Privacy Policy

Orbator.io ("we", "us", "our") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our X (Twitter) banner rotation platform.

By using Orbator.io, you agree to the collection and use of information in accordance with this policy. If you do not agree with this policy, please do not use our Service.

Key Principle: We collect only the data necessary to provide our Service. We never sell your personal information to third parties.

2.1 Account Information (via Clerk):

• Email address (for account recovery and notifications)
• Unique user identifier (Clerk ID)
• Authentication session data

2.2 X (Twitter) Profile Data (via OAuth):

When you connect your X account, we collect:

• X username (handle)
• Display name
• Profile ID (X User ID)
• Follower count (for quality score calculation)
• Verification status (blue checkmark)
• OAuth access tokens (encrypted and stored securely)
• OAuth token secrets (for API authentication)

Important: OAuth tokens grant us permission to update your X banner on your behalf. These tokens are encrypted at rest and never shared with third parties. You can revoke access anytime via X settings.

2.3 User-Generated Content:

• Banner images uploaded for rotation or ad campaigns
• Campaign creative assets (advertisers)
• Banner titles and descriptions
• Niche tags and targeting preferences

2.4 Usage and Analytics Data:

• Banner impressions (how many times a banner was viewed)
• Click-through data (if applicable)
• Rotation history and timestamps
• Campaign performance metrics
• Device type and browser (for analytics)
• IP address (for security and fraud prevention)

2.5 Payment Information (via Stripe):

• Stripe customer ID (for subscription management)
• Billing address (collected by Stripe)
• Payment history and transaction records

Note: We do NOT store credit card numbers or banking details. All payment information is securely handled by Stripe and subject to Stripe's Privacy Policy.

2.6 Creator Payout Information (via Stripe Connect):

If you enable ad monetization and connect a payout account:

• Stripe Connect account ID
• Bank account details (stored by Stripe, not by us)
• Tax information (as required by law, handled by Stripe)
• Payout history and earnings data

We use your information to:

3.1 Provide Core Services:

• Authenticate your account and manage sessions
• Update your X profile banner automatically based on your rotation schedule
• Display advertiser banners on creator profiles (if ad monetization enabled)
• Process payments for subscriptions and campaign budgets
• Send payouts to creators who earn ad revenue

3.2 Platform Functionality:

• Calculate quality scores for ad matching
• Track impressions and analytics for performance monitoring
• Match advertisers with relevant creators based on niche tags
• Manage campaign budgets and impression delivery

3.3 Communication:

• Send account-related emails (password resets, billing updates)
• Notify you of important service changes or security alerts
• Respond to customer support inquiries
• Send marketing emails (with your consent - you can opt out anytime)

3.4 Security and Compliance:

• Detect and prevent fraud, spam, and abuse
• Monitor for Terms of Service violations
• Comply with legal obligations (tax reporting, law enforcement requests)
• Maintain platform security and prevent unauthorized access

3.5 Improvement and Analytics:

• Analyze usage patterns to improve features
• Debug technical issues and optimize performance
• Understand user preferences to enhance user experience

We do NOT sell your personal information to anyone. Ever.

We share your information only in the following limited circumstances:

4.1 Service Providers:

• Clerk: Authentication and user management - Clerk Privacy Policy
• Stripe: Payment processing and creator payouts - Stripe Privacy Policy
• Supabase: Database and storage for user data and banners - Supabase Privacy Policy
• X (Twitter) API: Banner updates via OAuth - X Privacy Policy

These providers are contractually obligated to protect your data and may only use it to provide services to Orbator.io.

4.2 Public Information:

The following information may be visible to other users:

• X username and display name (for advertisers browsing creator profiles)
• Follower count and verification status (for ad matching)
• Quality score (visible to advertisers)
• Niche tags (for campaign targeting)

Note: Banner images displayed on your X profile are public by nature (since they appear on your public X profile).

4.3 Legal Requirements:

We may disclose your information if required by law, such as:

• Responding to court orders, subpoenas, or legal process
• Complying with tax reporting obligations (1099 forms for creators earning over $600/year)
• Investigating fraud, security issues, or Terms violations
• Protecting the rights and safety of Orbator.io, users, or the public

4.4 Business Transfers:

If Orbator.io is acquired, merged, or sells assets, your information may be transferred as part of that transaction. We will notify you via email or prominent notice on our Platform before any such transfer occurs.

4.5 Aggregated Data:

We may share anonymized, aggregated statistics (e.g., "10,000 banners rotated this month") for marketing or analytics purposes. This data cannot be used to identify individual users.

