Privacy
Private by design, not by marketing copy.
Orbit exists because the people who matter deserve better tools. That only works if the product treats your relationships as yours, not as something to mine, rank, or resell.
Privacy
Orbit exists because the people who matter deserve better tools. That only works if the product treats your relationships as yours, not as something to mine, rank, or resell.
Your private relationship database lives on your device. We do not host or have access to that database. Chosen shares, product analytics, crash reports, website forms, and short-lived service logs are explained below. We do not scan your email, messages, or call history. Contacts, calendars, and reminders are used only through features you enable or actions you choose, after you grant system permission. We do not sell, lease, or trade your information to anyone. The rest of this page is the detail.
Orbit is operated by Ludo Leisure Suite Pty Ltd, ACN 695 119 049 ("we", "us", "our"). This policy follows the Australian Privacy Principles (APPs) under the Privacy Act 1988 (Cth).
Your people, moments, conversations, events, notes, reminders, and relationship context live in a local SQLite database on your device. That database is the source of truth for the app. It is protected by your device's standard operating-system protections, including device locks, biometric unlock where enabled, and platform encryption on iOS and Android.
We do not have a copy. The app does not send this data to an Orbit server, because there is no Orbit server holding it.
Orbit creates selected Moments, Context Cards, thinking-of-you messages, event invitations, calendar files, exports, and backup files on your device. It then opens your device's share sheet. The copy goes to the destination you select. It does not pass through an Orbit server.
Nothing leaves through these local share actions until you choose a destination and complete the share. The destination then handles the copy under its own privacy terms.
When you choose to publish a hosted RSVP page, Orbit first sends the chosen event to share.orbit.social and creates the hosted page. It then opens your device's share sheet with that link. The hosted record therefore exists even if you cancel the share sheet.
The hosted event stores its Orbit event identifier, title, start and end time, time zone, location, host name, description, and presentation theme and colour style. It does not receive your wider people map, cadence, private Moments, or other events.
A guest response can store the guest's name or a generated guest label, RSVP status, party size, optional email address, phone number or note, reactions if used, and a first-party device identifier that helps the same browser update its response. Depending on the event settings, a shortened display name, response, party size, and note may appear on the public event page. Email addresses and phone numbers are not included in the public RSVP output.
The hosted event starts with a 90-day expiry. Daily cleanup removes the expired event and its related guest RSVP records.
Contact import, Calendar access, and Reminders require the relevant system permission. Contacts access lets you choose people to import. On iOS, Write back to Contacts is off by default. If you enable it, updating a linked person in Orbit may add a birthday and city or country where the contact does not already hold conflicting details. Supported contact provider builds can also update an Orbit section in the contact's notes. You can turn write-back off again in Orbit's Privacy & access settings.
Show Orbit people in Contacts is a separate contact-source feature for iOS 18 and later. It is off by default and makes Orbit people available to Contacts, Phone, Mail, and Messages only after you turn it on.
With Calendar permission, Orbit can read today's and upcoming events for its calendar surfaces. This can include attendee names and email addresses when Orbit matches a calendar event to a person already in your local database. It can also add an event through a save action you start. With Reminders permission, Orbit can add a follow-up you choose. Contacts, Calendar, and Reminders may sync through the accounts configured on your device. You can revoke their system permissions in your device settings.
Orbit's current iCloud setup is backup-only. The app creates a full backup file called orbit-icloud-backup.json file on your device and opens the share sheet. You choose whether to save it to iCloud Drive or somewhere else. Orbit does not upload it automatically, and live two-way sync is not on. The app records the backup setup state locally; the backup file stays wherever you save it until you delete it there.
Section 2 covers data you choose to move through a share, device integration, backup, or hosted RSVP page. Beyond that chosen data, this section lists the operational data we collect.
We record session counts and a closed, typed list of feature events: wizard completed, person added, conversation logged, share initiated, and similar product milestones. Event metadata is enums and counts only. We do not send person names, moment text, notes, photos, message bodies, contacts, locations, calendar entries, or anything you typed into a field. We see "a person was added," not who.
EAS Observe records app startup timing against the native build or over-the-air update in use. It uses an anonymous install identifier and receives no relationship content. Debug dispatch is disabled.
If the app crashes, Sentry receives a stack trace so we can fix it. Personally identifiable information is disabled at the SDK level. A beforeSend hook scrubs event bodies before they leave the device. Crash reports are a debugging surface, not a relationship-data surface.
We ship JavaScript-only updates through Expo Application Services so we can push bug fixes between store releases. The update channel carries app code to your phone. It does not carry user data back.
If you send us a message, share feedback, or ask for launch updates, we collect the email address you give us and the message body. That is stored in a Cloudflare D1 database we operate. We use it to reply to you or to email you when there is news worth your inbox. Nothing else.
Our website and the share.orbit.social service generate short-lived request logs (IP, user agent, path, timestamp) for security and debugging. These are retained briefly and are not joined to any product analytics.
This website (orbit.social) uses PostHog to count anonymous page views and clicks so we can tell which pages people read and which calls-to-action work. We do not identify visitors. Session recording is disabled. No profile is created unless you are signed into a future logged-in surface and explicitly identified. Browser-level Do Not Track and ad blockers are respected. The PostHog snippet only runs on the marketing website; it is not in the Orbit app itself.
Orbit does not scan your email, messages, or call history. It accesses contacts, calendars, or reminders only when you grant system permission and use or enable the related feature.
We do not build a social graph from public profiles, and we do not enrich your people from third parties.
The marketing site and the app do not load advertising pixels, ad SDKs, or third-party trackers beyond what is listed in section 3.
We do not tell you "your contact got promoted" or scrape news about the people in your circle. That is not what this product is.
We do not sell, lease, rent, or trade your personal information to anyone, under any circumstances.
Orbit is single-player by design. There is no "see who in your company knows whom" surface to leak data through.
We handle personal information under the Australian Privacy Principles in the Privacy Act 1988 (Cth). The principles we actually touch, and how we approach each one:
You can ask us to:
For general questions: hello@orbit.social.
For data access, correction, or deletion requests: support@orbit.social.
If you are not satisfied with our response, you can escalate to the Office of the Australian Information Commissioner (OAIC) at oaic.gov.au or 1300 363 992.
Orbit is published by:
Ludo Leisure Suite Pty Ltd
ACN 695 119 049
1044A/1046A Dandenong Rd, Carnegie VIC 3163, Australia
General: hello@orbit.social
Data requests and support: support@orbit.social
You can also use the form on this page (see Need a direct answer?) or the support page.
We will update this page when the product or our processors change. If a change materially affects what we collect or how we use it, we will surface the change on the website and, where we have an email for you, in an email. The date below is the source of truth for the current version.
Last updated: 11 July 2026