Privacy Policy
Last updated: March 23, 2026
In short: Orbis is an AI-powered customer communication platform. We process personal data to provide our services, and we take your privacy seriously. We do not sell your personal data. This policy explains what we collect, why, and your rights.
1. Who We Are
Orbis ("we", "us", "our") is a customer experience platform operated by CX Orbis, providing AI-powered omnichannel communication tools including WhatsApp, Instagram, Email, and more.
- Website: cxorbis.com
- Contact: admin@cxorbis.com
When our business customers ("Tenants") use Orbis to communicate with their end users, we act as a data processor on behalf of the Tenant. For data we collect directly (such as account registration and website analytics), we act as the data controller.
2. What Data We Collect
2.1 Account Data
When you sign up for Orbis, we collect:
- Name, email address, and phone number
- Organization name and business details
- Login credentials (passwords are hashed, never stored in plain text)
- Role and permissions within your organization
2.2 Communication Data
When Tenants use Orbis to communicate with their contacts, we process:
- Message content (text, media, documents) across all channels
- Contact information (names, phone numbers, email addresses)
- Conversation metadata (timestamps, delivery status, channel type)
- WhatsApp Business API data (message templates, delivery receipts)
2.3 AI-Processed Data
When AI features are enabled, we may process:
- Conversation content for AI-generated summaries and auto-labels
- Message text for automatic translation
- Interaction patterns for AI assistant responses
Important: We do not use your data to train AI models. AI processing is performed solely to provide the requested features within your workspace.
2.4 Usage and Technical Data
- IP address, browser type, device information
- Pages visited, features used, and interaction patterns
- Performance logs and error reports
2.5 Payment Data
- Billing name and address
- Payment method details (processed by our payment provider; we do not store full card numbers)
- Transaction history and invoices
3. How and Why We Process Your Data
| Purpose | Data Used | Legal Basis |
|---|---|---|
| Providing our platform and services | Account, communication, technical data | Contract performance |
| Processing messages across channels | Communication data, contact info | Contract performance |
| AI features (summaries, translation, auto-labeling) | Message content | Legitimate interest / Consent |
| Billing and payments | Payment data, account data | Contract performance |
| Platform security and fraud prevention | Technical data, usage logs | Legitimate interest |
| Analytics and service improvement | Usage data (aggregated) | Legitimate interest |
| Customer support | Account data, communication records | Contract performance |
| Legal compliance | As required by law | Legal obligation |
4. AI and Automated Processing
Orbis uses artificial intelligence to power several features:
- AI Assistant: Generates suggested replies and handles customer inquiries automatically
- Conversation Summaries: Creates brief summaries of conversations for agent handoff
- Auto-Translation: Translates messages between languages in real-time
- Auto-Labeling: Categorizes conversations based on content and intent
- Smart Interactive Messages: Suggests relevant actions (links, locations) based on conversation context
These features process message content in real-time. No conversation data is used to train or improve AI models. You can disable AI features at any time from your organization settings.
You have the right to contest any decision made solely by automated processing that significantly affects you.
5. Data Sharing and Disclosure
We share personal data only in the following circumstances:
5.1 Service Providers
We use trusted third-party providers to operate our platform:
| Provider | Purpose | Data Shared |
|---|---|---|
| Google Cloud Platform | Infrastructure and hosting | All platform data (encrypted) |
| Meta (WhatsApp Business API) | WhatsApp messaging | Messages, phone numbers, media |
| OpenAI | AI features | Message content (for processing only) |
| Sentry | Error monitoring | Technical logs (anonymized) |
5.2 Legal Requirements
We may disclose data when required by law, regulation, legal process, or governmental request.
5.3 Business Transfers
In the event of a merger, acquisition, or sale of assets, your data may be transferred. We will notify you before your data becomes subject to a different privacy policy.
We do not sell, rent, or trade your personal data to third parties for marketing purposes.
6. Multi-Tenant Data Isolation
Orbis is a multi-tenant platform. Each Tenant's data is logically isolated:
- Tenants cannot access another Tenant's contacts, conversations, or settings
- All database queries are scoped to the authenticated organization
- API access tokens are organization-specific
- WhatsApp Business Accounts are individually owned by each Tenant
7. International Data Transfers
Orbis infrastructure is hosted on Google Cloud Platform. Your data may be processed in regions outside your country of residence. When data is transferred internationally, we ensure appropriate safeguards are in place:
- Standard Contractual Clauses (SCCs) approved by the European Commission
- Compliance with the Saudi Personal Data Protection Law (PDPL) cross-border transfer requirements
- Encryption in transit (TLS 1.2+) and at rest (AES-256)
8. Data Retention
We retain data only as long as necessary for the purposes outlined in this policy:
| Data Type | Retention Period |
|---|---|
| Account data | Duration of account + 30 days after deletion |
| Conversation data | Duration of Tenant's subscription |
| WhatsApp messages (Cloud API) | As configured by Tenant; Meta retains for 30 days |
| Server logs | 30 days |
| Payment records | 7 years (legal/tax requirement) |
| Analytics data | 24 months (aggregated) |
Upon account deletion, we destroy personal data within 30 days using documented destruction procedures that prevent re-identification, in compliance with applicable data protection laws.
9. Data Security
We implement industry-standard security measures to protect your data:
- Encryption: TLS 1.2+ in transit, AES-256 at rest
- Access Controls: Role-based access, multi-factor authentication
- Infrastructure: Google Cloud Platform with enterprise-grade security
- Monitoring: Real-time security monitoring and alerting
- Credential Protection: External tool credentials encrypted with AES-256-GCM
- SSRF Protection: DNS resolution validation, redirect blocking for webhook/API requests
10. Cookies and Tracking
Our website and platform use cookies to provide functionality and improve your experience:
| Category | Purpose | Duration |
|---|---|---|
| Essential | Authentication, security, session management | Session / 30 days |
| Functional | Preferences, language settings | 1 year |
| Analytics | Usage patterns, performance monitoring | 24 months |
We do not use third-party advertising or marketing cookies. You can manage cookie preferences through your browser settings.
11. Your Rights
Depending on your location, you have the following rights regarding your personal data:
All Users
- Access: Request a copy of the personal data we hold about you
- Correction: Request correction of inaccurate or incomplete data
- Deletion: Request deletion of your personal data
- Data Portability: Receive your data in a structured, machine-readable format
- Withdraw Consent: Withdraw previously given consent at any time
- Object: Object to processing based on legitimate interest
Saudi Arabia (PDPL)
- Right to be informed about the purpose and legal basis for processing
- Right to request destruction of data that is no longer needed
- Right to lodge a complaint with the Saudi Data and Artificial Intelligence Authority (SDAIA)
European Economic Area (GDPR)
- Right to restriction of processing
- Right not to be subject to automated decision-making
- Right to lodge a complaint with your local data protection authority
To exercise any of these rights, contact us at admin@cxorbis.com. We will respond within 30 days of receiving your request.
12. WhatsApp Business Platform
Orbis integrates with the WhatsApp Business Platform (Cloud API) provided by Meta. When using WhatsApp through Orbis:
- Messages are routed through Meta's infrastructure and are subject to WhatsApp's Privacy Policy
- Meta retains message metadata for delivery and security purposes
- WhatsApp Business Accounts are owned by the Tenant, not by Orbis
- End-to-end encryption applies to messages between WhatsApp users; Cloud API messages are encrypted in transit and at rest but are decrypted for processing
- Tenants are responsible for obtaining necessary consents from their contacts before sending messages
13. Children's Privacy
Orbis is a business-to-business platform and is not intended for use by individuals under the age of 18. We do not knowingly collect personal data from children. If we become aware that we have collected data from a child, we will delete it promptly.
14. Changes to This Policy
We may update this Privacy Policy from time to time. When we make material changes, we will:
- Update the "Last updated" date at the top of this page
- Notify registered users via email for significant changes
- Post a notice on our platform dashboard
Continued use of Orbis after changes are posted constitutes acceptance of the updated policy.
15. Contact Us
If you have questions about this Privacy Policy, your data, or wish to exercise your rights, contact us:
- Email: admin@cxorbis.com
- Website: cxorbis.com
For complaints about how we handle your data, you may also contact the relevant supervisory authority in your jurisdiction.