Privacy Policy

Last updated: February 11, 2026

1. Introduction

Orbinto ("Orbinto," "we," "us," or "our") operates the orbinto.com website and the Orbinto customer support platform, which includes live chat, chatbot, visitor tracking, CRM integration, and AI-powered features (collectively, the "Service").

This Privacy Policy explains how we collect, use, disclose, and safeguard your personal information when you visit our website, create an account, or use our Service. It also covers the information we process on behalf of our customers ("Customers") when their end-users ("End-Users") interact with the Orbinto chat widget, chatbots, or are tracked via our visitor tracking features.

By accessing or using our Service, you agree to the terms of this Privacy Policy. If you do not agree, please do not use our Service.

2. Data Controller vs. Data Processor

Orbinto operates in two capacities depending on the context:

  • Data Controller: When we collect and process data from visitors to our website (orbinto.com), prospective customers, and account holders, we act as the data controller. We determine the purposes and means of processing this data.
  • Data Processor: When our Customers use the Orbinto Service to communicate with their End-Users (via chat widget, chatbots, or visitor tracking), we act as a data processor on behalf of our Customers. Our Customers are the data controllers of their End-Users' data. We process this data strictly according to our Customers' instructions and our Data Processing Agreement (DPA).

If you are an End-User who has interacted with an Orbinto-powered chat widget on a third-party website, please refer to that website's own privacy policy for information on how your data is handled. You may also contact that business directly to exercise your data rights.

3. Personal Data We Collect

3.1 Information You Provide Directly

  • Account information: Name, email address, company name, job title, phone number, and billing/payment information when you create an account or subscribe to a paid plan.
  • Communications: Any messages, feedback, or support requests you send to us.
  • Profile data: Avatar, preferences, and settings you configure within the Service.

3.2 Information Collected Automatically

  • Usage data: Pages visited, features used, clicks, session duration, and interactions within the Service.
  • Device and browser information: IP address, browser type and version, operating system, device type, screen resolution, and language preferences.
  • Log data: Server logs including access times, referring URLs, and error reports.

3.3 Information Processed on Behalf of Customers (Processor Role)

When Customers use the Orbinto Service, we may process the following End-User data on their behalf:

  • Chat conversations: Messages exchanged between End-Users and operators or chatbots.
  • Visitor tracking data: Pages visited, time on site, referral sources, geographic location (derived from IP), browser and device information, and browsing behavior.
  • Pre-chat form data: Name, email, phone number, or custom fields collected via chat forms configured by the Customer.
  • Chatbot interaction data: Responses provided to chatbot prompts and flows.
  • Session recordings and heatmaps: Mouse movements, clicks, scrolls, and page interactions (Enterprise plan only, when enabled by the Customer).

4. How and Why We Use Your Data

We use personal data for the following purposes:

Purpose | Legal Basis (GDPR)
Providing and operating the Service | Performance of contract
Processing payments and managing subscriptions | Performance of contract
Sending transactional emails (invoices, account alerts, security notifications) | Performance of contract
Customer support and troubleshooting | Performance of contract
Product improvement and analytics | Legitimate interest
Preventing fraud, abuse, and security threats | Legitimate interest
Marketing communications (newsletters, product updates) | Consent (you may opt out at any time)
Complying with legal obligations | Legal obligation

5. We Do Not Sell Your Data

Orbinto does not sell, rent, lease, or trade your personal information to any third party. This applies to all data we collect — whether you are a website visitor, a Customer, or an End-User interacting with an Orbinto-powered widget.

We do not sell personal information as defined under the California Consumer Privacy Act (CCPA/CPRA), the General Data Protection Regulation (GDPR), or any other applicable privacy law. We have never sold personal data and have no plans to do so.

We do not share your data with data brokers, advertisers, or any third parties for their own marketing or commercial purposes.

6. How We Share Information

While we never sell your data, we may share it in the following limited circumstances:

  • Service providers and sub-processors: We use trusted third-party providers for hosting (AWS), payment processing (Stripe, Razorpay), email delivery, and analytics. These providers are contractually bound to process data only on our instructions and in accordance with this policy.
  • CRM integrations: When a Customer connects a third-party CRM (e.g., Salesforce, HubSpot, Zoho CRM), data flows between Orbinto and the CRM as configured by the Customer. Orbinto does not control how the third-party CRM handles data after transfer.
  • Legal requirements: We may disclose data if required by law, regulation, legal process, or governmental request, or to protect the rights, property, or safety of Orbinto, our Customers, or others.
  • Business transfers: In the event of a merger, acquisition, reorganization, or sale of assets, your data may be transferred as part of that transaction. We will notify you before your data becomes subject to a different privacy policy.
  • With your consent: We may share your data for any other purpose with your explicit consent.

7. Cookies and Tracking Technologies

7.1 Orbinto Website (orbinto.com)

We use cookies and similar technologies on our website for the following purposes:

  • Essential cookies: Required for the website to function (session management, authentication, security).
  • Analytics cookies: Help us understand how visitors interact with our website so we can improve it.
  • Preference cookies: Remember your settings and preferences (language, theme).

We do not use third-party advertising or retargeting cookies on our website.

7.2 Orbinto Chat Widget (Embedded on Customer Websites)

The Orbinto chat widget uses limited cookies and local storage to:

  • Maintain the chat session so conversations persist across page loads.
  • Remember End-User identity for returning visitors (if configured by the Customer).
  • Store widget display preferences (open/closed state).

The widget does not use cookies for advertising, cross-site tracking, or profiling. IP addresses collected by the widget are used solely for security (DDoS protection), geographic location approximation, and visitor identification as configured by the Customer.

