Privacy Policy
This Privacy Policy explains what personal information OrbitBoard collects, how we use it, who we share it with, and the rights you have over it. It applies to the marketing site at orbitboard.ai, the app at app.orbitboard.ai, and the inbound-email service at boards.orbitboard.ai.
At a glance
| What | Why | Who we share it with | How long |
|---|---|---|---|
| Account profile (email, name, avatar) from Google or GitHub | So you can sign in and we know who you are | Google Cloud (hosting), Google or GitHub (sign-in) | While your account exists, plus 30 days |
| Content you create (boards, tasks, attachments, notes) | To provide the service | Google Cloud (hosting); OpenAI / Anthropic when you use AI features | Until you delete it, plus 30 days |
| AI prompts and voice audio | To power AI ticket generation, voice input, and digests | OpenAI (always for voice), Anthropic (when configured), LangSmith (for debugging) | Voice audio: not retained after transcription. Prompts and responses: with the chat or ticket they relate to |
| Inbound email forwarded to a board address | To turn the email into a ticket | Mailgun (parsing), OpenAI / Anthropic (AI summarization) | With the resulting ticket |
| Technical data (IP, user-agent, request logs) | To run, secure, and debug the service | Google Cloud (logs stay in our cluster) | 30 days |
1. Who we are
OrbitBoard is operated by [FILL IN: Douglas Riches], a sole proprietor based in Ontario, Canada, doing business as OrbitBoard ("OrbitBoard", "we", "us", "our"). Mailing address: [FILL IN: Ontario service address].
The person responsible for personal-information protection under PIPEDA is [FILL IN: Douglas Riches], reachable at privacy@orbitboard.ai.
2. What information we collect
2.1 Account and profile information
When you sign in with Google or GitHub, we receive your email address, display name, profile photo URL, and provider account ID. We request only the OAuth scopes we need: profile and email from Google; user:email from GitHub. We do not receive your password, your Google or GitHub social graph, or access to any other Google or GitHub data.
After signing in, you may set a handle (username) and adjust settings; both are stored on your account.
2.2 Content you create
When you use the service, you create boards, lanes, issues, tasks, notes, comments, attachments (up to 25 MB each), authored documents, and custom AI agents. We store this content so we can show it back to you and your collaborators. You are the owner of your content.
2.3 AI prompts and voice
When you use AI features (ticket generation, AI chat, voice input, voice readback, document authoring agent, board agent, custom agents), the text or audio you provide is sent to one or more AI providers — see §5 for the full list. Generated AI responses are stored alongside the chat or item they relate to.
2.4 Inbound email
Each board can have a private inbox address of the form <token>@boards.orbitboard.ai. When someone sends or forwards email to that address, we receive the sender's email address and name, the subject, the plain-text and HTML body, and any attachments. We use this content to suggest a ticket on the board.
2.5 Technical data
Like any networked service, we collect your IP address, user-agent string, and standard request metadata. We use this to operate the service, prevent abuse, and diagnose problems. Server access logs and error logs are stored inside our Google Cloud cluster for 30 days.
2.6 Cookies
See the Cookie Notice for the small set of cookies we use.
3. How we use your information
| Purpose | Legal basis under GDPR |
|---|---|
| Providing the service (rendering boards, sending notifications, syncing across devices) | Performance of a contract (Art. 6(1)(b)) |
| Authenticating you | Performance of a contract |
| Generating AI tickets, summaries, chat responses, voice transcriptions | Performance of a contract |
| Sending digests and notifications you have configured | Performance of a contract |
| Debugging and improving the AI features via LangSmith traces | Legitimate interests (Art. 6(1)(f)) — running a working service |
| Security, fraud and abuse prevention | Legitimate interests |
| Legal compliance (tax records, lawful requests) | Legal obligation (Art. 6(1)(c)) |
We do not currently send marketing email. If we ever introduce optional marketing email, it will be consent-based (Art. 6(1)(a)) and you will be able to opt in or out at any time.
4. AI processing
4.1 What we send to AI providers
To power AI features, we send the relevant prompt content (and, for voice input, the relevant audio) to one or more AI providers. The provider that handles each request is configured by us, not by you. See §5 for the current list.
4.2 No training on your content
We have configured the AI providers we use to operate under terms that do not permit them to train their models on your content. Specifically:
- OpenAI API requests are sent with the no-training configuration (zero-data-retention or equivalent) per OpenAI's enterprise terms.
- Anthropic API customer data is not used to train Anthropic models per Anthropic's commercial terms.
We rely on these contractual and technical commitments. If they ever change in a way that affects you, we will update this policy with at least 30 days' notice and require re-acceptance.
4.3 LangSmith tracing
We send AI request and response data to LangSmith (operated by LangChain Inc.) to debug and improve our AI features. LangSmith retains traces for [FILL IN: 30 days / the configured retention window]. We rely on LangSmith for our own legitimate interest in operating a working service.
4.4 Voice audio
When you use voice input, your audio is sent to OpenAI's Whisper service for transcription. We do not retain the raw audio after transcription. The resulting transcript is stored alongside the chat message or ticket that produced it.
4.5 Automated decision-making
AI-generated tickets, summaries, and chat responses are suggestions. They are not decisions about you in the sense of Article 22 of the GDPR. A human (you, your collaborator, or the board owner) decides whether to accept, edit, or discard each AI suggestion.
5. Sub-processors
We use the following third-party service providers ("sub-processors") to operate OrbitBoard. Each receives only the data shown. All are located in or operated from the United States.
| Provider | What they do | Data they receive | Their privacy policy |
|---|---|---|---|
| Google Cloud (Google LLC) | Application hosting (GKE in us-central1), PostgreSQL database, Redis, object storage (MinIO), in-cluster logging | All stored data | https://cloud.google.com/terms/cloud-privacy-notice |
| OpenAI (OpenAI, L.L.C.) | Default LLM provider; always handles voice transcription (Whisper) and text-to-speech | AI prompts and audio you submit | https://openai.com/policies/privacy-policy |
| Anthropic (Anthropic, PBC) | LLM provider when configured | AI prompts you submit | https://www.anthropic.com/legal/privacy |
| LangSmith (LangChain, Inc.) | AI request/response tracing for debugging | AI prompts and responses with associated metadata | https://www.langchain.com/privacy-policy |
| Mailgun (Sinch America, Inc.) | Receives email sent to your board's inbound address and posts it to our server | The email content (sender, subject, body, attachments) | https://www.mailgun.com/legal/privacy-policy/ |
| Resend (Resend, Inc.) | Sends transactional email (digests, notifications) | Recipient address, message body | https://resend.com/legal/privacy-policy |
| Google Identity | Google OAuth sign-in | OAuth profile (email, name, avatar) | https://policies.google.com/privacy |
| GitHub (GitHub, Inc.) | GitHub OAuth sign-in | OAuth profile (email) | https://docs.github.com/en/site-policy/privacy-policies |
If we add or replace a sub-processor of the same kind (e.g., a new outbound email vendor), we update this list with a minor version bump and no separate notice. If we add a sub-processor that introduces a new category of data flow (e.g., a website analytics vendor), we treat it as a material change requiring 30 days' notice and re-acceptance.
6. Notice to people who email a board address
If you send or forward email to a *@boards.orbitboard.ai address, your message and any attachments are processed by our AI to suggest a ticket on the recipient board. The board owner is responsible for having the authority to receive your content; we do not independently verify it.
We do not use email content for any purpose other than processing the requested ticket. To request deletion of your content from our systems, email privacy@orbitboard.ai with the date and subject line of your message and we will purge it within 30 days.
7. Where your data is stored and international transfers
All production data is stored in Google Cloud us-central1 (Iowa, United States). For users located in the European Union, the United Kingdom, or Switzerland, this constitutes a cross-border transfer of personal data under Chapter V of the GDPR.
We rely on the following safeguards for these transfers:
- The EU-US Data Privacy Framework for sub-processors that are DPF-certified, as listed in §5 (check each vendor's privacy policy for current certification status).
- Standard Contractual Clauses (SCCs) with sub-processors that are not DPF-certified, either signed directly or relied upon via the vendor's published Data Processing Addendum.
We have performed a Transfer Impact Assessment ("TIA") that concludes the combination of contractual safeguards, encryption in transit and at rest, data minimization, and the absence of bulk-surveillance interest in our processing is sufficient. The TIA summary is available on request from privacy@orbitboard.ai.
OrbitBoard is the data exporter; the sub-processors listed in §5 are the data importers.
8. How long we keep your data
| Data | Retention |
|---|---|
| Account profile | Until you delete your account, plus a 30-day purge window |
| Boards, lanes, issues, tasks, notes, attachments, authored documents | Until you delete them, plus a 30-day grace window during which they can be restored |
| Comments, labels, AI chat records | Deleted immediately when you delete them |
| Voice audio | Not retained after transcription |
| AI chat and document-chat history | For the lifetime of the parent board or document |
| Activity records (audit trail) | For the lifetime of the parent issue |
| Inbound email rows | For the lifetime of the resulting ticket |
| LangSmith traces | [FILL IN: 30 days / configured retention] |
| Server access logs | 30 days |
| Database backups | 30-day rolling window |
When we say "plus a 30-day purge window," we mean the data is soft-deleted immediately and permanently purged from our active databases within 30 days. Backups containing your data age out within the rolling backup window above.
9. Your rights
You have the following rights in the personal information we hold about you. The specific rights available to you depend on where you live; we honor the maximum applicable set.
- Canada (PIPEDA) — access your information, correct it, withdraw consent, lodge a complaint with the Office of the Privacy Commissioner of Canada (https://www.priv.gc.ca/).
- European Union, United Kingdom, Switzerland (GDPR / UK GDPR / FADP) — access (Art. 15), rectification (Art. 16), erasure (Art. 17), restriction (Art. 18), portability (Art. 20), objection (Art. 21), withdrawal of consent (Art. 7), and the right to lodge a complaint with a supervisory authority in your country (list: https://edpb.europa.eu/about-edpb/about-edpb/members_en).
