Legal
Privacy Policy
Last updated: July 1, 2026
This Privacy Policy describes how Orbital Web Design ("Orbital," "we," "us," or "our") collects, uses, and shares information when you visit orbitalwebdesign.com or use our services. It also describes our obligations as a data processor when we operate websites on behalf of our business clients. This policy is intended to satisfy the disclosure requirements of the California Consumer Privacy Act as amended by the California Privacy Rights Act (CCPA/CPRA), the EU and UK General Data Protection Regulation (GDPR/UK GDPR), and comparable comprehensive privacy laws in other U.S. states (including Virginia, Colorado, Connecticut, Utah, Texas, Oregon, Florida, Montana, Iowa, Tennessee, Indiana, Delaware, New Jersey, New Hampshire, Kentucky, Maryland, Minnesota, Rhode Island, Nebraska, Arkansas, and Alabama).
1. Information We Collect
In the preceding 12 months we have collected the following categories of personal information, organized using the statutory categories from California Civil Code §1798.140:
Identifiers
- Name, email address, business name, phone number (provided by you when you contact us, create an account, or sign an agreement)
- Account user ID and authentication session metadata (created by Supabase Auth when you sign in)
- IP address and browser user agent (collected automatically when you use our services or submit a form)
Commercial information
- Subscription plan, billing status, and order history for portal accounts
- On client sites we operate: order data (items purchased, amount, shipping address) — payment card numbers are handled entirely by Stripe and never reach our servers
Internet or other electronic network activity
- Pages visited, timestamps, and request metadata in standard server logs
- Activity log entries for key actions taken in the portal (order fulfillment, member changes, post publishing)
Geolocation data
- Approximate (city-level) geolocation inferred from your IP address only. We do not collect precise GPS location.
Professional or employment-related information
- Business name and role, if you provide them on a contact form or during onboarding
Sensitive personal information (CPRA-defined)
- Account log-in credentials (your password is never stored in plaintext — it is hashed and managed by Supabase Auth)
- TOTP multi-factor authentication factor ID (your authenticator secret never leaves your device)
- Electronic-signature evidence: typed legal name, signing timestamp, IP address, user agent, authentication assurance level (AAL), user account ID, and SHA-256 hash of the signed PDF — retained as legally binding evidence under E-SIGN / UETA
We use sensitive personal information only for the purpose of providing the service, authenticating you, securing your account, and maintaining required legal records. We do not use or disclose SPI to infer characteristics about you and you may invoke your right to limit our use of SPI (see §7).
Categories we do NOT collect
- Government-issued identifiers (Social Security number, driver's license, passport)
- Financial account numbers (Stripe handles all payment data)
- Precise geolocation, racial or ethnic origin, religious or philosophical beliefs, union membership, genetic or biometric data, health information, sexual orientation, or contents of mail/email/text messages
- Inferences drawn from any of the above to create a profile reflecting preferences or behavior
2. Sources of Personal Information
- Directly from you when you contact us, create an account, sign an agreement, or place an order on a client site
- Automatically from your device when you use our services (server logs, IP address, user agent)
- From our business clients (the controllers of their client sites) when they grant you portal access or forward a data request involving their visitors
- From our sub-processors in the course of providing the service (e.g., Stripe returns a transaction confirmation token; Supabase issues session JWTs)
3. How We Use Your Information (Business and Commercial Purposes)
- Performing the services you request — creating and managing your portal account, fulfilling orders, sending transactional emails (via Resend), and rendering the websites we operate on behalf of clients
- Responding to support tickets and contact form submissions
- Maintaining an audit trail for security, billing, and dispute resolution
- Detecting and preventing security incidents, fraud, and abuse (including rate limiting and Cloudflare Turnstile CAPTCHA checks)
- Debugging to identify and repair errors that impair functionality
- Short-term, transient use such as caching and session continuity
- Internal research and development to improve our services
- Providing AI-assisted features — our portal chat assistant and certain content/SEO tools send the minimum necessary information (such as your business name, plan, the user's name and role, and the text of your request, bounded in length) to our AI sub-processor Anthropic to generate a response. This data is not used to train third-party models.
