Privacy Policy

Last updated: 2026-04-14

1. Controller

Noam Bergmann, Pflugstr. 19, 10115 Berlin, Germany, hello@orbi.so. The controller within the meaning of the GDPR is responsible for the processing of personal data described in this policy.

2. Types of Data Processed

We process: account data (name, email, role), usage data (page views, feature usage), payment data (via Stripe — we do not store card numbers), health and fitness data (only with explicit consent under Article 9 GDPR), and communication data (messages between coach and client).

3. Purpose of Processing

Data is processed to: provide the Platform services, process payments, send transactional emails, improve the product via analytics, ensure security, and comply with legal obligations.

4. Legal Basis

Processing is based on: contract performance (Art. 6(1)(b) GDPR) for core services, explicit consent (Art. 9(2)(a) GDPR) for health data, and legitimate interest (Art. 6(1)(f) GDPR) for security and cookieless product analytics. Any marketing communications rely on your consent (Art. 6(1)(a) GDPR).

5. Sub-processors and International Transfers

We use the following sub-processors:

• Supabase (database, authentication) — hosted in Frankfurt (eu-central-1). Contract with Supabase Inc., USA. Standard Contractual Clauses (SCC).
• Vercel (web hosting, edge functions) — deployment region Frankfurt (fra1). Contract with Vercel Inc., USA. SCC.
• Stripe Payments Europe, Ltd. (payment processing) — based in Dublin, Ireland. Data processed within the EEA. Stripe Connect Express: coaches are merchants of their own payments, Orbi is the platform.
• Resend (transactional email) — Resend Inc., USA. SCC.
• PostHog (cookieless product analytics + error monitoring) — EU hosting (eu.i.posthog.com). Contract with PostHog Inc., USA. SCC. No cookies, no session replay, and no personal data sent to PostHog.

All transfers to the US are covered by Standard Contractual Clauses pursuant to Art. 46 GDPR.

6. Retention Period

Account data is retained for the duration of the account plus 30 days. Payment records are retained for 10 years (German tax law, AO §147). Health data is deleted when the coach-client relationship ends, unless the client requests earlier deletion.

7. Your Rights

Under the GDPR, you have the right to: access your data (Art. 15), rectification (Art. 16), erasure (Art. 17), restriction of processing (Art. 18), data portability (Art. 20), and objection (Art. 21). To exercise these rights, contact us at the address above.

8. Cookies and Tracking

We use essential cookies only (session management, CSRF protection), which do not require consent. Our product analytics (PostHog, EU Cloud) runs in cookieless mode — it stores nothing on your device and sets no cookies, so no consent banner is required under TTDSG §25. This anonymous analysis relies on our legitimate interest (Art. 6(1)(f) GDPR) to improve the service, and no personal data is sent to PostHog. We do not use session replay or advertising cookies.

9. Data Breach Notification

We report personal data breaches pursuant to Art. 33 GDPR without undue delay, and at the latest within 72 hours of becoming aware, to the competent supervisory authority where the breach is likely to result in a risk to the rights and freedoms of natural persons. Affected individuals are informed pursuant to Art. 34 GDPR where there is a high risk.

10. Contact for Data Protection Inquiries

For access, deletion, rectification requests or other data protection matters, contact us at:

Noam Bergmann
Pflugstr. 19, 10115 Berlin, Germany
Email: hello@orbi.so

A Data Protection Officer is not required under §38 BDSG as long as we permanently employ fewer than 20 people in the automated processing of personal data.

Questions? Contact us at legal@orbi.so