Privacy Policy

1. Who We Are

Orbyt AI is operated by Daniel Zarghoum, based in Marbella, Spain. We provide AI-powered auto-reply services for WhatsApp, Email (Gmail), and Instagram for small and local businesses.

Contact: daniel.zarghoum@gmail.com

2. Data We Collect

Account data

When you create an Orbyt AI account we collect your email address, business name, and a hashed password (we never store plain-text passwords). This is managed by Supabase, a SOC 2 certified authentication provider.

Gmail data (only when you connect Gmail)

If you choose to connect a Gmail inbox, we request the following OAuth scopes from Google:

• gmail.readonly — to read incoming emails so the AI can understand what the customer is asking
• gmail.send — to send replies on your behalf (only when you explicitly approve)
• gmail.modify — to create draft replies that appear in your Gmail drafts for your review before sending

We store your OAuth access token and refresh token securely in Airtable to maintain the connection. We only access email content to generate AI-drafted replies — we never read, store, or analyse your emails for any other purpose. We do not share email content with any third party except Groq (our AI provider, see Section 5).

You can disconnect Gmail at any time from your dashboard, which immediately revokes our access and deletes your stored tokens.

WhatsApp and Instagram messages

When customers send messages to your connected WhatsApp or Instagram account, the message text is processed by our AI to generate a reply. Messages may be stored temporarily in our database (Airtable) to populate your inbox dashboard. We do not use these messages for training AI models.

Billing data

Payment processing is handled entirely by Stripe. We never see or store your credit card number. We receive confirmation of subscription status from Stripe.

3. How We Use Your Data

• To provide the AI auto-reply service you subscribed to
• To generate AI-drafted responses to your customers' messages
• To display your message history in the Orbyt AI dashboard
• To send you transactional emails (account confirmation, billing receipts)
• To improve service reliability and diagnose errors (via server logs)

We do not use your data for advertising, profiling, or selling to third parties.

4. Google API Data — Limited Use Disclosure

Orbyt AI's use of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements.

Specifically:

• We only use Gmail data to provide the email auto-reply feature you explicitly activated
• We do not transfer Gmail data to third parties except as necessary to provide the service (Groq AI for reply generation) or as required by law
• We do not use Gmail data for serving advertisements
• We do not allow humans to read your Gmail data unless you have given explicit permission or it is required for security purposes
• Gmail data is not used to train AI or machine learning models

5. Third-Party Services We Use

• Supabase — authentication and user management (SOC 2 certified)
• Airtable — database for messages, bookings, and OAuth tokens
• Groq — AI inference for generating replies (message content sent to Groq is not retained for training per their terms)
• Stripe — payment processing (PCI DSS compliant)
• Vercel — hosting and serverless functions
• Google (Gmail API) — email access when you connect your inbox
• Meta (Graph API) — Instagram DMs when you connect your account

6. Data Retention

We retain your data for as long as your account is active. If you delete your account:

• Your account credentials are deleted from Supabase immediately
• Your OAuth tokens (Gmail, Instagram) are deleted from our database
• Message history is deleted within 30 days
• Stripe retains billing records as required by law

7. Your Rights (GDPR)

If you are based in the EU or UK, you have the right to:

• Access — request a copy of all data we hold about you
• Rectification — correct inaccurate data
• Erasure — request deletion of your data ("right to be forgotten")
• Portability — receive your data in a machine-readable format
• Objection — object to processing of your data
• Withdraw consent — disconnect any connected service at any time from your dashboard

To exercise any of these rights, email us at daniel.zarghoum@gmail.com and we will respond within 30 days.

8. Security

We take reasonable technical measures to protect your data including HTTPS encryption in transit, encrypted token storage, and access controls. However, no system is 100% secure. If you discover a security vulnerability, please contact us immediately at daniel.zarghoum@gmail.com.

9. Cookies

We use minimal cookies — only those required for authentication (session tokens set by Supabase). We do not use tracking or advertising cookies.

10. Changes to This Policy

We may update this policy as we add new features. If changes are significant, we will notify you by email. The "Last updated" date at the top of this page always reflects the most recent version.

11. Contact

For any privacy-related questions, requests, or concerns:

• Email: daniel.zarghoum@gmail.com
• Website: orbytai.org