Privacy Policy
Last Updated: February 19, 2026
Effective Date: February 3, 2026
1. Introduction and Data Controller
This Privacy Policy describes how we collect, use, store, and protect your personal information when you use the Orbiant mobile application (the "App").
Data Controller:
Brandenburger Digital Systems UG (haftungsbeschränkt)
Ströherstr. 20, 35683 Dillenburg, Germany
Email: info@orbiant.app
Website: https://orbiant.app
We are committed to protecting your privacy and ensuring compliance with applicable data protection laws, including the General Data Protection Regulation (GDPR), the California Consumer Privacy Act (CCPA), and the German Telecommunications-Telemedia Data Protection Act (TTDSG).
2. Information We Collect
2.1 Information You Provide Directly
- Account Information: Name, email address, date of birth, gender (optional), occupation (optional), location (optional), phone number (optional), profile picture (stored locally only), bio (optional), timezone.
- Content You Create: Journal entries, habits, goals, bucket list items, tasks and events, reminders, quick notes, voice recordings, time capsules, life principles, wheel of life assessments, focus sessions, routines.
- Feedback: When you submit feedback through the App, we collect your message, optional audio recordings, and device metadata. You may submit feedback anonymously.
Important: Your content is stored locally on your device and is not automatically synced to cloud servers. Only profile metadata (name, email, consent preferences) is synced to our backend for authentication and account management.
2.2 Information Collected Automatically
When analytics is enabled, we collect the following through Firebase (Google):
- Device Information: Device model, operating system version, app version.
- App Instance Identifiers: A randomly generated identifier assigned by Firebase to your app installation. We do not collect advertising identifiers.
- Usage Data: App usage patterns (e.g., which features you use, session duration), feature usage statistics.
- Crash Reports: Technical error data, stack traces, device state at the time of a crash, and diagnostic logs to help us fix issues.
- Performance Data: App startup time, network request performance, and screen rendering metrics.
You can disable analytics collection at any time in Settings → Privacy & AI Processing.
2.3 Location Information
- GPS coordinates are collected only when you explicitly add a location to a journal entry. Location access requires your permission and can be revoked at any time through your device settings.
- When location data is used in AI features (e.g., monthly mentoring), only city and country are sent — never precise coordinates.
2.4 Information from Third-Party Services
- Authentication: Basic profile information (name, email) from Apple Sign-In or Google Sign-In when you choose to sign in with these services.
- Payment Processing: Transaction confirmations from Apple App Store or Google Play Store. We do not receive or store your payment card details.
2.5 Speech Recognition
When you use voice input features, speech is processed using your device's native speech recognition (Apple Speech / Google Speech). By default, speech recognition may use cloud processing provided by Apple or Google for improved accuracy. Audio is not stored by us.
3. Legal Basis for Processing (GDPR Article 6)
We process your personal data based on the following legal grounds:
- Contract Performance (Art. 6(1)(b)): To provide you with the App's core features, manage your account, process subscriptions, and enable backups and device transfers.
- Consent (Art. 6(1)(a)): For AI-powered features, analytics collection, and marketing communications. You can withdraw consent at any time in Settings.
- Legitimate Interest (Art. 6(1)(f)): For crash reporting and security measures to maintain the App's stability and protect against misuse.
- Legal Obligation (Art. 6(1)(c)): To comply with applicable laws, such as retaining account deletion records for accountability.
4. How We Use Your Information
- To provide, maintain, and improve the App and its features.
- To personalize your experience based on your preferences and usage patterns.
- To enable features such as journaling, habit tracking, goal setting, and planning.
- To provide AI-powered insights and recommendations (only with your explicit consent).
- To process and respond to your feedback and support requests.
- To analyze App usage, diagnose technical issues, and fix bugs (when analytics is enabled).
- To send important service-related updates (e.g., security alerts, changes to Terms).
- To comply with applicable laws and legal obligations.
5. AI-Powered Features
When you enable AI features in Settings, relevant context from your data is sent to third-party AI service providers for processing.
