Legal

Privacy Policy

Last updated: April 22, 2026

This Privacy Policy explains how OrbitNest Studio (the “Service”, “we”, “us”) collects, uses, and shares personal information when you visit studio.orbitnest.io, use our dashboard, or interact with backends built on OrbitNest.

1. Who we are

OrbitNest Studio is a developer platform that provides managed PostgreSQL databases, authentication, edge functions, object storage, and observability for software applications. For the purposes of this policy, OrbitNest is the data controller of personal information we collect about admins who sign in to the Studio, and the data processor of personal information our customers store in their own projects.

Contact: privacy@orbitnest.io.

2. Information we collect

Account information

When you create an admin account we collect your name, email address, hashed password (if you set one), and any profile details you choose to provide. When you sign in with a third-party provider (Google or GitHub), we also store your provider user ID, verified email, display name, and avatar URL so we can link subsequent sign-ins to the same account.

Project and usage data

We collect metadata about the projects you create — project names, regions, database schemas, function source, storage bucket configurations, and API key identifiers. We also log system events such as sign-ins, token refreshes, failed auth attempts, function invocations, and administrative actions so you can audit activity on your own projects.

Content stored in your projects

Anything you or your application's end-users put into your project database, storage buckets, or function logs is your content. We store and process it on your behalf as a processor and do not use it to train models, build derivative products, or for advertising.

Device and connection information

We automatically collect IP address, user-agent string, approximate location (city-level, derived from IP), browser type, operating system, referring URL, and timestamps for each request to the Service. This information is used for security, abuse prevention, and service reliability.

Billing information

Paid plans are processed by our payment processor. We receive the billing email, country, last four digits of the card, and renewal status — we never see or store full card numbers.

3. How we use information

Provide, operate, and improve the Service.
Authenticate you and keep your account and projects secure (e.g. rate limiting, lockouts, anomaly detection).
Communicate service announcements, security notices, and support replies.
Generate aggregated analytics about platform usage (never cross-customer data mixing).
Comply with legal obligations and enforce our Terms of Service.

We do not sell personal information and we do not use your project content to train machine-learning models.

4. OAuth and single sign-on

When you choose to sign in with Google or GitHub, the provider returns a verified email address, a stable user ID, your name, and (optionally) an avatar URL. We store only what is needed to let you sign in again and display your profile — we do not read your Gmail, calendar, repositories, or any other data scope, and we never request scopes beyond openid email profile for Google and read:user user:email for GitHub.

You can disconnect any linked provider at any time under Settings → Account → Linked Accounts. Disconnecting a provider removes the OAuth link and provider identifiers from our database; it does not delete your admin account.

5. Cookies and local storage

We use cookies and browser local storage strictly to operate the Service: authentication tokens, CSRF protection state, theme preference, and remembered project selection. We do not use third-party advertising or behavioural tracking cookies.

7. Data retention

Account information is retained while your account is active and for up to 30 days after deletion to allow for recovery. Audit logs are kept for up to 12 months. Backups follow a 30-day rolling retention. Content you put in your projects is retained as long as your project exists; deleting a project triggers hard-delete of its database, storage, and function sources within 30 days.

8. How we protect information

We use TLS 1.2+ for all connections, encrypt data at rest with AES-256, hash admin passwords with bcrypt, and keep strict role-based access for our engineers. See our Security page for full details.

9. Your rights and choices

Depending on where you live, you may have the right to access, correct, export, or delete personal information about you, and to object to or restrict certain processing. To exercise any of these rights, email privacy@orbitnest.io. We'll respond within 30 days.

EU/UK users can lodge a complaint with their local supervisory authority. California users may exercise rights under the CCPA/CPRA by the same channel.

10. International transfers

OrbitNest operates servers in multiple regions. When data moves across regions we rely on Standard Contractual Clauses or equivalent safeguards. Customers can restrict a project to a specific region in Project Settings.

11. Children

The Service is not directed to children under 16. We do not knowingly collect personal information from children. If you believe we have, contact us and we will delete it.

12. Changes to this policy

We may update this policy from time to time. Material changes will be announced via email and in the Studio. The "Last updated" date at the top of this page reflects the most recent revision.

13. How to contact us

Privacy questions, access requests, or complaints: privacy@orbitnest.io. General support: support@orbitnest.io.

Questions?

Our team is happy to clarify anything on this page. Reach out any time.

support@orbitnest.io privacy@orbitnest.io security@orbitnest.io