- California (CCPA / CPRA) — the right to know, delete, correct, opt out of sale or sharing of personal information, limit use of sensitive personal information, and not be discriminated against for exercising these rights. We do not sell or share personal information in the sense of the CCPA. Categories of personal information collected, sources, business purposes, and CCPA-specific disclosures are in the Appendix.
- Other US states with comprehensive privacy laws (Colorado, Connecticut, Virginia, Utah, Texas, Oregon, New Jersey, Delaware, Iowa, Indiana, Montana, New Hampshire, Tennessee, Minnesota, Maryland) — substantially equivalent rights are honored.
How to exercise these rights:
- Self-serve in the app: use Delete my account and Export my data in your settings.
- Or email privacy@orbitboard.ai.
We respond within 30 days of your request. If we need more time, we will tell you why and how long.
10. Security
We use the following measures to protect your information:
- HTTPS / TLS in transit for every public endpoint.
- Encryption at rest provided by Google Cloud for our database and object storage.
- JWT authentication with short-lived access tokens (15 minutes) and rotating refresh tokens (7 days).
- All application data is stored inside our Google Cloud cluster; we do not share databases with other projects despite being on a shared cluster.
- We rely on the security certifications and practices of our sub-processors (linked in §5).
If we ever discover a breach of security safeguards affecting your personal information that creates a real risk of significant harm:
- We will notify the Office of the Privacy Commissioner of Canada and affected individuals as soon as feasible (per the PIPEDA Breach of Security Safeguards Regulations).
- We will notify the relevant EU/UK supervisory authority within 72 hours and affected individuals without undue delay where required (per GDPR Articles 33-34).
- We will comply with applicable US state breach-notification laws on the strictest applicable timeline.
11. Children
OrbitBoard is for users 16 years of age or older. We do not knowingly collect personal information from anyone under 16. If we learn that we have, we will delete the data and terminate the account.
12. Changes to this Privacy Policy
We may update this Privacy Policy from time to time. We track changes with a version number (see the header above).
- Material changes (such as new categories of data, new purposes, removed user rights, or new sub-processors that introduce a new category of data flow) require 30 days' advance notice by email and re-acceptance the next time you sign in.
- Minor changes (clarifications, typos, or replacement of a sub-processor with another of the same kind) are posted with a new version number and no separate notice.
13. Contact
Privacy questions, requests, and complaints: privacy@orbitboard.ai.
Postal mail:
[FILL IN: Douglas Riches] d/b/a OrbitBoard [FILL IN: Ontario mailing address]
Appendix A: California (CCPA / CPRA) notices
Categories of personal information we have collected in the last 12 months (per Cal. Civ. Code § 1798.140):
| Category | Examples we collect |
|---|---|
| Identifiers | Email address, OAuth provider account ID, IP address |
| Customer records | Name, account information |
| Internet or other electronic network activity | Server access logs, request metadata |
| Audio information | Voice recordings (transient — see §4.4) |
| Inferences | AI-generated summaries derived from your content |
Categories of sources — you (directly), Google or GitHub (when you sign in), email senders (when they email a board address).
Business or commercial purposes — providing the service, security, debugging, legal compliance (per §3).
Sale / sharing of personal information — we do not sell or share personal information in the sense of the CCPA/CPRA.
Sensitive personal information — limited to authentication credentials (managed through OAuth and used only to authenticate you) and voice recordings (transient). We do not use sensitive PI to infer characteristics about you. You may limit the use of sensitive PI by emailing privacy@orbitboard.ai.
Retention — see §8.
To exercise CCPA rights, email privacy@orbitboard.ai. You may designate an authorized agent in writing; we will verify both your identity and the agent's authority before processing the request.
Appendix B: EU / UK supervisory authorities
You may lodge a complaint with the supervisory authority in your country:
- EU member states: https://edpb.europa.eu/about-edpb/about-edpb/members_en
- United Kingdom: Information Commissioner's Office, https://ico.org.uk/
- Switzerland: Federal Data Protection and Information Commissioner, https://www.edoeb.admin.ch/
We are not currently required to designate an EU representative under GDPR Article 27 because our processing of EU residents' data is occasional and does not include large-scale processing of special-category data or systematic monitoring. If this changes, we will appoint a representative and update this Policy.
Appendix C: Transfer Impact Assessment summary
- Personal data transferred: account profile, user-generated content, AI prompts and voice audio, inbound email, technical metadata.
- Recipient countries: United States (all sub-processors).
- Legal basis for transfer: EU-US Data Privacy Framework where the sub-processor is certified; Standard Contractual Clauses where it is not.
- Risk assessment: The personal data we process is not the type that US national-security surveillance programs (FISA § 702, Executive Order 12333) typically target; we have no indication that any of our sub-processors have received bulk-surveillance demands relating to our customers; our data flows are encrypted in transit and at rest.
- Supplementary measures: Data minimization (we send only what the AI feature needs); use of named, contractually-bound sub-processors; aggressive retention windows; the ability for you to delete your account and content at any time.
We will reassess this TIA whenever a sub-processor changes its operations or US surveillance law materially changes.