01 Introduction
OrbitWise ("we," "our," or "us") operates an AI-powered advertising platform. This Privacy Policy explains how we collect, use, store, share, and protect personal data when you use our platform or interact with our services.
This policy applies to all users of OrbitWise, including advertisers, publishers, and visitors to our website. It is compliant with:
- GDPR — EU General Data Protection Regulation (EU) 2016/679
- CCPA — California Consumer Privacy Act (Cal. Civ. Code § 1798.100 et seq.)
- TCF 2.2 — IAB Europe Transparency & Consent Framework
- ePrivacy Directive — EU Directive 2002/58/EC (Cookie Law)
By accessing or using OrbitWise, you acknowledge that you have read and understood this Privacy Policy. If you do not agree, you must discontinue use of the Platform.
02 Data We Collect
2.1 Account & Identity Data
When you register for an account, we collect:
- Full name and email address
- Password (stored as a cryptographic hash — never in plain text)
- Company or organisation name
- Account role (advertiser or publisher)
- IP address at time of registration
2.2 Billing & Financial Data
- Billing address and VAT/tax registration number (where applicable)
- Payment card details are not stored by OrbitWise — all payment processing is handled by PCI-DSS Level 1 compliant payment processors
- Transaction history, invoice records, and balance information
2.3 Campaign & Performance Data
When you create and manage campaigns, we collect and process:
- Campaign configurations, budgets, targeting parameters, and scheduling
- Ad creatives (text, image URLs, video URLs, and HTML5 assets)
- Performance metrics: impressions, clicks, conversions, spend, ROAS
- Bid request signals and auction event logs (retained in aggregated form)
- Attribution data and conversion event payloads
2.4 Technical & Usage Data
We automatically collect:
- IP address, device type, browser type and version, operating system
- Pages visited, features used, session duration, and clickstream data
- API access logs, request timestamps, and response codes
- Error reports and crash diagnostics (anonymised before analysis)
- Cookies, pixel tags, and similar tracking technologies (see Section 8)
2.5 End-User Advertising Data (RTB)
When serving ads to end users via real-time bidding (RTB) infrastructure, we may process pseudonymous bid signals including:
- Pseudonymous device identifiers (hashed, not linked to named individuals)
- Approximate geolocation (country and city level only)
- Content category of the publisher page
- User-agent string and connection type
All RTB data processing is conducted under TCF 2.2 consent signals. We do not create individual user profiles for end users of publisher sites.
03 How We Use Your Data
We process your personal data only where we have a lawful basis. Our processing activities and their corresponding legal bases are:
- Service delivery — Processing your transactions, operating your account, and running your campaigns (contractual necessity)
- Fraud detection & traffic quality — Detecting and preventing invalid traffic, click fraud, and platform abuse (legitimate interest)
- Platform improvement — Analysing aggregated usage data to improve features, performance, and reliability (legitimate interest)
- Customer support — Responding to enquiries and resolving disputes (contractual necessity)
- Legal compliance — Meeting tax, accounting, and regulatory obligations (legal obligation)
- Marketing communications — Sending product updates and relevant offers to existing customers (legitimate interest; opt-out available at any time)
We do not sell your personal data. We do not use your data for purposes incompatible with those stated above without your prior consent.
05 Your Privacy Rights
5.1 GDPR Rights (EEA / UK Users)
If you are located in the European Economic Area, the United Kingdom, or Switzerland, you have the following rights under the GDPR:
- Right of Access (Art. 15) — Request a copy of the personal data we hold about you
- Right to Rectification (Art. 16) — Request correction of inaccurate or incomplete data
- Right to Erasure (Art. 17) — Request deletion of your personal data ("right to be forgotten"), subject to legal retention obligations
- Right to Data Portability (Art. 20) — Receive your data in a structured, machine-readable format
- Right to Object (Art. 21) — Object to processing based on legitimate interests
- Right to Restrict Processing (Art. 18) — Request that we limit how we use your data in certain circumstances
- Right to Withdraw Consent — Where processing is based on consent, withdraw it at any time without affecting prior processing
5.2 CCPA Rights (California Residents)
- Right to Know — Request disclosure of categories and specific pieces of personal information collected, used, or shared
- Right to Delete — Request deletion of personal information subject to certain exceptions
- Right to Opt-Out — Opt out of the sale of personal information. We do not sell personal information.
- Right to Non-Discrimination — Exercise your privacy rights without receiving discriminatory treatment
5.3 Exercising Your Rights
To exercise any of these rights:
- Email privacy@orbitwise.io — we respond within 30 days (GDPR) or 45 days (CCPA)
- Use the data management tools in your account settings
We may need to verify your identity before processing certain requests. We will not charge a fee for reasonable requests.
06 Data Security
We implement appropriate technical and organisational measures to protect your personal data against unauthorised access, alteration, disclosure, or destruction:
- Encryption in transit — All data is transmitted over TLS 1.3+ (HTTPS enforced)
- Encryption at rest — Sensitive data is encrypted at rest using AES-256
- Access controls — Role-based access controls; principle of least privilege enforced
- Password security — Passwords are hashed using bcrypt; never stored in plain text
- Rate limiting & DDoS protection — All API endpoints are rate-limited; DDoS mitigation is active
- Security monitoring — Continuous monitoring for anomalous access patterns and intrusion attempts
- Penetration testing — Regular third-party security assessments
- Incident response — Data breach notification to supervisory authorities within 72 hours as required by GDPR Art. 33
07 Data Retention
We retain personal data for the minimum period necessary to fulfil the purposes for which it was collected, subject to legal obligations:
- Account data — Retained for the duration of your account plus 30 days after deletion request
- Financial records — Retained for 7 years as required by tax and accounting regulations
- Campaign performance data — Retained for 2 years; may be anonymised for aggregate analytics thereafter
- Security logs — Retained for 90 days for fraud investigation purposes
- RTB bid signals — Not retained beyond 7 days; aggregated metrics are retained
You may request deletion of your data at any time through your account settings or by contacting privacy@orbitwise.io. Certain data may be retained where required by law or legitimate business interest.
09 International Transfers
Your data may be transferred to and processed in countries outside your country of residence, including countries outside the European Economic Area. We ensure appropriate safeguards are in place:
- Standard Contractual Clauses (SCCs) — EU Commission-approved clauses are in place with all relevant sub-processors
- Data Processing Agreements (DPAs) — Executed with all sub-processors that process personal data on our behalf
- Adequacy decisions — Where available, we rely on European Commission adequacy decisions for recipient countries
10 Children's Privacy
The OrbitWise Platform is not directed at individuals under the age of 18. We do not knowingly collect personal information from children. If you believe we have inadvertently collected data from a child under 18, please contact us immediately at privacy@orbitwise.io and we will take prompt steps to delete such data.
11 Policy Changes
We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or for other operational reasons. Material changes will be communicated to you via email and via a prominent notice on the Platform, with at least 14 days' advance notice.
We encourage you to review this policy periodically. The "Last updated" date at the top of this page indicates when the policy was most recently revised.
12 Contact & DPO
For privacy-related questions, requests, or complaints, please contact us through the channels below. We aim to respond to all requests within 30 days.
Orbitwise OÜ
Tartu mnt 25-4, Kesklinna linnaosa
10117 Tallinn, Harju maakond, Estonia
privacy@orbitwise.io
dpo@orbitwise.io
support@orbitwise.io
Supervisory Authority
As an Estonian-registered entity, our lead supervisory authority is the Estonian Data Protection Inspectorate (Andmekaitse Inspektsioon). If you are located in another EEA country and believe we have not adequately addressed your privacy concerns, you also have the right to lodge a complaint with your local data protection supervisory authority. A list of national authorities can be found on the European Data Protection Board website.
This Privacy Policy is compliant with GDPR (EU Regulation 2016/679), CCPA (California Civil Code Section 1798.100 et seq.), and the IAB Europe TCF 2.2. Last revised: February 19, 2026.