PRIVACY POLICY
Summary: This Privacy Policy explains how Orbital Agents collects, uses, secures, and deletes personal and business information when delivering the AI Agents Diagnostic Lab.
- Data collected to deliver diagnostic and report
- Payment processing via Stripe (card data not stored)
- Enterprise-grade security controls
- Erasure requests handled with recorded compliance evidence
Orbital Agents
ABN: 98 493 133 665
Registered Office: Gold Coast, QLD 4217, Australia
Last Updated: January 2026
Effective Date: January 2026
1. Overview
Orbital Agents ("we," "us," or "our") is committed to protecting your privacy and handling personal information responsibly in accordance with the Australian Privacy Principles (APPs) under the Privacy Act 1988 (Cth) and other applicable data protection laws.
This Privacy Policy explains how we collect, use, store, disclose, and protect personal and business information when you use our AI Agent Readiness Diagnostic Lab services ("Services").
By using our Services, you acknowledge that you have read, understood, and agree to this Privacy Policy.
Our Commitment:
- We treat all business information as confidential
- We never sell or share your diagnostic data with third parties
- We use your data solely to deliver your Diagnostic Lab outcomes
- We implement enterprise-grade security measures to protect your information
2. Information We Collect
We may collect the following categories of information:
Personal & Contact Information:
- Name, email address, company name and role
- Business context, size, industry, country and region
Diagnostic & Assessment Data:
- Diagnostic responses, readiness scores and assessment data
- Information relating to your organisation's current state across:
- People, roles and ownership structures
- Processes and workflows
- Performance metrics and constraints
- Technology stack and data maturity
- Governance structures and risk factors
Payment Information:
- Booking and payment metadata (not full card details)
- Payment processing is handled exclusively by Stripe, Inc. We do not collect, see, or store your credit card numbers, CVV codes, or banking details.
Technical Information:
- IP address, browser type, device information
- Website usage data (pages visited, time spent, actions taken)
- Cookie data (see Section 4 for details)
Sensitive Business Data: The diagnostic information you provide may include commercially sensitive and confidential business data. This information is treated as confidential and purpose-bound: it is used only to deliver the service.
3. How We Use Information
Your information is used only to:
- Deliver AI Agents Diagnostic Lab sessions and advisory services
- Generate readiness assessments and Diagnostic Lab Reports
- Prepare and conduct your live Diagnostic Lab session
- Communicate service-related information
- Operate, secure and improve our platform and services
- Meet legal and regulatory obligations
We do not:
- Sell your data
- Share your diagnostic data with third parties
- Use your organisation's identifiable information for marketing or benchmarking
- Publish client-specific information
Aggregated Data: We may produce aggregated, anonymised industry insights. No individual, organisation, system, metric, or business model is identifiable in any aggregated publication.
Confidentiality: Your business data remains confidential. It exists to serve your decision-making—nothing else. Your diagnostic and business data is used solely to support your engagement with Orbital Agents and to deliver your Diagnostic Lab outcomes.
4. Cookies & Tracking Technologies
Orbital Agents uses cookies and similar technologies to enable core website functionality, understand site usage and performance, and improve user experience.
Types of Cookies:
- Essential Cookies: Required for website operation (session management, form submission, authentication)
- Analytics Cookies: Used to understand site usage (e.g., Google Analytics with IP anonymization enabled)
- Preference Cookies: Remember your settings and preferences
Your Choices: You can manage cookie preferences via your browser settings or our cookie banner. Disabling essential cookies may affect website functionality.
Third-Party Analytics: We use Google Analytics to analyze website traffic. Data is anonymized and aggregated. Google's use of data is governed by their privacy policy: https://policies.google.com/privacy
5. Marketing Communications
You may receive communications related to:
- Diagnostic Lab Sessions and booking reminders
- Follow-up materials and your Diagnostic Lab Report
- Relevant Orbital Agents insights and updates
Your Rights:
- You may unsubscribe from marketing communications at any time via the "unsubscribe" link in emails or by contacting us
- Transactional communications (booking confirmations, report delivery, service updates) will still be sent as necessary for service delivery
Email Service Provider: We use ConvertKit (Kit) for email communications. Kit is GDPR compliant and processes data in accordance with their privacy policy.
