./legal/privacy
Privacy Policy
Last updated: 26 May 2026. We may update this Privacy Policy from time to time; material changes will be communicated to active customers in advance.
1. Controller
Daniel Schemann
Triebelsheide 37b
42111 Wuppertal, Germany
Phone: +49 (0)202 393 536 6
E-mail: [email protected]
2. Scope
This Privacy Policy applies to the following offerings:
- the marketing website at orboto.io and all language sub-paths
- the Customer Portal at account.orboto.io (account management, subscription, billing)
- the orboto Cloud tenant instances at *.orbo.to or on customer-owned domains
- the orboto Mail Service (OMS) as an add-on for transactional e-mail
- the Status Page at status.orboto.io
Not in scope: self-hosted orboto instances ("Self-Host" under the orboto Sustainable Use License or Enterprise License). If you run orboto on your own infrastructure, you are the data controller in your own right and need your own privacy policy.
3. Principles
We process personal data only where necessary to provide our services or where another legal basis applies (Art. 6 GDPR). We follow the principles of data minimisation, purpose limitation, transparency, and storage limitation.
4. Processing When You Visit the Website (orboto.io)
4.1 Server log data
Visiting the website causes us to process technically necessary data:
- Date and time of access
- URL accessed
- User agent
- Referrer URL (if transmitted)
- IP address (truncated after 7 days)
Purpose: providing the website, detecting attacks, maintaining stability.
Legal basis: Art. 6 (1) f GDPR (legitimate interest in a functioning web service).
Retention: rolling 30 days, then deleted.
4.2 Waitlist sign-up
If you sign up for the waitlist, you submit:
- E-mail address (required)
- Full name (required)
- Company name (optional)
- Feature interests (optional, multi-select)
- Marketing consent (optional, double opt-in)
Purpose: notification when the service becomes available, optionally additional product updates.
Legal basis: Art. 6 (1) b GDPR (pre-contractual measure) and, for marketing consent, Art. 6 (1) a GDPR.
Retention: until unsubscribe; in case of inactivity, 24 months after the last interaction.
Sign-up uses a double opt-in process: you receive a confirmation e-mail with a link. You are only added to the waitlist after clicking that link.
4.3 Cookies
We use only technically necessary cookies (session cookies for authentication, CSRF protection, language preference). We do not use tracking, analytics, or marketing cookies. We therefore do not display a consent banner - the legal obligation only applies to non-essential cookies.
Legal basis: § 25 (2) Nr. 2 TTDSG (German Telecommunications-Telemedia Data Protection Act - technically necessary cookies may be used without consent).
5. Processing in the Customer Portal (account.orboto.io)
5.1 Account data
On registration we process:
- E-mail address
- Full name
- Password (stored as Argon2id hash only, never in plain text)
- TOTP secret if two-factor authentication is enabled (encrypted)
- Company name and billing address for invoicing
- VAT-ID (for B2B customers)
Purpose: account management, contract performance, billing.
Legal basis: Art. 6 (1) b GDPR (contract performance).
Retention: for the duration of the active customer relationship, plus 10 years for invoicing data per § 147 AO (German Tax Code) and § 257 HGB (German Commercial Code).
5.2 Payment data
Payments are processed by our Merchant-of-Record (MoR) payment partner. The MoR is the contractual partner for the payment; we only receive notification of successful / failed payments and pseudonymous identifiers. Credit card data, IBAN, or other payment instruments are not known to us - they remain with the MoR. The current MoR is identified in the Customer Portal under Settings → Billing and reflected in Annex A of the Terms & Conditions.
Legal basis: Art. 6 (1) b GDPR (contract performance) and Art. 6 (1) c GDPR (compliance with tax obligations).
6. Processing in the Cloud Tenant Instance
When you use orboto Cloud we process the content you and your workspace members create in the product:
- Tickets, comments, attachments, documents (within the workspace)
- Member data (name, e-mail, role)
- Audit log entries (who changed what when)
- Telemetry data of the workspace instance (performance metrics, no content)
- AI usage logs for AI features (token usage, no prompt content beyond what is necessary)
Purpose: providing the productivity tool, audit security, billing of AI usage.
