Skip to content

Privacy

Private by design, not by marketing copy.

Orbit exists because the people who matter deserve better tools. That only works if the product treats your relationships as yours, not as something to mine, rank, or resell.

At a glance

What the policy really means

  • Local-firstYour relationship data is designed to stay under your control.
  • No ad-techNo advertising trackers, no selling your data, no audience-building games.
  • ExportabilityYou can leave with your information instead of being trapped in Orbit.

1. The short version

Your private relationship database lives on your device. We do not host or have access to that database. Chosen shares, product analytics, crash reports, website forms, and short-lived service logs are explained below. We do not scan your email, messages, or call history. Contacts, calendars, and reminders are used only through features you enable or actions you choose, after you grant system permission. We do not sell, lease, or trade your information to anyone. The rest of this page is the detail.

Orbit is operated by Ludo Leisure Suite Pty Ltd, ACN 695 119 049 ("we", "us", "our"). This policy follows the Australian Privacy Principles (APPs) under the Privacy Act 1988 (Cth).

2. What data Orbit stores, and where

On your device (the source of truth)

Your people, moments, conversations, events, notes, reminders, and relationship context live in a local SQLite database on your device. That database is the source of truth for the app. It is protected by your device's standard operating-system protections, including device locks, biometric unlock where enabled, and platform encryption on iOS and Android.

We do not have a copy. The app does not send this data to an Orbit server, because there is no Orbit server holding it.

Local shares you choose

Orbit creates selected Moments, Context Cards, thinking-of-you messages, event invitations, calendar files, exports, and backup files on your device. It then opens your device's share sheet. The copy goes to the destination you select. It does not pass through an Orbit server.

Nothing leaves through these local share actions until you choose a destination and complete the share. The destination then handles the copy under its own privacy terms.

Hosted RSVP pages

When you choose to publish a hosted RSVP page, Orbit first sends the chosen event to share.orbit.social and creates the hosted page. It then opens your device's share sheet with that link. The hosted record therefore exists even if you cancel the share sheet.

The hosted event stores its Orbit event identifier, title, start and end time, time zone, location, host name, description, and presentation theme and colour style. It does not receive your wider people map, cadence, private Moments, or other events.

A guest response can store the guest's name or a generated guest label, RSVP status, party size, optional email address, phone number or note, reactions if used, and a first-party device identifier that helps the same browser update its response. Depending on the event settings, a shortened display name, response, party size, and note may appear on the public event page. Email addresses and phone numbers are not included in the public RSVP output.

The hosted event starts with a 90-day expiry. Daily cleanup removes the expired event and its related guest RSVP records.

Contacts, Calendar, and Reminders

Contact import, Calendar access, and Reminders require the relevant system permission. Contacts access lets you choose people to import. On iOS, Write back to Contacts is off by default. If you enable it, updating a linked person in Orbit may add a birthday and city or country where the contact does not already hold conflicting details. Supported contact provider builds can also update an Orbit section in the contact's notes. You can turn write-back off again in Orbit's Privacy & access settings.

Show Orbit people in Contacts is a separate contact-source feature for iOS 18 and later. It is off by default and makes Orbit people available to Contacts, Phone, Mail, and Messages only after you turn it on.

With Calendar permission, Orbit can read today's and upcoming events for its calendar surfaces. This can include attendee names and email addresses when Orbit matches a calendar event to a person already in your local database. It can also add an event through a save action you start. With Reminders permission, Orbit can add a follow-up you choose. Contacts, Calendar, and Reminders may sync through the accounts configured on your device. You can revoke their system permissions in your device settings.

Current iCloud backup

Orbit's current iCloud setup is backup-only. The app creates a full backup file called orbit-icloud-backup.json file on your device and opens the share sheet. You choose whether to save it to iCloud Drive or somewhere else. Orbit does not upload it automatically, and live two-way sync is not on. The app records the backup setup state locally; the backup file stays wherever you save it until you delete it there.

3. What we do collect

Section 2 covers data you choose to move through a share, device integration, backup, or hosted RSVP page. Beyond that chosen data, this section lists the operational data we collect.

Product analytics (Expo Insights and Vexo)

We record session counts and a closed, typed list of feature events: wizard completed, person added, conversation logged, share initiated, and similar product milestones. Event metadata is enums and counts only. We do not send person names, moment text, notes, photos, message bodies, contacts, locations, calendar entries, or anything you typed into a field. We see "a person was added," not who.

App performance (EAS Observe)

EAS Observe records app startup timing against the native build or over-the-air update in use. It uses an anonymous install identifier and receives no relationship content. Debug dispatch is disabled.

Crash reporting (Sentry)

If the app crashes, Sentry receives a stack trace so we can fix it. Personally identifiable information is disabled at the SDK level. A beforeSend hook scrubs event bodies before they leave the device. Crash reports are a debugging surface, not a relationship-data surface.

Over-the-air updates (EAS)

We ship JavaScript-only updates through Expo Application Services so we can push bug fixes between store releases. The update channel carries app code to your phone. It does not carry user data back.

Contact, feedback, and launch-update forms (this website)

If you send us a message, share feedback, or ask for launch updates, we collect the email address you give us and the message body. That is stored in a Cloudflare D1 database we operate. We use it to reply to you or to email you when there is news worth your inbox. Nothing else.

Standard server logs

Our website and the share.orbit.social service generate short-lived request logs (IP, user agent, path, timestamp) for security and debugging. These are retained briefly and are not joined to any product analytics.

Website analytics (PostHog)

This website (orbit.social) uses PostHog to count anonymous page views and clicks so we can tell which pages people read and which calls-to-action work. We do not identify visitors. Session recording is disabled. No profile is created unless you are signed into a future logged-in surface and explicitly identified. Browser-level Do Not Track and ad blockers are respected. The PostHog snippet only runs on the marketing website; it is not in the Orbit app itself.

What we never do

No surveillance wrapper around a relationship app.

No inbox scanning

Orbit does not scan your email, messages, or call history. It accesses contacts, calendars, or reminders only when you grant system permission and use or enable the related feature.

No LinkedIn or social scraping

We do not build a social graph from public profiles, and we do not enrich your people from third parties.

No ad networks or trackers

The marketing site and the app do not load advertising pixels, ad SDKs, or third-party trackers beyond what is listed in section 3.

No background social intel

We do not tell you "your contact got promoted" or scrape news about the people in your circle. That is not what this product is.

No data resale

We do not sell, lease, rent, or trade your personal information to anyone, under any circumstances.

No team or org features

Orbit is single-player by design. There is no "see who in your company knows whom" surface to leak data through.

4. How long we keep data

  • On-device data. For as long as you keep the app installed. Delete the app and the local database goes with it. There is no server copy of that private database. Data separately shared to a hosted RSVP page follows the retention period below.
  • Backup and export files. Kept wherever you choose to save them, including iCloud Drive if you select it in the share sheet. That destination's retention rules apply, and you delete the files there.
  • Hosted RSVP pages and guest responses. The event and its related RSVP records expire 90 days after the hosted page is created. A daily cleanup removes expired records. The first-party device identifier cookie used for returning RSVPs can remain in a guest's browser for up to one year. After an event expires, that cookie no longer links to the deleted event or its RSVP records.
  • Product analytics. Aggregated session counts and feature-event counts are retained per Expo Insights and Vexo defaults. Individual session data is short-lived; aggregated counts are kept for trend analysis.
  • Crash reports. Retained for 30 days, then deleted.
  • Contact, feedback, or launch-update email. Kept until you ask us to delete it, or until you opt out of future emails. Routine purges happen on quiet records.
  • Server logs. Retained for a short window (typically up to 30 days) for security and debugging, then rotated out.

