Legal

Privacy Policy

Last updated: January 15, 2025

Introduction

OrbitaHR, Inc. ('OrbitaHR', 'we', 'us', or 'our') operates the OrbitaHR HRMS platform (the 'Service'). This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our Service. Please read this policy carefully. If you disagree with its terms, please discontinue use of the Service. We reserve the right to make changes to this policy at any time. We will alert you about any changes by updating the 'Last updated' date.

Data We Collect

We collect information you provide directly to us, such as when you create an account, import employee data, or contact support. This includes: personal identifiers (name, email, employee ID); employment data (department, role, salary, attendance records); device and usage data (IP address, browser type, pages visited); and communication data (support tickets, chat messages). We do not sell personal data to third parties under any circumstances.

How We Use Data

We use the information we collect to: provide, maintain, and improve the Service; process payroll and HR transactions on your behalf; send transactional and service communications; enforce our terms and policies; comply with legal obligations; and generate aggregated, anonymized analytics that cannot identify individual users. We process tenant employee data solely as a data processor acting on your instructions as data controller.

Data Sharing

We may share your information with: service providers who assist in our operations (AWS, Stripe, SendGrid) under strict data processing agreements; professional advisors (lawyers, accountants) under confidentiality obligations; law enforcement or government bodies when required by valid legal process; and successors in a merger or acquisition, with advance notice to you. We never share personally identifiable employee data for advertising or marketing purposes.

Data Retention

We retain account data for the duration of your subscription plus 90 days after cancellation, during which you may export your data. After this period, we permanently delete all workspace data from our systems within 30 days. Backup copies may persist for up to an additional 60 days in encrypted form. You may request earlier deletion by contacting privacy@orbitahr.app.

Security

OrbitaHR is SOC 2 Type II certified. We implement AES-256 encryption at rest, TLS 1.3 in transit, role-based access controls, multi-factor authentication options, continuous intrusion monitoring, and annual third-party penetration tests. Our security status page is publicly available. In the event of a data breach affecting your workspace, we will notify you within 72 hours as required by GDPR and applicable laws.

Your Rights

Depending on your jurisdiction, you may have the right to: access the personal data we hold about you; correct inaccurate data; request deletion ('right to be forgotten'); restrict or object to processing; data portability (receive your data in a machine-readable format); and withdraw consent at any time. To exercise these rights, contact privacy@orbitahr.app. We will respond within 30 days. EU residents may also lodge a complaint with their local supervisory authority.

Cookies

We use essential cookies to authenticate sessions and remember preferences. We use analytics cookies (with your consent) to understand how the Service is used. We do not use advertising cookies. You can control cookie preferences in your browser settings or through our cookie consent banner. Disabling essential cookies may affect Service functionality.

Contact Us

If you have questions about this Privacy Policy or our data practices, please contact our Data Protection Officer at: privacy@orbitahr.app. OrbitaHR, Inc., 340 Pine Street, San Francisco, CA 94104, United States. For EU/EEA inquiries, you may also contact our EU Representative at eu-privacy@orbitahr.app.