Orbita Privacy Policy

Updated September 2023

PURPOSE

Orbita, Inc. (“Orbita,” “we,” “us” or “our”) operates certain websites and applications that may, directly or on behalf of our customers, collect personal information.

Orbita respects the privacy of its customers, suppliers, business partners, and individuals who entrust us with their personal information through our services.

The purpose of this policy is to describe how Orbita ensures the privacy of personal information in accordance with the laws and regulations of the countries in which the information is collected, used, and managed.

DEFINITIONS

“Service” means any Orbita website or software application referencing this Policy.
“Customer” means any entity with whom Orbita is contracted to provide a Service.
“User” means any individual that accesses a Service.
“Personal Data” means data about a User who can be identified from those data (or from those and other information either in Orbita’s possession or likely to come into Orbita’s possession).

SCOPE

This Privacy Policy applies to the Service and any Personal Data entered into the Service by or on behalf of a User.

This Privacy Policy does not apply to any information we collect from any source other than the data entered into a Service by or on behalf of a User. We may offer other products and services other than the Service referencing this Privacy Policy. If you wish to learn more about such products and other services, please contact us at privacy@orbita.ai.

WHAT DATA DO WE COLLECT?

When Users access or use a Service, Orbita may request and collect certain Personal Data. You may provide Personal Data to Orbita when you post or transmit content (including any text, graphic, audio, video, or other content), create an account, enroll in a program, complete online surveys, forms or questionnaires, or otherwise use or access the Service. The information you provide may include your name, address, phone number, email address, company name, job title, IP address, content of messages transmitted to us via the Service, and other information that personally identifies you or can otherwise be linked to you.

Also, certain web-based Services, including Orbita’s website, may send one or more cookies – small files – to your computer or device. We may be able to uniquely identify your browser with such cookies. We may use session cookies and persistent cookies. Session cookies provide information to us while your browser is open. Persistent cookies provide information to us after your browser is closed and later re-opened. If your browser is set to disable cookies, some features of the Service may not function.

We may also record certain information sent or made available by your device when you access the Service. Such information may include your location, your device and its specifications, the referring page or service and URL, IP address, browser type and language, operating system specifications, pages viewed, the time you spend on each page, the order in which you view pages, the date and time of your use or access, the exit page or service and URL, application crashes, and similar information.

We may also use technology such as web beacons and clear gifs to track you, and your use of and access to the Service. We may also use this technology in emails we send to you to track whether you opened the email. Please note that some web browsers and devices permit you to broadcast a preference to websites and online services that they “do not track” your online activities. At this time, we do not modify what information we collect or how we use that information based upon whether such a signal is broadcast or received.

HOW WILL WE USE YOUR DATA?

We use collected information, and share collected information with our affiliates, other businesses, suppliers, vendors, licensors, and agents, to operate, maintain and provide the features and functionality of the Service, including to:

respond to and process inquiries by you, our customers, and our providers;
alert Users to new features and functionality, or to products and services offered by us or by third parties;
provide personalized content and information;
enable our customers and other third parties to provide you with access to services or products provided by our customers and other third parties;
monitor the effectiveness of our marketing activity;
transfer Personal Data between Customers to enhance user experience;
enforce this Privacy Policy;
monitor aggregate use of and access to the Service, including potential use of third-party analytics tools or services; and
for any other purpose, with your consent.

We may also disclose collected information if we believe disclosure is required to comply with applicable law, or to protect us or the Service.

In the event that we are involved in a merger, acquisition, sale, bankruptcy, insolvency, reorganization, receivership, assignment for the benefit of creditors, or the application of laws or equitable principles affecting creditors’ rights generally, or a change of control, there may be a disclosure of your Personal Data to another entity related to such event.

We may share your information in response to lawful requests by public authorities, including to meet national security or other lawful enforcement requirements. Please note that you may withdraw your consent to use and/or disclose your Personal Data at any time, subject to certain restrictions prescribed by applicable law. If you do so, we may not be able provide certain services to you.

FOR SUPPORTING CUSTOMERS

Orbita provides Services to its Customers to operate and manage information systems supporting certain businesses operations. The Orbita Services include digital information systems that collect, store, and manage data on behalf of our Customers and Users.

While Orbita Customers ultimately decide what data will be used within Orbita Services, it may include information about their users, customers, and in some cases, their patients. This information may include medical, health, healthcare, medication, treatment, contact, or other information related to people, groups, conditions, or clinical research.

In addition, Orbita provides consulting services to assist Orbita Customers with their implementation and use of Orbita Services at various stages within their project management process as well as varying levels of assistance. Information may be shared as required by the project and at the discretion and control of the Customers to limit and request any special handling requirements.

FOR MARKETING

Orbita collects and uses information gathered through our Services for marketing purposes to provide further information regarding our services and solutions. As addressed and detailed within this Policy, our processing activities are accurate to the stated purposes and all such information is secured with technical and organizational measures to ensure protection for confidentiality, integrity, and availability.

FOR BUSINESS OPERATION USE

Orbita collects certain Personal Data for billing and operations in support of its business. Contact information from Customers is used to perform business operations related to proposals, agreements, billing, invoicing, and for tax reporting purposes.

HOW DO WE STORE YOUR DATA?

Orbita stores the Personal Data we collect for as long as is necessary for the purpose(s) for which we originally collected it. We may retain certain Personal Data for legitimate business purposes and as required by law.

Personal Data that is no longer needed for the purposes defined in this Privacy Policy is destroyed, or where applicable, stripped of personal identifying data attributes (anonymized).

HOW WE SECURE YOUR DATA?

Orbita has implemented and maintains safeguards to secure Personal Data from misuse, loss, or unauthorized alteration. Additionally, safeguards are also in place to ensure that Orbita suppliers, vendors, contractors, and partners are required to keep any shared information confidential and are not permitted to use it for any other purpose than the performance of services for Orbita.

When necessary, Orbita requires and enforces use of encryption when storing and transmitting data. Access controls are in place to ensure that restrictive limits are established and maintained with controls for authentication, authorization, and accounting. Access to Personal Data is protected with these controls and Orbita regularly monitor its systems for possible vulnerabilities and attacks.

USE OF SUBPROCESSORS

Orbita may retain our affiliates and other third parties (“Subprocessors”) to further process data on your behalf in connection with the provision of the Services. Reasonably necessary steps are taken to ensure that such data is treated securely and in accordance with this Privacy Policy and that no transfer of Personal Data will take place to an Orbita Subprocessor unless there are adequate controls in place.

As appropriate, Orbita will only disclose Personal Data with a Subprocessor provided contractual assurances are in place with at least the same level of privacy protection as is required by this Policy and that they will process Personal Data for limited and specific purposes consistent with any consent provided by the Customer or User.

Orbita’s current list of our Subprocessors is available here.

LEGAL DISCLOSURES

Under certain circumstances, Orbita may be required to disclose Personal Data if required to do so by law or in response to valid requests by public authorities (e.g. a court or a government agency).

Orbita may disclose Personal Data in the good faith belief that such action is necessary to comply with legal obligations including:

To protect and defend the rights or property of Orbita
To prevent or investigate possible wrongdoing in connection with the Service
To protect the personal safety of users of the Service or the public
To protect against legal liability

WHAT ARE YOUR DATA PROTECTION RIGHTS?

You have the right to exercise certain controls and choices regarding our collection, use and sharing of your information. Your controls and choices include the following:

you may access, correct, update, and delete your information as described in the “How can you delete or correct collected information?” below;
you may change your choices for newsletters, emails, and alerts as described in the applicable newsletter, email, or alert;
you may obtain from us information regarding our policies and practices as they relate to the collection, use and disclosure of your information, including those with respect to the transfer and storage of your information outside of your jurisdiction of residence by contacting us as described in the “Contacting Us” section below; and
if applicable, you may request a list of all third parties to which we have disclosed your Personal Data during the preceding year for direct marketing purposes and a disclosure of the shared information, as described in the “Your California Privacy Rights” section below.

You may, of course, decline to submit Personal Data to us, in which case we may not be able to provide the Service to you.

FOR CITIZENS OF THE EU AND SWITZERLAND

Orbita complies with the EU-U.S. Data Privacy Framework (“DPF”) and Swiss-U.S. DPF as developed by the U.S. Department of Commerce regarding the collection, use, and retention of personal information transferred from the European Union, the United Kingdom, and Switzerland to the United States. Orbita has certified to the Department of Commerce that it adheres to these frameworks with respect to such information. If there is any conflict between the terms in this Privacy Policy and the DPF, the DPF shall govern. To learn more about the DPF, and to view our certification, please visit https://www.dataprivacyframework.gov/ .

Orbita’s participation in the EU-U.S. DPF and the Swiss-U.S. DPF are subject to investigation and enforcement by the United States Federal Trade Commission.

Orbita will investigate and attempt to resolve complaints and disputes regarding Orbita’s use and disclosure of Personal Data in accordance with the EU-U.S. DPF and the Swiss-U.S. DPF. Please send all complaints to privacy@orbita.ai.

Orbita recognizes the Personal Data protection rights of citizens under the EU-U.S. DPF and the Swiss-U.S. DPF and offers the means for these individuals to correct, amend, delete or limit the use of their Personal Data within applications that are powered by Orbita Services. Orbita supports the following Personal Data protection rights:

Right of Access, Update, and Deletion: The right to access, update or delete owned Personal Data.
Right of Rectification: The right to have owned Personal Data rectified if that information is inaccurate or incomplete.
Right of Objection: The right to object to Orbita’s processing of owned Personal Data.
Right of Restriction: The right to request that that Orbita restrict the processing of owned Personal Data.
Right of Data Portability: The right to be provided with a copy of the owned Personal Data Orbita may have in a structured, machine-readable and commonly used format.
Right of Consent Withdrawal: The right to withdraw consent at any time where Orbita relied on such consent to process owned Personal Data.

Orbita has registered with the JAMS Foundation (JAMS), a commercial dispute resolution service, to provide an independent dispute resolution alternative for Customers. In the event that Orbita fails to respond or does not resolve a complaint within forty-five (45) days, Customers seeking a resolution may contact JAMS. To learn more about JAMS dispute resolution services, including instructions for submitting a complaint, visit: https://www.jamsadr.com/dpf-dispute-resolution.

CHILDREN’S PRIVACY

Orbita Services do not address anyone under the age of 18 (“Children”). Orbita does not knowingly collect Personal Data from anyone under the age of 18. If Orbita becomes aware that Personal Data from children has been collected by an application using an Orbita Service, without parental consent, Orbita will remove that information from Orbita servers upon discovery or by way of parental request.

SALE OF YOUR PERSONAL DATA

Orbita does not rent, sell, or share your Personal Data with nonaffiliated companies for marketing purposes or otherwise, unless we have your permission.

CALIFORNIA PRIVACY RIGHTS

This section supplements the information in the Privacy Policy and applies solely to Users who reside in the State of California. This section of the policy is provided to comply with the California Consumer Privacy Act of 2018 (“CCPA”) and any terms defined in the CCPA have the same meaning when used in this section.

The Service may collect Personal Data. Personal Data does not include: (i) publicly available information from government records; (ii) deidentified or aggregated consumer information; or (iii) health or medical information covered by the Health Insurance Portability and accountability Act of 1996 and the California Confidentiality of Medical Information Act or clinical trial data.

INFORMATION WE COLLECT

The Service has collected the following categories of Personal Data from consumers within the past 12 months. Some personal information included in this category may overlap with other categories.

Category	Examples	Collected
A. Identifiers	A real name, alias, postal address, unique personal identifier, online identifier, Internet Protocol address, email address, account name, or other similar identifiers.	Yes
B. Personal Information Categories listed in the California Customer Records statute (Cal. Civ. Code 1798.80(e))	A name, signature, physical characteristics or description, address, telephone number, insurance policy number, education, or any other financial information, medical information, or health insurance information.	Yes
C. Protected classification characteristics under California or federal law	Age (40 years or older), race, color, ancestry, national origin, citizenship, religion or creed, marital status, medical condition, physical or mental disability, sex (including gender, gender identity, gender expression, pregnancy or childbirth and related medical conditions), sexual orientation, veteran or military status, genetic information (including familial genetic information).	Yes

We obtain the Personal Data described in the table above directly from you, for example when you complete forms or answer questions through the Service. The Service may also obtain Personal Data indirectly from you, for example by observing your actions interacting with the Service. We may also obtain Personal Data about you from Customers.