5. Australian Privacy Principles

We handle personal information under the Australian Privacy Principles in the Privacy Act 1988 (Cth). The principles we actually touch, and how we approach each one:

  • APP 1 (open and transparent management). This page is the management statement. It is public, dated, and written to be understood.
  • APP 2 (anonymity and pseudonymity). The app does not require an account. Use Orbit without telling us who you are.
  • APP 3 (collection of solicited personal information). We only collect what section 3 lists. We do not collect sensitive information.
  • APP 4 (unsolicited personal information). If something arrives unsolicited (for example, an email with content we did not ask for), we destroy or de-identify it where lawful.
  • APP 5 (notification of collection). Collection points (contact, feedback, launch-update, support, and in-app analytics surfaces) are visible at the point of collection.
  • APP 6 (use and disclosure). We use information for the purpose collected. We do not disclose it for unrelated purposes without your consent or a lawful exception.
  • APP 7 (direct marketing). We do not run advertising. If you give us an email to hear product news, you can opt out in any message we send.
  • APP 8 (cross-border disclosure). Some service providers (Expo, Vexo, Sentry, Cloudflare, PostHog) process data outside Australia. We pick vendors with comparable privacy standards and limit what they receive (see section 3).
  • APP 9 (government-related identifiers). We do not collect or use government identifiers.
  • APP 10 (quality). Because most of your data lives on your device and is authored by you, you control its accuracy. For data we hold (contact, feedback, launch-update, and support messages), you can ask us to correct it.
  • APP 11 (security). On-device data is protected by operating-system encryption on iOS and Android. Data in transit uses TLS. Vendor surfaces are kept narrow and configured to minimise what we ever see.
  • APP 12 (access). You can ask us what we hold about you. See section 6.
  • APP 13 (correction). You can ask us to correct it. See section 6.
  • Notifiable Data Breaches scheme. If an eligible data breach occurs, we will notify affected individuals and the Office of the Australian Information Commissioner (OAIC) as required.

6. Your rights

You can ask us to:

  • Access the personal information we hold about you. We will respond within 30 days.
  • Correct anything that is wrong. We will action corrections within 7 days of receiving written notice.
  • Delete what we hold (contact, feedback, launch-update, support correspondence, and hosted RSVP data we can verify). On-device data you delete yourself by removing it in the app or uninstalling.
  • Opt out of any future emails.
  • Complain about how we have handled your information.

For general questions: hello@orbit.social.

For data access, correction, or deletion requests: support@orbit.social.

If you are not satisfied with our response, you can escalate to the Office of the Australian Information Commissioner (OAIC) at oaic.gov.au or 1300 363 992.

7. Data you choose to share

A Moment, Context Card, thinking-of-you message, event invitation, calendar file, export, or backup shared through your device stays local until you choose a destination in the share sheet. The copy then lives with that person, app, or storage provider under their privacy rules.

An RSVP link works differently. Orbit creates the hosted page on share.orbit.social before the share sheet opens. Cancelling the share sheet does not remove that hosted record. It remains until its 90-day expiry unless you ask us to remove it sooner.

A device integration also moves, copies, or exposes data across Orbit's boundary when you import a contact, update a linked contact, expose the optional iOS 18 contact source, add a calendar event, or add a reminder. The device service and any account connected to it then apply their own privacy and retention settings.

8. Contact

Orbit is published by:

Ludo Leisure Suite Pty Ltd
ACN 695 119 049
1044A/1046A Dandenong Rd, Carnegie VIC 3163, Australia

General: hello@orbit.social
Data requests and support: support@orbit.social

You can also use the form on this page (see Need a direct answer?) or the support page.

9. Updates to this policy

We will update this page when the product or our processors change. If a change materially affects what we collect or how we use it, we will surface the change on the website and, where we have an email for you, in an email. The date below is the source of truth for the current version.

Last updated: 11 July 2026