GDPR Compliance

Last updated: February 11, 2026

Orbinto is committed to protecting personal data and ensuring full compliance with the General Data Protection Regulation (EU) 2016/679 ("GDPR"), the UK GDPR, and the Swiss Federal Act on Data Protection (FADP). This page explains how we handle data, your rights, and the tools we provide to help our customers meet their own compliance obligations.

1. Orbinto's Role — Controller vs. Processor

Under GDPR, organizations handling personal data operate as either a data controller (deciding why and how data is processed) or a data processor (processing data on behalf of a controller). Orbinto operates in both capacities:

| Scenario                                              | Orbinto's Role  | Explanation                                                                                 |
|-------------------------------------------------------|-----------------|---------------------------------------------------------------------------------------------|
| You visit orbinto.com or create an account            | Data Controller | We decide what data to collect (name, email, billing info) and how to use it.               |
| Your website visitors chat via the Orbinto widget     | Data Processor  | You (our Customer) are the controller. We process end-user data on your instructions.       |
| Visitor tracking collects browsing data on your site  | Data Processor  | You enable tracking and determine its scope. We process data on your behalf.                |
| Session recordings capture user interactions          | Data Processor  | You enable recordings. We store and process them per your configuration.                    |
| AI features process chat conversations                | Data Processor  | AI processing occurs under your instructions when you enable AI features.                   |
| CRM integration syncs contact data                    | Data Processor  | You configure the sync. Data flows per your mapping and sync rules.                         |

As a processor, Orbinto only processes personal data based on your documented instructions, as outlined in our Data Processing Agreement (DPA). We do not use your end-user data for our own purposes, and we never sell it.

3. Data We Process — By Feature

3.1 Live Chat

  • Conversation transcripts (messages, timestamps, sender identity)
  • Visitor name, email, and custom fields collected via pre-chat forms
  • Operator names, response times, and chat ratings
  • File attachments shared during conversations
  • IP address and approximate geographic location

3.2 Chatbots

  • Chatbot conversation logs (questions asked, responses given, flow paths taken)
  • Data collected by chatbot forms (lead capture fields, custom inputs)
  • Chatbot performance metrics (completion rates, handoff events)

3.3 AI Features

  • Chat messages processed for AI writing suggestions, auto-summaries, and auto-tagging
  • NLP chatbot interactions processed through AI language models
  • Important: Conversation data is processed in real time and is not used to train general-purpose AI models. Your data remains yours.
  • Customers can disable all AI features at any time from account settings

3.4 Visitor Tracking

  • IP address (used for geographic location approximation and company identification)
  • Browser type, operating system, device type, screen resolution
  • Pages visited, time on each page, scroll depth, referral source
  • UTM parameters and campaign data
  • Return visit frequency and session history

3.5 Session Recordings (Enterprise)

  • Mouse movements, clicks, scrolls, and tap events
  • Page content snapshots (DOM mutations)
  • Form interactions (with automatic sensitive-field masking — passwords, credit card numbers, and personal identifiers are never captured)
  • Session metadata (duration, device, entry/exit pages)

3.6 CRM Integrations

  • Contact records synced between Orbinto and the connected CRM (name, email, phone, company, custom fields)
  • Chat and interaction history pushed to CRM records
  • Lead scores and tags synced to CRM fields
  • Data flows only as configured by the Customer through field mapping settings

3.7 Account Data (Controller Role)

  • Account holder name, email, company name, billing address
  • Payment information (processed by Stripe/Razorpay — Orbinto does not store full card numbers)
  • Usage analytics (feature usage, API call volumes, login history)

4. AI-Specific Disclosures

In line with GDPR Article 22 and the EU AI Act, Orbinto provides the following transparency regarding AI features:

4.1 What AI Features Do

  • AI Writing Assistant: Suggests reply text to operators based on conversation context. Operators review and edit before sending — no automated replies to end-users.
  • Auto-Summaries: Generates a brief summary of chat conversations for operator reference. Not shared with end-users.
  • Auto-Tagging: Classifies conversations by topic (e.g., "billing," "technical support") for reporting. No decisions affecting end-users are made solely based on tags.
  • NLP/AI Chatbots: Interpret end-user messages using natural language processing and generate responses based on the Customer's configured knowledge base and flows.

