Privacy Policy

March 30, 2026

1. Overview

Oona Flairlab GmbH (“we”, “us”, or “the Provider”) operates the service Orbi. We are committed to protecting your personal data in accordance with the EU General Data Protection Regulation (GDPR). This policy explains how we collect, process, and store your information.

2. Data Controller

The responsible party for data processing (Controller) is:

Oona Flairlab GmbH

Kaiserswerther Straße 135

40474 Düsseldorf, Germany

Email: orbi@oonalab.ai

3. Data We Collect and Why

| Data Category | Purpose | Legal Basis (GDPR) |
| --- | --- | --- |
| Account Info (Name, Email) | To create and manage your user account. | Art. 6(1)(b) - Contract |
| Payment Data (via Stripe) | To process subscriptions. We do not store credit card details on our servers. | Art. 6(1)(b) - Contract |
| Social Media Access (OAuth) | To provide insights and automation (read/write access as permitted). | Art. 6(1)(b) - Contract |
| AI Input/Output | Processing your prompts to generate scripts, strategy, and metadata. | Art. 6(1)(b) - Contract |
| Technical Logs (IP, Browser) | To ensure system security and stability. | Art. 6(1)(f) - Legitimate Interest |

4. Google API Data

When you connect your YouTube account to Orbi, we request access to the following Google API scopes via OAuth 2.0:

  • youtube.readonly — to read your channel information, video metadata, and playlists.
  • youtube.force-ssl — to read and respond to comments on your videos.
  • yt-analytics.readonly — to retrieve analytics data (views, watch time, audience demographics) for your channel and videos.
  • youtube.upload — to upload videos to your YouTube channel on your behalf.

How we use this data: We use your YouTube data solely to provide the Orbi service features you have authorized, including displaying your channel analytics, generating AI-powered content insights, managing comments, and publishing content. We do not use your Google user data for advertising, market research, or to train general-purpose AI models.

How we store this data: Your OAuth access and refresh tokens are stored encrypted in our database. YouTube analytics and video metadata retrieved via the API are stored in our database for as long as your account is active to provide you with historical insights. All data is encrypted in transit (TLS 1.2+) and at rest (AES-256).

How we share this data: We do not sell, rent, or share your Google user data with third parties, except with the sub-processors necessary to operate the service (listed at https://orbiai.app/subprocessors). Your YouTube data may be processed by Google Gemini (Vertex AI) within EU regions solely to generate AI-powered insights for your use within Orbi.

Revoking access: You can disconnect your YouTube account from Orbi at any time through your account settings. You can also revoke Orbi's access directly via your Google Account Permissions. Upon disconnection, we stop accessing your YouTube data and delete stored tokens. Previously retrieved analytics data is retained according to our data retention policy (see Section 7).

Orbi's use and transfer of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements.

5. Third-Party Processors & AI Data Residency

We work with specialized partners to provide our services. We ensure all partners provide adequate data protection levels.

  • Google Gemini (Vertex AI): We use Google's Vertex AI infrastructure. For EU customers, we utilize EU-specific regions (e.g., europe-west3 in Frankfurt or europe-west4 in the Netherlands). This ensures your prompts and AI-generated content are processed and stored within the European Economic Area (EEA).
  • OAuth Authentication: We use secure tokens (OAuth) to connect to your social media accounts (e.g., Google, Meta). We never see or store your platform passwords.
  • Stripe: Payments are handled by Stripe. Your data may be processed in accordance with Stripe's Global Privacy Policy.

Data Processing Agreement (DPA) for Business Customers

If you use Orbi in a professional or business capacity (B2B), our processing of personal data on your behalf is governed by our Data Processing Agreement (DPA). This DPA is incorporated by reference into this Privacy Policy and our Terms and Conditions. By using our Service, you expressly accept the DPA, which can be found at: https://orbiai.app/dpa.

6. Data Storage & Protection

We implement robust technical and organizational measures to protect your data:

  • Encryption in Transit: All data transmitted between your browser and our servers is encrypted using TLS 1.2 or higher.
  • Encryption at Rest: All stored data, including database contents and backups, is encrypted using AES-256 encryption.
  • Access Control: Access to personal data and production systems is restricted to authorized personnel only, following the principle of least privilege.
  • OAuth Token Security: Social media access tokens are stored encrypted in our database. We never store your social media platform passwords.
  • Infrastructure Security: Our application is hosted on secure cloud infrastructure with firewall protection, automated security updates, and regular monitoring.
  • AI Data Residency: For EU customers, AI processing via Google Gemini (Vertex AI) is restricted to EU data centers (Frankfurt, Netherlands), ensuring your data remains within the EEA.
  • Payment Security: We do not store credit card numbers or payment method details on our servers. All payment processing is handled by Stripe, which is PCI DSS Level 1 certified.

7. Data Retention

We adhere to the principle of "storage limitation."

  • Active Account: We store your content (scripts, metadata) for as long as your account is active to provide you with a history of your work.
  • Cancellation: Upon cancellation, we immediately stop syncing your social media analytics.
  • Deletion: We retain your generated content for a maximum of 24 months after account inactivity to allow for easy reactivation, unless you exercise your "Right to Erasure" (see Section 9) earlier.
  • Legal Necessity: Invoices and payment records are kept for 10 years as required by German tax and commercial law (HGB/AO).

8. Cookies and Tracking

Currently, we use essential cookies to keep you logged in. In the future, we may implement analytics or ad tags (e.g., Google Analytics). If we do, we will implement a Consent Management Provider (Cookie Banner) to ensure you can opt in or opt out before any non-essential tracking begins.

9. Your Rights

Under the GDPR, you have the following rights:

  • Access: Request a copy of your personal data.
  • Rectification: Correct inaccurate data.
  • Erasure: Request that we delete your data ("Right to be forgotten").
  • Object/Restrict: Object to processing based on legitimate interests.
  • Portability: Receive your data in a structured, machine-readable format.

To exercise these rights, please contact us at orbi@oonalab.ai.

10. Changes to this Policy

We may update this policy to reflect changes in our service or legal requirements. We will notify you of any significant changes via email or a notice within the Orbi platform.