Privacy Policy

This Privacy Policy describes how Shaping Rooms LLC ("Company," "we," "us," or "our") collects, uses, stores, and shares data in connection with the ORBIT runtime AI governance platform and related services (the "Service"). ORBIT is a business-to-business (B2B) service designed exclusively for enterprises and regulated industries. We do not offer services directly to consumers. This policy explains our data practices regarding our customers ("Customers") and the data processed through our platform. Questions regarding this policy should be directed to legal@orbitauthority.com.

To provide our cryptographic governance infrastructure, we collect and store the following limited categories of data: Account and Organization Data: Email addresses, organization names, and administrative contact information, managed through our authentication provider (Clerk). Governed Action Records: Action types, payload metadata (specifically, field names and values used for governance decisions), governance verdicts (allow/deny), denial codes, deciding component, and the cryptographic receipts generated by our ledger. API Key Metadata: API key prefixes, descriptive labels, and creation and last-used timestamps. We never store full API key values. Usage Metrics: Aggregated system telemetry including governed action counts, denial rates, latency measurements, and contamination verdicts.

Because ORBIT operates as a privacy-preserving governance boundary, we explicitly do not store: Full Large Language Model (LLM) prompt content or completion content. LLM queries are routed through ORBIT to the Customer's selected LLM provider. ORBIT intercepts proposed actions from the LLM response to evaluate them against the Customer's charter. The underlying query content passes through to the LLM provider and is not retained by ORBIT. Personally Identifiable Information belonging to our Customers' end users. Payment card or financial account data (handled by our payment processor, Stripe).

We utilize the following third-party sub-processors under written data processing agreements: Clerk: identity and authentication management. Amazon Web Services (AWS): cloud hosting and infrastructure. Data is hosted in the United States. Stripe: billing and payment processing. LLM Providers: OpenAI, Anthropic, Google, Mistral, and Microsoft Azure. Customers control which LLM provider receives their query content through their API requests. ORBIT does not select your LLM provider. These providers receive transient query content governed by your independent agreements with them. We do not sell Customer data to any third party.

We use collected data solely to: Provide, operate, and maintain the ORBIT Service and cryptographic ledger. Generate, store, and authenticate tamper-evident receipts. Process billing and manage Customer accounts. Monitor system security, detect unauthorized access, and optimize performance. Comply with applicable legal obligations. We do not use your data for marketing, advertising, or AI model training.

Account and organization data is retained while the Customer account is active and for twelve (12) months following account termination. Governed action records and cryptographic receipts are retained for thirty-six (36) months from the date of creation, or longer if required by applicable law, to support audit and compliance needs. Usage metrics are retained for twenty-four (24) months in aggregated form. Upon account termination, Customers have ninety (90) days to export their governed action records and cryptographic receipts. After this window, data is permanently deleted. Cryptographic receipts already held by the Customer remain independently verifiable using the ORBIT public key after account termination and data deletion.

For purposes of the General Data Protection Regulation (GDPR), Shaping Rooms LLC acts as a Data Controller for Customer account and organization data, and as a Data Processor for governed action payload metadata submitted through the Service. EU residents have the right to: access, rectification, erasure, restriction of processing, data portability, and objection to processing of their personal data. To exercise these rights, contact legal@orbitauthority.com. We respond within thirty (30) days. Data transferred outside the European Economic Area to the United States is protected by Standard Contractual Clauses (SCCs) and the EU-U.S. Data Privacy Framework.

Under the California Consumer Privacy Act (CCPA), eligible California residents have the right to request access to the specific personal information we have collected, request deletion of their personal information, and opt out of the sale of personal information. Shaping Rooms LLC does not sell Customer or end-user personal information. To submit a CCPA request, contact legal@orbitauthority.com. We do not discriminate against users who exercise their rights.

We implement industry-standard security measures including encryption in transit (TLS) and at rest, principle-of-least-privilege access controls, cryptographic signing of all governed action receipts using AWS KMS, and regular security reviews. No internet-based service can guarantee absolute security. In the event of a data breach affecting Customer data, we will notify affected Customers as required by applicable law.

We use only strictly necessary session cookies via our authentication provider (Clerk) to maintain secure administrative logins. We do not use advertising, tracking, or marketing cookies.

We may update this Privacy Policy periodically. We will notify Customers of material changes via email or in-platform notification prior to the changes taking effect. Continued use of the Service after the effective date constitutes acceptance of the updated policy.

For privacy-related inquiries, data subject requests, or questions about this policy: legal@orbitauthority.com Shaping Rooms LLC California, USA