Privacy Policy

Last Updated: March 23, 2026

Empathy Works Inc. ("we," "us," "our") operates the Orbit platform, a membership management platform powering this website and associated services (the "Service"). This Privacy Policy explains how personal information is collected, used, disclosed, and protected when you use the Service.

Important: Each Organization using the Orbit platform is the data controller and determines the purposes and means of personal data processing. Empathy Works Inc. operates the Orbit platform as a data processor and processes personal data on behalf of the Organization according to the Organization's instructions and configuration.

By using the Service, you consent to the data practices described in this Privacy Policy. If you do not agree with this Privacy Policy, please do not use the Service.


1. Information We Collect

1.1 Information You Provide Directly

Account Information:

  • Email address (used as your unique identifier and login credential)
  • First name and last name
  • Password (stored in hashed form; we never store plaintext passwords)
  • Organization/company affiliation (optional)
  • Profile photo (optional)

Membership and Purchase Information:

  • Membership level selection
  • Purchase history and transaction records
  • Billing information (processed and stored by Stripe; see Section 5)

Event Registration Information:

  • Name, email, organization, and job title (when registering for events)

Member Directory Information (if applicable):

  • Name, organization, job title, and biographical information
  • Location data (city, country, address)
  • Geographic coordinates (latitude/longitude, derived from provided address)
  • Areas of expertise / tags
  • Social media profile links (up to 4: e.g., LinkedIn, Twitter, GitHub, Instagram)
  • Website URL
  • Featured photo

Course Information:

  • Course enrollment records
  • Assessment/quiz participation data

Communications:

  • Any messages or inquiries you send to us
  • Email preference settings (marketing opt-in/out, notification opt-in/out)

File Uploads:

  • Files you upload to the Service, including original filename, file size, and file type (MIME type)

1.2 Information Collected Automatically

Analytics and Usage Data:

  • Pages viewed (URL paths)
  • Referrer URLs and traffic sources
  • Types of interactions (profile views, event registrations, resource downloads, announcement views, directory views, course enrollments)
  • Session identifiers
  • Timestamps of interactions

Geolocation Data:

  • Approximate country-level location derived from your IP address using the MaxMind GeoLite2 database
  • We do not collect precise GPS coordinates from your device

Email Engagement Data:

  • Email delivery status (delivered, bounced, failed)
  • Email open events
  • Email link click events
  • Complaint/spam report events

Device and Connection Data:

  • Information typically transmitted in HTTP headers (browser type, operating system)
  • IP address (used for geolocation and security purposes)

1.3 Information from Third Parties

Social Login Providers:

  • If you sign in via Google OAuth or a configured SSO provider, we receive your name, email address, and profile information as authorized by your account settings with that provider.

Payment Processor (Stripe):

  • Transaction confirmations, payment status, subscription status, and customer identifiers. We do not receive or store your full credit card number.

Zoom (for virtual events):

  • Meeting registration status and participation data when you register for Zoom-integrated events.

2. How We Use Your Information

We use the information we collect for the following purposes:

2.1 Service Operation and Delivery

  • Creating and managing your account
  • Processing membership applications and renewals
  • Facilitating event registrations and course enrollments
  • Displaying your profile in the member directory (if applicable)
  • Processing payments and maintaining transaction records
  • Delivering purchased content and services

2.2 Communications

  • Sending transactional emails (account verification, password resets, payment receipts)
  • Sending operational notifications (membership reminders, event confirmations)
  • Sending marketing communications (newsletters, announcements) with your consent
  • Responding to your inquiries and support requests

2.3 Analytics and Improvement

  • Understanding how users interact with the Service
  • Measuring content engagement and event attendance
  • Improving Service features and user experience
  • Generating aggregate, de-identified usage reports for the Organization

2.4 Security and Compliance

  • Detecting and preventing fraud, abuse, and unauthorized access
  • Enforcing our Terms of Service
  • Complying with legal obligations
  • Monitoring email deliverability (bounce rates, complaint rates) to maintain sender reputation

If you are located in the European Economic Area (EEA), United Kingdom, or another jurisdiction that requires a legal basis for processing personal data, we process your information based on:

  • Consent: Marketing emails, optional directory profiles, optional analytics tracking
  • Contract Performance: Account creation, membership management, payment processing, event registration, course enrollment
  • Legitimate Interests: Service improvement, security, fraud prevention, aggregate analytics
  • Legal Obligation: Tax record keeping, compliance with applicable laws

4. How We Share Your Information

4.1 Within the Organization

Administrators and Staff members of the Organization can access member data including your name, email, organization, membership status, event registrations, and purchase history for the purpose of managing the Organization.

4.2 Member Directory

If the Organization maintains a public or member-visible directory and you have a directory profile, the information in your profile will be visible to other members or the public as configured by the Organization.