- Complying with legal obligations (tax records, electronic-signature evidence, lawful requests from authorities)
We do not sell or share personal information for cross-context behavioral advertising, and we do not engage in profiling that produces legal or similarly significant effects about you. We honor Global Privacy Control (GPC) browser signals as a valid opt-out signal even though we do not sell or share.
4. Data We Process on Behalf of Our Clients
Orbital operates websites for business clients (the "client sites"). When visitors interact with a client site (by submitting a contact form, placing an order, or subscribing to a newsletter), we process that data as a service provider / data processor on behalf of our client (the business / data controller). Our contractual agreements with clients restrict our use of that data to providing the service and prohibit retaining, using, or disclosing it for any other purpose.
Data collected on client sites may include:
- Contact form submissions (name, email, phone, message)
- Order data (name, email, shipping address, items purchased, payment amount); payment card data is handled entirely by Stripe and never touches our servers
- Newsletter subscriptions (name, email)
- Order tracking lookups (token-based, no login required; no PII returned in tracking responses)
If you interacted with a website powered by Orbital Web Design and wish to request deletion or access to your data, please contact the business that operates that website directly. We will fulfill any deletion or access requests forwarded to us by our clients within 45 days.
5. Categories of Third Parties Who Receive Your Information
We share personal information with the following categories of third parties, each only to the extent necessary for the stated purpose:
- Sub-processors (infrastructure and service providers) — listed in §6 below
- Professional advisors (auditors, attorneys, accountants) when reasonably necessary
- Government or law-enforcement authorities when compelled by valid legal process or to protect rights, safety, or property
- An acquiring or successor entity in connection with a merger, acquisition, or sale of all or substantially all of our assets (you will be notified of any such transfer)
We do not sell personal information for money, and we do not share personal information for cross-context behavioral advertising as those terms are defined under California law. We have not sold or shared the personal information of any consumer, including minors under 16, in the preceding 12 months.
6. Sub-Processors
We use the following sub-processors. Each operates under its own privacy policy and a Data Processing Agreement with us:
- Supabase (database hosting, authentication, file storage): supabase.com/privacy
- Stripe (payment processing for client e-commerce orders): stripe.com/privacy
- Resend (transactional email delivery): resend.com/privacy
- Vercel (website hosting and edge delivery): vercel.com/legal/privacy-policy
- Cloudflare (Workers runtime and storage proxy, R2 backup and media storage, Stream video delivery, Turnstile bot protection): cloudflare.com/privacypolicy
- UptimeRobot (website uptime monitoring for clients on monitored plans; stores monitor IDs and 30-day uptime ratios): uptimerobot.com/privacy
- Google Fonts (web font delivery via CDN): policies.google.com/privacy
- Anthropic (AI assistant for the portal chat, content drafting, and privacy-policy generation; receives only the data needed to answer a request): anthropic.com/legal/privacy
- Replicate (AI media/model inference used by certain features): replicate.com/privacy
- Twilio (SMS notifications and operator messaging for client sites): twilio.com/legal/privacy
- Sentry (application error monitoring; configured to scrub personal data before transmission): sentry.io/privacy
- Google Business Profile, Search Console, and PageSpeed APIs (managing and reporting on client Google presence and SEO): policies.google.com/privacy
- DataForSEO (competitive SEO/keyword/backlink analysis for client sites): dataforseo.com/privacy-policy
- Yelp (importing public business reviews for client sites): yelp.com/tos/privacy_policy
A template Data Processing Agreement (DPA) for our clients is available on request from hello@orbitalwebdesign.com.
7. Your Privacy Rights
Depending on your location, you may have one or more of the following rights. We honor all rights listed below for every user, regardless of location, except where a right is expressly limited to residents of a particular jurisdiction.
