Privacy Policy

Effective date: 07 June 2026

1. Who We Are

orbzy.app ("we", "us", "our") operates the website at orbzy.app. We are the data controller for the personal data described in this policy.

Registered address:

Unit 80, Cherry Orchard Industrial Estate
Dublin 10
D10 NX96
Ireland

Contact: [email protected].

2. Data We Collect

Data you provide

  • Email address — when you request improvement tips, log in via magic link, or purchase a report.
  • Website URL — the URL you submit for scanning.
  • Payment information — processed directly by Stripe; we do not store card details.

Data collected automatically

  • Scan results — scores and category data for URLs you submit, stored in our database.
  • Session tokens — a short-lived JWT cookie set when you log in, used solely to authenticate your session.
  • Server logs — standard web server logs (IP address, browser, timestamps) retained for up to 30 days for security and debugging.

3. How We Use Your Data

  • To deliver scan results and reports you request.
  • To send you the magic link to log in to your account.
  • To send monitoring alerts you have explicitly subscribed to.
  • To notify us (the operator) of new email captures for lead management.
  • To process payments via Stripe.
  • To maintain the security and performance of the Service.

4. Legal Basis for Processing (GDPR)

If you are in the European Economic Area (EEA) or United Kingdom, we process your data under the following legal bases:

  • Contract — to fulfil your purchase of a paid report or monitoring plan.
  • Legitimate interests — to provide the scanning service and maintain security logs.
  • Consent — for optional email notifications and non-essential cookies. You may withdraw consent at any time.

5. Cookies

We use the following cookies:

CookiePurposeType
auth_tokenAuthenticates your login sessionStrictly necessary
cookie_consentStores your cookie consent preferenceStrictly necessary
Stripe cookiesFraud prevention during paymentFunctional
ph_*_posthogPostHog analytics — stores a pseudonymous visitor ID to measure page views and feature usage. Set only after you accept analytics cookies.Analytics

We do not use advertising or retargeting cookies. You can manage cookie preferences via the banner shown on your first visit.

6. Data Sharing & Third Parties

We share data only with the following service providers, each bound by data processing agreements:

  • Neon (Neon Inc.) — database hosting. Data stored in the EU or US region as configured.
  • Railway (Railway Corp.) — application hosting infrastructure.
  • Stripe — payment processing. Subject to Stripe's own Privacy Policy.
  • Brevo (Sendinblue) — transactional email delivery.
  • PostHog (EU Cloud) — product analytics. Page views, feature usage, and conversion events are sent to PostHog EU servers (Frankfurt). Data is processed under a Data Processing Agreement. Only pseudonymous user IDs are shared; no name or email is sent to PostHog unless you are signed in and have accepted analytics cookies.
  • Cloudflare — CDN, DDoS protection, and Cloudflare Insights aggregate performance telemetry. No individual tracking; no persistent analytics cookies set.

We do not sell, rent, or trade your personal data to any third party for marketing purposes.

7. Data Retention

  • Scan results and scores: retained indefinitely to power monitoring features; deleted on request.
  • Email addresses: retained until you unsubscribe or request deletion.
  • Auth session tokens: expire after 7 days.
  • Server logs: deleted after 30 days.

8. Your Rights

Depending on your location, you may have the following rights regarding your personal data:

  • Access — request a copy of the data we hold about you.
  • Rectification — ask us to correct inaccurate data.
  • Erasure — request deletion of your data ("right to be forgotten").
  • Portability — receive your data in a structured, machine-readable format.
  • Objection / Restriction — object to or restrict certain processing.
  • Withdraw consent — where processing is based on consent, you may withdraw it at any time without affecting prior processing.

To exercise any right, email [email protected]. We will respond within 30 days. You also have the right to lodge a complaint with your local data protection authority (e.g., the Irish DPC, the UK ICO, or your national equivalent).

9. California Residents (CCPA)

If you are a California resident, you have the right to know what personal information we collect, request deletion, and opt out of the "sale" of personal information. We do not sell personal information. To exercise your rights, contact us at the email above.

10. International Transfers

Your data may be processed outside your country of residence (e.g., in the United States by our infrastructure providers). Where required, we rely on Standard Contractual Clauses (SCCs) or equivalent mechanisms to ensure adequate protection.

11. Security

We implement industry-standard security measures including HTTPS, server-side session tokens stored as HTTP-only cookies, and access controls on our database. No transmission over the internet is 100% secure; we cannot guarantee absolute security.

12. Changes to This Policy

We may update this Privacy Policy periodically. We will post the updated policy with a new effective date. Material changes will be communicated via email if we hold your email address.

13. Contact

For any privacy questions or requests, contact us at [email protected] or by post:

orbzy.app
Unit 80, Cherry Orchard Industrial Estate
Dublin 10
D10 NX96
Ireland