We implement industry-standard security measures to protect your data:

5.1 Encryption:

• All data transmitted between your browser and our servers is encrypted via HTTPS/TLS
• OAuth tokens are encrypted at rest in our database
• Payment data is tokenized and encrypted by Stripe

5.2 Access Controls:

• Strict access controls limit who can view user data internally
• Multi-factor authentication for admin accounts
• Regular security audits and penetration testing

5.3 Infrastructure Security:

• Database hosted on Supabase (SOC 2 Type II certified)
• Backend hosted on Render (secure cloud platform)
• Automatic security patches and updates
• Daily encrypted backups of critical data

Disclaimer: No method of internet transmission or electronic storage is 100% secure. While we strive to protect your data, we cannot guarantee absolute security. You use the Service at your own risk.

We retain your data for as long as necessary to provide the Service and comply with legal obligations:

• Account data: Retained while your account is active
• Banner images: Retained while your account is active or until you delete them
• Analytics data: Aggregated analytics retained indefinitely (anonymized after account closure)
• Payment records: Retained for 7 years to comply with tax and financial regulations
• Communication logs: Support tickets retained for 2 years

Upon Account Deletion:

• Your profile data, banners, and OAuth tokens are deleted within 30 days
• Analytics data is anonymized (no longer linked to your identity)
• Payment records are retained for legal compliance but marked as "deleted user"
• Backups containing your data are purged within 90 days

Depending on your location, you may have the following rights:

7.1 Access and Portability:

• Request a copy of your data in a machine-readable format
• View your account information via the Settings page

7.2 Correction:

• Update your email, display name, and preferences in Settings
• Request corrections to inaccurate data

7.3 Deletion:

• Delete your account anytime via Settings → Account Management
• Request deletion of specific data (subject to legal retention requirements)

7.4 Opt-Out:

• Unsubscribe from marketing emails via the link in any email
• Disable analytics tracking (future feature)

7.5 GDPR Rights (EU Residents):

• Right to be forgotten (request complete data deletion)
• Right to restrict processing
• Right to object to automated decision-making
• Right to lodge a complaint with your data protection authority

7.6 CCPA Rights (California Residents):

• Know what personal information is collected
• Request deletion of personal information
• Opt-out of sale of personal information (we don't sell data)
• Non-discrimination for exercising privacy rights

To exercise your rights, contact us at privacy@orbator.io or via Discord.

We use cookies and similar technologies for:

8.1 Essential Cookies:

• Session management (keeps you logged in)
• Security and fraud prevention
• Load balancing and performance

These cookies are necessary for the Service to function and cannot be disabled.

8.2 Analytics Cookies (Future):

• Track usage patterns and feature adoption
• Understand user demographics
• Measure marketing campaign effectiveness

You will be able to opt-out of analytics cookies when implemented.

8.3 Third-Party Cookies:

Third-party services we use may set their own cookies:

• Clerk (authentication)
• Stripe (payment processing)

These cookies are governed by the respective third-party privacy policies.

Managing Cookies:

Most browsers allow you to control cookies through settings. Note that disabling essential cookies may prevent you from using certain features of the Service.

Orbator.io is not intended for children under 13 years of age (or 16 in the EU). We do not knowingly collect personal information from children.

If you believe we have inadvertently collected information from a child, please contact us immediately at privacy@orbator.io, and we will delete the data promptly.

Parents or guardians who discover their child has used our Service should contact us to request account deletion.

Orbator.io is based in the United States. If you access our Service from outside the U.S., your data will be transferred to and processed in the United States.

We rely on Standard Contractual Clauses (SCCs) and other legal mechanisms to ensure adequate protection for international data transfers, as required by GDPR and similar regulations.

By using our Service, you consent to the transfer of your data to the United States and other jurisdictions where our service providers operate.

We may update this Privacy Policy from time to time to reflect changes in our practices, legal requirements, or Service features.

How we notify you:

• Email notification for material changes
• In-app banner or notification
• Updated "Last Updated" date at the top of this page

Continued use of the Service after changes constitutes acceptance of the updated policy. If you disagree with the changes, please discontinue use of the Service.

If you have questions, concerns, or requests regarding this Privacy Policy or your personal data, please contact us:

• Privacy Inquiries: privacy@orbator.io
• General Support: support@orbator.io
• Discord Community: Join here
• X (Twitter): @orbator

Data Protection Officer (GDPR):

For EU residents with GDPR-related inquiries, contact: dpo@orbator.io

We typically respond to privacy requests within 30 days.