6. Data Storage & Security
Orbital Agents takes data security seriously and implements multiple layers of protection to safeguard your information.
6.1 Encryption
Data in Transit:
- All data transmitted between your browser and our servers is protected by TLS (HTTPS) using 256-bit cipher suites; the legacy SSL protocols are not used
- Pre-Session Questionnaire (S3) form submissions are sent as HTTPS POST requests, so responses are encrypted in transit
Data at Rest:
- All data stored in our database is encrypted using AES-256 encryption
- Encryption keys are managed securely and rotated periodically
Secure Form Access:
- Pre-Session Questionnaire URLs contain unique tokens generated with a cryptographically secure random number generator
- Tokens are time-limited and single-use: they expire 30 days after issuance or upon form submission, whichever occurs first
- Form URLs are excluded from search engine indexing, and the token entropy makes them impractical to guess
6.2 Infrastructure Security
- Hosting: Enterprise-grade cloud infrastructure (Abacus.AI) with SOC 2 Type II compliance
- Database: PostgreSQL with encrypted connections and role-based access controls
- Monitoring: 24/7 security monitoring for threats and vulnerabilities
- Updates: Regular security patches applied automatically
- Backups: Redundant backups stored in geographically separate locations
6.3 Access Controls
- Role-Based Access: Only consultants assigned to your engagement can access your questionnaire responses and diagnostic data
- Multi-Factor Authentication (MFA): Required for all staff accounts with administrative privileges
- Audit Logging: All access to client data is logged with timestamps and user identifiers for auditing purposes
- Least Privilege: Staff have access only to data necessary for their role
6.4 Payment Security
- Payment processing is handled exclusively by Stripe, Inc., a PCI DSS Level 1 certified payment processor
- We never see, store, or transmit your credit card details
- All payment data is encrypted end-to-end by Stripe
- Stripe's handling of payment data is governed by their privacy policy and PCI DSS compliance
6.5 Security Limitations
While we implement industry-standard security measures and continuously monitor for threats, no system can be guaranteed to be completely secure. We make ongoing efforts to protect your data but cannot guarantee absolute security.
6.6 Data Breach Response
In the event of a data breach likely to result in serious harm to, or a risk to the rights of, affected individuals:
- Detection: We will investigate and assess the scope of the incident within 24 hours of becoming aware of it
- Containment: Immediate actions will be taken to contain and mitigate the breach
- Notification: Affected clients will be notified within 72 hours. This is our commitment; the law itself requires notification of individuals without undue delay under GDPR (Article 34) and as soon as practicable under the Australian Notifiable Data Breaches scheme
- Regulatory Notification: We will notify the Office of the Australian Information Commissioner (OAIC) and, where GDPR applies, the relevant supervisory authority within 72 hours of becoming aware of the breach (GDPR Article 33), together with any other regulators as required by law
- Remediation: We will document the incident and implement measures to prevent recurrence
6.7 Enterprise Security Options
For clients with heightened security requirements, we offer:
- Non-Disclosure Agreements (NDA): Mutual or unilateral NDAs available upon request
- Data Processing Agreements (DPA): For GDPR compliance and enterprise requirements
- Business Associate Agreements (BAA): For HIPAA-covered entities (US healthcare clients)
- Custom Security Controls: Additional authentication layers, IP allow-listing, or other controls as needed
Contact [email protected] to discuss enterprise security arrangements.
7. Disclosure of Information
7.1 General Policy
Personal information is not sold, rented, or traded. We do not share your diagnostic or business data with third parties except as specified in this section.
