1. Overview & Data Controller
Orbit (“we,” “us,” or “our”) is a parental control application for Android devices that transforms a child’s phone into a controlled, intentional environment.
This Privacy Policy explains how we collect, use, store, and protect information when you use the Orbit mobile application (“App”) and our website at orbitlauncher.com (“Website”). It applies to both the parent (“you”) who configures the App and the child (“Child User”) who uses the device.
Our core privacy principle: The vast majority of data stays on the device and never leaves it. We designed Orbit to be privacy-first — we do not sell data, we do not serve advertisements, and we do not build profiles of children for any commercial purpose.
By installing and using Orbit, you consent to the practices described in this Privacy Policy. If you do not agree, please do not use the App.
2. Information We Collect
2.1 Information Stored Locally on the Device Only
The following data is stored exclusively on the child’s device using local storage (AsyncStorage and Android SharedPreferences). This data is never transmitted to our servers:
- Parent PIN and Emergency PIN: 4-digit PINs used to access parent settings and exit Focus Mode. Stored locally only.
- Child Profile: Child’s first name, selected avatar emoji, and preferred theme color. This is used to personalize the home screen.
- Whitelisted Apps: The list of apps the parent has approved, including package names, app names, and icons.
- Screen Time Data: Daily screen time usage (in milliseconds), per-app time limits and usage, bonus time granted, and daily usage history (retained for 30 days).
- Focus Mode Sessions: Session durations and completion records.
- Tasks & Achievements: Earnable tasks created by the parent (title, reward minutes, completion status, optional child-written notes), achievement badges, and streak data.
- Discovery History: Records from the “What’s That?” feature including the title, explanation, and fun fact returned by AI. Local image file references are retained on the device.
- Weather Location: A city name string entered by the parent for the weather widget. No GPS or precise location data is collected.
- App Settings: Bedtime schedules, break reminders, kiosk mode preferences, and other configuration chosen by the parent.
2.2 Information Transmitted to Our Servers
A small amount of data is transmitted to our backend services to support account management and premium features:
- Firebase Anonymous User ID: When you first open the App, a randomly generated anonymous identifier is created via Firebase Authentication. This ID is not linked to any personally identifiable information unless you choose to link an email address.
- Email Address (optional): If you choose to link an email and password to your account for recovery purposes, that email is stored in Firebase Authentication and our Firestore database.
- Subscription & Billing Data: If you purchase a premium subscription, we store your subscription plan, status, expiration date, and billing transaction records (transaction ID, amount, currency, product ID, store source) in our Firestore database.
- Daily Discovery Count: We track how many times the “What’s That?” feature is used per day for rate-limiting purposes. This count is stored with your anonymous user ID and the date only — no image content or results are stored.
2.3 Information Processed Temporarily
- Camera Images (“What’s That?” feature): When a Child User takes a photo using the Curiosity Engine feature, the image is resized (maximum 1024 pixels), compressed (JPEG, 70% quality), and transmitted to our Cloud Function, which forwards it to OpenAI’s API for identification. We do not store the image on our servers. The image is processed in memory and discarded after the AI response is returned. OpenAI processes the image subject to their own data retention policy (see Section 4).
2.4 Website Data
- Waitlist Signups: If you join our waitlist via the Website, we collect your email address and optionally your first name. This data is stored on our web server and used solely to notify you about Orbit updates and launch availability.
- No Cookies or Tracking: Our Website does not use analytics cookies, tracking pixels, or third-party advertising scripts.
3. How We Use Your Information & Legal Basis
We use the information we collect for the following purposes. For users in the European Economic Area (EEA) and United Kingdom, we identify the lawful basis under GDPR Article 6 for each processing activity:
| Purpose | Data Involved | Lawful Basis (GDPR) |
| --- | --- | --- |
| Providing the parental control service | Local device data (PINs, child profile, whitelisted apps, screen time, settings) | Contract (Art. 6(1)(b)) — necessary to provide the service you requested |
| Account creation & authentication | Firebase anonymous user ID | Contract (Art. 6(1)(b)) — necessary to operate the App |
| Email linking for account recovery | Email address, password | Consent (Art. 6(1)(a)) — you actively choose to link your email |
| Curiosity Engine (“What’s That?”) | Camera images (transmitted to OpenAI, not stored) | Consent (Art. 6(1)(a)) — parent enables the feature; each use is an active choice |
| Subscription & billing management | Subscription status, billing transaction records | Contract (Art. 6(1)(b)) — necessary to fulfil the purchase |
| Rate limiting API usage | Anonymous user ID, daily discovery count, date | Legitimate interest (Art. 6(1)(f)) — preventing abuse and ensuring fair use |
| Weather widget | City name string (no GPS) | Contract (Art. 6(1)(b)) — feature the parent configured |
| Waitlist & communications | Email address, optional first name | Consent (Art. 6(1)(a)) — you voluntarily submit the form |
| Foreground app monitoring (Accessibility Service) | Active app package names (local, in-memory) | Contract (Art. 6(1)(b)) — core kiosk enforcement functionality |
Where we rely on consent, you may withdraw it at any time (see Section 11). Where we rely on legitimate interest, we have conducted a balancing test and determined that our interest (preventing API abuse) does not override your rights, given the minimal and non-identifying nature of the data involved.