4.3 Third-Party Service Providers

We share information with the following categories of service providers who process data on our behalf:

| Service Provider | Data Shared | Purpose |
|---|---|---|
| Stripe | Email, name, purchase details | Payment processing |
| Zoom | Name, email, organization, job title | Virtual event hosting and registration |
| Postmark (or configured email provider) | Email address, name | Email delivery |
| Cloudflare R2 | Uploaded files | File storage and CDN delivery |
| Cloudflare Stream (if enabled) | Video files | Video transcoding and delivery |
| Google (if OAuth enabled) | Authentication tokens | Sign-in authentication |
| Error monitoring provider | Error context (user ID only; PII collection disabled) | Error monitoring and debugging |
| MaxMind GeoLite2 | IP address (processed locally) | Country-level geolocation |
| OpenAI (if enabled) | Data import content | AI-assisted data processing |
| CloudConvert (if enabled) | Document files | Thumbnail generation |
| Unsplash (if enabled) | Search queries | Stock photo selection |

4.4 Data We Do NOT Sell

We do not sell, rent, or trade your personal information to third parties for their marketing purposes.

We may disclose your information if required to do so by law, regulation, legal process, or governmental request, or when we believe disclosure is necessary to protect our rights, your safety, or the safety of others.

4.6 Business Transfers

In the event of a merger, acquisition, or sale of assets, your personal information may be transferred as part of that transaction. We will notify you of any such change.


5. Payment Data and Stripe

5.1 What Stripe Handles

All payment processing is handled by Stripe. When you make a payment, your payment card details are transmitted directly to Stripe and are never stored on our servers. Stripe is a PCI DSS Level 1 certified payment processor.

5.2 What We Store

We store the following payment-related identifiers for transaction management:

  • Stripe customer ID
  • Payment intent IDs
  • Subscription IDs
  • Invoice IDs
  • Session IDs
  • Transaction amounts and currency
  • Payment status

5.3 Stripe's Privacy Practices

Stripe's collection and use of your payment information is governed by Stripe's Privacy Policy. We encourage you to review it.


6. Cookies and Tracking Technologies

6.1 Essential Cookies

We use the following essential cookies that are necessary for the Service to function:

  • Session Cookie: Maintains your login session (expires after a period of inactivity or when you log out)
  • CSRF Token: Protects against cross-site request forgery attacks

6.2 Analytics Tracking

The Service may collect page view and interaction data through server-side analytics. This does not use third-party tracking cookies but does record:

  • Pages visited
  • Referrer information
  • Country-level location (via IP geolocation)
  • Interaction events (views, clicks, downloads)

6.3 Email Tracking

Emails sent through the Service may contain:

  • Tracking pixels: Small transparent images that notify us when an email is opened
  • Tracked links: Links that record click events before redirecting to the destination

6.4 Local Storage

The Service may use browser local storage for UI preferences. This data remains on your device and is not transmitted to our servers.


7. Data Retention

7.1 Active Accounts

We retain your personal information while your account is active. Once your account is deleted, data is handled according to the schedule detailed below.

7.2 After Account Deletion

When you delete your account:

  • Your user profile and login credentials are permanently deleted
  • Your membership records are deleted (cascade deletion)
  • Your event registrations are anonymized (your user link is removed, but the registration record may be retained)
  • Your purchase history is anonymized (your user link is removed, but transaction records may be retained for accounting purposes)
  • Your email communication logs are anonymized
  • Your analytics events are anonymized
  • Your page view records are anonymized

We may retain certain information as required by law, such as transaction records for tax and accounting purposes, even after account deletion.

7.4 Specific Retention Periods

The following specific retention periods apply to different data categories:

  • Analytics data: Retained for up to 24 months
  • Email logs: Retained for 30–90 days (subject to email provider retention policies)
  • Purchase and billing records: Retained for up to 7 years (tax and legal obligations)
  • Account data after deletion: Retained for up to 30 days before permanent deletion
  • Database backups: Maintained on a rolling 7–30 day retention period

7.5 Backup Retention

Deleted data may persist in encrypted database backups for a limited period on the rolling 7–30 day backup retention schedule noted in Section 7.4.


8. Data Security

8.1 Technical Measures

We implement the following security measures to protect your data:

  • Passwords are hashed using PBKDF2 with SHA-256
  • All data transmitted between your browser and the Service is encrypted via HTTPS/TLS
  • Sensitive integration tokens (Stripe, Zoom, OAuth) are encrypted at rest using Fernet symmetric encryption
  • CSRF protection on all forms
  • Database-level tenant isolation (each Organization's data is stored in a separate PostgreSQL schema)
  • Signed, time-limited URLs for private file downloads
  • Webhook signature verification for payment processing
  • Rate limiting on API endpoints

8.2 Organizational Measures

  • Role-based access control (Member, Staff, Admin)
  • Admin approval workflows for new accounts (configurable)
  • Email suppression lists to prevent sending to invalid addresses
  • Daily email sending limits and complaint rate monitoring

8.3 Data Isolation

The Platform uses PostgreSQL schema-based multi-tenancy. Each Organization's data is stored in a completely separate database schema, providing strong isolation between Organizations. Your data in one Organization cannot be accessed by another Organization.