Legal basis: Art. 6 (1) b GDPR (contract performance) and Art. 6 (1) f GDPR (legitimate interest in security / audit).
Retention:
- Workspace content: during active subscription; after cancellation a 90-day grace period with export option, then hard delete
- Audit log: Cloud Team 30 days, Cloud Business 90 days, Enterprise configurable up to 24 months
- AI usage logs: 12 months
- Telemetry: raw data 30 days, aggregated data 12 months
- Backups: rolling 30 days
7. Processing in the orboto Mail Service (OMS) Add-on
If you book the OMS add-on, you send transactional e-mails through us. We process:
- Recipient e-mail address
- Sender address
- Subject and content of the e-mail (required for delivery, not persistently logged)
- Send metadata (timestamps, delivery status, bounce / complaint events)
Purpose: delivery of customer e-mails to their recipients.
Legal basis: Art. 6 (1) b GDPR (contract performance). The customer is the controller in relation to their recipients; we are processor in the OMS context.
Retention:
- E-mail content: not persistently logged (only transient for delivery)
- Send metadata and headers: 30 days
- Bounce / complaint events: 90 days (reputation protection)
E-mail send-out happens via AWS SES, primary region eu-central-1 (Frankfurt), failover eu-west-1 (Dublin).
8. Sub-Processors
We use the following sub-processors. This list will form part of the data processing agreement (Terms § 10 / Annex A) once the Terms & Conditions are published; it is updated when changes occur.
| Provider | Location | Purpose | Transfer |
|---|---|---|---|
| IONOS SE | Karlsruhe, DE | Server hosting (Coolify) | EU/EEA |
| Hetzner Online GmbH | Gunzenhausen, DE | Server hosting (Coolify) | EU/EEA |
| Alwyzon e.U. | Vienna, AT | Tenant object storage | EU/EEA |
| Amazon Web Services EMEA SARL | Luxembourg | AWS SES for transactional e-mail (OMS only) | EU regions (FRA + DUB), SCC |
| Active payment Merchant-of-Record (current vendor identified in Customer Portal → Settings → Billing) | EU/EEA or US, depending on active vendor | Merchant-of-Record, payment processing, VAT remittance | varies; safeguards disclosed in ToS Annex A |
| Cloudflare, Inc. | San Francisco, US | DNS resolution only (no CDN, no WAF) | US, SCC + DPF |
| Functional Software, Inc. (Sentry) | San Francisco, US | Error tracking (stack traces, technical metadata) | US, SCC + DPF |
9. International Data Transfers
Our primary processing happens within Germany and the EU (IONOS, Hetzner, AWS EU regions; the active payment Merchant-of-Record is selected by us with EU/EEA establishment wherever possible). Transfers to third countries occur only with US sub-processors (Cloudflare for DNS, Sentry for error tracking, and certain payment Merchant-of-Record vendors if a US-established vendor is active). For those, EU Standard Contractual Clauses (Art. 46 (2) c GDPR) and / or the EU-US Data Privacy Framework apply.
10. Security Measures
We take appropriate technical and organisational measures to protect your data:
- Encryption in transit: TLS 1.2+ for all connections
- Encryption at rest: sensitive data (API keys, OAuth tokens, encryption keys) are AES-256-GCM encrypted
- Password hashing: Argon2id with project-wide pepper
- Backup: daily encrypted backups, rolling 30-day retention
- Access restriction: need-to-know principle; admin access logged
- Audit log: all administrative actions and data accesses logged
- Updates: timely application of security-relevant patches
A detailed list of technical and organisational measures (TOMs) will be published as Annex B of the Terms & Conditions once those clear legal review.