California residents (CCPA / CPRA)
- Right to know what personal information we collect, the sources, the business purposes, and the categories of third parties to whom we disclose it
- Right to access a copy of the specific pieces of personal information we hold about you
- Right to delete personal information we collected from you, subject to statutory exceptions (e.g., we may retain electronic-signature evidence and tax records as required by law)
- Right to correct inaccurate personal information
- Right to data portability — to receive a copy of your data in a portable, machine-readable format
- Right to opt out of the sale or sharing of personal information (we do not sell or share; nothing to opt out of)
- Right to limit the use and disclosure of sensitive personal information (we already limit SPI use to providing the service; no further action needed)
- Right to non-discrimination — we will not deny service, charge a different price, or provide a different level of service because you exercised a privacy right
- Right to designate an authorized agent to make a request on your behalf; we will require written authorization and may require you to verify your identity directly
- Right to opt out of automated decision-making technology (ADMT) used for significant decisions — this right becomes enforceable January 1, 2027 under the 2026 CPRA regulations. We do not use ADMT to make significant decisions about you (such as employment, credit, housing, healthcare, or insurance determinations), so this opt-out is not presently triggered. Our AI-assisted portal features generate content and suggestions but do not produce legally or similarly significant effects about you.
We honor Global Privacy Control (GPC) signals as a valid opt-out preference signal. Because we do not sell or share personal information, no opt-out action is triggered by GPC, but we treat the signal as confirmation that you do not consent to such uses.
Residents of other U.S. states with comprehensive privacy laws
If you reside in Virginia, Colorado, Connecticut, Utah, Texas, Oregon, Florida, Montana, Iowa, Tennessee, Indiana, Delaware, New Jersey, New Hampshire, Kentucky, Maryland, Minnesota, Rhode Island, Nebraska, Arkansas, or Alabama, you have rights substantially similar to the California rights above — including the rights to access, delete, correct, and obtain a portable copy of your personal data, and to opt out of targeted advertising, sale, and certain profiling. If we deny a request, you may appeal our decision by replying to our denial email; if your appeal is denied you may contact your state's Attorney General.
EU, UK, and EEA residents (GDPR / UK GDPR)
You have the rights of access, rectification, erasure, restriction of processing, objection, and data portability, plus the right to withdraw consent and the right to lodge a complaint with your supervisory authority. Our legal bases for processing are:
- Contract (Art. 6(1)(b)) — for account creation, service delivery, signing agreements, and processing orders
- Legal obligation (Art. 6(1)(c)) — for tax records, electronic-signature evidence retention, and responding to lawful requests
- Legitimate interests (Art. 6(1)(f)) — for security, fraud prevention, rate limiting, audit logging, and internal administration; our interest is balanced against your rights and you may object
- Consent (Art. 6(1)(a)) — for newsletter subscriptions and any other purpose for which we explicitly ask
We are based in the United States, and our sub-processors (Supabase, Vercel, Cloudflare, Resend, Stripe) may process data in the United States or other countries outside the EEA. Where required, we rely on the EU–U.S. Data Privacy Framework (DPF) adequacy decision and Standard Contractual Clauses (SCCs) for such transfers. The DPF adequacy decision remains in force as of this policy's effective date; however, it faces ongoing legal challenges, including a pending appeal before the EU Court of Justice (Case C-703/25 P), and a June 2026 U.S. Supreme Court ruling affecting FTC independence (Trump v. Slaughter) raises questions about the enforceability of the Framework. We maintain SCCs as a supplementary safeguard for EU/EEA data transfers and will update this policy promptly if the DPF is invalidated or otherwise materially affected.
We do not engage in solely automated decision-making that produces legal or similarly significant effects about you (no automated profiling for credit, employment, etc.).
How to exercise your rights
To exercise any of these rights, submit our data request form, email us at hello@orbitalwebdesign.com or write to us at the address in §13. We will acknowledge your request within 10 business days and respond substantively within 45 days; if more time is needed we may extend by another 45 days and will tell you why. To protect your information, we will verify your identity before fulfilling a request — typically by asking you to confirm the request from the email address on file, or for unauthenticated requests by matching at least two data points we already hold.