7.2 Service Providers (Subprocessors)
We engage trusted third-party service providers who may access your data to provide services on our behalf. All service providers are contractually bound to:
- Use your data only for the specified purposes
- Implement appropriate security measures
- Not disclose your data to third parties without authorization
- Comply with applicable data protection laws
7.3 Legal Requirements
We may disclose your information if required to do so by law, court order, subpoena, or regulatory authority, including to:
- Comply with legal obligations under Australian or foreign law
- Protect our legal rights, property, or safety
- Protect the rights, property, or safety of our clients or the public
- Prevent fraud, security threats, or illegal activity
- Respond to lawful requests from government authorities
7.4 Business Transfers
In the event of a merger, acquisition, reorganization, or sale of assets, your information may be transferred to the acquiring entity. You will be notified via email at least 30 days before any such transfer, and the acquiring entity will be bound by this Privacy Policy unless you consent to a new policy.
7.5 With Your Consent
We may share your information with third parties if you provide explicit consent for a specific purpose (e.g., sharing your Diagnostic Lab Report with your internal stakeholders or external advisors).
8. International Data Transfers
8.1 Cross-Border Processing
Orbital Agents operates globally and provides services to clients worldwide. Your information may be processed and stored in countries outside your country of residence, including:
- Australia (where Orbital Agents is registered)
- United States (where our infrastructure provider Abacus.AI and service providers Stripe, Kit, and Calendly are located)
8.2 Safeguards for International Transfers
When transferring data internationally, we ensure adequate protection through:
- Standard Contractual Clauses (SCCs): Approved by the European Commission for transfers of EU personal data outside the EEA, with the UK International Data Transfer Addendum for UK personal data
- Data Processing Agreements (DPAs): With all subprocessors that handle personal data
- Encryption: All data is encrypted in transit (TLS) and at rest (AES-256)
- Compliance: Our service providers are contractually obligated to comply with GDPR, CCPA, and Australian Privacy Act requirements
8.3 Your Consent
By using our Services, you acknowledge and consent to the processing and storage of your information in these jurisdictions. If you do not consent, please do not use our Services.
9. GDPR (EU / UK Addendum)
9.1 Legal Basis for Processing
For users in the European Union (EU) and United Kingdom (UK), we process personal data under the following legal bases:
- Contract Performance: To deliver the AI Agent Readiness Diagnostic Lab services you have purchased
- Legitimate Interests: To improve our services, prevent fraud, and ensure security (where not overridden by your rights)
- Legal Obligations: To comply with legal and regulatory requirements
- Consent: For marketing communications (you may withdraw consent at any time)
9.2 Your Rights Under GDPR
EU and UK users have the following rights under the General Data Protection Regulation (GDPR) and UK GDPR:
- Right of Access: Request a copy of your personal data we hold
- Right to Rectification: Request correction of inaccurate or incomplete personal data
- Right to Erasure ("Right to be Forgotten"): Request deletion of your personal data (subject to legal retention requirements)
- Right to Restriction: Request restriction of processing in certain circumstances
- Right to Object: Object to processing based on legitimate interests or for direct marketing
- Right to Data Portability: Receive your personal data in a structured, machine-readable format
- Right to Withdraw Consent: Withdraw consent for processing at any time (does not affect prior processing)
- Right Not to be Subject to Automated Decision-Making: We do not use automated decision-making or profiling that produces legal or similarly significant effects
Data Erasure & Third-Party Processors
Orbital Agents performs full internal data erasure across all systems upon a valid erasure request.
For third-party processors such as ConvertKit (Kit), Orbital Agents invokes the maximum deletion and suppression actions available via API, which immediately cease all data processing and communications.
Where a processor does not provide a permanent deletion endpoint via API, Orbital Agents completes full record deletion using the processor's own GDPR mechanisms (including secure administrative deletion).
Orbital Agents does not access, process, profile, or use any processor-retained data after erasure.