4. Third-Party Services & Data Processors
Orbit uses the following third-party services as data processors (GDPR Art. 28). We have entered into Data Processing Agreements (DPAs) with each processor that handles personal data on our behalf:
Firebase (Google)
Purpose: Anonymous authentication, Firestore database for user documents, billing history, and rate limiting.
Data shared: Anonymous user ID, optional email, subscription status, daily discovery count.
DPA & transfer mechanism: Google Cloud Data Processing Terms apply. Google participates in the EU–US Data Privacy Framework and offers Standard Contractual Clauses (SCCs) for international transfers.
Policy: firebase.google.com/support/privacy
RevenueCat
Purpose: In-app subscription and purchase management.
Data shared: Firebase user ID (linked to RevenueCat account), purchase transactions, subscription status, product IDs.
DPA & transfer mechanism: RevenueCat’s DPA with Standard Contractual Clauses applies for international transfers.
Policy: revenuecat.com/privacy
OpenAI
Purpose: Image identification and educational content generation for the “What’s That?” Curiosity Engine feature.
Data shared: Compressed camera images (processed in transit, not stored by Orbit). OpenAI may retain API inputs for up to 30 days for abuse and misuse monitoring, after which they are deleted. API data is not used to train OpenAI models.
DPA & transfer mechanism: OpenAI’s DPA with Standard Contractual Clauses applies. OpenAI participates in the EU–US Data Privacy Framework.
Policy: openai.com/privacy
Open-Meteo
Purpose: Weather data for the home screen weather widget.
Data shared: City name (for geocoding to coordinates) and derived latitude/longitude. No personal identifiers are transmitted.
Policy: open-meteo.com/en/terms
5. Data Storage & Security
- Local-first architecture: The majority of Orbit’s data (PINs, child profile, screen time, tasks, achievements, discovery history, app settings) is stored exclusively on the device. Uninstalling the App or clearing app data permanently removes this information.
- Firebase security: Remote data is stored in Google Cloud Firestore with security rules that ensure each user can only access their own data. Authentication tokens are required for all server requests.
- PIN security: PINs are stored in the device’s local storage. They are not transmitted to our servers.
- Encryption in transit: All network communications use HTTPS/TLS encryption.
- No advertising or profiling: We do not use analytics SDKs, advertising networks, or tracking technologies. We do not build behavioral profiles of parents or children.
While we take reasonable measures to protect your information, no method of electronic storage or transmission is 100% secure. We cannot guarantee absolute security.
6. Children’s Privacy (COPPA & GDPR)
Orbit is designed for use by children under the supervision and control of a parent or legal guardian. We take children’s privacy seriously and have designed the App in accordance with the US Children’s Online Privacy Protection Act (COPPA) and the EU General Data Protection Regulation (GDPR) Article 8 (conditions applicable to child’s consent).
6.1 Parental Consent & Control
- Orbit is installed, configured, and controlled by a parent or legal guardian. All settings are protected behind a parent PIN.
- The parent selects which apps are available, sets screen time limits, configures bedtime rules, and controls all features.
- By installing and configuring Orbit on a child’s device, the parent provides verifiable parental consent for the data practices described in this policy.
6.2 COPPA Compliance (United States)
COPPA applies to the online collection of personal information from children under 13. Orbit is a parent-directed service: the parent installs, configures, and controls the App on the child’s behalf. We comply with COPPA as follows:
- We do not collect personal information directly from children without parental involvement. The parent initiates all data collection by configuring the App.
- We provide this privacy policy describing our data practices regarding children’s information.
- We collect only the minimum information necessary to operate the service.
- The Firebase anonymous user ID used for rate limiting qualifies as a persistent identifier used for “internal operations support” under the COPPA Rule (§ 312.2), which is exempt from the consent requirement.
6.3 GDPR Article 8 Compliance (EEA & UK)
Under GDPR Article 8, where consent is the lawful basis for processing and the data subject is a child, the processing is lawful only if consent is given or authorised by the holder of parental responsibility. The age threshold is 16 in most EU member states (some set it as low as 13).
- Orbit is configured and controlled exclusively by the parent or legal guardian, who provides consent on behalf of the child.
- For processing activities that rely on consent as the lawful basis (email linking, Curiosity Engine image processing, waitlist signup), the parent is always the person providing that consent.
- Children do not independently create accounts, provide personal details, or authorise data processing. The child’s interaction is limited to using features the parent has enabled.
- We make reasonable efforts to verify that the person configuring the App is the holder of parental responsibility (PIN-protected setup, email verification for account linking, purchase transaction for premium users).
6.4 Data Collected from Children
- Child’s first name: Entered by the parent to personalize the home screen. Stored locally only.
- Camera images: The Child User may take photos using the “What’s That?” feature. Images are processed temporarily by OpenAI (retained up to 30 days for abuse monitoring) and are not stored on our servers (see Section 2.3 and Section 4).
- Task notes: A Child User may write short notes when completing tasks. These are stored locally only.
- App usage patterns: Screen time and per-app usage are tracked locally to enforce parental limits. This data does not leave the device.
6.5 What We Do NOT Collect from Children
- We do not collect children’s email addresses, phone numbers, or contact information.
- We do not collect precise geolocation (GPS) data.
- We do not create user accounts for children.
- We do not use persistent identifiers to track children across apps or services.
- We do not serve advertisements to children.
- We do not enable children to make their personal information publicly available.
- We do not collect more information than is reasonably necessary to provide the service.
6.6 Parental Rights
Under both COPPA and GDPR, parents have the right to review the personal information collected from their child, request deletion of that information, and refuse further collection. Since child data is stored locally on the device, parents can review and delete it directly by accessing parent settings (via PIN), clearing app data, or uninstalling the App. For any data stored on our servers (limited to the anonymous user ID and discovery rate limits), contact us at privacy@orbitlauncher.com.
7. Device Permissions
Orbit requires certain Android permissions to function as a parental control application. Each permission serves a specific, disclosed purpose:
| Permission | Purpose |
| --- | --- |
| Internet | Network access for authentication, subscriptions, weather data, and the Curiosity Engine. |
| Accessibility Service | Monitors which app is in the foreground to enforce kiosk mode and per-app time limits. Does not read screen content, text input, or user interactions. |
| Usage Stats | Monitors app usage to enforce screen time limits. |
| Display Over Other Apps | Shows overlay screens when screen time is reached or an unapproved app is launched. |
| Boot Completed | Automatically restarts Orbit after device reboot to maintain kiosk protection. |
| Camera | Required for the “What’s That?” Curiosity Engine feature. Requested at runtime; can be denied. |
| Query All Packages | Lists installed apps so the parent can select which to whitelist. |
| Notifications | Displays parental control notifications (e.g., screen time warnings). |
| Wake Lock & Battery Optimization Exemption | Keeps the kiosk protection running reliably in the background. |
| Device Administrator | Optional. Enables advanced kiosk lock-task mode for stronger protection against bypass. |
8. Data Sharing & Disclosure
We do not sell, rent, or trade personal information. We share data only in these limited circumstances:
- Service providers: We share limited data with Firebase (authentication, database), RevenueCat (subscription management), and OpenAI (image processing) solely to provide the App’s functionality, as described in Section 4.
- Legal requirements: We may disclose information if required by law, legal process, or government request, or to protect the rights, safety, or property of Orbit, our users, or the public.
- Business transfers: In the event of a merger, acquisition, or sale of assets, user data may be transferred. We will notify you of any such change and any choices you may have.
- No advertising or data brokerage: We never share data with advertisers, data brokers, or any party for the purpose of targeted advertising or profiling.
9. Data Retention & Deletion
- Local data: Retained on the device until the App is uninstalled, app data is cleared, or the parent uses the “Reset All” function within the App.
- Firebase user data: Retained for the duration of the account. You may request deletion by contacting us.
- Billing history: Retained for legal and accounting requirements as required by applicable law.
- Rate limit records: Daily records are ephemeral and are not used for any purpose beyond preventing abuse.
- Waitlist data: Retained until launch completion or until you request removal by emailing privacy@orbitlauncher.com.
- Camera images: Not retained by Orbit. Processed in memory and discarded after the AI response is returned.
10. Data Breach Notification
In the event of a personal data breach that affects data stored on our servers, we will:
- Notify the relevant supervisory authority without undue delay and, where feasible, within 72 hours of becoming aware of the breach (GDPR Art. 33), unless the breach is unlikely to result in a risk to the rights and freedoms of affected individuals.
- Notify affected individuals without undue delay if the breach is likely to result in a high risk to their rights and freedoms (GDPR Art. 34). Notification will describe the nature of the breach, the likely consequences, and the measures we have taken or propose to take.
- Document all breaches in an internal breach register, including breaches that do not require notification, along with remediation actions taken.
Because the majority of Orbit’s data is stored locally on the device and never reaches our servers, a server-side breach would have a limited scope of impact (affecting only anonymous user IDs, optional emails, and subscription records). A device-level breach (e.g., physical access to the child’s phone) is outside the scope of our server-side breach procedures but is mitigated by PIN protection and standard Android device encryption.
11. Your Rights
Depending on your jurisdiction, you have the following rights regarding your personal data and your child’s personal data:
11.1 Rights Under GDPR (EEA & UK Users)
- Right of access (Art. 15): Request a copy of the personal data we hold about you.
- Right to rectification (Art. 16): Request correction of inaccurate or incomplete data.
- Right to erasure (Art. 17): Request deletion of your personal data and your child’s data from our servers (“right to be forgotten”).
- Right to restriction (Art. 18): Request that we restrict processing of your data while a dispute is resolved or while we verify an objection.
- Right to data portability (Art. 20): Receive your personal data in a structured, commonly used, machine-readable format.
- Right to object (Art. 21): Object to processing based on legitimate interest. We will cease processing unless we demonstrate compelling legitimate grounds.
- Right to withdraw consent (Art. 7(3)): Where we process data based on consent, you may withdraw it at any time. Withdrawal does not affect the lawfulness of processing performed before withdrawal. Withdrawing consent may affect the availability of certain features (e.g., the Curiosity Engine).
- Right to lodge a complaint: You have the right to lodge a complaint with your local supervisory authority. A list of EU/EEA data protection authorities is available at edpb.europa.eu. UK residents may contact the Information Commissioner’s Office (ICO).
11.2 Rights Under Other Jurisdictions
Users in other jurisdictions (including under COPPA, the Australian Privacy Act, and applicable state privacy laws) may have similar rights to access, correct, and delete personal information.
11.3 Exercising Your Rights
To exercise any of these rights, contact us at privacy@orbitlauncher.com. We will respond within 30 days (or sooner if required by your jurisdiction). We may ask you to verify your identity before processing the request.
Since most data is stored locally on the device, many of these rights can be exercised directly by the parent without contacting us — for example, editing the child profile, resetting the app, or uninstalling Orbit.
12. International Data Transfers
Orbit’s backend services are hosted in the United States (Google Cloud, us-central1 region). If you are located outside the United States, your personal data may be transferred to and processed in the United States.
12.1 Transfer Mechanisms (EEA & UK)
For transfers of personal data from the EEA or UK to the United States, we rely on the following GDPR-compliant transfer mechanisms:
- EU–US Data Privacy Framework (DPF): Our primary processors (Google/Firebase and OpenAI) are certified under the EU–US Data Privacy Framework, providing an adequacy basis for data transfers under GDPR Article 45.
- Standard Contractual Clauses (SCCs): Where the Data Privacy Framework does not apply, we rely on the European Commission’s Standard Contractual Clauses (GDPR Article 46(2)(c)) as incorporated into our Data Processing Agreements with each processor. This includes our agreements with RevenueCat.
12.2 Supplementary Measures
In addition to the transfer mechanisms above, we implement the following supplementary safeguards: all data is encrypted in transit (TLS); our processors are contractually prohibited from accessing personal data except as necessary to provide the service; the scope of personal data transferred is minimal (anonymous IDs, optional email, subscription records); and the majority of data never leaves the device.
13. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of material changes by posting the updated policy on this page and updating the “Last updated” date. For significant changes that affect children’s data, we will provide prominent notice (such as an in-app notification) and, where required by law, obtain renewed parental consent. Continued use of the App after changes constitutes acceptance of the updated policy.
14. Contact Us
If you have questions, concerns, or requests regarding this Privacy Policy or our data practices, contact us: