Privacy Policy for Orbit

Last updated on November 10th 2022 (version 2.0)

This Privacy Policy provides details of the personal data we collect from you, what we do with it, how you might access it and who it might be shared with.

Our Contact Information (Data Controller)

Orbit Technology AS
Dokkveien 11, NO-3920 Porsgrunn, Norway
Company Email: privacy@getorbit.com

What we do with your personal data

Orbit is committed to protecting the privacy of our customers, hosts and users alike. We take the confidentiality and integrity of customer data in our control very seriously and strive to ensure that all data is protected from unauthorized access and is only available when essential to fulfill our obligations as controllers and for the purposes that data was collected for.

We process personal data only for the purpose for which they are collected. The purpose depends on whether you use only our website or also our services. If you use our services you are required to register and we collect your personal data. We use this personal data for the provision of the service or the performance of the contract. We may use your personal data for other similar purposes, including marketing and communications, but only where we have your consent or another legal justification for doing so.

From our tenants, members and subscribers we process and retain personal data for the following purposes and periods, with the applicable legal basis:

Ensure proper access to property, people and assets
Legal basis: GDPR Article 6(1)(b) - we have a contract with the data subject
Retention period: No later than 2 years after the customer relationship has ended

Fraud detection and prevention
Legal basis: GDPR Article 6(1)(f) - it's in our legitimate interest (Fraud detection and prevention)
Retention period: No later than 2 years after the customer relationship has ended

Identity verification
Legal basis: GDPR Article 6(1)(b) - we have a contract with the data subject
Retention period: No later than 2 years after the customer relationship has ended

Deliver our products and services
Legal basis: GDPR Article 6(1)(b) - we have a contract with the data subject
Retention period: No later than 2 years after the customer relationship has ended or 5 years if a transaction has been completed in accordance with the Money Laundering Act

Provide customer service and perform customer administration
Legal basis: GDPR Article 6(1)(b) - we have a contract with the data subject
Retention period: Contact information about customers no later than 2 years after the customer relationship has ended. Customer service will store contact information from people who make contact for 1 year.

Improve our products and services
Legal basis: GDPR Article 6(1)(a) - we have the data subject's consent
Retention period: 1 year

Provide you with personalized customer follow-up
Legal basis: GDPR Article 6(1)(a) - we have the data subject's consent
Retention period: 1 year

Enhanced access control experience
Legal basis: GDPR Article 6(1)(a) - we have the data subject's consent
Retention period: Until consent withdrawn or the customer relationship has ended

What personal data do we collect?

The personal data we collect depends on whether you just visit our website or use our services. If you visit our website, you do not need to provide us with any personal data. However, your browser transmits some data automatically, such as the date and time of retrieval of one of our web pages, your browser type and settings, your operating system, the last web page you visited, the data transmitted and the access status, and your IP address.

If you use our services, personal data is required to fulfill the requirements of a contractual or service relationship, which may exist between you and our organization.

We collect

- Contact information: name, e-mail address and telephone number

- Identity information: registered address, name and date of birth

- Means of identification: Bank ID, National ID, passport, driver's license, etc.

- Technical information: device, operating system, user agent and IP address

- Access and usage data: information about entries to buildings and locations connected to Orbit

Account & Payment Information

- Product information: information about the products you pay for or subscribe to

- Transaction information: your name, email address, billing address, shipping address, payment method information (such as credit or debit card number, bank account information or payment card image selected by you), purchase amount, date of purchase, and in some cases, some information about what you have purchased and your phone number

- Communication: SMS, chat and email

- Mobile device information: device location, Bluetooth and motion data

- Browser and device data, such as IP address, device type, operating system and Internet browser type, screen resolution, operating system name and version, device manufacturer and model and language.

We collect your personal data from the following indirect sources

- Contact information (name, e-mail address and telephone number) from National Identity Providers (BankID, etc)
- Identity information (registered address, name and date of birth) from National Identity Providers (BankID, etc)
- Means of identification (Bank ID, National ID, passport, driver's license) from National Identity Providers (BankID, etc)
- Access and usage data (information about entries to buildings and locations connected to Orbit) from Physical Access Control Systems (OpenPath, etc)
- Communication (SMS, chat and email) from SMS/Email/Support Chat providers (Intercom, etc)
- Transaction information (your name, email address, billing address, shipping address, payment method information) from Payment processors (Stripe, etc)

Who might we share your personal data with?

