1. About this Policy
This Privacy Policy explains how Orbit Technologies Limited, registered in England and Wales (company number 07259336), trading as Orbit Commerce (“we”, “us”, or “our”), processes personal data when you visit our marketing website, sign up for the Orbit Commerce platform, use the Service, contact us, or otherwise interact with us.
This Privacy Policy is written to comply with the United Kingdom General Data Protection Regulation (UK GDPR), the Data Protection Act 2018, and the Privacy and Electronic Communications Regulations 2003 (PECR). We are registered with the Information Commissioner’s Office (ICO) and pay the annual data protection fee as required by the Data Protection (Charges and Information) Regulations 2018.
2. Controller and Contact
For personal data we process for our own purposes (administration, billing, security, fraud prevention, marketing of our own products, analytics, and similar), we are the data controller.
Orbit Technologies Limited (trading as Orbit Commerce)
Registered office: 2-6 Abington Square, Northampton, England, NN1 4AA
Company number: 07259336
Data protection contact: support@orbitcommerce.net
Post: mark your letter “Data Protection” and send it to the registered office above.
When you use the Service to operate a Storefront, you are the controller of your Customers’ personal data and we act as your processor. Our processor obligations are set out in the Data Processing Addendum.
3. Who this Policy Covers
This Policy applies to personal data we hold about:
- Visitors to our marketing site at orbitcommerce.net and our sub-sites (the help centre, plugin store, theme store);
- Vendors, including their owners, directors, staff, and authorised users;
- Partners, Agencies, Suppliers, and Developers who participate in our programmes;
- Applicants who apply for jobs with us;
- People who contact us by email, form, chat, phone, or social media;
- Prospects and other recipients of our marketing communications.
How we handle Customer Personal Data on behalf of Vendors is governed by the Data Processing Addendum and by the Vendor’s own privacy notice. This Policy is not a substitute for the Vendor’s privacy notice on its Storefront.
4. What Personal Data We Collect
4.1 Information you give us
- Account details (name, email, password, role, profile picture, time zone, language);
- Business information (company name, registered address, trading address, VAT number, company number);
- Billing information (billing address, payment-method metadata; full card numbers are processed by our payment processor and are not stored by us);
- Communications with us (support tickets, chat transcripts, call recordings where we tell you a call is recorded);
- Content you submit (forms, surveys, event registrations, applications);
- Information you provide for verification, KYC, or fraud prevention.
4.2 Information we collect automatically
- Device and connection data (IP address, user agent, screen size, language);
- Usage data (pages visited, features used, clicks, sessions, errors, performance metrics);
- Cookies, similar technologies, and identifiers (see the Cookie Policy);
- Authentication, session, and security log data.
4.3 Information from third parties
- Identity, KYC, and sanctions-screening data from compliance providers;
- Payout, payments, and chargeback data from payment processors (when you connect a processor to your Vendor Account);
- Authentication data from single-sign-on providers if you sign in with them;
- Information from connected third-party services and channels (for example, marketplaces and ad networks) when you connect them;
- Information from publicly available sources (Companies House, regulator registers, business directories).
5. How and Why We Use Personal Data (Purposes and Lawful Bases)
| Purpose | Lawful basis (UK GDPR Art. 6) |
|---|---|
| Provide the Service, your Vendor Account, and the marketing website | Contract performance; legitimate interests |
| Process subscription Fees and tax | Contract performance; legal obligation |
| Provide customer support and respond to enquiries | Contract performance; legitimate interests |
| Operate security, prevent fraud, protect against abuse and AUP breaches | Legitimate interests (protecting the Service, vendors, and the public) |
| Comply with sanctions, anti-money-laundering, tax, and other legal duties | Legal obligation |
| Improve, debug, and develop new features (aggregated and de-identified where possible) | Legitimate interests |
| Send service messages (billing, security, policy changes) | Contract performance; legal obligation |
| Send marketing about our products and services to existing customers (soft opt-in) | Legitimate interests; PECR soft opt-in for existing customers, with easy unsubscribe |
| Send marketing to prospects who have opted in | Consent |
| Use cookies and similar technologies (other than strictly necessary) | Consent |
| Establish, exercise, or defend legal claims; manage corporate transactions | Legitimate interests; legal obligation |
Where we rely on legitimate interests, we have considered whether those interests are overridden by your rights and freedoms. You can ask us to explain our balancing test by emailing support@orbitcommerce.net. Where we rely on consent, you can withdraw it at any time without affecting the lawfulness of processing before withdrawal.
6. AI and Automated Decisions
We do not use Customer Personal Data, your Vendor Content, or your transaction data to train any artificial intelligence model or large language model without your explicit prior consent. We may use aggregated, anonymised, and de-identified data to operate, improve, and secure the Service.
We may use automated tools for fraud detection, abuse detection, and security monitoring. We do not make decisions that produce legal or similarly significant effects about you based solely on automated processing. Where automation flags a concern, a human reviews the outcome before any account-impacting action is taken, except in time-critical security cases where we will give you the opportunity to contest the outcome after the fact.