- What data is sent: Only the context needed for the specific feature you are using (e.g., a journal entry for reflection insights, task descriptions for planning suggestions, habit data for mentoring). We minimize the data sent to what is necessary.
- Why it's sent: To generate personalized insights, recommendations, and assistance.
- AI Providers: OpenAI (processing primarily in the US) and Google Gemini (processing in the US/EU).
- Data retention by providers: Automatically deleted within approximately 30 days by providers in accordance with their API data usage policies.
- Training use: Your data is NOT used to train AI models. We use API agreements that explicitly prohibit training on customer data.
- Consent: AI features require your explicit consent. You can enable or disable AI at any time in Settings → Privacy & AI Processing. When disabled, no data is sent to AI providers.
- Feedback processing: When you submit feedback, it may be analyzed using AI to help us categorize, translate, and respond more effectively.
6. Data Sharing and Disclosure
We do not sell, rent, or trade your personal information.
We may share data with the following categories of recipients:
- Firebase (Google): For authentication, cloud profile metadata storage, analytics (when enabled), crash reporting, and performance monitoring. Your content (journal entries, tasks, etc.) is not stored in Firebase, with the following user-initiated exceptions:
• Feedback you submit is stored in Firebase until resolved.
• Time Capsule sharing codes are temporarily stored for up to 24 hours, then automatically deleted.
• Device transfer data is encrypted and temporarily stored for up to 72 hours, then automatically deleted.
- AI Providers (OpenAI, Google Gemini): Only when you have enabled AI features and use an AI-powered function. Data is processed according to each provider's API data usage policy and not permanently stored.
- Apple / Google: For payment processing and subscription management.
- RevenueCat (RevenueCat, Inc., US): For subscription verification and entitlement management. We share your anonymous app user ID and purchase transaction data with RevenueCat. RevenueCat does not receive your name, email, or any personal content. Subject to RevenueCat's Privacy Policy (https://www.revenuecat.com/privacy/).
- Legal Requirements: We may disclose information if required by law, court order, subpoena, or governmental request.
- Business Transfers: In the event of a merger, acquisition, or sale of assets, your data may be transferred. We will notify you before your data becomes subject to a different privacy policy.
7. Data Storage and Security
7.1 Local Storage
Your content (journal entries, habits, goals, tasks, notes, and other personal data) is stored primarily on your local device. Sensitive content (journal entries, personal notes, descriptions, reflections) is encrypted using AES-256 encryption. App settings and basic profile information are stored locally without additional encryption, protected by your device's built-in security (passcode, biometrics).
7.2 Cloud Storage
- Profile Metadata (Firebase): Your name, email, email verification status, consent preferences, and last login timestamp are stored in Firebase Firestore. Sensitive profile fields (occupation, location, bio, phone number) are encrypted before cloud storage.
- Backups (iCloud / Google Drive): Encrypted backups are stored in your personal cloud storage (iCloud on iOS, Google Drive on Android). The backup payload is encrypted using AES-256 before upload. Your encryption key is also backed up to your personal cloud storage for recovery purposes.
7.3 Temporary Cloud Storage
- Device Transfer: When you initiate a cross-platform transfer, your encrypted backup is temporarily stored in Firebase Storage and your encryption key is temporarily stored in Firebase Firestore. Both are automatically deleted upon retrieval or after 72 hours. A scheduled cleanup runs every 6 hours to remove expired data.
- Time Capsule Sharing: When you share a Time Capsule via a sharing code, the capsule data is encoded and temporarily stored in Firebase Firestore for up to 24 hours. It is automatically deleted upon retrieval or expiration.
7.4 Security Measures
- Encryption: AES-256 for sensitive local data and backups; HTTPS/TLS for all data in transit.
- Key Storage: Your encryption master key is stored in your device's secure hardware enclave (iOS Keychain / Android Keystore).
- Access Control: Server-side authentication is required for all cloud operations. Firebase Security Rules restrict data access to authenticated users.
- Data Minimization: We minimize the data stored on our servers. Your content lives on your device.