11. Data Subject Rights
Under the GDPR you have the following rights:
- Access (Art. 15) to the personal data we process about you
- Rectification (Art. 16) of incorrect data
- Erasure (Art. 17, "right to be forgotten")
- Restriction of processing (Art. 18)
- Data portability (Art. 20) in a machine-readable format
- Objection (Art. 21) to processing
- Withdrawal of given consents (e.g. marketing consent) at any time for the future
To exercise these rights, a message to [email protected] suffices. We respond within one month (Art. 12 (3) GDPR).
Account deletion: you can delete your account at any time in the Customer Portal under Settings → Delete Account. After initiation a 90-day grace period with export option runs; thereafter your account and all associated workspace data are irreversibly deleted.
12. Right to Lodge a Complaint
You have the right to lodge a complaint with a data protection supervisory authority. The competent authority for our registered office:
Landesbeauftragte für Datenschutz und Informationsfreiheit Nordrhein-Westfalen
Kavalleriestraße 2–4
40213 Düsseldorf, Germany
13. Data Protection Officer
We are not legally required to appoint a Data Protection Officer (fewer than 20 persons regularly engaged in processing personal data, § 38 BDSG). For data protection enquiries, please contact [email protected].
14. Minimum Age
Our service is intended for users aged 16 years and older. For children under 16, parental consent is required per Art. 8 GDPR. As orboto is primarily a B2B productivity tool, we assume our users act in a professional context.
15. California and US State Privacy Rights
If you are a resident of California, Virginia, Colorado, Connecticut, Texas, Utah, or another US state with a comprehensive privacy law, you have additional rights regarding personal information we collect about you.
15.1 We Do Not Sell Personal Information
We do not sell personal information as defined by the California Consumer Privacy Act (CCPA / CPRA) or any equivalent US state privacy law. We do not engage in "sharing" of personal information for cross-context behavioural advertising. We do not use targeted advertising or sell behavioural data to third parties.
15.2 Your Rights as a California Resident
Under the CCPA / CPRA, California residents have the right to:
- Right to Know: request the categories of personal information we collect about you, the sources, the purposes, and the categories of recipients with whom we share it
- Right to Access: request a copy of the specific pieces of personal information we hold about you
- Right to Delete: request deletion of your personal information, subject to legal retention obligations (e.g. tax-record retention)
- Right to Correct: request correction of inaccurate personal information
- Right to Opt-Out of Sale / Sharing: we do not sell or share personal information, so opting out has no practical effect - but you may submit the request anyway and we will record it
- Right to Limit Use of Sensitive Personal Information: we do not use sensitive personal information for inferential purposes beyond what is necessary to provide the service
- Right of Non-Discrimination: we will not discriminate against you for exercising your privacy rights (e.g. by charging different prices or providing inferior service)
15.3 Other US States
Residents of Virginia (VCDPA), Colorado (CPA), Connecticut (CTDPA), Texas (TDPSA), Utah (UCPA), and other states with comprehensive privacy laws have substantially similar rights. We apply the same Right to Know / Access / Delete / Correct process for all US residents to keep things simple.
15.4 How to Exercise Your Rights
Send your request to [email protected] with:
- State of residence
- Specific right you wish to exercise
- Account e-mail address or other identifier we use to associate the request with your records
We respond within 45 days (extendable by an additional 45 days where necessary and with notice). We verify your identity through reasonable means before fulfilling access or deletion requests.
15.5 Authorized Agents
You may designate an authorized agent to submit requests on your behalf. The agent must provide written authorization signed by you, and we may require you to verify your identity directly before fulfilling the request.
15.6 Children's Privacy (US)
Our service is not directed at children under 13 (US COPPA) or under 16 (EU GDPR). We do not knowingly collect personal information from children below these ages. If you believe a child has provided us with personal information, contact [email protected] and we will delete it promptly.
16. Changes to This Privacy Policy
We may update this Privacy Policy to reflect changes in the law or in our services. Substantive changes will be communicated by e-mail to all active customers with reasonable advance notice. The current version is always available at orboto.io/legal/privacy.