4.2 Automated Decision-Making (Article 22)

Orbinto does not make any decisions that produce legal effects or similarly significant effects on individuals based solely on automated processing. AI features are used to assist human operators, not replace them. Specifically:

  • AI suggestions are always reviewed by a human operator before being sent to end-users.
  • Lead scoring uses automated rules but does not trigger actions that significantly affect individuals without human review.
  • Chatbot responses are based on Customer-configured flows, not autonomous decision-making.

4.3 AI Data Processing

  • No training on your data: Your conversations, visitor data, and recordings are never used to train or fine-tune general AI models.
  • Processing is ephemeral: AI features process data in real time. Inputs are not retained by AI providers after a response has been generated.
  • You can opt out: AI features can be completely disabled at any time from Settings, with no impact on other Service functionality.

5. Data Subject Rights

Under GDPR, individuals have the following rights regarding their personal data. Orbinto supports all of them:

| Right                                 | GDPR Article | How to Exercise                                                                      |
|---------------------------------------|--------------|--------------------------------------------------------------------------------------|
| Right of access                       | Art. 15      | Request a copy of all personal data we hold about you.                               |
| Right to rectification                | Art. 16      | Request correction of inaccurate or incomplete data.                                 |
| Right to erasure                      | Art. 17      | Request deletion of your data ("right to be forgotten").                             |
| Right to restrict processing          | Art. 18      | Request that we limit how we process your data.                                      |
| Right to data portability             | Art. 20      | Receive your data in a structured, machine-readable format (JSON/CSV).               |
| Right to object                       | Art. 21      | Object to processing based on legitimate interests or direct marketing.              |
| Right regarding automated decisions   | Art. 22      | Request human review of any automated decision that significantly affects you.       |
| Right to withdraw consent             | Art. 7(3)    | Withdraw consent for marketing or optional analytics at any time.                    |
| Right to lodge a complaint            | Art. 77      | File a complaint with your local data protection supervisory authority.              |

To exercise your rights: Email privacy@orbinto.com. We will respond within 30 days. If we need additional time (up to 60 days for complex requests), we will notify you within the initial 30-day period.

If you are an end-user who interacted with a business using the Orbinto chat widget, please contact that business directly. They are the data controller. If they need Orbinto's assistance to fulfill your request, we will cooperate promptly.

6. Data Retention & Deletion

We retain data only for as long as necessary. Retention periods vary by data type and plan:

| Data Type                  | Retention Period                                                          | Notes                                              |
|----------------------------|---------------------------------------------------------------------------|----------------------------------------------------|
| Chat history               | 30 days (Free) / Unlimited (Paid)                                         | Customers can delete conversations at any time     |
| Visitor tracking data      | 7 days (Free) / 90 days (Basic) / 1 year (Pro) / Custom (Enterprise)      | Automatically purged after retention period        |
| Session recordings         | 90 days (default) / Custom (Enterprise)                                   | Customers can delete recordings at any time        |
| Chatbot conversation logs  | Same as chat history                                                      | Follows plan-based retention                       |
| Account data               | Duration of account + 30 days                                             | 30-day grace period for account recovery           |
| Billing records            | 7 years                                                                   | Required by tax and financial regulations          |
| Server logs                | 90 days                                                                   | Security and debugging purposes                    |
| Inactive visitor profiles  | Automatically deleted after 9 months of inactivity                        | No manual action required                          |

Account Deletion

When you delete your account:

  1. Your account is immediately deactivated and all operators lose access.
  2. All personal data, chat history, visitor data, recordings, and chatbot data are permanently deleted within 30 days.
  3. Backups containing your data are purged within an additional 30 days.
  4. Billing records are retained for 7 years as required by law, but all other identifiable data is removed.

7. International Data Transfers

Orbinto's primary infrastructure is hosted on Amazon Web Services (AWS) in the US-East (Virginia) region. If you or your end-users are located in the EEA, UK, or Switzerland, personal data will be transferred to the United States.

