← Back to home

Privacy Policy

Last updated: March 2026

1. What we collect

When you create an account, we collect your email address and a bcrypt-hashed password. We do not collect your name, phone number, or any other personally identifying information beyond what is strictly required to operate the service.

All node data — the content you create inside Orbtium — is encrypted on your device using AES-256-GCM before transmission. We store only the encrypted ciphertext and associated metadata (creation timestamps, node UUIDs). We cannot access, read, or reconstruct your data.

We collect minimal server-side logs (IP addresses, request timestamps) for security and abuse-prevention purposes. Logs are retained for 30 days and then permanently deleted.

2. How we use your information

Your email address is used solely to:

  • Authenticate you to your account
  • Send transactional emails (password reset, account security alerts)
  • Communicate important service changes

We do not sell, rent, or share your email address with third parties. We do not use your data to train machine-learning models. We do not run advertising of any kind.

3. Encryption & zero-knowledge architecture

Orbtium is built on a zero-knowledge encryption model. Your encryption key is derived from your password using PBKDF2 with a per-user salt. The derived key never leaves your device. All node content is encrypted client-side before being sent to our servers.

This means: if you forget your password, your data cannot be recovered by us. We have no back door, no key escrow, and no ability to comply with requests to produce decrypted user content — because we do not have it.

Server infrastructure is hosted in the EU (Frankfurt) on providers that are ISO 27001 certified. Data at rest is encrypted at the storage layer in addition to the application-level encryption described above.

4. Data retention

Your account and encrypted data are retained for as long as your account is active. If you delete your account, all associated data — encrypted ciphertext, metadata, and email — is permanently deleted within 7 days. This deletion is irreversible.

Backup snapshots are purged on a 14-day rolling cycle, so deleted data will be absent from all backups within 21 days of account deletion.

5. Your rights (GDPR)

If you are located in the European Economic Area, you have the following rights under the General Data Protection Regulation:

  • Right of access — you may request a copy of the personal data we hold about you
  • Right to rectification — you may correct inaccurate personal data
  • Right to erasure — you may request deletion of your account and all associated data
  • Right to data portability — you may export your encrypted data at any time from the app settings
  • Right to object — you may object to processing of your data; given our zero-knowledge model, this largely means account deletion

To exercise any of these rights, email us at privacy@orbtium.com. We will respond within 30 days.

6. Contact

For privacy inquiries: privacy@orbtium.com

Postal address: Orbtium Ltd, 123 Example Street, London, EC1A 1BB, United Kingdom

We are registered as a data controller under UK GDPR. If you have an unresolved complaint, you have the right to lodge a complaint with the Information Commissioner's Office (ICO).