Privacy Policy

Last updated: 30 April 2026

OrbitEOS ("we", "us", "our") provides energy-management software that lets you monitor and control electrical assets — solar inverters, batteries, EV chargers, meters — across one or many sites. This Privacy Policy explains what we collect, why we collect it, and the choices you have. It applies to orbiteos.com, orbiteos.nl, the OrbitEOS web app at app.orbiteos.cloud, the OrbitEOS mobile apps for iOS and Android, and any related services (collectively, the "Service").

1. Who is the data controller?

The data controller for the Service is OrbitEOS. You can reach us at hello@orbiteos.cloud for any privacy question or to exercise your rights under the GDPR.

2. What we collect

2.1 Account information

• Your name and email address.
• The organisation name you provided at signup.
• Your password — stored only as a salted hash; we never see the cleartext.
• If you sign in with Google or Apple: the federated identity (provider, subject, email, display name) returned by the provider's ID token. We do not receive your provider password.
• If you sign in with an email magic-link: the email address you submitted and a single-use token sent to that address.

2.2 Telemetry from your energy system

• Real-time and historical readings from devices you've connected (power, energy, state of charge, temperature, etc.).
• Configuration of those devices (manufacturer, model, identifiers, network address).
• Site metadata you provide: site name, address, postcode, coordinates, occupant label, timezone.

2.3 Usage data

• Audit log entries for important actions (sign-in, configuration change, role assignment).
• Server logs for the Service: request URL, IP address, user-agent, timestamp, response status. Retained 30 days.
• Session cookies and authentication tokens needed to keep you signed in.

2.4 What we do NOT collect

• We do not run advertising or analytics trackers (no Google Analytics, no Facebook pixel).
• We do not sell your data, ever.
• We do not access your email beyond the address you used to sign up or sign in.

3. Why we use it

• To run the Service — show your dashboards, accept your control commands, send notifications, store history. Legal basis: contract performance.
• To sign you in — verify Google/Apple ID tokens or email magic-links against the identity provider. Legal basis: contract performance.
• To keep the Service secure — detect abuse, rate-limit, audit configuration changes. Legal basis: legitimate interest in operating a secure platform.
• To comply with the law — keep accounting records, respond to lawful requests. Legal basis: legal obligation.
• To improve the Service — aggregate, anonymised metrics on which features are used. We never share or sell raw user data for this purpose. Legal basis: legitimate interest.

4. Who we share it with

We use the following sub-processors. Each one is bound by a Data Processing Agreement and processes your data only on our instructions.

• Hosting: the European data centre that runs our application servers and database.
• Email delivery: the transactional email provider that sends magic-link emails, password resets, and notifications.
• Identity providers: Google and Apple for SSO sign-in, only if you choose to use that option.
• Error tracking: only metadata about server errors (stack trace, request URL, anonymised user identifier) — no telemetry payloads.

We do not transfer your data outside the European Economic Area unless the destination has an EU Adequacy Decision or appropriate Standard Contractual Clauses are in place.

5. How long we keep it

• Account data: for as long as your account exists, plus 30 days after deletion.
• Telemetry: for as long as the underlying site exists, then deleted within 90 days of site deletion. You can also export and delete it earlier on request.
• Audit logs: 12 months for security purposes.
• Server logs: 30 days.
• Magic-link tokens: 15 minutes; the token row is retained for 30 days for audit purposes after use or expiry.

6. Your rights under the GDPR

• The right to access a copy of your personal data.
• The right to rectify inaccurate data.
• The right to erasure ("be forgotten").
• The right to data portability — we'll export your account data and telemetry in a machine-readable format.
• The right to restrict processing.
• The right to object to processing based on legitimate interest.
• The right to withdraw consent for any processing based on consent (e.g. SSO sign-in linkage).
• The right to lodge a complaint with your supervisory authority (the Dutch DPA — Autoriteit Persoonsgegevens — for users in the Netherlands).

To exercise any of these rights, email hello@orbiteos.cloud. We respond within 30 days.

7. Cookies

The marketing site (orbiteos.com / orbiteos.nl) uses one cookie to remember your theme and language preference. The web app (app.orbiteos.cloud) uses local storage to keep you signed in (access and refresh tokens). We do not use third-party advertising or analytics cookies.

8. Children

The Service is not directed at children under 16. We do not knowingly collect personal data from anyone under 16. If you believe a child has provided us with personal data, contact us and we will delete it.

9. Security

We protect your data with TLS 1.2+ in transit, AES-GCM encryption at rest for sensitive secrets, role-based access control, and audit logging of administrative actions. No system is perfect; if you believe you've found a vulnerability, please email hello@orbiteos.cloud and we'll respond promptly.

10. Changes to this policy

We may update this policy from time to time. We'll always post the new version here with a new "Last updated" date. If a change is material — for example, a new sub-processor or a new data category — we'll notify you by email at least 14 days before it takes effect.

Terms of Service  ·  hello@orbiteos.cloud  ·  Home