Privacy Policy

We at ORBITAL SYSTEMS (“Orbital”) consider security and integrity to be part of our company DNA. It’s our obligation as controller of our customers’ personal data to inform our customers, both prospects and purchasing, about how and why we process their personal data.

This Privacy Policy applies to the processing of personal data for the following categories of individuals:

1. Customers: Individuals who have purchased or actively use our products and services.

2. Prospect Customers: Individuals who have shown interest in our products or services, such as by joining waiting lists or signing up for newsletters.

3. Business Partners and Collaborators: Individuals engaging with us for other reasons, such as inquiries, partnerships, or collaborations.

4. Website visitors:When you visit our website, certain data is collected to improve your experience and analyze how the website is used. This includes information gathered through cookies and similar technologies, such as browsing behavior or technical details about your device. For more detailed information about how cookies are used, including the types of cookies we use and how you can manage your preferences, please refer to our Cookie Policy.

If you fall into any of these categories, this policy outlines how we handle your data.

We collect and process your personal data to provide our products and services, fulfill legal and contractual obligations, and improve your experience with us. The type of data we collect, the reasons we process it, and the lawful basis for doing so are described in the sections below.

Providing personal data is often necessary for specific purposes, such as creating an account, processing payments, or delivering our services. In cases where data is required to fulfill a contract, failure to provide the requested information may mean we are unable to offer the relevant product or service. For optional processing, such as marketing communications, you have the right to decline without affecting your access to our core services.

Below, we outline the categories of individuals we process data for and explain when we collect your data, what types of data are collected, and the lawful basis for its processing.

Customers
When you become a customer and use our services, we collect personal data to fulfill our contractual obligations and ensure you receive the best possible experience. This includes the information you provide during the sign-up process, such as your name, email address, and account details, as well as data generated through your use of our products, such as invoice information. This data is collected when you communicate with us during the sign-up process, register for services via our app or website, or use our products.

Additionally, technical product data is generated when our products are in use. This includes non-personal information such as filter status, temperature, or sensor metrics, which helps us deliver notifications and statistics to you via the web or app. This data also enables us to improve our products and analyze trends, such as aggregated shower habits, which we may publish as anonymized findings. Importantly, this technical data does not identify you personally.

The lawful basis for processing customer data is performance of a contract, where the data is necessary to deliver our services and fulfill our agreements with you.

We may also rely on legitimate interest to improve our services, develop products, and analyze non-personal data for business purposes.

Prospect Customers
If you have expressed interest in our products or services but have not yet become a customer, we collect and process data to keep you informed and provide relevant updates. This includes your name, email address, and any preferences you provide when signing up for waiting lists, requesting information, or engaging with our marketing materials. For example, if you register on a waiting list, we use your data to notify you when products or services become available in your country and to share updates on launches, features, or promotions.

We may also collect data about how you interact with our marketing materials, such as whether you open our emails or browse specific parts of our website. Cookies and similar technologies help us understand your interests and tailor our communications to make them more relevant.

The lawful basis for processing data from prospect customers is legitimate interest, as it allows us to share information about our products and services that align with your expressed interest. You have the right to opt out of marketing communications at any time, and your preferences will always be respected.

Business Partners and Collaborators
We collect personal data from business partners, collaborators, and other professionals engaged with us in partnerships, collaborations, or business development activities. This may include contact details, such as names, email addresses, and phone numbers, as well as other information necessary for managing agreements or projects.

This data is processed to facilitate communication, maintain relationships, and ensure the smooth operation of collaborative activities. For example, we may process your contact details to share updates on a joint project or to manage the terms of an agreement.

The lawful basis for processing this data is primarily performance of a contract, where the data is essential to fulfill agreements or obligations. In other cases, we rely on legitimate interest to support business development and maintain effective collaboration.

Website visitors
When you visit our website, we may collect limited data to improve your experience and analyze how our website is used. This includes information collected via cookies, pixels and similar technologies, such as your browsing behavior or device details. This data helps us understand usage patterns, ensure the functionality of our website, and optimize our digital presence.

While most of this data is non-identifiable, some information may be linked to you if you have interacted with us previously (e.g., signing up for a newsletter). For more information, please refer to our Cookie Policy.

The lawful basis for processing website visitor data is legitimate interest, as it allows us to enhance the performance and usability of our website. Where cookies require consent under applicable laws, we ensure that your preferences are respected.

Marketing activites and data use
We aim to deliver relevant and valuable information about our products and services. To achieve this, we process personal data for activities such as sending newsletters, sharing product updates, and offering promotions tailored to your interests.

For marketing purposes, we may process data such as your contact details, interaction history (e.g., email engagement or website usage), and, for existing customers, purchase history. These insights help us provide targeted communications while respecting your privacy.

We process personal data to share updates, news, and promotions about our products and services that we think might interest you. This may include:

• Sending newsletters and product updates.
• Informing you about new launches or features.
• Offering promotions, discounts, or special deals tailored to your interests.
• Inviting you to events, surveys, or other engagement opportunities.

We understand that everyone has different preferences when it comes to receiving marketing communications. If at any point you decide that you no longer wish to receive information from us, we will respect your choice. You can easily opt out by:

• Clicking the unsubscribe link in any marketing email you receive.
• Adjusting your preferences through your account settings, where available.
• Contacting us directly (see contact details below) to let us know your preferences.

Choosing to opt out of marketing communications will not affect your use of our services or our ability to send important updates related to your account.

We rely on legitimate interest as the lawful basis for our marketing activities, which allows us to communicate with you in a relevant and efficient manner. This approach reflects our aim to provide value without overstepping your expectations. For marketing, our legitimate interest lies in sharing relevant updates, offers, and information about our products and services to maintain and grow our business.

We may collaborate with trusted third-party service providers to deliver communications, analyze data, and improve the effectiveness of our marketing efforts. These third parties are contractually required to handle your data securely and comply with applicable data protection laws.

When relying on legitimate interest, we assess the necessity of processing and ensure it aligns with your reasonable expectations. As a customer or someone who has shown interest in our products, it is reasonable to expect that we may process your data to keep you informed about updates or offers. To minimize any impact on your privacy, we apply measures such as data minimization, anonymization, and offering clear opt-out options for marketing communications.

We believe these steps ensure our legitimate interests do not override your rights. However, you have the right to object to this processing if you feel it impacts your interests or freedoms, see our contact details below.

We never save data longer than we need. Some data is discarded directly, others are stored for a long time depending on the data and our legal requirements.

For example, a buying customer’s personal data is saved no longer than 24 months after the termination of the contract. Exceptions do apply to such information that must be stored by law, e.g. the Swedish Accounting Act (Sw: Bokföringslagen).

Personal data is also saved for billing purposes. In the case of unpaid invoices, the personal data is saved until the claim is settled. When the invoice is paid, the data is deleted after 24 months if not required by law that it is stored for a longer period.

Please see the tables below for more detailed information. Do note that we will not process your personal data for any other purposes than listed below. If additional processing would be needed, we will inform you and ask for further consent or explain on what legal basis we process your personal data.

We share your data with a number of partners in order to provide our services to you. We may use databases and software suppliers to handle communication with you in the best possible manner.

We generally enter into a binding agreement with all external parties that includes a duty of confidentiality and require them to comply with the requirements of applicable legislation regarding processing and transfer of personal data.

These partners often act as data processors on our behalf, meaning they process your data strictly in accordance with our instructions and for the purposes we have outlined. We always seek to guarantee the security and confidentiality of your personal data.

We strive to primarily process personal data within the European Union (EU) and European Economic Area (EEA). However, in certain circumstances, it may be necessary to transfer personal data to countries outside the EU/EEA. Such transfers may occur, for example, if the services we provide require cooperation with partners, suppliers, or systems located in third countries, including the United States.

When transferring personal data to a country outside the EU/EEA, we ensure that these transfers are executed in a secure and lawful manner. We do not transfer your personal data to an external party outside the EU/EEA unless we have taken the appropriate steps to safeguard your data, including:

• Ensuring the destination country has been deemed to provide an adequate level of data protection by the European Commission.
• Entering into agreements incorporating Standard Contractual Clauses (SCCs) or equivalent safeguards between us as the data exporter and the data importer. These agreements ensure that your data receives a level of protection equivalent to that provided within the EU/EEA. A copy of such standard contractual clauses can be found here.

Additionally, we may adopt other safeguards as required by GDPR, such as:

• Utilizing an approved code of conduct in accordance with Article 40 GDPR.
• Employing an approved certification mechanism under Article 42 GDPR.

For transfers to the United States, we may rely on the EU-U.S. Data Privacy Framework (DPF). The DPF recognizes that certified organizations in the U.S. provide an adequate level of data protection equivalent to EU standards. When transferring data under this framework, we ensure that our service providers or partners are certified and adhere to its strict obligations, including safeguarding your rights to access, rectify, or delete your personal data. You can verify DPF certifications through the U.S. Department of Commerce's DPF website.

In specific cases where neither an adequacy decision nor the safeguards outlined above apply, we may rely on derogations under Article 49 GDPR. These include situations where the transfer is necessary for the performance of a contract, for important reasons of public interest, or with your explicit consent. When relying on derogations, we ensure that transfers are limited to what is strictly necessary and lawful under GDPR.

Security of data comes first in everything we do. Security features are built into all of our products, services, and infrastructure to keep data protected at every layer. We invest in teams and technology to continually improve that security, protecting not only our operations, but your business and data as well.

In the unlikely event that we lose control of your personal data and this data is of a sensitive nature we will inform you without undue delay, and no later than 72 hours after we have become aware of the incident.

It is our obligation to only process personal data which are correct, relevant and necessary with regards to the purposes of the processing, and you are entitled to control that this is the case. Orbital is responsible for that your personal data is processed in accordance with existing legislation. We will, on your request or on our own initiative, correct, de-identify, erase or complement data which are detected to be inaccurate, incomplete or misleading. You as an individual have a number of rights under existing legislation. You have the right to:

• Gain access to your personal data.
  We will, on your request, provide information regarding which of your personal data we are processing as quickly as possible.
  You are also entitled to obtain a copy of the personal data which is being processed.
  Orbital may refuse you access to the personal data if your request is manifestly unfounded, clearly abusive or if the personal data cannot be disclosed by access due to requirements in other legislation.
  The register with your personal data will be provided free of charge. However, Orbital has the right to charge a reasonable fee for administrative costs arising out of request of additional copies or if the request is manifestly unfounded or clearly abusive.
• Demand rectification of your personal data.
  We will, on your request, rectify the inaccurate or incomplete information that we are processing about you as quickly as possible.
• Demand erasure of your personal data.
  We will erase your personal data on your request as quickly as possible from when we received your message if they are no longer necessary for the purpose for which they were collected or if the processing was based on your consent.
  Please note that we cannot erase your personal data if we still have a legal basis for continuing the processing. If that is the case, we will cease with the processing of the personal data that is possible to erase and is corresponding to your request and inform you of the legal basis and the relevant purpose of the continued processing.
• Demand limitation of processing.
  You have a right to mark your personal data in order for it to only be processed for certain limited purposes. You can inter alia demand limitation when you consider that your personal data are inaccurate, and you have demanded rectification according to the above. Whilst the time when the personal data’s correctness is investigated, the processing of it will be limited.
  We will inform you if the investigation results in that the processing shall be limited. We will make sure that necessary rectifications or erasure of personal data and limitation of processing of personal data also is made by the companies to which Orbital have disclosed your personal data.
• Demand data portability.
  You have a right to, under certain circumstances, receive and transmit your personal data in a structured, commonly used and machine-readable format to another controller. Contact us if you wish to know more.
• Object to processing of personal data which is being done with the support of a balancing test.
  You can object to the processing if it is based on a balancing of interest test. If you object to such processing, we will only continue to process your personal data if there are eligible reasons to the processing which outweighs your interest. We will inform you of the reasons if that is the case.
• Demand that we cease to process your personal data for direct marketing.
  You always have a right to object against direct marketing by sending an e-mail to contact@orbital-systems.com When we have received your objection, we will cease to process the personal data for such marketing purpose.
• Complain on our processing of your personal data and compliance with the law to the Swedish Data Protection Authority.
  You are entitled to complain on the processing that we perform on your personal data to the Data Protection Authority if you think that we are in breach of the Privacy Policy, do not fulfil your rights or in any other way are acting contrary to existing law.

If you wish to make use of any of your rights above, please feel free to contact us. Our contact details can be found below.

Sometimes we may come to do changes in the privacy policy. We will send you a message if we do major changes by use of appropriate means, e.g. by sending a message by e-mail, inform via a pop-up in the app/on the web, or send a SMS message to you.

In some event, we will inform you in advance, and your continued use of the webpage and/or app after the changes will constitute your acceptance of the changes. Therefore, we kindly advise you to ensure that you read all such messages carefully.