Evidence of internal erasure and processor suppression is recorded in an immutable compliance ledger and confirmed via administrative notification.
Stripe is treated as a legal financial archive only; Orbital Agents does not access or process Stripe-retained personal data after erasure.
9.3 How to Exercise Your Rights
To exercise any of these rights, please contact us at:
Email: [email protected]
Subject Line: "GDPR Data Subject Request"
Required Information:
- Your full name and email address used for the engagement
- Description of your request (e.g., "Right of Access," "Right to Erasure")
- Proof of identity (to prevent unauthorized access)
Response Time: We will respond to your request within 30 days, and in any case within the one month GDPR requires (Article 12(3)). If we need more time, we will notify you of the extension and the reasons within that period.
9.4 Data Protection Authority
If you believe we have violated your rights under GDPR, you have the right to lodge a complaint with your local Data Protection Authority (DPA):
- EU Supervisory Authorities: https://edpb.europa.eu/about-edpb/board/members_en
- UK Information Commissioner's Office (ICO): https://ico.org.uk
We encourage you to contact us first so we can address your concerns directly.
9.5 EU Representative
Orbital Agents does not currently have an EU representative as we do not regularly offer goods or services to EU data subjects or monitor their behavior.
10. California Privacy (CCPA / CPRA)
10.1 California Consumer Privacy Rights
California residents have specific rights under the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA):
- Right to Know: Request disclosure of the categories and specific pieces of personal information we collect, use, disclose, or sell
- Right to Delete: Request deletion of your personal information (subject to legal exceptions)
- Right to Opt-Out of Sale/Sharing: We do not sell or share personal information for cross-context behavioral advertising
- Right to Correct: Request correction of inaccurate personal information
- Right to Limit Use of Sensitive Personal Information: We do not use sensitive personal information for purposes requiring opt-out rights
- Right to Non-Discrimination: You will not be discriminated against for exercising your CCPA rights
10.2 Categories of Personal Information We Collect
Under CCPA, we collect the following categories of personal information:
- Identifiers: Name, email address, company name, IP address
- Commercial Information: Payment transaction data, service purchase history
- Professional Information: Job title, company role, business context
- Internet Activity: Website usage data, cookies
- Business Information: Diagnostic responses, organizational data (as detailed in Section 2)
10.3 How We Use Personal Information
We use personal information for the business purposes described in Section 3 of this Privacy Policy.
10.4 Disclosure of Personal Information
We disclose personal information to service providers (subprocessors) as listed in Section 7.2. We do not "sell" personal information as defined by CCPA.
10.5 How to Exercise Your California Rights
California residents may submit requests to:
Email: [email protected]
Subject Line: "CCPA Consumer Request"
Required Information:
- Your full name, email address, and California residence
- Description of your request (e.g., "Right to Know," "Right to Delete")
- Proof of California residency and identity
Verification: We will verify your identity before processing your request to protect against fraudulent requests.
Response Time: We will respond within 45 days of receipt. If we need more time (up to 90 days total), we will notify you.
Authorized Agent: You may designate an authorized agent to make requests on your behalf by providing written authorization.
10.6 No Sale or Sharing of Personal Information
Orbital Agents does not "sell" or "share" personal information as those terms are defined under CCPA/CPRA. We do not disclose personal information to third parties for monetary or other valuable consideration, nor do we share personal information for cross-context behavioral advertising.
