Orbi.to Privacy Policy
Effective Date: May 17, 2025
Last Updated: May 17, 2025
We are committed to protecting your privacy. This policy outlines our practices and your rights concerning your personal data. Please review it carefully. By using our Services, you acknowledge that you have read and understood this Privacy Policy. If you do not agree with this policy, please do not use our Services.
1. Introduction
This Privacy Policy describes how Special Normal Co., Ltd. ("we," "us," "our," or "Orbi.to") collects, uses, and shares your personal data when you use our websites orbi.to (collectively, the "Services").
Special Normal Co., Ltd. is the controller of your personal data. We are a company registered in Thailand. Our primary contact for privacy-related inquiries is privacy[at]orbi.to. Our full registered address and other contact information can be found on our Contact Page: https://orbi.to/contact.
2. Personal Data We Collect
We collect personal data to provide and improve our Services. The types of personal data we collect include:
(a) Data You Provide Directly:
Account Information:
When you create an account, including through Google Sign-In, we collect your name and email address. We may also receive your profile picture if provided by Google.
Payment Information (Processed by Third Party):
If you subscribe to our paid Services, payment processing is handled by our Merchant of Record, Polar.sh. Polar.sh collects necessary payment details (e.g., credit card information, billing address). Orbi.to does not directly collect or store full payment card details. We receive confirmation data from Polar.sh, such as your name, email, subscription status, product purchased, transaction ID, and billing cycle.
Barcode Generator Content (Authenticated Users):
For logged-in users, we store the data you input to generate barcodes.
Communications:
When you contact us (e.g., via email for support), we collect the information you provide in your communications.
(b) Data We Collect Automatically:
When you use our Services, we automatically collect certain technical and usage data:
Log and Usage Data:
This includes your IP address, browser type and version, operating system, referring URLs, pages visited, features used, access times and dates, and other interaction data with our Services.
Cookies and Similar Technologies:
We use cookies, web beacons, and localStorage to operate our Services, understand usage patterns, and improve user experience. This includes data collected for analytics by Google Analytics and PostHog. For detailed information, please see Section 6 ("Cookies and Other Technologies").
URL Shortener Data:
- For URL Creators: We collect the original long URL, the creator's IP address, and their user agent.
- For Clicks on Shortened URLs: We collect the clicker's IP address, user agent, approximate location derived from the IP, the date and time of the click, and the referring website.
Security Data:
We utilize services like Cloudflare Turnstile for security and bot detection, which may process data such as IP addresses and device telemetry.
(c) Sensitive Personal Data:
We do not intentionally collect sensitive personal data (e.g., data revealing racial or ethnic origin, political opinions, religious beliefs, health information). Users are advised not to input such data into free-text fields, such as the barcode generator.
3. How We Use Your Personal Data
We use your personal data for the following purposes:
Providing and Managing Services:
- To create, maintain, and secure user accounts.
- To process URL shortening requests and provide related analytics.
- To enable barcode generation and store associated data for authenticated users.
- To manage subscriptions and process payments for premium services through Polar.sh.
Communication:
- To respond to your inquiries and provide support.
- To send important service-related notices, updates, and administrative messages.
Service Improvement and Personalization:
- To analyze usage trends and user behavior with tools like Google Analytics and PostHog, enabling us to enhance our Services, develop new features, and improve the user experience.
- To personalize certain features for logged-in users based on their preferences.
Security and Compliance:
- To protect the security and integrity of our Services, prevent fraud, and address abuse (e.g., through Cloudflare Turnstile and Axiom server log analysis).
- To comply with applicable legal obligations, resolve disputes, and enforce our Terms of Use and other agreements.
4. Legal Basis for Processing Your Personal Data
Our legal basis for collecting and using your personal data depends on the data concerned and the specific context in which we collect it:
Performance of a Contract:
We process personal data as necessary to perform our contractual obligations to you when you use our Services (as outlined in our Terms of Use). This includes creating your account, providing requested features (URL shortening, barcode generation), managing subscriptions, and processing payments. Creating a customer record with Polar.sh upon your signup is also based on this.
Legitimate Interests:
We process personal data for our legitimate interests, provided these interests are not overridden by your data protection rights. This includes:
- Analyzing usage to improve our Services (e.g., using server logs, PostHog, and certain Google Analytics data).
- Maintaining the security of our platform (e.g., analyzing IP logs via Axiom, using Cloudflare Turnstile).