7. Sharing Personal Data
We do not sell your personal data. We share personal data only as described in this Policy:
- Sub-processors and service providers we engage to run the Service (cloud hosting, content delivery, transactional email, analytics, helpdesk, fraud screening, billing, payment processing, monitoring, logging). Our current list is published at orbitcommerce.net/subprocessors;
- Third-party services you connect to your Vendor Account, for the purpose for which you connect them;
- Professional advisers (lawyers, accountants, auditors, insurers) under duties of confidentiality;
- Authorities where we are required to disclose information by law, regulator demand, court order, or to protect rights, safety, or property;
- In a corporate transaction, to the buyer or successor (subject to appropriate confidentiality).
8. International Transfers
Our hosting infrastructure is located in the United Kingdom and the European Economic Area. Some of our sub-processors process personal data outside the UK and the EEA. Where we transfer personal data to a country or territory that the UK Government has not deemed adequate, we rely on one of the following safeguards under Article 46 UK GDPR:
- the International Data Transfer Agreement (IDTA) issued by the Information Commissioner;
- the International Data Transfer Addendum to the EU Commission Standard Contractual Clauses (UK Addendum); or
- where the importer is certified, the UK Extension to the EU-US Data Privacy Framework.
We complete a Transfer Risk Assessment for each Restricted Transfer that relies on the IDTA or UK Addendum. You may request a copy of the relevant transfer mechanism for any specific transfer by emailing support@orbitcommerce.net.
9. How Long We Keep Personal Data
We keep personal data only as long as we need it for the purpose for which we collected it, taking into account our legal, regulatory, accounting, and reporting obligations. Typical retention periods are:
| Category | Retention |
|---|---|
| Vendor Account — active | For the duration of the subscription |
| Vendor Account — closed | Up to 24 months after closure (then deleted or anonymised) |
| Billing, invoicing, and tax records | 6 years from the end of the relevant accounting period |
| Support tickets and chat transcripts | 3 years from last contact |
| Security and audit logs | 12 months |
| Marketing data (where consent withdrawn) | Suppression list kept indefinitely to honour withdrawal |
| Job applications | Up to 12 months after the role closes (longer with your consent for talent pool) |
| Backups | Up to 90 days, on a rolling cycle |
We may keep personal data longer if we have a legal or regulatory obligation to do so, or if we are dealing with an actual or anticipated claim.
10. Security
We implement technical and organisational measures appropriate to the risk under Article 32 UK GDPR. A summary of those measures is set out in Annex 2 of the Data Processing Addendum.
If a personal data breach affects your personal data and it is likely to result in a high risk to your rights and freedoms, we will notify you without undue delay and in accordance with Article 34 UK GDPR. We will report breaches to the ICO without undue delay and in any event within 72 hours of becoming aware, where Article 33 requires.
11. Your Rights
Under UK GDPR you have the right to:
- access the personal data we hold about you and receive a copy;
- rectify inaccurate or incomplete personal data;
- erasure of your personal data in certain circumstances;
- restriction of processing in certain circumstances;
- data portability for data you have provided to us and that we process by automated means under contract or consent;
- object to processing based on legitimate interests, and to direct marketing at any time;
- withdraw consent at any time where processing is based on consent;
- not be subject to a decision based solely on automated processing that produces legal or similarly significant effects about you.
To exercise any of these rights, email support@orbitcommerce.net or write to us at the address in section 2. We may need to verify your identity before we act. We will respond within one (1) month, unless your request is complex or you have made a number of requests, in which case we may extend by up to two further months and will tell you if we do.
For Customer Personal Data: if you are a Customer of a Vendor and you want to exercise your rights in respect of data the Vendor holds, please contact the Vendor (the controller) directly. We will forward any request we receive to the relevant Vendor.
You also have the right to complain to the ICO at ico.org.uk, by telephone on 0303 123 1113, or by post to Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF. We would appreciate the chance to deal with your concerns before you approach the ICO, so please contact us first.
12. Cookies and Tracking
Our use of cookies and similar technologies is described in detail in our Cookie Policy. You can manage your cookie preferences at any time by clicking “Cookie settings” in the footer.
13. Marketing
If you are a customer or you have opted in, we may send you marketing about Orbit Commerce products and services. We rely on the PECR “soft opt-in” only where we have collected your contact details in the course of a sale, the marketing relates to similar products and services, and you were given a simple way to opt out at the point of collection and in every message.
You can opt out at any time by using the unsubscribe link in any marketing email or by emailing support@orbitcommerce.net. Opting out of marketing does not affect service messages, which we send for contractual or legal reasons.
14. Children
The Service is for businesses and is not directed at children. We do not knowingly collect personal data from children under sixteen (16). If you believe we have collected personal data from a child, contact support@orbitcommerce.net and we will delete it. Vendors are responsible for their own age policies and any compliance with the Age Appropriate Design Code on their Storefronts.
15. Changes to this Policy
We may update this Privacy Policy from time to time. We will post the updated Policy on this page with a new “Last updated” date. For material changes that adversely affect your rights, we will give at least thirty (30) days’ notice by email or in the vendor dashboard. Changes that clarify, add detail, or that are required by law may take effect on posting.