11. Data Retention
11.1 Retention Periods
Personal data is retained only as long as necessary for the purposes described in this Privacy Policy and to meet legal obligations:
- Active Client Data: Retained for the duration of service delivery plus 12 months for post-delivery support and Q&A window
- Payment Records: Retained for 7 years to comply with Australian tax and accounting regulations (Income Tax Assessment Act 1997)
- Marketing Communications: Retained until you unsubscribe or request deletion
- Website Analytics: Anonymized data retained indefinitely for service improvement
11.2 Data Deletion
Upon expiration of the retention period, personal data will be:
- Securely deleted from active systems
- Permanently removed from backups within 90 days
- Or anonymized such that it cannot be attributed to you
11.3 Early Deletion Requests
You may request deletion of your data before the retention period expires by contacting [email protected]. We will honor your request except where:
- Retention is required by law (e.g., tax records)
- Retention is necessary to defend legal claims
- Retention is necessary to fulfill our contractual obligations
We will provide written confirmation of deletion within 30 days.
12. Changes to This Policy
12.1 Policy Updates
This Privacy Policy may be updated from time to time to reflect:
- Changes in legal or regulatory requirements
- Updates to our security practices or service providers
- New services, features, or business practices
12.2 Notification of Changes
Material Changes: We will notify you via email at least 30 days before changes take effect. Material changes include changes to data use purposes, new categories of data collected, or changes to your rights.
Non-Material Changes: The updated policy will be posted on our website with a new "Last Updated" date at the top of this page.
12.3 Acceptance of Changes
Your continued use of our Services after changes take effect constitutes acceptance of the updated Privacy Policy. If you do not agree to the changes, you must stop using our Services and may request deletion of your data.
12.4 Version History
We maintain a version history of this Privacy Policy. To request prior versions, contact [email protected].
13. Children's Privacy
Our Services are not directed to individuals under the age of 18. We do not knowingly collect personal information from children.
If we become aware that we have inadvertently collected personal information from a child under 18, we will:
- Delete the information promptly from our systems
- Notify the parent or guardian (if contact information is available)
- Take steps to prevent future collection
If you believe we have collected information from a child, please contact us immediately at [email protected].
14. Third-Party Links & Services
14.1 External Websites
Our website and communications may contain links to third-party websites, services, or applications (e.g., Stripe payment pages, Calendly booking pages, social media platforms).
Disclaimer: We are not responsible for the privacy practices, content, or security of third-party websites. Third-party services are governed by their own privacy policies.
Your Responsibility: We encourage you to review the privacy policies of any third-party services you access through our platform.
14.2 Social Media Plugins
Our website may include social media sharing buttons or plugins (e.g., LinkedIn, Twitter). These features may collect your IP address, set cookies, or track your activity on our site. Social media features are governed by the privacy policies of the respective platforms.
15. Business Clients & Data Processing Roles
15.1 Data Controller vs. Data Processor
For the purposes of data protection law:
- You (the Client) are the Data Controller for any personal data of your employees, customers, contractors, or stakeholders that you provide to us during the Diagnostic Lab engagement
- Orbital Agents is the Data Processor acting on your instructions to deliver the Diagnostic Lab Report
15.2 Your Responsibilities as Data Controller
If you provide us with personal data about third parties (e.g., your employees, stakeholders), you are responsible for:
- Obtaining appropriate consent or having a lawful basis for processing
- Ensuring the data is accurate and up-to-date
- Informing those individuals about how their data will be processed (including sharing with Orbital Agents)
- Complying with applicable data protection laws in your jurisdiction
15.3 Data Processing Agreement (DPA)
Enterprise clients or clients subject to GDPR may request a formal Data Processing Agreement (DPA) that specifies:
- The scope, nature, and purpose of data processing
- Types of personal data processed
- Data retention and deletion procedures
- Security measures and audit rights
- Subprocessor list and change notification procedures
- Liability, indemnification, and breach notification
To request a DPA, contact [email protected].
15.4 Business Associate Agreement (BAA)
US healthcare clients subject to the Health Insurance Portability and Accountability Act (HIPAA) may request a Business Associate Agreement (BAA) if Protected Health Information (PHI) will be disclosed during the engagement.
To request a BAA, contact [email protected]. Note: Orbital Agents is not itself a HIPAA covered entity, and standard Diagnostic Lab engagements do not involve PHI.
