Last updated: 2026-06-04
Privacy Policy
This document is provided for transparency during our market-testing phase.
1. Who is responsible for your data?
The data controller for Orbis Signal is Jan Wir-Konas (operating as Orbis Signal), based in Germany.
Address: Auf der Dorn 24, 40764 Langenfeld (Rheinland), Germany
Email: contact@orbis-signal.com
We are in a market-testing phase and have not yet formed a registered company. Until then, Jan Wir-Konas is the controller named in this policy. We will update this page if that changes.
We have assessed that appointing a Data Protection Officer (DPO) is not required for our current processing activities. You can still contact us at the email above for any privacy question.
2. What Orbis Signal does
Orbis Signal provides premium daily intelligence briefings on global politics, finance, and technology. We offer individual subscriptions and team (organization) plans. To deliver the service we process account, billing, and limited usage data as described below.
The service is intended for adults. It is not directed at children under 16, and we do not knowingly collect data from children.
3. Lawful bases — what this means
Under the EU General Data Protection Regulation (GDPR), we need a lawful basis for each use of your personal data. Think of it as the legal reason that allows processing. The bases we rely on are:
- Contract (Art. 6(1)(b)) — processing necessary to create and run your account, deliver briefings you subscribed to, send transactional emails (sign-in links, receipts, team invites), and manage team memberships.
- Legal obligation (Art. 6(1)(c)) — processing required by law, for example retaining invoices and tax-related billing records under German commercial and tax law.
- Legitimate interests (Art. 6(1)(f)) — processing that supports security, abuse prevention, service reliability, and anonymous product analytics, where our interests are not overridden by your rights. You may object to legitimate-interest processing (see section 10).
- Consent (Art. 6(1)(a)) — only where we ask explicitly, such as optional product news or marketing emails. You can withdraw consent at any time.
Where we process data on consent, you are not required to give it to use the core paid service. Where processing is based on contract, we cannot provide the service without the relevant data (for example an email address for your account).
4. Personal data we collect
- Account data: email address, optional password (stored as a secure hash), account verification status, sign-in timestamps, authentication method.
- Session and security tokens: hashed single-use tokens for magic links, email verification, team invites, and cross-device sign-in handshakes.
- Billing data: Stripe customer and subscription identifiers, plan type, subscription status, billing email, and for team plans: organization name, legal name, VAT ID, and billing country as entered in checkout.
- Team data: organization membership, role, invitee email addresses (when an admin invites colleagues), and security audit log entries (e.g. who invited whom).
- Feedback: optional cancellation survey responses (reason and short free-text comment).
- Technical data: IP address used for short-lived in-memory rate limiting (not stored in our database), and anonymous analytics events via Vercel Analytics and Speed Insights.
- Cookies and local storage: session cookie, short-lived login handshake cookie, and theme preference cookie — see section 8.
We do not sell your personal data. Editorial briefing content is not personal data about you.
5. Why we use your data
- Provide and secure your account and subscriptions.
- Deliver briefings and enforce access entitlements.
- Process payments and taxes through Stripe.
- Send transactional email (Brevo; bulk team invites via Resend).
- Operate team administration (seats, invites, audit trail).
- Prevent abuse (including trial or invite-code misuse).
- Measure anonymous usage and site performance (Vercel).
- Comply with legal retention duties for invoices and accounting.
6. Service providers (processors)
We use trusted providers that process data on our instructions under data processing agreements (DPAs). DPAs are being finalized with each provider.
- Neon — database hosting (EU region: Frankfurt).
- Vercel — application hosting, scheduled jobs, anonymous analytics and performance monitoring (functions region: EU Frankfurt).
- Stripe — payments, subscriptions, invoicing, and EU tax features.
- Brevo — transactional email (sign-in, verification, receipts).
- Resend — bulk team invitation email.
- Mailjet — internal operational alerts to our team only (not marketing to subscribers).
Stripe and Vercel are groups with US operations. Where data is transferred outside the European Economic Area, we rely on appropriate safeguards such as the EU Standard Contractual Clauses and provider security measures. See section 9.
7. How long we keep data
- Account data: until you ask us to delete your account, subject to legal retention below.
- Magic-link and verification tokens: 15 minutes and 24 hours respectively, then deleted.
- Login handshakes: 15 minutes, then deleted.
- Expired team invites: removed within about 7 days.
- Team security audit logs: up to 24 months, then deleted or anonymized.
- Receipt email delivery log: up to 90 days.
- Bulk invite job results: up to 30 days after completion.
- Invoices and tax records: up to 10 years as required by German tax and commercial law, even after account deletion (personal identifiers may be minimized where possible).
- Server and platform logs: according to Vercel and Neon retention settings, typically rolling windows of days to weeks.
Database backups may briefly retain deleted data until rotated; we document procedures to prevent deleted data from being restored to active systems.
9. International data transfers
We are established in Germany. Primary application and database hosting for production is in the EU (Frankfurt).
Some providers we use are international companies. That means certain support, billing, or infrastructure operations may involve access from the United States or other countries outside the EEA. When that happens, we use GDPR-approved transfer tools (typically Standard Contractual Clauses in the provider's DPA) and we choose EU regions where the product allows it.
In plain terms: your data is mainly stored in Europe; some US-based subprocessors may access limited data to run payments and hosting, under contractual protections.
10. Your rights
Under the GDPR you have the following rights, subject to legal limits:
- Access — request a copy of personal data we hold about you.
- Rectification — ask us to correct inaccurate data.
- Erasure — ask us to delete your data in certain circumstances.
- Restriction — ask us to limit how we use your data.
- Portability — receive data you provided in a machine-readable format where applicable.
- Object — object to processing based on legitimate interests, and always to direct marketing.
- Withdraw consent — where we rely on consent (e.g. marketing opt-in).
- Complain — lodge a complaint with a supervisory authority.
How to exercise your rights: email contact@orbis-signal.com from the email address registered on your account. We use that to verify you own the account. We respond within one month (extendable by two months for complex requests, which we will explain to you).
Self-service download and delete controls in account settings are planned; until then, contact us at the address above.
11. Security
We use technical measures including encrypted connections (TLS), hashed passwords and single-use tokens, signed session cookies, database access controls, and tenant isolation for team data. No method of transmission or storage is 100% secure; we work to improve our safeguards over time.
12. Supervisory authority
You may complain to the data protection authority where you live, work, or where an alleged infringement occurred. In Germany, the federal supervisory authority is the Federal Commissioner for Data Protection and Freedom of Information (BfDI). If you are in North Rhine-Westphalia, you may also contact the State Commissioner for Data Protection and Freedom of Information of North Rhine-Westphalia (LDI NRW).
13. Changes to this policy
We may update this policy when our service, providers, or legal requirements change. We will post the new version on this page with an updated date. Material changes affecting existing users may be communicated by email or in-product notice where appropriate.