8. Data Retention
We retain each category of personal information only as long as necessary for the purposes for which it was collected, after which it is deleted or de-identified.
- Portal account data (identifiers, account metadata): duration of your account plus 90 days
- Contact form submissions (identifiers, message content): 3 years from receipt, or sooner upon request, unless an ongoing matter requires longer retention
- Order data (commercial information, shipping addresses): 7 years for tax and legal compliance
- Newsletter subscriptions (email address): until you unsubscribe; an unsubscribe suppression record (hashed email) is retained indefinitely to prevent re-subscription errors
- Audit log entries (activity, security events): 2 years
- Electronic-signature evidence (sensitive personal information per §1): life of the agreement plus 7 years, to satisfy E-SIGN / UETA evidentiary requirements
- Authentication session metadata and MFA factor IDs: duration of your account
- Server logs (Supabase): per Supabase's standard retention (approximately 30 days)
- Encrypted daily backups (database snapshots and storage objects) in Cloudflare R2: per the lifecycle rule on the archive/ prefix
9. Security
- All data in transit is encrypted via TLS (HTTPS)
- Portal and Admin access requires two-factor authentication (TOTP) at aal2 assurance level
- Database access is protected by row-level security policies; no user can read data outside their permitted scope
- Public-facing forms are rate-limited and protected by Cloudflare Turnstile CAPTCHA
- Stripe handles all payment card data; we are not in scope for PCI-DSS cardholder data storage
- Supabase provides point-in-time recovery on production plans; daily encrypted backups (database and storage objects) are mirrored to Cloudflare R2 under a retention lifecycle rule
No method of transmission or storage is 100% secure. We will notify affected individuals and applicable regulators of any breach of personal information in the timeframes required by law (typically within 72 hours under GDPR and \"without unreasonable delay\" under U.S. state laws).
10. Cookies, Local Storage, and Tracking Signals
We do not use advertising cookies or third-party tracking. Our application uses:
- Browser sessionStorage: to remember your last active tab within a session (cleared when the tab is closed)
- Browser localStorage: used by Supabase Auth to persist your login session across page reloads
- No cookies are set by Orbital Web Design directly
Do Not Track (DNT): There is no industry-wide standard for responding to browser DNT signals, so we do not respond to them. We do, however, honor Global Privacy Control (GPC) signals as described in §7.
11. Children's Privacy
Our services are not directed to children under 13, and we do not knowingly collect personal information from children under 13. We comply with the U.S. Children's Online Privacy Protection Act (COPPA), including the FTC's 2025 amended rule (effective June 23, 2025; full compliance required by April 22, 2026). Consistent with those amendments, we maintain a written information security program covering any data incidentally collected; our data retention schedule (§8) serves as our written retention policy; we do not collect biometric identifiers from children; and we obtain separate verifiable parental consent before disclosing any child's information for purposes beyond those integral to the service. If you believe we have inadvertently collected such information, please contact us immediately and we will delete it.
In addition, we do not knowingly sell or share the personal information of consumers between 13 and 16 years of age, as those terms are defined by the CCPA. If you become aware that a minor between 13 and 16 has provided personal information to us, please contact us so we can address it.
12. Changes to This Policy
We may update this policy periodically. Material changes will be noted with a new \"Last updated\" date at the top of this page; for substantial changes that affect your rights, we will provide additional notice (such as an email to account holders or a prominent notice on the home page). Continued use of our services after an update constitutes acceptance of the revised policy.
13. Contact
For privacy questions, data requests, or to report a concern:
Orbital Web Design
Attn: Privacy
4539 N 22nd St, STE N
Phoenix, AZ 85016
hello@orbitalwebdesign.com
EU/UK residents have the right to lodge a complaint with their local data protection supervisory authority. California residents may also contact the California Attorney General at oag.ca.gov/privacy.