GDPR Compliance

This page describes how Empathy Works Inc. ("we," "us") complies with the General Data Protection Regulation (GDPR) in operating the Orbit platform. The primary audience is Organizations (our business customers) that use Orbit and need to understand how we handle personal data under the GDPR.


Notice for End Users

If you are a member of an Organization using Orbit and want to exercise your data protection rights:

  • To delete your account and data: Go to your account settings and select "Delete Account." This is self-service; after you confirm by email, deletion is completed within 30 days.
  • To request a copy of your data: Contact your Organization's administrator, or email privacy@orbitams.com. We will respond within 30 days.
  • To update your personal information: Edit your profile through your account settings at any time.

Please note that these actions apply only to data stored within Orbit. Your Organization may store data about you in other systems as well.


Our Goals

Empathy Works Inc. is committed to compliance with the GDPR for all services we offer to residents of the EU. We collect and process personal data only as necessary to provide the Orbit platform. In addition to our legal obligations, we aim to follow best practices in privacy and data protection.


Our Role as Data Controller and Data Processor

Orbit serves both Organizations and individual end users, and our role varies depending on the context.

As a Data Processor: Organizations subscribe to Orbit to manage their membership communities. Through our contractual relationship with each Organization (the data controller), we process personal data on their behalf and at their direction. Each Organization independently decides what data to collect, which features to enable, and how to use the platform. We store, process, and retrieve data on their behalf.

As a Data Controller: We also process certain data for our own purposes — for example, data related to Organization account management, billing, platform operations, and aggregate analytics. In this capacity, we act as a data controller.


Data Processing Agreements

We provide a Data Processing Agreement (DPA) to all Organizations that use Orbit. The DPA defines the scope of data processing, our obligations as a processor, data subject rights, sub-processor management, international transfer safeguards, and breach notification procedures.

Organizations can review and execute our standard DPA. Enterprise customers with custom DPA requirements can submit them for review to legal@orbitams.com.


Our Use of Third-Party Data Processors

Orbit relies on third-party services for infrastructure, payment processing, email delivery, and other functions. We maintain a list of sub-processors as a separate, regularly updated document. All sub-processors are bound by data processing agreements with equivalent data protection obligations.

We provide Organizations with at least 30 days' advance notice before adding a new sub-processor, along with the right to object.

Lawful Basis for Processing

When acting as a data processor: It is the responsibility of the Organization (data controller) to ensure that appropriate consent or other lawful basis has been established for the personal data processed through Orbit. This includes data entered directly by end users, imported via API, or provided through integrations.

When acting as a data controller: For data we process for our own purposes (account management, billing, platform analytics), we rely on the lawful bases of contract performance and legitimate interest as appropriate.

The platform currently uses only essential cookies (session and CSRF tokens) and does not use third-party tracking cookies. A cookie consent mechanism will be introduced before any non-essential tracking is enabled.


Right to Access / Right to Portability

End users can request a copy of their personal data. Organization administrators can export member data in Excel and JSON formats through the platform's admin tools.

Individual end users who wish to obtain a copy of their personal data can contact their Organization's administrator or email privacy@orbitams.com. We process data access requests within 30 days.

Exported data is provided in structured, machine-readable formats (Excel and JSON) to support data portability.


Right to Erasure

End users can delete their account at any time through their account settings. Account deletion:

  • Is self-service and requires email confirmation
  • Permanently removes personal profile data (name, email, directory information)
  • Anonymizes associated records (event registrations, purchases, analytics) to preserve organizational reporting while removing personal identifiers
  • Takes effect within 30 days of confirmation

Organization administrators can also manage and remove end user accounts through admin tools.

Erasure and account deletion are not reversible. Once completed, the personal data cannot be recovered from the live system; copies in database backups age out on the rolling schedule described under Data Retention below.


Right to Rectification

End users can update their personal information (name, email, profile details, directory listing) at any time through their account settings. Organization administrators can also update end user records through admin tools.


Data Security

We implement technical and organizational measures to protect personal data, including:

  • Encryption in transit: TLS 1.2+ (HTTPS) on all connections
  • Encryption at rest: AES-256 for databases and file storage
  • Application-level encryption: Sensitive integration tokens (payment, video conferencing, OAuth) are encrypted using Fernet symmetric encryption
  • Tenant isolation: Each Organization operates in a completely isolated PostgreSQL database schema — one Organization's data is never accessible to another
  • Password hashing: PBKDF2 with SHA-256
  • Error monitoring: PII collection is disabled in our error monitoring system

For more details, see our Security Practices page.


International Data Transfers

Personal data is hosted on servers in the United States (Heroku/AWS infrastructure). For transfers of personal data from the EU to the United States, we rely on the European Commission's Standard Contractual Clauses (SCCs) and on sub-processors that maintain their own adequate transfer mechanisms.

Empathy Works Inc. is incorporated in British Columbia, Canada. Canada has a European Commission adequacy decision covering personal data received by commercial organizations subject to PIPEDA. Because the platform's data is hosted in the United States, the SCCs described above remain the transfer mechanism for that hosting.


Notification in the Event of a Data Breach

In the event of a confirmed personal data breach, we will notify affected Organizations within 72 hours of discovery. GDPR Article 33(2) requires us, as processor, to notify the controller without undue delay after becoming aware of a breach; the 72-hour deadline in Article 33(1) governs the Organization's own notification to its supervisory authority, so our notice is timed to let Organizations meet it. We will work with Organizations to assess the scope of the breach and coordinate notification to affected data subjects where required under Article 34.

Our response to security incidents is governed by a formal Incident Response Plan that covers detection, triage, containment, eradication, notification, and post-incident review.


Data Retention

We define specific retention periods for each category of personal data:

  • Account data: Retained until account deletion, then permanently removed within 30 days
  • Analytics data: Up to 24 months, after which it may be aggregated or deleted
  • Email delivery logs: 30–90 days (in accordance with email provider policies)
  • Purchase and billing records: Up to 7 years (legal and tax obligations)
  • Database backups: Rolling 7–30 day retention, after which deleted data is no longer present in any backup

We do not retain personal data longer than necessary for the purposes for which it was collected.


Children's Data

The Orbit platform is not directed at children under the age of 16. We do not knowingly collect personal data from children under 16. Organizations using the platform are not permitted to knowingly process personal data from users under this age through Orbit.


Contact Information

Questions and concerns about our GDPR compliance can be directed to:

  • Email: privacy@orbitams.com
  • Mail: Empathy Works Inc., 329 Howe St, Unit #540, Vancouver, BC, V6C 3N2, Canada

If you are an EU resident and believe your data protection rights have not been adequately addressed, you have the right to lodge a complaint with your local data protection supervisory authority.


Last updated: March 23, 2026
