Privacy Policy

1. Introduction

OrbiPilot ("we", "us", or "our") operates the website orbipilot.com and app.orbipilot.com (the "Service"). This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you visit our website or use our route optimization platform.

We are committed to protecting your privacy and complying with the General Data Protection Regulation (GDPR) and other applicable data protection laws.

2. Data Controller

The data controller responsible for your personal data is:

3. Information We Collect

3.1 Account Information

When you create an account, we collect:

• Name and email address (required)
• Password (encrypted with bcrypt)
• Account role (Planner, Driver, or Admin)

3.2 Usage Data

With your explicit consent, we may collect:

• Feature usage logs (which features you use and when)
• Session information (login times, session duration)
• IP addresses (encrypted for security purposes)
• Optimization history (number of optimizations, tasks processed)
• Performance metrics (optimization execution times)

3.3 Contact Form Data

When you submit our contact form, we collect:

• Name and email address
• Phone number and company name (optional)
• Message content
• IP address and user agent (for spam prevention)

3.4 Route Optimization Data

When you use our optimization service, we process:

• Task addresses and coordinates
• Delivery/pickup quantities
• Time windows and service times
• Vehicle configurations

4. Legal Basis for Processing

We process your data under the following legal bases:

• Contract Performance: Account creation and service delivery
• Consent: Analytics tracking and marketing communications (you can withdraw anytime)
• Legitimate Interest: Fraud prevention, security, and service improvement
• Legal Obligation: Compliance with accounting and tax laws

5. How We Use Your Data

• Provide and maintain our route optimization service
• Process your optimization requests and generate routes
• Send service-related emails (account verification, password resets)
• Respond to your inquiries and support requests
• Improve our platform based on usage patterns (with your consent)
• Detect and prevent fraud and abuse

6. Data Sharing and Third Parties

We do not sell your personal data. We may share data with:

Service Providers:

• OSRM: Self-hosted routing engine (data stays on our servers)
• OR-Tools: Self-hosted optimization solver (data stays on our servers)
• Email Service: Nodemailer via SMTP (for transactional emails only)
• Google Analytics: Anonymous usage statistics (only with your consent)

Important: All route optimization processing happens on our own servers. We do not send your task data to third-party APIs.

7. Data Retention

• Account Data: Retained until you delete your account
• Usage Logs: Deleted after 90 days (GDPR compliance)
• Contact Inquiries: Retained for 90 days after resolution
• Optimization History: Retained while your account is active
• Expired Tokens: Automatically deleted after expiration

8. Your GDPR Rights

Under GDPR, you have the following rights:

• Right to Access: Request a copy of your personal data
• Right to Rectification: Correct inaccurate data
• Right to Erasure ("Right to be Forgotten"): Request deletion of your data
• Right to Data Portability: Receive your data in a machine-readable format
• Right to Object: Object to processing based on legitimate interest
• Right to Withdraw Consent: Withdraw analytics consent anytime

To exercise any of these rights, contact us at privacy@orbipilot.com. We will respond within 30 days.

9. Security Measures

We implement industry-standard security measures:

• HTTPS encryption for all data transmission
• Bcrypt password hashing (12 rounds)
• JWT tokens with short expiration (15 minutes for access tokens)
• IP address encryption for privacy
• Rate limiting to prevent brute force attacks
• Regular security audits and updates

10. Cookies

We use essential cookies for authentication (httpOnly refresh tokens) and optional analytics cookies (Google Analytics) with your consent. See our Cookie Policy for details.

11. Children's Privacy

Our Service is not intended for users under 16 years old. We do not knowingly collect data from children. If you believe a child has provided us with personal data, please contact us immediately.

12. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of significant changes by email or via a prominent notice on our Service. Your continued use after changes constitutes acceptance.

13. Contact Us

For questions about this Privacy Policy or to exercise your GDPR rights, contact: