests, or complaints? Contact us at hello@tekanology.com (or our DPO/privacy lead at hello@tekanology.com, if appointed).