- Using anonymized or redacted data from barcodes and shortened URLs for analytics after initial retention periods.
- Responding to your communications.
Consent:
We rely on your consent for certain processing activities, such as:
- Placing non-essential cookies and similar tracking technologies (as detailed in Section 6 and managed via our cookie consent tool).
- Sending direct marketing communications (if we implement this in the future and you opt-in).
- Processing data associated with third-party content (e.g., embedded YouTube videos) when you choose to interact with it.
Legal Obligation:
We may process your personal data where necessary to comply with applicable laws and legal processes, such as responding to lawful requests from authorities or for tax and accounting requirements.
5. Data Retention
We retain your personal data only for as long as necessary to fulfill the purposes outlined in this Privacy Policy, unless a longer retention period is required or permitted by law. The retention periods are as follows:
Account Information (name, email, Polar.sh customer data):
Retained while your account is active, and for 6 months after account deletion, after which it is deleted or anonymized.
Barcode Generator Data (authenticated users):
Stored while your account is active. Retained for 6 months after account deletion, then redacted/anonymized. This anonymized data is used for analytics for one (1) year before deletion.
URL Shortener Data:
- Created by Authenticated Users: Stored while your account is active. Retained for 6 months after account deletion, then anonymized. This anonymized data is used for analytics for three (3) years before deletion.
- Created by Non-Authenticated Users (original URL, creator IP): Retained for three (3) years from creation, after which IP addresses are redacted/anonymized.
- Click Data for Shortened URLs (clicker IP, etc.): Retained for three (3) years from the click, after which IP addresses are redacted/anonymized.
- Analytics Platform Data (Google Analytics, PostHog): Retained for up to 14 months within these platforms.
- Server Logs (via Axiom): Retained for one (1) month.
- Security Data (e.g., Cloudflare Turnstile): Retained in accordance with Cloudflare's policies.
6. Cookies and Other Technologies
We use cookies and similar technologies like web beacons and localStorage to help our Services function, analyze usage, and improve your experience.
What are Cookies? Cookies are small data files stored on your device when you visit a website.
Types of Cookies We Use:
- Strictly Necessary Cookies: Essential for the operation of our Services (e.g., session management for logins, security features like Cloudflare Turnstile, remembering cookie consent). These cannot be disabled if you wish to use core functionalities.
- Performance and Analytics Cookies: Help us understand how users interact with our Services, such as pages visited and links clicked. This data, often aggregated, helps us improve our Services (e.g., cookies from Google Analytics, PostHog).
- Functional Cookies: Enable enhanced functionality and personalization, such as remembering user preferences or feature settings for logged-in users.
- Specific Technologies:
  - Google Analytics: Uses cookies for website analytics.
  - PostHog: Uses cookies, localStorage, and navigator.sendBeacon for product analytics and event tracking.
  - Cloudflare Turnstile: May use cookies for its security functions.
  - Session Cookies: For user authentication and session management.
  - Cookie Consent Management: A cookie is used to store your consent preferences.
  - YouTube (Embedded Content): If you interact with embedded YouTube videos, YouTube may set cookies.
Managing Your Preferences:
Our cookie consent banner allows you to manage your preferences for non-essential cookies upon your first visit. You can typically adjust your cookie settings at any time (e.g., through a settings link on our website or by modifying your browser settings). For more information about cookies and how to manage them, you can visit resources such as www.allaboutcookies.org.
Web Beacons:
We may use web beacons (pixel tags) in our communications or on our Services to track user engagement. PostHog also uses navigator.sendBeacon.
7. Sharing and Disclosure of Personal Data
We do not sell your personal data. We may share your personal data with trusted third-party service providers and in specific circumstances as outlined below:
Service Providers:
We engage third-party companies and individuals to perform services on our behalf, such as payment processing, data analytics, security services, hosting, and customer support. These providers have access to your personal data only to perform these tasks on our behalf and are obligated not to disclose or use it for any other purpose.
Google (Sign-In & Analytics):
For account authentication and website analytics. Google's processing is subject to its Privacy Policy: https://policies.google.com/privacy.
PostHog (Product Analytics):
For understanding user interaction with our Services. Subject to PostHog's Privacy Policy: https://posthog.com/docs/privacy. (We utilize their US-based server option).
Polar.sh (Payment Processing):
Our Merchant of Record for handling subscriptions and payments. Subject to Polar.sh's Privacy Policy: https://polar.sh/legal/privacy.
