
Privacy, without the dark patterns.

What we collect, what we don't, and what you can do about it. No legalese, no fine print.

Last updated · April 27, 2026

01

Our principles

We collect the minimum we need to run Orba, never sell your data, and give you the tools to export or delete it on demand. The rest of this page explains how.

  • Minimum collection. If we don’t need it, we don’t store it.
  • No sale, ever. Your data is not a product line.
  • Your data, your call. Export or delete from settings.

02

What we collect

We collect three buckets of data:

  • Account data. Email, name, password hash, profile photo (if provided), workspace name, billing info via Stripe.
  • Workspace content. Boards, columns, tasks, comments, attachments, and metadata you and your teammates create.
  • Usage and device data. IP address, browser, OS, pages visited, performance metrics. Used to keep the Service running.

03

How we use it

We use the data above only to:

  • Provide and improve the Service.
  • Authenticate you and prevent abuse.
  • Process payments via Stripe.
  • Send transactional email (confirmations, security alerts, billing receipts).
  • Send product updates if you opt in. You can unsubscribe at any time.

We do not use your workspace content to train machine learning models. Period.

04

Who we share with

We only share data with sub-processors strictly necessary to run the Service:

  • Stripe — payments.
  • OVHcloud — hosting (EU region).
  • ZeptoMail — transactional email.
  • Cloudflare — DDoS mitigation and edge caching.

Each sub-processor is bound by a data-processing agreement. We never sell or rent your data to advertisers.

05

Cookies and similar tech

We use cookies for two things and two things only:

  • Strictly necessary. Authentication, CSRF protection, theme preference.
  • First-party analytics. Aggregate page views, no cross-site tracking, no third-party adtech.

06

How long we keep it

Workspace content lives as long as your account does. When you delete your account, we delete content within 30 days. Backups are purged within 90 days.

Billing records are retained for 7 years to comply with tax law. Logs are retained for 30 days for security.

07

Security

Data is encrypted in transit (TLS 1.3) and at rest (AES-256). Production access is gated by SSO with hardware keys, audited monthly. We’re working toward SOC 2 Type II certification — status updates at orba.work/security.

Found a vulnerability? Email security@orba.work. We respond within 24 hours and credit responsible disclosure.

08

Your rights

Whatever your jurisdiction, you have the right to:

  • Access a copy of your data.
  • Correct it if it’s wrong.
  • Delete it.
  • Port it to another tool (CSV or JSON export).
  • Object to processing based on legitimate interest.

Most of these are one-click in your account settings. For anything else, email privacy@orba.work.

09

International transfers

Orba is hosted in the EU. If you access the Service from outside the EU, your data is transferred to and stored in the EU. We rely on Standard Contractual Clauses for any onward transfer.

10

Changes to this policy

We’ll post the new version here and update the date at the top. Material changes are announced by email at least 14 days before they take effect.

11

Contact

Privacy questions? Email privacy@orba.work. EU users may also contact our DPO at dpo@orba.work.

Still have questions?

Email a real human.

Privacy questions go to a small team that actually replies.