16. Australian Privacy Principles (APPs) Compliance
Orbital Agents is bound by the Australian Privacy Principles (APPs) under the Privacy Act 1988 (Cth). This Privacy Policy is designed to comply with the APPs.
16.1 Key APP Obligations
- APP 1 (Open and Transparent Management): This Privacy Policy is publicly available and clearly explains our data practices
- APP 3 (Collection of Solicited Personal Information): We collect only information reasonably necessary for our functions
- APP 5 (Notification of Collection): This Privacy Policy notifies you of what we collect and why
- APP 6 (Use or Disclosure): We use and disclose personal information only for primary purposes or with consent
- APP 8 (Cross-Border Disclosure): We take reasonable steps to ensure overseas recipients comply with APPs (see Section 8)
- APP 11 (Security): We take reasonable steps to protect personal information from misuse, interference, loss, and unauthorized access (see Section 6)
- APP 12 (Access to Personal Information): You may request access to the personal information we hold about you (see Section 16.2)
- APP 13 (Correction of Personal Information): We will correct inaccurate information upon request
16.2 Your Rights Under the Privacy Act
You have the right to:
- Access: Request access to your personal information we hold
- Correction: Request correction of inaccurate or out-of-date personal information
- Complaint: Lodge a complaint with us or the Office of the Australian Information Commissioner (OAIC) if you believe we have breached the Privacy Act
16.3 How to Exercise Your Rights
To request access, correction, or lodge a complaint:
Email: [email protected]
Subject Line: "Australian Privacy Act Request"
We will respond within 30 days.
16.4 Complaints Process
If you believe we have breached the Australian Privacy Principles:
Contact Us First: Email [email protected] with details of your complaint. We will investigate and respond within 30 days.
OAIC Complaint: If you are not satisfied with our response, you may lodge a complaint with the Office of the Australian Information Commissioner (OAIC):
- Website: www.oaic.gov.au
- Phone: 1300 363 992
- Email: [email protected]
17. Contact Information
17.1 Privacy Inquiries
For questions about this Privacy Policy, to exercise your rights, or to submit a privacy-related request:
Email: [email protected]
Subject Line: [Specify: "Privacy Inquiry," "Data Subject Request," "GDPR Request," "CCPA Request," "Australian Privacy Act Request"]
Postal Address:
Orbital Agents
6-12 View Avenue,
Gold Coast, 4217
Queensland, Australia
17.2 Response Time
We aim to respond to all privacy inquiries within:
- General Inquiries: 30 business days
- Data Subject Requests (GDPR): 30 days
- CCPA Requests: 45 days
- Australian Privacy Act Requests: 30 days
If we require more time, we will notify you of the extension and reasons.
17.3 Data Protection Officer (DPO)
Orbital Agents does not currently have a dedicated Data Protection Officer. Privacy inquiries should be directed to [email protected].
18. Governing Law & Jurisdiction
This Privacy Policy is governed by the laws of Queensland, Australia, and the Commonwealth of Australia.
Any disputes arising from or relating to this Privacy Policy or our data practices will be subject to the exclusive jurisdiction of the courts of Queensland, Australia, except where:
- EU/UK users may bring claims in their local jurisdiction under GDPR
- California residents may bring claims under CCPA in California courts
- Other mandatory consumer protection laws apply
19. Consent & Acknowledgment
By using our Services, you:
- Acknowledge that you have read and understood this Privacy Policy
- Consent to the collection, use, storage, disclosure, and processing of your information as described in this Privacy Policy
- Consent to international data transfers as described in Section 8
- Confirm that any personal data you provide about third parties (e.g., employees, stakeholders) has been collected lawfully, with appropriate consent, and in compliance with applicable data protection laws
If you do not agree with this Privacy Policy, you must not use our Services.
END OF PRIVACY POLICY
Document Control: Version 1.0 | Last Updated: January 2026
For questions or concerns, contact: [email protected]