Axiom (Server Logs):
For log management and analysis. Subject to Axiom's Privacy Policy: https://axiom.co/privacy.
Cloudflare (Security & CDN):
For security services (e.g., Turnstile) and content delivery. Subject to Cloudflare's Privacy Policy: https://www.cloudflare.com/privacypolicy/.
YouTube (Embedded Content):
Data may be collected by YouTube if you interact with embedded videos, as per Google's Privacy Policy.
Legal Compliance and Protection:
We may disclose personal data if required by law or in the good faith belief that such action is necessary to:
- (i) comply with legal obligations or valid legal processes;
- (ii) protect and defend our rights, property, or safety, or that of our users or the public;
- (iii) prevent or investigate possible wrongdoing in connection with the Services.
Business Transfers:
In the event of a merger, acquisition, reorganization, or sale of assets, your personal data may be transferred as part of that transaction. We will notify you if your data becomes subject to a different privacy policy.
8. International Data Transfers
Your personal data may be transferred to, stored, and processed in countries other than your country of residence, including the United States, where our third-party service providers may operate. These countries may have data protection laws that are different from the laws of your country (including Thailand and the European Economic Area - EEA).
When we transfer personal data outside of regions like Thailand or the EEA, we implement appropriate safeguards to ensure your data receives an adequate level of protection. These safeguards include relying on mechanisms such as Standard Contractual Clauses approved by relevant authorities (e.g., the European Commission) or adequacy decisions, which are typically part of the Data Processing Addendums with our service providers. By using our Services, you acknowledge that such transfers may occur.
9. Data Security
We implement appropriate technical and organizational measures designed to protect your personal data from unauthorized access, use, alteration, or destruction. These measures include HTTPS encryption for data in transit, encryption at rest where appropriate, access controls, regular security reviews, selection of secure third-party vendors, anonymization/pseudonymization techniques, and data backup procedures.
However, no security system is impenetrable. While we strive to protect your personal data, we cannot guarantee its absolute security.
10. Your Data Protection Rights
Depending on your jurisdiction (e.g., GDPR for EEA residents, PDPA for Thailand residents), you have certain rights concerning your personal data. These may include:
- Right of Access: To request information about and access to your personal data.
- Right to Rectification: To request correction of inaccurate or incomplete personal data.
- Right to Erasure (Right to be Forgotten): To request deletion of your personal data under certain conditions.
- Right to Restrict Processing: To request the limitation of our processing of your personal data under certain conditions.
- Right to Data Portability: To receive your personal data in a structured, commonly used, machine-readable format and to transmit it to another controller, where technically feasible and under certain conditions.
- Right to Object: To object to our processing of your personal data based on legitimate interests or for direct marketing purposes.
- Rights Related to Automated Decision-Making: To not be subject to decisions based solely on automated processing, including profiling, that produce legal or similarly significant effects on you, under certain conditions. (We do not currently engage in such automated decision-making).
- Right to Withdraw Consent: Where processing is based on your consent, you have the right to withdraw it at any time, without affecting the lawfulness of processing based on consent before its withdrawal.
- Right to Lodge a Complaint: To lodge a complaint with a relevant supervisory authority if you believe our processing of your personal data infringes applicable data protection laws.
To exercise these rights, please contact us at privacy[at]orbi.to. We will respond to your request in accordance with applicable law. We may need to verify your identity before fulfilling your request.
11. Children's Privacy
Our Services are not directed to individuals under the age of 20. We do not knowingly collect personal data from children under 20. If we become aware that we have inadvertently collected personal data from a child under 20 without appropriate consent, we will take steps to delete such information. If you believe we might have any information from or about a child under 20, please contact us at privacy[at]orbi.to.
12. Links to Third-Party Websites
Our Services may contain links to other websites not operated by us. If you click a third-party link, you will be directed to that party's site. We are not responsible for the privacy practices of these external sites and encourage you to review their privacy policies.
13. Changes to This Privacy Policy
We may update this Privacy Policy from time to time to reflect changes in our practices or for other operational, legal, or regulatory reasons. We will post any changes on this page and update the "Last Updated" date. For material changes, we will endeavor to provide more prominent notice, such as by emailing registered users. We encourage you to review this policy periodically.
14. Governing Law
This Privacy Policy shall be governed by and construed in accordance with the laws of Thailand.
15. Contact Us
If you have questions or concerns about this Privacy Policy or our data practices, please contact us:
Email: privacy[at]orbi.to
Data Controller:
Special Normal Co., Ltd.