To maintain and improve our services, your personal data may need to be shared with or disclosed to service providers, other Controllers or, in some cases, public authorities. We may be mandated to disclose your personal data in response to requests from a court, police services or other regulatory bodies. Where feasible, we will consult with you prior to making such disclosure and, in order to protect your privacy, we will ensure that we will disclose only the minimum amount of your information necessary for the required purpose.

We transfer personal data to the following organizations and countries as sub-processors:

- Amazon Web Services, Europe (Stockholm) Region (Luxembourg)
- Bugsnag (United States)
- Google Analytics (United States)
- Hotjar (Malta)
- HubSpot, Inc. (United States)
- Intercom, Inc. (United States)
- Openpath Security, Inc. (United States)
- Postmark (United States)
- Segment (United States)
- Signicat (Norway)
- Stripe Inc. (United States)
- Twilio Inc. (United States)

When a Processor or Controller is in a country outside the EU, we apply the necessary safeguards, which may include confirming whether the EU approves of transfers to the country, whether we need to use the EU's model contracts or, if the transfer is internal to our organization, commitment to Binding Corporate Rules. Details of these safeguards may be obtained by contacting us directly.

Data sharing with hosts you interact with

By default Hosts are only allowed limited access to your personal data.

If you are a tenant at a host location that uses Orbit, the host will have access to your personal data, albeit only the personal information provided to us by the host or acquired by Orbit for the purpose of onboarding to Orbit and gaining access to the Host’s premises as long as you are deemed a tenant and user in Orbit.

If you are not a tenant, but have booked and/or been given access to a host location that uses Orbit, the Host will have limited access to your personal data in the period from a booking/access request being initiated by you and up to 90 days after the booking/access having been deemed completed or canceled. The purpose of this access is solely to manage your bookings/access to the host’s premises. This period can be extended for the purpose of providing necessary support or in case of a dispute, incident or security related events after access has been revoked.

Under no circumstances shall personal data acquired or accessed through Orbit by hosts be used for any purpose other than what is outlined in this policy. This applies specifically to sales or marketing purposes of the host’s own business and products.

Hosts are not allowed to use your personal data for any other purpose unless you have granted explicit consent through Orbit or the personal data have been collected directly from you outside of Orbit’s control.

In the case you consent to share your personal data with hosts beyond the limitations outlined above, hosts will be granted access to this data for the purposes outlined in the consent. You will be able to revoke this consent at any time, in accordance with privacy regulation in your jurisdiction.

After access to your personal data has been revoked, hosts will still be able to access all anonymized data from the booking/access performed by you in Orbit.

You maintain ownership of your personal data at all times in Orbit. No portion of these data sharing and ownership rules is intended to encroach on your rights. We will always comply with applicable regulations in this regard.

How do we look after personal data?

We limit the amount of personal data collected only to what is fit for the purpose, as described above. We restrict, secure and control all of our information assets against unauthorized access, damage, loss or destruction; whether physical or electronic. We retain personal data only for as long as is described above, to respond to your requests, or longer if required by law. If we retain your personal data for historical or statistical purposes we ensure that the personal data cannot be used further. While in our possession, together with your assistance, we try to maintain the accuracy of your personal data.

How can you access your personal data?

You have the right to request access to any of your personal data we may hold. If any of that information is incorrect, you may request that we correct it. If we are improperly using your information, you may request that we stop using it or even delete it completely.

If you would like to make a request to see what personal data of yours we might hold, you may make a request from our company website or through the Orbit App support functions or by sending us an email.

Where you have previously given your consent to process your personal data, you also have the right to request that we port or transfer your personal data to a different service provider or to yourself, if you so wish.

Where it may have been necessary to get your consent to use your personal data, at any moment, you have the right to withdraw that consent. If you withdraw your consent, we will cease using your personal data without affecting the lawfulness of processing based on consent before your withdrawal.

Our Data Protection Officer

Daniel Bentes
Email: privacy@getorbit.com

Our Supervisory Authority

You have the right to lodge a complaint with any Supervisory Authority.
See our Supervisory Authority contact details below.

Datatilsynet / Data Inspectorate
P.O. Box 458 Sentrum, 0105 Oslo, Norway
Email: postkasse@datatilsynet.no
Telephone: +4722421910
Website: www.datatilsynet.no

Change log

Version 1.0:
- Original policy

Version 2.0:
- Clarification of your rights, our purposes, data retention periods and sub-processors.
- Clarified what data is shared with hosts you interact with through Orbit.