Orbio ("we", "our", "us") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our ITSM platform and website.

1. Information We Collect

Account Information. When you register, we collect your email address, name, and company details. This is necessary to provide you access to the platform and manage your tenant.

Usage Data. We collect log data including IP addresses, browser type, pages visited, and timestamps. This helps us maintain security and improve our service.

Content Data. Any data you submit through the platform — tickets, comments, asset records, KB articles — is stored securely in your dedicated database schema. We do not access or process this content except as necessary to provide the service.

2. How We Use Your Data

We do not sell your personal data. We do not use your content for training AI models.

3. Lawful Basis for Processing (POPIA)

In compliance with the Protection of Personal Information Act 4 of 2013 (POPIA), Orbio processes personal data only on the following lawful bases:

4. Data Subject Rights (POPIA Section 5-24)

Under POPIA, data subjects in South Africa have the following rights:

Exercise these rights from your account settings, via the CRM Consent Center, or by contacting us at privacy@orbio.io. We will respond within 30 days as required by POPIA.

5. Data Storage, Security & Cross-Border Transfers

All data is stored in PostgreSQL databases encrypted at rest (AES-256). Connections are TLS 1.3-encrypted in transit. Passwords are hashed with BCrypt. Each tenant's data is isolated at the database schema level to prevent cross-tenant access.

Where data is transferred across South African borders (e.g., to cloud infrastructure providers), Orbio ensures appropriate safeguards are in place, including Standard Contractual Clauses and Data Processing Agreements with all sub-processors. Our sub-processor register is available to tenants upon request.

6. Data Retention

We retain your account data for as long as your account is active. Upon tenant deletion, all associated data is permanently deleted within 30 days. Retention periods for specific data categories are defined in our Data Processing Register and default to 7 years (the POPIA prescription period) unless a shorter period is justified.

7. Automated Decision-Making

Orbio does not make decisions based solely on automated processing that produce legal effects concerning data subjects. Where automated decision-making is used (e.g., workflow triggers, SLA breach detection), human oversight is always available and data subjects may request manual review.

8. Marketing Consent & Preference Center

Orbio only sends marketing communications to contacts who have explicitly opted in. Every marketing email includes a one-click unsubscribe link. You can manage your marketing preferences at any time through the CRM Compliance → Consent Center. Withdrawal of consent does not affect the lawfulness of processing based on consent before its withdrawal.

9. Third-Party Services & Sub-Processors

Orbio may integrate with third-party services you explicitly configure (Microsoft Entra ID, Google Workspace, Okta, email providers). Data shared with these services is governed by their respective privacy policies. We maintain a register of all sub-processors with details on data categories, transfer safeguards, and contract status. This register is available in the CRM Compliance → Vendor Register.

10. Cookies

We use essential cookies for authentication and session management only. No tracking cookies or third-party analytics cookies are used. Under POPIA Section 69, consent is required for non-essential cookies; our cookie banner provides explicit notice and opt-in for any future non-essential cookie use. You can control cookie preferences through your browser settings.

11. Complaints & Information Regulator

If you believe your personal information has been processed in violation of POPIA, you have the right to lodge a complaint with the Information Regulator of South Africa:

Information Regulator (South Africa)
JD House, 27 Stiemens Street, Braamfontein, Johannesburg, 2001
Email: enquiries@inforegulator.org.za
Web: www.inforegulator.org.za
Tel: +27 (0)10 023 5200

12. Information Officer

Orbio's Information Officer is responsible for overseeing compliance with POPIA. You may contact our Information Officer at dpo@orbio.io or by raising a DSAR (Data Subject Access Request) through the CRM Compliance module.

13. Contact

For privacy-related inquiries or to exercise your POPIA rights, contact us: