Privacy Policy

1. Controller

Noam Bergmann, Pflugstr. 19, 10115 Berlin, Germany, hello@orbi.so. The controller within the meaning of the GDPR is responsible for the processing of personal data described in this policy.

2. Types of Data Processed

We process: account data (name, email, role), usage data (page views, feature usage), payment data (via Stripe — we do not store card numbers), health and fitness data (only with explicit consent under Article 9 GDPR), and communication data (messages between coach and client).

3. Purpose of Processing

Data is processed to: provide the Platform services, process payments, send transactional emails, improve the product via analytics, ensure security, and comply with legal obligations.

4. Legal Basis

Processing is based on: contract performance (Art. 6(1)(b) GDPR) for core services, explicit consent (Art. 9(2)(a) GDPR) for health data, legitimate interest (Art. 6(1)(f) GDPR) for security, and consent (Art. 6(1)(a) GDPR) for analytics and marketing.

5. Sub-processors and International Transfers

We use the following sub-processors:

• Supabase (database, authentication) — hosted in Frankfurt (eu-central-1). Contract with Supabase Inc., USA. Standard Contractual Clauses (SCC).
• Vercel (web hosting, edge functions) — deployment region Frankfurt (fra1). Contract with Vercel Inc., USA. SCC.
• Stripe Payments Europe, Ltd. (payment processing) — based in Dublin, Ireland. Data processed within the EEA. Stripe Connect Express: coaches are merchants of their own payments, Orbi is the platform.
• Resend (transactional email) — Resend Inc., USA. SCC.
• PostHog (product analytics, consent-based) — EU hosting (eu.i.posthog.com). Contract with PostHog Inc., USA. SCC.
• Sentry (error monitoring, consent-based) — EU region Frankfurt. Contract with Functional Software Inc., USA. SCC. Session replay masks all text and input fields.

All transfers to the US are covered by Standard Contractual Clauses pursuant to Art. 46 GDPR.

6. Retention Period

Account data is retained for the duration of the account plus 30 days. Payment records are retained for 10 years (German tax law, AO §147). Health data is deleted when the coach-client relationship ends, unless the client requests earlier deletion.

7. Your Rights

Under the GDPR, you have the right to: access your data (Art. 15), rectification (Art. 16), erasure (Art. 17), restriction of processing (Art. 18), data portability (Art. 20), and objection (Art. 21). To exercise these rights, contact us at the address above.

8. Cookies and Tracking

We use essential cookies (session management, CSRF protection) without consent. Analytics cookies (PostHog) and error tracking cookies (Sentry) require prior consent via our cookie banner, in compliance with TTDSG §25. See our Cookie Policy for details.

9. Data Breach Notification

We report personal data breaches pursuant to Art. 33 GDPR without undue delay, and at the latest within 72 hours of becoming aware, to the competent supervisory authority where the breach is likely to result in a risk to the rights and freedoms of natural persons. Affected individuals are informed pursuant to Art. 34 GDPR where there is a high risk.

10. Contact for Data Protection Inquiries

For access, deletion, rectification requests or other data protection matters, contact us at:

Noam Bergmann
Pflugstr. 19, 10115 Berlin, Germany
Email: hello@orbi.so

A Data Protection Officer is not required under §38 BDSG as long as we permanently employ fewer than 20 people in the automated processing of personal data.

Last updated: 2026-04-14

Questions? Contact us at legal@orbi.so