Skip to content

Privacy Policy

Last updated: May 21, 2026

This policy describes how Orby collects, uses, shares and protects personal data in the context of its collaboration platform (chat, feed, projects, CRM, documents, calendar, statistics and mobile app). It applies to all users and organizations accessing the service through orbyintranet.com, platform.orbyintranet.com, admin.orbyintranet.com and associated mobile apps.

1. Who is the data controller

For Content uploaded by users in an Organization's workspace, the Organization is the data controller and Orby acts as a processor. For account data and Platform usage data, Orby is the data controller.

2. Data we collect

  • Account data: name, email, mobile (optional), profile picture, role/title, department, country, organization you belong to.
  • Credentials: password (stored with hash + salt), session tokens, devices registered for 2FA.
  • User content: chat messages (text, audio, video, attachments, polls), feed posts and comments, files and folders, tasks and projects, CRM records (leads, deals, contacts, interactions), calendar events, recognitions and birthdays.
  • Technical data: IP address, browser type, operating system, mobile device identifiers, push notification tokens.
  • Usage data: actions relevant for auditing (logins, permission changes, access to sensitive documents), aggregated metrics for internal statistics and Customer dashboards.
  • Billing data: tax name, tax ID, address, contracted plan, payment history. We do not store full card data — these are processed by our payment partners.

3. How we use the data

  • Provide the contracted service and its features (real-time messaging, notifications, sync across devices).
  • Ensure Platform security, prevent fraud and investigate incidents (audit logs).
  • Bill and manage payments.
  • Communicate with you about your account, service changes, new features and support.
  • Improve the product through aggregated and anonymized metrics.
  • Comply with legal obligations and respond to authorities when legally required.

4. Legal bases

We process data based on: contract performance (to provide the service), legal obligations (billing, accounting retention), legitimate interest (security, fraud prevention, product improvement) and consent (marketing notifications, when applicable — always revocable).

5. Sharing with third parties

We do not sell personal data. We share only with vendors essential to the operation, under confidentiality and data protection agreements:

  • Cloud providers for hosting the application, database and file storage.
  • Transactional email providers (notifications, invitations, password recovery).
  • Push notification providers for mobile apps (Android/iOS).
  • Payment platforms (only for billing of paid plans).
  • Monitoring and logging tools (for technical diagnostics).

When required by law, we may share data with competent authorities. We do not allow these vendors to use your data for their own purposes.

6. International transfers

Some vendors may be located outside Angola (e.g. cloud regions in Europe or the US). Whenever international transfers occur, we ensure appropriate safeguards (standard contractual clauses, security certifications).

7. Retention

  • Organization content: kept while the account is active. After termination, the Organization has 30 days to export; after that, data may be deleted.
  • Audit and security logs: up to 12 months, except for legal needs.
  • Billing data: per applicable legal periods (typically 5 to 10 years).
  • Backups: typical rotation up to 30 days.

8. Security

  • Encryption in transit (HTTPS/TLS) across the Platform.
  • Passwords stored with strong hash and salt (non-reversible).
  • Two-factor authentication (2FA) available for all users.
  • Per-organization isolation (multi-tenant): no Organization sees another's data.
  • Access control by role and by department, with granular permissions.
  • Audit log of sensitive events.
  • Automated backups and recovery plan.
  • Continuous monitoring and regular security updates.

9. Your rights

You have the right to:

  • Access your personal data.
  • Rectify inaccurate data.
  • Request portability (export) of your data.
  • Request erasure (“right to be forgotten”), except for legally required retention.
  • Object to processing based on legitimate interest.
  • Withdraw previously given consents.

To exercise these rights, contact us through the means indicated in section 12. When data is managed by an Organization, we may ask you to exercise your rights directly with your company's administrator.

10. Cookies and local storage

We only use cookies and local storage that are strictly necessary for authentication, session maintenance and interface preferences (e.g. light/dark theme stored in orby-theme). We do not use advertising cookies or third-party behavioral tracking.

11. Minors

Orby is not directed to people under the age of 18 and does not knowingly collect data from minors. If you are aware that a minor created an account without authorization, contact us for immediate removal.

12. Contact and complaints

For privacy questions or to exercise your rights, write to contacto@orbyintranet.com. You also have the right to file a complaint with the competent data protection authority.

13. Changes to this policy

We may update this policy to reflect changes in the service or in legislation. Material changes will be communicated by email and/or notice on the Platform. The version in effect is always the one published on this page.

Informational document. For specific data processing agreements (DPA) with your Organization, contact us.