Zum Hauptinhalt springen

Privacy Policy

Effective on launch · Last updated 2026-05-13 · Version privacy_v_2026_05_13

This page hosts the working draft of the Orbit by Devotel Privacy Policy. The version above is the consent string persisted with your signup. Final counsel-reviewed text replaces this placeholder before launch.

1. Controller / processor roles

Devotel is the controller of personal data we collect directly from you (account email, billing details, audit-log actors). Devotel is a processor of message content, contact records, and conversation history your workspace uploads or generates — your organisation is the controller of that data, and your end users have rights against your organisation.

2. Categories of data processed

  • Account data: email, name, workspace name, authentication identifiers via Clerk.
  • Billing data: Stripe customer id, payment-method metadata (last4, brand). Card numbers never reach Devotel infrastructure.
  • Message + call content: body text, media, audio, transcripts, AI agent reasoning logs, attached files.
  • Telemetry: page-views, feature usage, error traces. Honoured: the W3C Global Privacy Control signal (Sec-GPC: 1) disables product analytics for the session.

3. Legal bases (GDPR Art 6)

Account creation and billing rest on contract performance. Audit logging and abuse-prevention rest on legitimate interests balanced against your rights. Marketing communications rest on your prior consent, which you can withdraw at any time without affecting the lawfulness of prior processing.

4. Retention

Tenant-scoped message + call records follow the per-channel retention window your workspace owner configures (default 13 months for messages, 7 years for billing ledger entries to meet tax retention). Audit-chain rows are append-only and retained for the life of the workspace.

5. Sub-processors

Orbit relies on Google Cloud (compute, storage, secret management), Clerk (authentication), Stripe (billing), Anthropic (AI agents), Telnyx + DIDWW (inbound DIDs), and Devotel's wholesale softswitch (outbound termination). A live sub-processor inventory is maintained at /legal/subprocessors (published before launch).

6. Your rights

GDPR Art 15–22 + CCPA §1798.100 et seq. grant you access, rectification, deletion, restriction, portability, objection, and the right not to be subject to solely automated decisions. File a Data Subject Access Request at orbit.devotel.io/dsar — the public flow gated by Turnstile + OTP requires no Clerk session.

7. International transfers

Orbit infrastructure runs in Google Cloud's europe-west1 region. Where data crosses borders (e.g. to a US sub-processor or a non-EU carrier on the wholesale switch), transfers rest on the European Commission's Standard Contractual Clauses or an adequacy decision.

8. Contact

Privacy enquiries: privacy@devotel.io. DPO appointment, EU/UK representative, and supervisory-authority complaint addresses are listed at /legal/contacts (published before launch).

Privacy Policy — Orbit by Devotel | Orbit