Privacy Policy
Orbirank Privacy Policy
Last Updated: 9 July 2026 Version: 1.0
1. About This Policy
1.1 N.S. IT SERVICES PTY LTD (ABN 75 122 740 121 / ACN 122 740 121), trading as Orbirank ("Orbirank," "we," "us," or "our"), a company incorporated in New South Wales, Australia, is committed to protecting the privacy of everyone who uses our platform ("Service"). This Privacy Policy explains:
- What personal data we collect and why;
- How we use and share that data;
- How long we retain it;
- Your rights over your data;
- How to contact us with questions or requests.
1.2 This Policy applies to:
- Visitors to our website at https://orbirank.com ("Site");
- Registered customers and users of the Orbirank platform ("Customers");
- Any individual whose data we process in connection with the Service.
1.3 This Policy should be read alongside our Terms of Service, which govern your use of the Service.
1.4 Data Controller. For the purposes of the General Data Protection Regulation (EU GDPR), UK GDPR, and applicable data protection law, N.S. IT SERVICES PTY LTD (ABN 75 122 740 121 / ACN 122 740 121), trading as Orbirank, is the data controller of personal data processed under this Policy. Orbirank is also subject to the Australian Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs). Our primary contact for data protection matters is [email protected].
2. Data We Collect and Why
2.1 Account and Identity Data
| Data Element | Source | Purpose | Legal Basis |
|---|---|---|---|
| Name | You provide at registration | Account creation and communication | Contract performance |
| Email address | You provide at registration | Authentication, billing, service notices | Contract performance |
| Company name | You provide (optional) | Account context | Legitimate interests |
| Billing address | Via Paddle at checkout | Tax compliance (Paddle as MoR) | Legal obligation / Contract |
| Time zone | You provide or we detect | Scheduling automation | Contract performance |
| Account preferences | Your settings | Service personalisation | Contract performance |
2.2 Usage and Technical Data
| Data Element | Source | Purpose | Legal Basis |
|---|---|---|---|
| IP address | Automated collection | Security, fraud prevention, analytics | Legitimate interests |
| Browser type and version | Automated collection | Compatibility and debugging | Legitimate interests |
| Device type | Automated collection | Compatibility | Legitimate interests |
| Pages visited and features used | Automated collection | Product improvement, support | Legitimate interests |
| Timestamps of actions | Automated collection | Audit trail, debugging | Legitimate interests |
| Error and crash logs | Automated collection | Reliability improvement | Legitimate interests |
| Referral source | Automated / UTM | Marketing attribution | Legitimate interests |
2.3 Connected Website and SEO Data
| Data Element | Source | Purpose | Legal Basis |
|---|---|---|---|
| Website URL(s) you register | You provide | Core Service function | Contract performance |
| Website crawl data (page content, metadata, structure) | Our crawler accesses your website | SEO audit and recommendations | Contract performance |
| Google Search Console data | Google OAuth (you authorise) | Performance analytics and indexing | Contract performance / Consent |
| Bing Webmaster Tools data | Bing OAuth (you authorise) | Performance analytics and indexing | Contract performance / Consent |
| CMS and site credentials (Vault) | You provide | Autonomous actions on your site | Contract performance / Consent |
2.4 Communications Data
| Data Element | Source | Purpose | Legal Basis |
|---|---|---|---|
| Support messages | You send to us | Answering your requests | Contract performance |
| Email correspondence | Two-way | Account and billing support | Contract performance |
| Survey responses | You provide (optional) | Product improvement | Consent |
2.5 AI Processing Data
When you use AI-powered features, content you input and content the Service generates is processed through our AI sub-processor, Google LLC, via the Google Gemini API. See Section 6 (Sub-Processors) for details. We do not use your content to train AI models without your explicit consent.
2.6 Data We Do NOT Collect
We do not knowingly collect or process:
- Payment card numbers (handled entirely by Paddle as Merchant of Record);
- Special categories of personal data (health, ethnicity, biometric, political views, etc.);
- Data about children under 18;
- Personal data from your website visitors, except where such data incidentally appears in website crawl data (see Section 3.3).
3. Special Cases
3.1 Google Search Console and Bing Webmaster Integration
When you connect your Google Search Console or Bing Webmaster Tools account via OAuth:
- We receive and store performance data (clicks, impressions, queries, rankings) for your website(s) as authorised by the OAuth scope you grant;
- We use this data solely to provide the Service features you request;
- You may revoke this access at any time via your Google Account settings (myaccount.google.com) or Microsoft Account settings, or within the Orbirank dashboard;
- Revoking access will disable related features within the Service but will not affect your account.
