Orbit legal
Privacy Policy
This Policy explains what personal information Orbit processes, why it is needed, which providers help operate the service, and how you can access, correct, export, or delete your information.
The short version
- Orbit does not sell or rent personal information and does not disclose it for third-party advertising.
- Orbit uses necessary providers to host the app, authenticate accounts, send email, and connect Strava when you choose.
- Your bike, component, service, and connected ride information is used to provide your maintenance tools.
- You can export account data, clear imported activity data, change communication choices, and request account deletion.
1. Scope and responsible party
This Policy applies to the Orbit website and bicycle-maintenance service at rideorbit.fit. In this Policy, "Orbit", "we", "us", and "our" mean the responsible party that decides why and how Orbit processes personal information.
- Trading name
- Orbit
- Responsible party
- Ride Orbit
- Registration
- Not registered as a company; no registration number
- Physical address
- Big Bay, Cape Town, 7441, South Africa
- Telephone
- +27 82 954 3333
- Information Officer
- As the responsible party, Ride Orbit performs the Information Officer function and is not separately registered. Reach the Information Officer at privacy@rideorbit.fit.
- Privacy contact
- privacy@rideorbit.fit
Orbit is designed with South Africa's Protection of Personal Information Act, 2013 (POPIA) in mind. Other privacy laws may also apply depending on where a user lives and where Orbit offers the service.
2. Information Orbit collects
| Account and profile | Email address, account identifier, display name if provided, email-confirmation status, unit system, currency preference, and authentication/session information. |
|---|---|
| Bikes and components | Bike names and types, active status, Strava gear association, components, component identity details, installation dates, usage baselines, service schedules, and maintenance states. |
| Service history | Inspections, service and replacement dates, distance or time at service, shop name, cost and currency if entered, notes, and related maintenance records. |
| Connected Strava data | Strava athlete identifier, authorized scopes, encrypted access and refresh tokens, token expiry, bike gear details, activity identifier and type, activity date, distance, moving and elapsed time, gear identifier, and assignment state, together with the imported activity data Orbit stores, including the source payload received from Strava, to derive and recalculate maintenance. |
| Communications | Notification preferences, maintenance-alert status, email delivery status, marketing choice, unsubscribe status, and messages or support requests you send. |
| Subscription and billing | Plan, subscription status, billing period, and payment-provider identifiers if paid billing is activated. A hosted payment provider processes complete payment-card details; Orbit does not store complete card numbers. |
| Technical and security | IP address, browser and device information, request and authentication logs, cookie identifiers, error information, and security events that Orbit or its infrastructure providers process to deliver and protect the service. |
| Privacy requests | Export and deletion requests, confirmation text, an optional deletion reason, request status, and records needed to complete or demonstrate the request. |
3. Where information comes from
- Directly from you, when you create an account, add bikes, configure components, record service, choose notifications, or contact Orbit.
- From Strava at your direction, when you authorize the connection and ask Orbit to import gear or activity information.
- Automatically from the service, when Orbit records assignments, maintenance calculations, alerts, account state, cookies, requests, and security events.
- From service providers, such as authentication, email-delivery, hosting, and payment status needed to operate the account.
Where information is required to create or secure an account, not providing it may prevent Orbit from supplying that part of the service. Optional fields and marketing choices can be left blank or declined.
4. How and why Orbit uses information
| Purpose | Why processing is justified |
|---|---|
| Create, authenticate, and secure your account | To provide the service you request, protect accounts, and meet security obligations. |
| Track bikes, components, ride usage, and service history | To perform Orbit's service contract and actions you request. |
| Connect and synchronize Strava | Your affirmative authorization through Strava and the service you request from Orbit. |
| Calculate maintenance estimates and send enabled reminders | To provide requested features and manage the service reliably. |
| Provide support, exports, corrections, and deletion handling | To respond to your request and meet privacy or consumer-law obligations. |
| Prevent abuse, diagnose failures, and protect Orbit | Orbit's legitimate need to secure and operate the service, balanced against user rights. |
| Send optional product news | Your separate, withdrawable marketing choice where consent is required. |
| Comply with law and enforce the Terms | Legal obligations and legitimate claims or defenses. |
Orbit does not use maintenance information to make decisions that produce legal or similarly significant effects about you. Maintenance estimates support your own bicycle-service decisions.
5. Strava-specific processing
Connecting Strava is optional. Orbit redirects you to Strava, where you choose whether to authorize the permissions shown. Orbit currently requests access associated with reading account, activity, and profile information so that it can identify bike gear, import cycling activity, assign ride usage, and calculate maintenance state.
Orbit skips activities identified as private during import and requests the Strava scopes needed for its maintenance features. Orbit stores the imported activity data, including normalized fields and the source payload it receives from Strava, to calculate and recalculate maintenance state. Orbit respects Strava privacy settings and does not show one user's Strava data to another user.
Strava may monitor and collect information about Orbit's access to and use of the Strava API and may use that API usage information for its business purposes, support, improvements, and compliance. Strava processes information under its own privacy policy.
Disconnecting Strava in Orbit marks the connection revoked and stops further synchronization; it does not automatically delete activity data Orbit has already imported. You can remove imported Strava activity data using Orbit's in-app control, or request deletion of your Orbit account, as described under "Retention and deletion".