8. International Data Transfers
Your data may be transferred to and processed in countries outside your country of residence, including the United States, in the following cases:
- AI Processing: When you use AI features, data is processed by OpenAI (US) and Google Gemini (US/EU).
- Subscription Management: RevenueCat (US) processes anonymous purchase and subscription data.
- Firebase Services: Firebase (Google) may process data in various locations globally.
These transfers are protected by:
- The EU-US Data Privacy Framework (for transfers to certified US organizations).
- Standard Contractual Clauses (SCCs) approved by the European Commission.
- Google's and OpenAI's GDPR-compliant data processing agreements.
9. Data Retention
- Local Content: Stored on your device for as long as you keep the App installed. You control deletion directly through the App.
- Cloud Profile: Retained as long as your account is active. Deleted upon account deletion.
- Backups: Stored in your personal cloud (iCloud/Google Drive) until you delete them.
- Device Transfer Data: Automatically deleted after retrieval or within 72 hours.
- Time Capsule Sharing Data: Automatically deleted after retrieval or within 24 hours.
- Feedback: Retained until the feedback is resolved and archived.
- Analytics Data: Retained in accordance with Firebase Analytics default retention (14 months for event data, 2 months for user-level data).
- Crash Reports: Retained for up to 90 days by Firebase Crashlytics.
- Deletion Logs: Account deletion records are retained for legal compliance purposes.
- AI Provider Data: Automatically deleted within approximately 30 days by AI providers.
10. Your Rights
10.1 GDPR Rights (European Economic Area)
If you are in the EEA, you have the following rights under the GDPR:
- Right of Access (Art. 15): Request a copy of your personal data. Use "Export All Data" in Settings → Data Management.
- Right to Rectification (Art. 16): Update or correct your data directly in the App.
- Right to Erasure (Art. 17): Delete your account and associated cloud data via Settings. Local data can be cleared by uninstalling the App.
- Right to Restrict Processing (Art. 18): Request restriction of processing by contacting us.
- Right to Data Portability (Art. 20): Export your data in a structured, machine-readable JSON format via Settings → Data Management → Export All Data.
- Right to Object (Art. 21): Object to processing based on legitimate interest by contacting us.
- Right to Withdraw Consent: Withdraw consent for AI features or analytics at any time in Settings → Privacy & AI Processing.
- Right to Lodge a Complaint: You have the right to lodge a complaint with the competent supervisory authority:
Der Hessische Beauftragte für Datenschutz und Informationsfreiheit (HBDI)
Gustav-Stresemann-Ring 1, 65189 Wiesbaden, Germany
https://datenschutz.hessen.de
10.2 CCPA Rights (California)
If you are a California resident, you have the right to:
- Know what personal information is collected and how it is used.
- Request deletion of your personal information.
- Opt out of the sale of personal information. Note: We do not sell your data.
- Non-discrimination for exercising your privacy rights.
To exercise any of these rights, contact us at info@orbiant.app or use the in-app features described above.
11. Automated Decision-Making
Our AI-powered features analyze your data to generate insights, recommendations, and suggestions. These are provided for informational and personal reflection purposes only. No automated decisions with legal or similarly significant effects are made about you based on your data. You always retain full control over your data and decisions.
12. Children's Privacy
Our App is not intended for children under 13 years of age (or under 16 in the European Economic Area). We do not knowingly collect personal information from children under these age limits. If we learn that we have collected data from a child below the applicable age limit, we will promptly delete that information. If you believe a child has provided us with personal data, please contact us at info@orbiant.app.
13. Changes to This Privacy Policy
We may update this Privacy Policy from time to time. When we make material changes, we will:
- Update the "Last Updated" date at the top of this policy.
- Notify you through the App or via email.
- Give you reasonable notice before the changes take effect.
We encourage you to review this Privacy Policy periodically.
14. Contact Us
If you have questions, concerns, or requests regarding this Privacy Policy or your personal data, please contact us:
Brandenburger Digital Systems UG (haftungsbeschränkt)
Ströherstr. 20, 35683 Dillenburg, Germany
Email: info@orbiant.app
Website: https://orbiant.app