Use of Personal Data. We may use, sell, or disclose the Personal Data for one or more of the following purposes:

To fulfill or meet the reason for which you provided the information, such as enabling you to be matched with medical service providers through the Service.
To provide support, personalize, and develop the Service, products, and services.
To create, maintain, customize, and secure your account with us.
To provide you with support and to respond to your inquiries, including to investigate and address your concerns and monitor and improve our responses.
To personalize your experience with the Service, including customizing product and service offerings relevant to your interests.
To help maintain the safety, security, and integrity of the Service, products and services, databases and other technology assets, and business.
To transfer your data between Customers to enhance user experience;
For testing, research, analysis, and product development.
To respond to law enforcement requests and as required by applicable law, court order, or governmental regulations.
As described to you when collecting your Personal Data or as otherwise set forth in the CCPA.
To evaluate or conduct a merger, divestiture, restructuring, reorganization, dissolution, or other sale or transfer of some or all of our assets, whether as a going concern or as part of bankruptcy, liquidation, or similar proceeding, in which Personal Data held by us is among the assets transferred.

We will not collect additional categories of Personal Data or use the Personal Data we collected for materially different, unrelate, or incompatible purposes without providing you notice.

SHARING PERSONAL DATA

We may share your Personal Data by disclosing it to a third party for a business purpose. We only make these business purpose disclosures under written contracts that describe the purposes, require the recipient to keep the Personal Data confidential, and prohibit using the disclosed information for any purpose except performing the contract.

In the preceding twelve (12) months, Orbita has disclosed Personal Data for a business purpose to the categories of third parties indicated in the chart below. We do not sell Personal Data and, in the preceding twelve months, Orbita has not sold Personal Data.

Category	Business Purpose Disclosures	Sales
A. Identifiers	To Orbita’s Customers.	No
B. Personal Information Categories listed in the California Customer Records statute (Cal. Civ. Code 1798.80(e))	To Orbita’s Customers.	No
C. Protected classification characteristics under California or federal law	To Orbita’s Customers.	No
D. Commercial Information	None	No
E. Biometric Information	None	No
F. Internet or other similar network activity	None	No
G. Geolocation Data	None	No
H. Sensory Data	None	No
I. Professional or Employment related information	None	No
J. Non-public education information (per the Family Educational Rights and Privacy Act (20 U.S.C. 1232g, 34 C.F.R. Part 99))	None	No
K. Inferences drawn from other personal information	None	No

RIGHTS AND CHOICES

The CCPA provides California Users with specific rights regarding their Personal Data. This section describes your CCPA rights and explains how to exercise those rights. You have the right to require that we disclose certain information to you about our collection and use of your Personal Data over the past 12 months (the “Right to Know”). Once we receive your request and confirm your identity (see the “How to Contact Us” section below), we will disclose to you:

The categories of Personal Data we collected about you.
The categories of sources for the Personal Data we collected about you.
Our business or commercial purpose for collecting or selling that Personal Data.
The categories of third parties with whom we share that Personal Data.
If we sold or disclosed your Personal Data for a business purpose, two lists disclosing the personal categories that each category purchased or obtained.
The specific pieces of Personal Data we collected about you (also called a data portability request).

You have the right to request that we delete any of your Personal Data that we collected from you and retained, subject to certain exceptions (the “Right to Delete”). Once we receive your request and confirm your identity (see the “How to Contact Us” section below), we will review your request to see if an exception allowing us to retain the information applies. We may deny your deletion request if retaining the information is necessary for us or our service providers to:

complete the transaction for which we collected the Personal Data, provide a good or service that you requested, take actions reasonably anticipated withing the context of our ongoing business relationship with you, fulfill the terms of a written warranty or product recall conducted in accordance with federal law, or otherwise perform our obligations to you;
detect security incidents, protect against malicious, deceptive, fraudulent, or illegal activity, or prosecute those responsible for such activities;
debug products to identify and repair errors that impar existing intended functionality;
exercise free speech, ensure the right of another consumer to exercise their free speech rights, or exercise another right provided for by law;
comply with the California Electronic Communications Privacy Act (Cal. Penal Code 1546 et. Seq.);
Engage in public or peer-reviewed scientific, historical, or statistical research in the public interest that adheres to all other applicable ethics and privacy laws, when the information’s deletion may likely render impossible or seriously impair the research’s achievement, if you previously provided informed consent;
enable solely internal uses that are reasonably aligned with consumer expectations based on your relationship with us;
comply with a legal obligation;
make other internal and lawful uses of that information that are compatible with the context in which you provided it.

We will delete or deidentify Personal Data not subject to one of these exceptions from our records and will direct our service providers to take similar action. We do not provide these deletion rights for business-to-business Personal Data. To exercise your rights to know or delete described herein, please submit a request as described in the “How to Contact Us” section below. Only you, or someone legally authorized to act on your behalf, may make a Request to Know or Delete related to your Personal Data. You may only submit a Request to Know twice within a 12-month period. Your Request to Know or Delete must provide sufficient information that allows us to reasonably verify you are the person about whom we collected Personal Data or an authorized representative and describe your request with sufficient detail that allows us to properly understand, evaluate, and respond to it.

RESPONSE TIMING AND FORMAT

We will confirm receipt of your request within ten (10) business days. We endeavor to substantively respond to a verifiable consumer request within forty-five (45) days of its receipt. If we require more time (up to another 45 days), we will inform you of the reason and extension period in writing. If you have an account with us, we will deliver our written response to that account. If you do not have an account with us, we will deliver our written response by mail or electronically, at your option. Any disclosures we provide will only cover the 12-month period preceding our receipt of your request. The response we provide will also explain the reasons we cannot comply with a request, if applicable. For data portability requests, we will select a format to provide your Personal Data that is readily useable and should allow you to transmit the information from one entity to another entity without hindrance. We do not charge a fee to process or respond to your verifiable consumer request unless it is excessive, repetitive, or manifestly unfounded. If we determine that the request warrants a fee, we will tell you why we made that decision and provide you with a cost estimate before completing your request.

PERSONAL DATA SALES OPT-OUT AND OPT-IN RIGHTS

If you are age 16 or older, you have the right to direct us to not sell your Personal Data at any time (the “right to opt-out”). We do not sell the Personal Data of consumers we actually know are less than 16 years old. Consumers who opt-in to Personal Data sales may opt-out of future sales at any time. To exercise the right to opt-out, you (or your authorized representative) may submit a request to us by contacting Orbita at privacy@orbita.ai. Once you make an opt-out request, we will wait at least twelve (12) months before asking you to reauthorize Personal Data sales. However, you may change your mind and opt back in to Personal Data sales at any time by contacting support with your request: (privacy@orbita.ai). You do not need to create an account with us to exercise your opt-out rights. We will only use Personal Data provided in an opt-out request to review and comply with the request.

NON-DESCRIMINATION

We will not discriminate against you for exercising any of your CCPA rights. Unless permitted by the CCPA, we will not:

Deny you goods or services.
Charge you different prices or rates for goods or services, including through granting discounts or other benefits, or imposing penalties.
Provide you a different level or quality of goods or services.
Suggest that you may receive a different price or rate for goods or services or a different level or quality of goods or services. However, we may offer you certain financial incentives permitted by the CCPA that can result in different prices, rates, or quality levels. Any CCPA-permitted financial incentive we offer will reasonably relate to your Personal Data’s value and contain written terms that describe the program’s material aspects. Participation in a financial incentive program requires your prior opt-in consent, which you may revoke at any time.

HOW TO CONTACT US

Please send all inquiries about this Privacy Policy and any of our privacy practices to:

privacy@orbita.ai

or by mail addressed to:

Orbita, Inc.
Attn: Privacy
77 Sleeper Street, 2^nd Floor
Boston, MA 02210

or by phone at:

+1 857-574-0432

CHANGES AND UPDATES

Orbita reviews and updates this Privacy Policy from time to time and not less than annually.