6. When information is disclosed
Orbit does not sell, rent, or trade personal information and does not disclose it for third-party advertising. Orbit discloses only the information reasonably needed by providers working on its behalf to deliver, secure, and support the service.
| Hosting and infrastructure | Application delivery, hosting, network security, request processing, and operational logs. |
|---|---|
| Account and data services | Account authentication, session management, database processing, storage, and backup services. |
| Email delivery | Email confirmation, password recovery, maintenance notifications, and delivery records. |
| User-authorized integrations | Strava is named because you choose whether to connect it for gear and ride information. Strava receives API requests and related usage data under its own privacy policy. |
| Payment processing | Payment and subscription processing only if paid billing is activated and you choose a paid plan. The payment provider is identified at checkout. |
Orbit may also disclose information:
- to professional advisers bound by confidentiality where reasonably necessary;
- when required by applicable law, valid legal process, or a competent regulator;
- to protect users, Orbit, or others from fraud, abuse, or serious harm; or
- as part of a merger, financing, restructuring, or sale, subject to appropriate safeguards and notice where required.
Providers may use subprocessors under their own contracts. Orbit maintains a current internal provider register, supplies named processor information where law or a provider agreement requires it, and remains responsible for choosing providers and applying appropriate safeguards.
7. International transfers
Orbit's providers operate infrastructure in multiple countries, including the United States. Personal information may therefore be processed outside South Africa. Those countries may have different privacy laws.
Orbit offers the service worldwide and relies on its providers' data-processing terms, standard contractual and transfer clauses, and other lawful safeguards intended to provide an appropriate level of protection wherever your information is processed.
8. Retention and deletion
Orbit should keep personal information only for as long as needed for the purpose described, to provide an active account, meet legal obligations, resolve disputes, protect the service, and complete valid requests. Different records require different periods.
| Account and maintenance records | While the account is active and needed to provide Orbit. An account becomes inactive after 24 months without a successful login. Orbit sends warnings approximately 60, 30, and 7 days before deletion, then deletes or anonymizes Orbit-native account data subject to limited lawful retention. |
|---|---|
| Strava information | Imported Strava activity data (normalized fields and the source payload) is retained while your account is active and used for maintenance calculations. You can clear it at any time with Orbit's in-app control, and it is removed when your Orbit account is deleted. Disconnecting Strava stops synchronization but does not by itself delete already-imported data. |
| Security and infrastructure logs | Retained for up to 90 days for security, abuse prevention, and reliability, then deleted or anonymized, subject to infrastructure-provider periods. |
| Email delivery records | Delivery records retained for up to 12 months for deliverability, troubleshooting, and support. |
| Deletion and legal records | Retained for up to 3 years to evidence that a request was handled and for legal-defense purposes, then deleted. |
| Backups | Deletions propagate to backups as encrypted backups expire on their normal cycle, generally within 35 days. |
Orbit currently provides an account-data export, a control for clearing imported Strava activity data, and an account-deletion request. Submitting a deletion request creates a review item; it does not instantly delete the account, cancel billing, revoke Strava, or erase all product records.
The inactivity period runs from your last successful login. Background Strava synchronization, scheduled notifications, and email delivery do not reset it.
9. Security
Orbit uses reasonable technical and organizational safeguards appropriate to the service, including access controls, encrypted transport, protected credentials, encrypted Strava tokens, provider security controls, and separation between users' records.
No online service can guarantee absolute security. Keep your password confidential, use a unique password, and contact Orbit if you suspect unauthorized access. Orbit will handle qualifying security incidents and notifications as required by applicable law.
10. Cookies and similar technology
Orbit currently uses cookies needed to sign you in, maintain your authenticated session, protect requests, and complete the Strava authorization flow. These are functional and security cookies, not advertising cookies.
Orbit does not currently use non-essential advertising or behavioral-analytics cookies. If non-essential cookies are introduced, Orbit will explain their purpose and provide any consent choices required by law before setting them.
11. Your rights and choices
Depending on the law that applies, you may have the right to:
- ask whether Orbit holds personal information about you and request access to it;
- request correction, completion, deletion, restriction, or objection where applicable;
- download an available account-data export;
- disconnect Strava and request deletion of imported Strava information;
- withdraw consent where processing relies on consent, without affecting earlier lawful processing;
- change notification and marketing choices; and
- complain to the Information Regulator of South Africa or another competent privacy authority.
Orbit may need to verify your identity before acting on a request. Some rights are subject to lawful exceptions. Orbit will explain if a request cannot be fulfilled in whole or in part.
Privacy requests should be sent to privacy@rideorbit.fit. Information about complaints is available from the Information Regulator.
12. Marketing choices
Orbit separates optional marketing from account creation and necessary service messages. Marketing choices are unchecked by default in Orbit's sign-up flow. You can decline or unsubscribe without losing access to the core service.
Email confirmation, password recovery, security notices, legal notices, and maintenance notifications you enable are service communications rather than general marketing.
13. Children
Orbit is intended for adults aged 18 or older and does not knowingly collect personal information from children. If Orbit learns that a child has created an account contrary to this rule, Orbit will take appropriate steps to remove the account and information.
14. Policy changes and contact
Orbit may update this Policy when the service, providers, laws, or data practices change. The current version and effective date will be shown here. Orbit will provide reasonable notice of material changes and request a new choice where required.
Questions, objections, and privacy requests can be sent to privacy@rideorbit.fit.