Transfer Safeguards

We protect international data transfers using the following mechanisms:

  • EU-US Data Privacy Framework (DPF): Our key sub-processors (including AWS and Stripe) are certified under the EU-US DPF.
  • Standard Contractual Clauses (SCCs): We execute EU Commission-approved SCCs with all sub-processors to ensure adequate protection.
  • UK Extension & Swiss-US DPF: We comply with the UK Extension to the EU-US DPF and the Swiss-US Data Privacy Framework.
  • Transfer Impact Assessments: We conduct transfer impact assessments for all data flows to non-adequate countries and implement supplementary safeguards where necessary.

Data Residency (Enterprise)

Enterprise customers may request data residency in the EU (Frankfurt, Germany) or APAC (Singapore) regions. When EU data residency is selected, all end-user data and chat history is stored exclusively within the EU. Contact enterprise@orbinto.com for data residency options.

8. Security Measures

Orbinto implements technical and organizational measures to protect personal data in accordance with GDPR Article 32:

| Measure               | Implementation                                                                                    |
|-----------------------|---------------------------------------------------------------------------------------------------|
| Encryption in transit | TLS 1.2+ for all connections. TLS 1.3 supported.                                                  |
| Encryption at rest    | AES-256 encryption for all stored data. BYOK available on Enterprise.                             |
| Access control        | Role-based access control (RBAC). Principle of least privilege. MFA for all internal systems.      |
| Authentication        | SSO/SAML support (Enterprise). MFA available on all plans.                                        |
| Infrastructure        | Hosted on AWS with SOC 2 Type II certified data centers. Network segmentation and firewalls.       |
| Monitoring            | 24/7 infrastructure monitoring, intrusion detection, and automated alerting.                      |
| Testing               | Regular third-party penetration testing. Continuous vulnerability scanning.                       |
| Employee access       | Background checks for all employees. Security training. Access logs audited.                      |

Breach Notification

In the event of a personal data breach, Orbinto will:

  1. Notify affected Customers within 72 hours of becoming aware of the breach, as required by GDPR Article 33.
  2. Provide full details of the breach including scope, affected data types, and remediation steps.
  3. Cooperate with Customers in notifying their end-users and relevant supervisory authorities as needed.
  4. Document the breach, its effects, and all remedial actions taken.

9. Sub-Processors

Orbinto engages the following sub-processors to provide the Service. All sub-processors are bound by Data Processing Agreements and are required to implement appropriate technical and organizational security measures.

| Sub-Processor              | Purpose                                            | Location                  |
|----------------------------|----------------------------------------------------|---------------------------|
| Amazon Web Services (AWS)  | Cloud infrastructure, hosting, database, storage   | United States (us-east-1) |
| Stripe                     | Payment processing (USD, EUR, GBP, AUD)            | United States             |
| Razorpay                   | Payment processing (INR)                           | India                     |
| Postmark / SendGrid        | Transactional email delivery                       | United States             |
| Redis Cloud                | Real-time messaging and session management         | United States             |

Sub-Processor Changes

We will notify Customers at least 30 days in advance before adding or replacing a sub-processor. Customers may object to a new sub-processor within that 30-day period. If we cannot reasonably accommodate the objection, the Customer may terminate their subscription.

Subscribe to sub-processor change notifications by emailing privacy@orbinto.com with the subject "Sub-processor notifications."

10. Compliance Tools for Customers

Orbinto provides built-in tools to help you meet your GDPR obligations as a data controller:

10.1 Consent Management

  • Cookie consent banner: Configurable consent banner for EU visitors before visitor tracking activates. Supports Accept All, Reject All, and granular category selection (Essential, Analytics, Functional).
  • Pre-chat consent forms: Customizable GDPR consent checkbox in pre-chat forms. Link to your own privacy policy.
  • Session recording opt-in: End-users must explicitly consent before session recording begins (Enterprise). Opt-out available at any time.
  • Consent log: Full audit trail of all consents collected with timestamps, IP addresses, and consent text shown.

10.2 Data Export

  • Export all data for a specific end-user (chat history, visitor sessions, form submissions) in JSON or CSV format.
  • Bulk data export via API for data portability requests.
  • Export your complete account data at any time from Settings.

10.3 Data Deletion

  • Delete individual end-user profiles and all associated data (conversations, tracking data, recordings).
  • Delete specific conversations or visitor sessions.
  • Bulk deletion via API for large-scale erasure requests.
  • All deletions are permanent and propagate to backups within 30 days.

10.4 Privacy Controls

  • Sensitive-field masking: Session recordings automatically mask password fields, credit card inputs, and other sensitive form fields. Custom masking rules available.
  • IP anonymization: Option to anonymize the last octet of IP addresses for visitor tracking.
  • Data minimization: Configure which visitor data points are collected. Disable any category you don't need.
  • Disable features: Individually disable visitor tracking, session recordings, or AI features without affecting other Service functionality.

11. Cookies & Tracking Technologies

11.1 Orbinto Website (orbinto.com)

| Cookie Category     | Purpose                                               | Required?              |
|---------------------|-------------------------------------------------------|------------------------|
| Strictly necessary  | Authentication, session management, security (CSRF)   | Yes                    |
| Functional          | Language preference, theme preference                 | No; consent required   |
| Analytics           | Anonymous usage statistics for website improvement    | No; consent required   |

We do not use advertising or retargeting cookies.

11.2 Orbinto Chat Widget (on Customer Websites)

| Technology               | Purpose                                                                       | Lifetime        |
|--------------------------|-------------------------------------------------------------------------------|-----------------|
| Session cookie           | Maintain active chat session across page loads                                | Browser session |
| Local storage            | Returning visitor identification, widget state (open/closed)                  | 6 months        |
| Visitor tracking cookie  | Associate page views with a visitor profile (when tracking is enabled)        | 6 months        |

The chat widget does not set any cross-site tracking cookies, advertising cookies, or third-party cookies. The chat session cookie is classified as "strictly necessary" under most GDPR interpretations because it enables essential chat functionality. Visitor tracking cookies require consent in the EU — see our consent banner tool above.

12. Data Processing Agreement (DPA)

Our DPA governs how Orbinto processes personal data on behalf of Customers in compliance with GDPR Article 28. The DPA covers:

  • Scope and purpose of data processing
  • Types of personal data and categories of data subjects
  • Orbinto's obligations as a processor
  • Customer's obligations as a controller
  • Sub-processor engagement and notification
  • Data breach notification procedures
  • Data deletion and return upon contract termination
  • Audit rights
  • Standard Contractual Clauses (Annex)

How to get the DPA:

  • Enterprise plan: The DPA is automatically executed as part of your subscription agreement.
  • Professional plan: Request a signed DPA by emailing legal@orbinto.com.
  • All plans: A standard DPA is incorporated by reference into our Terms of Service.

13. Data Protection Impact Assessments

Orbinto conducts Data Protection Impact Assessments (DPIAs) as required by GDPR Article 35 for processing activities that are likely to result in high risk to individuals. We have completed DPIAs for:

  • Visitor tracking and behavioral analytics
  • Session recording and replay
  • AI-powered chat processing and automated tagging
  • Lead scoring based on automated profiling

DPIAs are reviewed annually or whenever significant changes are made to these features. Enterprise customers may request a summary of relevant DPIAs by contacting privacy@orbinto.com.

14. Changes to This Page

We reserve the right to update this GDPR page at any time to reflect changes in our practices, new features, legal requirements, or regulatory guidance. When we make changes:

  • We will update the "Last updated" date at the top of this page.
  • For material changes, we will notify Customers by email at least 30 days in advance.
  • Previous versions of this page are available upon request for audit purposes.

15. Contact & Data Protection Officer

For any GDPR-related questions, requests, or concerns:

We will acknowledge your inquiry within 48 hours and provide a substantive response within 30 days.

If you believe we have not adequately addressed your concern, you have the right to lodge a complaint with your local supervisory authority. A list of EU data protection authorities is available at edpb.europa.eu.