3.1A Managed Google Search Console (Path B)
If you opt into Path B (Managed GSC), Orbirank verifies your website in a Google Search Console property managed by Orbirank. Under this path:
- Orbirank receives GSC performance data for your site (queries, clicks, impressions, rankings) through the Managed GSC Property;
- This data is used solely to provide the Service features you have enabled;
- Your site may be simultaneously verified in Orbirank's GSC property and in your own Google account — both are technically permitted by Google's platform;
- You may withdraw consent and switch to Path A (your own OAuth) at any time via account settings or by contacting [email protected];
- Data collected under Path B is not shared with other customers and is deleted upon account termination.
- For full consent terms, see Section 6A of the Terms of Service.
3.2 Customer Credentials Vault
For the detailed security treatment of credentials you store in the Vault, see Section 6 of the Terms of Service. From a privacy perspective:
- Credentials are processed as confidential operational data, not personal data (though some credentials may incidentally contain personal identifiers);
- Access is restricted to automated execution processes only;
- Credentials are deleted upon account termination within 30 days.
3.3 Third-Party Personal Data in Your Website Content
If your website pages (crawled by the Service as part of the SEO audit) contain personal data about your customers or visitors (e.g., names in blog comments, email addresses in contact pages), that personal data may be incidentally processed during the crawl. In such cases:
- You are the data controller of that third-party personal data;
- Orbirank processes it only as necessary to complete the crawl and analysis;
- We recommend ensuring your website's own privacy policy covers search engine and authorised tool crawling;
- We will not use incidentally collected third-party data for any purpose beyond providing the Service to you.
4. How We Use Personal Data
4.1 Service Delivery. To provide, operate, maintain, and improve the Service, including processing automations under your authorisation.
4.2 Billing and Payments. To manage subscription billing, process refund requests, and communicate with Paddle in connection with your subscription.
4.3 Communication. To send you service-related communications (account confirmations, billing notices, critical security alerts) and, where you have opted in, product updates and marketing communications.
4.4 Security and Fraud Prevention. To detect, investigate, and prevent fraudulent or abusive activity and to protect the security of the Service.
4.5 Legal Compliance. To comply with applicable laws, respond to legal process, and protect the rights, property, and safety of Orbirank, its customers, and the public.
4.6 Product Analytics. To understand how the Service is used and to improve features, performance, and user experience. Where possible, we use aggregated or anonymised data for analytics.
4.7 AI Improvement. We do not use your content or account data to train AI models. Content sent to Google Gemini for analysis is processed transiently and is not used by us for model training. Google's API usage policies govern how Google processes data at the infrastructure level; please refer to Google's API Terms of Service for details.
5. Data Retention
| Category | Retention Period |
|---|---|
| Account data | Duration of account + 2 years after termination |
| Billing and transaction records | 7 years (tax/legal obligation) |
| Website crawl and SEO data | Duration of account + 30 days after termination |
| Support correspondence | 3 years from resolution |
| Server and security logs | 6 months (rolling) |
| Customer Credentials (Vault) | Deleted within 30 days of account termination |
| Google/Bing OAuth tokens | Until revoked by you or account termination |
| Marketing opt-in records | Until withdrawal of consent + 3 years for proof |
| Anonymised analytics | Indefinitely (no personal data) |
6. Sub-Processors and Data Sharing
6.1 We share your personal data only with:
| Sub-Processor | Role | Data Shared | Location |
|---|---|---|---|
| Paddle (Paddle.com Market Ltd / Paddle.com Inc.) | Merchant of Record / billing | Name, email, billing address, subscription data | UK, USA |
| Hetzner Online GmbH | Cloud infrastructure | All data stored or processed in our platform | Germany / EU |
| Cloudflare, Inc. | CDN, DDoS protection, DNS | IP address, request metadata | USA (EU Standard Contractual Clauses) |
| Google LLC | AI content generation (Gemini API / Vertex AI); GSC API integration | Content/prompts submitted to AI features; OAuth tokens; GSC performance data | USA (EU Standard Contractual Clauses) |
| Microsoft Corporation | Bing Webmaster Tools API | OAuth tokens, Bing performance data | USA (EU Standard Contractual Clauses) |
6.2 We do not sell personal data to third parties.
6.3 We do not share personal data for third-party advertising purposes.
6.4 We may share data with law enforcement or regulatory authorities where required by law, after assessing the legal validity of the request.
6.5 In the event of a merger, acquisition, or sale of Orbirank's assets, your data may be transferred to the successor entity, with advance notice provided to you.
6.6 An up-to-date sub-processor list is available at https://orbirank.com/legal/sub-processors.
7. International Data Transfers
7.1 Orbirank's primary infrastructure is hosted within the European Union (Hetzner, Germany). However, some sub-processors (including Cloudflare, Google, and Microsoft) are based in the United States and may process your data there.
7.2 Where we transfer personal data outside the European Economic Area (EEA) or UK, we ensure appropriate safeguards are in place, including:
- EU Standard Contractual Clauses (SCCs) pursuant to Commission Decision (EU) 2021/914;
- UK International Data Transfer Agreements (IDTAs) where required for UK transfers;
- Adequacy decisions where applicable.
7.3 You may request copies of the applicable transfer safeguards by contacting [email protected].
8. Cookies and Tracking Technologies
8.1 We use cookies and similar technologies on our Site and platform. Our full Cookie Policy is available at [https://orbirank.com/legal/cookies].
8.2 Essential Cookies. Required for the Site and Service to function (authentication, session management, security). Cannot be disabled without disrupting core functionality.
8.3 Analytics Cookies. Used to understand how the Site is used (e.g., pages viewed, session duration).
8.4 Marketing Cookies. Orbirank does not currently use marketing or advertising cookies to track you across third-party websites or to serve targeted advertisements. If this changes in future, we will update this Policy accordingly and, where required by applicable law, obtain your prior consent before placing any marketing cookies.
8.5 You can control cookie preferences via the cookie banner presented on first visit and, where applicable, via your browser settings.
9. Your Privacy Rights
9.1 Depending on your location, you may have the following rights regarding your personal data:
EU and UK Residents (GDPR / UK GDPR)
- Right of access — to receive a copy of the personal data we hold about you (Article 15 GDPR);
- Right to rectification — to correct inaccurate or incomplete data (Article 16);
- Right to erasure ("right to be forgotten") — to request deletion, where there is no legal basis to retain (Article 17);
- Right to restriction — to restrict processing in certain circumstances (Article 18);
- Right to data portability — to receive your data in a structured, machine-readable format (Article 20);
- Right to object — to object to processing based on legitimate interests (Article 21);
- Rights related to automated decision-making — to request human review of automated decisions that significantly affect you (Article 22);
- Right to withdraw consent — where processing is based on consent, you may withdraw at any time without affecting prior lawful processing.
California Residents (CCPA / CPRA)
- Right to know what personal information is collected, used, shared, or sold;
- Right to delete personal information;
- Right to opt-out of the sale or sharing of personal information (we do not sell personal information);
- Right to non-discrimination for exercising privacy rights;
- Right to correct inaccurate personal information;
- Right to limit use of sensitive personal information.
Other Jurisdictions
Users in other jurisdictions may have additional rights under local data protection law. For example, Australian residents may exercise rights under the Privacy Act 1988 (Cth) and the Australian Privacy Principles. If you are located outside the EU, UK, or California and wish to understand or exercise your data protection rights under your local law, please contact [email protected] and we will respond in accordance with applicable requirements.
9.2 How to Exercise Your Rights. Submit requests to [email protected] with subject line "Privacy Rights Request." We will respond within 30 days (or such shorter period as required by applicable law). We may need to verify your identity before processing your request.
9.3 Right to Lodge a Complaint. EU residents have the right to lodge a complaint with their local data protection supervisory authority. UK residents may complain to the Information Commissioner's Office (ICO) at ico.org.uk.
10. Data Security
10.1 We implement appropriate technical and organisational security measures designed to protect personal data against unauthorised access, alteration, disclosure, or destruction, including:
- Encryption of data at rest (AES-256 or equivalent);
- Encryption of data in transit (TLS 1.2+);
- Role-based access controls;
- Regular security assessments;
- Staff training on data protection.
10.2 No security system is impenetrable. We cannot guarantee absolute security of data transmitted over the internet. In the event of a personal data breach, we will notify affected individuals and relevant supervisory authorities as required by applicable law.
11. Children's Privacy
11.1 The Service is not directed at children under 18 years of age. We do not knowingly collect personal data from children. If we discover that a child has provided us with personal data, we will delete it promptly. If you believe we have inadvertently collected data from a child, contact [email protected].
12. Marketing Communications
12.1 We may send you marketing emails about Orbirank products and features where you have provided consent or, where permitted by applicable law (e.g., PECR in the UK), where you are an existing customer and the communications relate to similar products.
12.2 You may opt out of marketing communications at any time by clicking "Unsubscribe" in any marketing email or by contacting [email protected]. Opting out does not affect service-related communications required to administer your account.
13. Changes to This Policy
13.1 We may update this Policy from time to time. Material changes will be communicated by email to your registered address or by prominent notice on the Site at least 14 days before taking effect.
13.2 Continued use of the Service after the effective date of any update constitutes your acceptance of the revised Policy.
14. Contact
For all privacy-related enquiries, data subject requests, and complaints:
N.S. IT SERVICES PTY LTD (trading as Orbirank) ABN 75 122 740 121 / ACN 122 740 121 New South Wales, Australia Email: [email protected] Website: https://orbirank.com/legal/privacy
Australian Privacy Act enquiries and complaints may also be directed to the Office of the Australian Information Commissioner (OAIC) at oaic.gov.au.