7.3 Visitor Tracking

When Customers enable visitor tracking, Orbinto collects browsing behavior data (pages visited, time on page, referral source, scroll depth) from End-Users on the Customer's website. This data is collected through a JavaScript snippet embedded by the Customer and is processed on behalf of the Customer (processor role). Customers are responsible for disclosing this tracking in their own privacy policy and obtaining any required consent.

8. AI and Chatbot Data Processing

Orbinto's AI features (available on Professional and Enterprise plans) include AI writing assistant, auto-tagging, auto-summaries, and NLP-powered chatbots. When these features are enabled:

  • Chat conversations may be processed by AI models to generate suggested replies, summaries, and tags.
  • AI processing occurs in real-time and is not used to train general-purpose AI models. Your data remains yours.
  • Customers can disable AI features at any time from their account settings.
  • Chatbot conversation data is stored in the Customer's account and is subject to the same retention and security policies as all other data.

9. Data Retention

We retain personal data only for as long as necessary to fulfill the purposes described in this policy:

  • Account data: Retained for the duration of your account plus 30 days after deletion to allow for recovery.
  • Chat history: Retained according to the Customer's plan (30 days for Free, unlimited for paid plans). Customers can delete chat history at any time.
  • Visitor tracking data: Retained according to the Customer's plan (7 days for Free, 90 days for Basic, 1 year for Professional, configurable for Enterprise).
  • Session recordings: Retained for 90 days by default (configurable on Enterprise).
  • Billing data: Retained for 7 years as required by applicable tax and financial regulations.
  • Server logs: Retained for 90 days for security and debugging purposes.

When data is no longer needed, it is securely deleted or anonymized.

10. Data Security

We implement industry-standard security measures to protect your data:

  • Encryption in transit: All data transmitted between your browser and our servers is encrypted using TLS 1.2 or higher.
  • Encryption at rest: All stored data is encrypted using AES-256 encryption. Enterprise customers can use their own encryption keys (BYOK).
  • Access controls: Strict role-based access controls limit who can access data within our organization.
  • Infrastructure security: Our Service is hosted on Amazon Web Services (AWS) with SOC 2 certified data centers.
  • Regular audits: We conduct regular security assessments and penetration testing.
  • Incident response: We maintain an incident response plan and will notify affected parties within 72 hours of discovering a data breach, as required by GDPR.

While we take every reasonable precaution, no method of transmission over the Internet or electronic storage is 100% secure. We cannot guarantee absolute security.

11. International Data Transfers

Orbinto's servers are located in the United States (AWS US-East region). If you are located outside the United States, your data will be transferred to and processed in the United States.

For transfers of personal data from the European Economic Area (EEA), United Kingdom, or Switzerland:

  • We rely on Standard Contractual Clauses (SCCs) approved by the European Commission.
  • We comply with the EU-US Data Privacy Framework, the UK Extension, and the Swiss-US Data Privacy Framework, as applicable.
  • Enterprise customers may request data residency in the EU or APAC regions.

12. Your Privacy Rights

Depending on your location, you may have the following rights regarding your personal data:

12.1 Rights Under GDPR (EEA, UK, Switzerland)

  • Right of access: Request a copy of the personal data we hold about you.
  • Right to rectification: Request correction of inaccurate or incomplete data.
  • Right to erasure: Request deletion of your personal data ("right to be forgotten").
  • Right to restrict processing: Request that we limit how we use your data.
  • Right to data portability: Receive your data in a structured, machine-readable format.
  • Right to object: Object to processing based on legitimate interest or direct marketing.
  • Right to withdraw consent: Where processing is based on consent, you may withdraw it at any time.

12.2 Rights Under CCPA/CPRA (California Residents)

  • Right to know: Request disclosure of the categories and specific pieces of personal information we collect.
  • Right to delete: Request deletion of your personal information.
  • Right to correct: Request correction of inaccurate personal information.
  • Right to opt-out of sale: We do not sell personal information. No opt-out is necessary.
  • Right to non-discrimination: We will not discriminate against you for exercising your rights.

To exercise any of these rights, contact us at privacy@orbinto.com. We will respond within 30 days (or within the timeframe required by applicable law).

13. Children's Privacy

The Orbinto Service is not directed to individuals under the age of 16. We do not knowingly collect personal data from children under 16. If we become aware that we have collected data from a child under 16, we will take steps to delete it promptly. If you believe we have inadvertently collected such data, please contact us at privacy@orbinto.com.

14. Third-Party Links and Integrations

The Service may contain links to third-party websites or integrate with third-party services (e.g., CRM platforms, messaging channels). This Privacy Policy does not apply to third-party services. We are not responsible for the privacy practices of any third party. We encourage you to review the privacy policies of any third-party service you connect to or interact with.

15. Changes to This Policy

We reserve the right to update or modify this Privacy Policy at any time. When we make changes, we will:

  • Update the "Last updated" date at the top of this page.
  • Post the revised policy on this page.
  • For material changes that significantly affect how we process your data, we will notify you by email (to the address associated with your account) or by displaying a prominent notice within the Service at least 30 days before the changes take effect.

Your continued use of the Service after any changes to this policy constitutes your acceptance of the updated terms. We encourage you to review this page periodically.

16. Data Processing Agreement

If you are a Customer using Orbinto to process End-User data, a Data Processing Agreement (DPA) is available upon request. The DPA outlines our obligations as a data processor, including sub-processor disclosures, data breach notification procedures, and audit rights. Contact legal@orbinto.com to request a signed DPA.

17. Contact Us

If you have any questions, concerns, or requests related to this Privacy Policy, please contact us:

If you are located in the EEA and believe we have not adequately addressed your concerns, you have the right to lodge a complaint with your local data protection supervisory authority.