Privacy Policy
February 23, 2026
1. Overview
Oona Flairlab GmbH (“we”, “us”, or “the Provider”) operates the service Orbi. We are committed to protecting your personal data in accordance with the EU General Data Protection Regulation (GDPR). This policy explains how we collect, process, and store your information.
2. Data Controller
The responsible party for data processing (Controller) is:
Oona Flairlab GmbH
Kaiserswerther Straße 135
40474 Düsseldorf, Germany
Email: orbi@oonalab.ai
3. Data We Collect and Why
| Data Category | Purpose | Legal Basis (GDPR) |
|---|---|---|
| Account Info (Name, Email) | To create and manage your user account. | Art. 6(1)(b) - Contract |
| Payment Data (via Stripe) | To process subscriptions. We do not store credit card details on our servers. | Art. 6(1)(b) - Contract |
| Social Media Access (OAuth) | To provide insights and automation (read/write access as permitted). | Art. 6(1)(b) - Contract |
| AI Input/Output | Processing your prompts to generate scripts, strategy, and metadata. | Art. 6(1)(b) - Contract |
| Technical Logs (IP, Browser) | To ensure system security and stability. | Art. 6(1)(f) - Legitimate Interest |
4. Third-Party Processors & AI Data Residency
We work with specialized partners to provide our services. We ensure all partners provide adequate data protection levels.
- Google Gemini (Vertex AI): We use Google's Vertex AI infrastructure. For EU customers, we utilize EU-specific regions (e.g., europe-west3 in Frankfurt or europe-west4 in Netherlands). This ensures your prompts and AI-generated content are processed and stored within the European Economic Area (EEA).
- OAuth Authentication: We use secure tokens (OAuth) to connect to your social media accounts (e.g., Google, Meta). We never see or store your platform passwords.
- Stripe: Payments are handled by Stripe. Your data may be processed in accordance with Stripe's Global Privacy Policy.
Data Processing Agreement (DPA) for Business Customers
If you use Orbi in a professional or business capacity (B2B), our processing of personal data on your behalf is governed by our Data Processing Agreement (DPA). This DPA is incorporated by reference into this Privacy Policy and our Terms and Conditions. By using our Service, you expressly accept the DPA, which can be found at: https://orbiai.app/dpa.
5. Data Retention
We adhere to the principle of "storage limitation."
- Active Account: We store your content (scripts, metadata) for as long as your account is active to provide you with a history of your work.
- Cancellation: Upon cancellation, we immediately stop syncing your social media analytics.
- Deletion: We retain your generated content for a maximum of 24 months after account inactivity to allow for easy reactivation, unless you exercise your "Right to Erasure" (see Section 7) earlier.
- Legal Necessity: Invoices and payment records are kept for 10 years as required by German tax and commercial law (HGB/AO).
6. Cookies and Tracking
Currently, we use essential cookies to keep you logged in. In the future, we may implement analytics or ad tags (e.g., Google Analytics). If we do, we will implement a Consent Management Provider (Cookie Banner) to ensure you can opt-in or opt-out before any non-essential tracking begins.
7. Your Rights
Under the GDPR, you have the following rights:
- Access: Request a copy of your personal data.
- Rectification: Correct inaccurate data.
- Erasure: Request we delete your data ("Right to be forgotten").
- Object/Restrict: Object to processing based on legitimate interests.
- Portability: Receive your data in a structured, machine-readable format.
To exercise these rights, please contact us at orbi@oonalab.ai.
8. Changes to this Policy
We may update this policy to reflect changes in our service or legal requirements. We will notify you of any significant changes via email or a notice within the Orbi platform.