Privacy Policy

Amity Net AS, org. no. 936 792 383, is the controller for personal data described in this Privacy Policy, unless we expressly state that we act as processor for a business customer.

• Account data, such as name, email address, password data, billing information, company information, and plan details.
• Profile and workspace data, such as usernames, connected social-media accounts, team roles, settings, and content preferences.
• OAuth tokens and account identifiers from third-party platforms you connect (Meta/Facebook/Instagram, Google/YouTube, TikTok, LinkedIn). These are used only to publish content on your behalf and to display the connection status in your workspace.
• Content and publishing data, such as captions, media (images and videos), scheduling details, branded pages, comments, and campaign information.
• Technical and usage data, such as IP address, device/browser data, log data, login events, diagnostics, and product usage analytics.
• Support and communication data, such as emails, chats, support requests, feedback, and complaint handling information.
• Payment and transaction data provided by payment providers or app stores in connection with your subscription.

• To provide, secure, maintain, and improve the service.
• To manage accounts, subscriptions, billing, renewals, and payment recovery.
• To enable publishing, integrations, branded pages, analytics, and support.
• To prevent abuse, fraud, security incidents, and unlawful activity.
• To communicate with you about service changes, account issues, legal notices, and product updates.
• To comply with legal obligations and enforce our Terms and policies.

Where GDPR or similar law applies, we process personal data where necessary to perform a contract with you, to comply with legal obligations, for our legitimate interests in operating and securing the service, or on the basis of consent where required. Where we rely on legitimate interests, we consider the impact on your rights and expectations.

We share personal data only with the sub-processors necessary to deliver the service:

• Supabase (Ireland, EU region) — database, authentication, storage.
• Vercel — web hosting and edge delivery.
• Mux — video transcoding and streaming. Media you upload as video is processed and streamed through Mux.
• PettersonApps — data processor that handles the publishing pipeline between Orbyt and connected social-media platforms (Meta, Google/YouTube, TikTok, LinkedIn). PettersonApps receives only the content, media URL, and account identifiers necessary to publish the post you initiate.
• The connected social-media platforms themselves (Meta, Google, TikTok, LinkedIn) — only when you have connected the corresponding account, and only with the data needed to publish the content you have authored.

We may also share data with payment providers, support tools, security providers, email delivery providers, professional advisers, authorities where required by law, and business partners involved in the delivery of the service. We may share data in connection with a merger, financing, restructuring, or sale of all or part of our business.

We never sell your personal data.

If personal data is transferred outside the EEA/UK, we will use recognised legal transfer mechanisms where required, such as adequacy decisions, standard contractual clauses, or equivalent safeguards.

We keep personal data for as long as needed to provide the service, comply with legal obligations, resolve disputes, enforce agreements, maintain backups, and protect the service. Retention periods may vary depending on the type of data and the legal or operational reason for keeping it.

OAuth tokens for connected social-media accounts are kept only while the connection is active — when you disconnect an account in Orbyt or revoke access at the provider, the corresponding token is deleted within 30 days. Account data is deleted within 30 days of account closure, unless retention is required by law.

Depending on where you live, you may have the right to access, correct, delete, restrict, object to, or port your personal data, and to withdraw consent where processing is based on consent. You may also have the right to complain to a supervisory authority (in Norway: Datatilsynet).

We use cookies and similar technologies only as needed for security, authentication, performance, login management, and product analytics. We do not use third-party advertising cookies. A separate Cookie Policy is available on request.

When you connect your Google/YouTube account, Orbyt requests only the scopes strictly necessary to publish content on your behalf (for example youtube.upload). Access and refresh tokens are stored encrypted at rest and are used solely to perform the publishing actions you initiate.

Data obtained from Google APIs is not sold, is not used for advertising, is not used to train AI or machine-learning models, and is not shared with third parties beyond what is required to deliver the publishing action you have asked for.

You can revoke Orbyt’s access to your Google account at any time from myaccount.google.com/permissions or from your Orbyt settings.

Orbyt’s use and transfer of information received from Google APIs to any other app adheres to the Google API Services User Data Policy, including the Limited Use requirements.

Privacy questions and rights requests can be sent to: post@orbyt.no.