9. Your Rights and Choices

9.1 Access and Portability

You can access most of your personal information through your account settings and profile pages. Organization administrators may export member data in CSV format.

9.2 Correction

You can update your account information, profile details, and directory listing at any time through your account settings.

9.3 Deletion

You can delete your account at any time through your account settings. Account deletion requires email confirmation as a security measure. See Section 7.2 for details on what happens to your data after deletion.

9.4 Email Preferences

You can manage your email preferences:

  • Marketing emails: Opt out via unsubscribe link in any marketing email or through your account settings
  • Operational notifications: Opt out through your account settings
  • Transactional emails: Cannot be opted out of (required for account security and service delivery)

9.5 Rights Under GDPR (EEA/UK Residents)

If you are located in the EEA or UK, you have additional rights including:

  • Right to access your personal data
  • Right to rectification of inaccurate data
  • Right to erasure ("right to be forgotten")
  • Right to restrict processing
  • Right to data portability
  • Right to object to processing based on legitimate interests
  • Right to withdraw consent at any time
  • Right to lodge a complaint with your local data protection authority

9.6 Rights Under CCPA (California Residents)

If you are a California resident, you have the right to:

  • Know what personal information is collected, used, and shared
  • Delete your personal information
  • Opt out of the sale of personal information (we do not sell personal information)
  • Non-discrimination for exercising your privacy rights

9.7 Rights Under PIPEDA (Canadian Residents)

Since Empathy Works Inc. operates the Orbit platform and is incorporated in British Columbia, Canada, the Personal Information Protection and Electronic Documents Act (PIPEDA) applies to personal data processing. If you are a resident of Canada, you have the right to:

  • Request access to your personal information
  • Request correction of your personal information
  • Request deletion of your personal information
  • Withdraw your consent at any time
  • Lodge a complaint with the Office of the Privacy Commissioner of Canada regarding our data practices

10. Children's Privacy

The Service is not directed to children under the age of 16 (or the applicable age of consent in your jurisdiction). We do not knowingly collect personal information from children under 16. Organizations are not permitted to knowingly collect or process personal data from users under 16 through the Platform. If we become aware that we have collected personal information from a child under 16, we will take steps to delete that information.


11. International Data Transfers

The Orbit platform's primary infrastructure is hosted in the United States, including application servers (Heroku/AWS), object storage (Cloudflare R2 US East), and cache servers (Redis US). Empathy Works Inc., the Platform operator, is incorporated in British Columbia, Canada.

Your information may be processed in the United States and in Canada, and may be transferred to countries other than your country of residence. For users in the European Union, we rely on Standard Contractual Clauses (SCCs) as the legal safeguard for international data transfers and work exclusively with sub-processors that maintain compliant data transfer mechanisms.

Authorized personnel of Empathy Works Inc. may access your data from outside the primary hosting region for purposes of support, troubleshooting, and platform maintenance.


12. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by posting the updated Privacy Policy on the Service and updating the "Last Updated" date. Your continued use of the Service after changes are posted constitutes your acceptance of the updated Privacy Policy.


13. Data Controller and Processor

13.1 Data Controller

Each Organization operating a Service instance is the data controller for personal information processed through the Orbit platform. The Organization independently determines:

  • What personal data to collect
  • Which features of the platform to enable
  • How personal data is processed and used
  • Retention periods for personal data (subject to legal minimums)

13.2 Data Processor

Empathy Works Inc. operates the Orbit platform as a data processor. We process personal data solely on behalf of the Organization according to the Organization's instructions and configuration. Empathy Works Inc. may access Organization data solely for purposes of:

  • Technical support and troubleshooting
  • Platform maintenance and improvements
  • Ensuring security and preventing fraud
  • Complying with legal obligations

13.3 Data Processing Agreement

A Data Processing Agreement (DPA) governs the relationship between Empathy Works Inc. and each Organization, setting forth the terms and conditions of data processing. A current list of authorized sub-processors is maintained as a separate document and is available upon request.


14. Contact Information

If you have questions about this Privacy Policy, wish to exercise your privacy rights, or have a complaint about our data practices, please contact:

Your Organization — For questions about how your Organization uses your data, contact them directly. You can find their contact information in your account settings or on their website.

Empathy Works Inc. — For matters related to the Orbit platform itself:

  • Email: privacy@orbitams.com
  • Address: 329 Howe St, Unit #540, Vancouver, BC, V6C 3N2, Canada
