Orbus Software

Privacy Policy

Orbus Software treats the privacy of our visitors with the highest importance

1. Who We Are

1.1 Primary Privacy Contact

The entity responsible for personal data processed via our Websites is the Orbus Software group entity operating those Websites. For account and service data, the responsible entity is the group entity named in your contract (see Section 1.2).

Privacy contact email: privacy@orbussoftware.com

Postal address: please refer to Annex A

1.2 Multiple Contracting Entities

Because we contract with customers through different legal entities, the controller for Customer and User account data is typically the Orbus Software entity:

named in the relevant order form or subscription agreement; or
that otherwise provides the Services to the customer.

How to identify your contracting entity: Please refer to your contract or invoice, or contact privacy@orbussoftware.com.

1.3 Group Companies

We may involve the following group companies in operating our Websites and delivering our Services:

Entity

Country

Role

Scope

Seattle Software Ltd, trading as Orbus Software

United Kingdom

Controller/Processor

Services delivery, account management, websites, sales & marketing

Seattle Business Software, Inc., dba Orbus Software

United States

Controller/Processor

Services delivery, account management, websites, sales & marketing

Seattle Software Australia Pty Ltd, trading as Orbus Software

Australia

Controller/Processor

Services delivery, account management, websites, sales & marketing

Orbus Software Sp. z.o.o.

Poland

Controller/Processor

Services delivery, account management, websites, sales & marketing

Capsifi UK Limited

United Kingdom

Controller/Processor

Services delivery

Capsifi USA Inc.

United States

Controller/Processor

Services delivery

Capsifi Australia Pty Ltd

Australia

Controller/Processor

Services delivery

1.4 DPO / Representatives

Data Protection Officer: No Data Protection Officer required

EU representative: Orbus Software Sp. z.o.o.

UK representative: Seattle Software Ltd

2. How Our Processing Differs: Before vs. After You Become a Customer

We collect and use personal data differently depending on your relationship with us. The table below summarises this distinction.

Stage

Who This Covers

Primary Purposes

Before you become a customer (Visitors & Prospects)

Website visitors, demo requesters, newsletter subscribers, event attendees, sales prospects

Operate & secure our Websites; respond to inbound requests; B2B marketing & sales; analytics & cookie-based measurement

After you become a customer (Customers & Authorized Users)

Customer representatives, administrators, and end-users of our Services

Provide & secure the Services; account administration; support; billing & payments; legal compliance

Customer Content (processed on behalf of customers)

Personal data uploaded to or generated within the Services by or on behalf of a customer

We act as processor on customer instructions; deliver the Services; security; incident response

More detail is provided in Sections 4 (Visitors & Prospects), 5 (Customers & Authorized Users), and 6 (Customer Content).

3. What Personal Data We Collect

Depending on how you interact with us, we may collect the following categories of personal data:

4. Visitors & Prospects (Pre-Customer Processing)

4.1 Purposes

We use Visitor and Prospect personal data to:

Operate, maintain, and secure our Websites (performance monitoring, troubleshooting, abuse and fraud prevention).
Respond to your requests (e.g., "Contact us" forms, demo requests, scheduling calls, partner enquiries).
B2B marketing and sales (newsletters, product updates, event invitations, outbound follow-up, CRM management).
Analytics and website improvement (understanding how our Websites are used, measuring marketing performance and attribution).
Compliance and protection (responding to lawful requests, enforcing our terms, protecting rights and safety).

4.2 Legal Bases (UK/EU)

Purpose

Legal Basis

Operate & secure Websites

Legitimate interests (to run a secure, functional website); Legal obligation (where applicable)

Respond to requests

Legitimate interests; Steps prior to entering a contract (at your request)

B2B marketing & sales

Legitimate interests (business-to-business marketing to professional contacts); Consent (where required by applicable law)

Analytics & performance measurement

Consent (for non-essential cookies); Legitimate interests (for strictly necessary analytics where permitted)

Compliance & protection

Legal obligation; Legitimate interests

Legitimate interests: We process certain data to operate our business effectively, keep our Websites secure, and communicate with business contacts about our products. You have the right to object to processing based on legitimate interests in certain circumstances — see Section 10.

4.3 Cookies and Similar Technologies (OneTrust)

We use cookies and similar technologies on our Websites. We use OneTrust to provide a cookie consent banner and preference centre. You can review the cookies in use and manage your preferences at any time via our Cookie Preference Centre linked to on www.orbussoftware.com.

We use the following categories of cookies:

4.4 Retention (Visitors & Prospects)

We retain Visitor and Prospect personal data for the purposes described above, consistent with our retention policy and applicable law.

Data Type

Typical Retention

Website security / server logs

Minimum of 1 year in accordance with OneTrust requirements

Analytics data (GA4)

14 months

Marketing opt-out / suppression records

As long as needed to honour your preferences

5. Customers & Authorized Users (Post-Contract)

5.1 Purposes

We use Customer and Authorized User personal data to:

Provide and operate the Services (including hosting, processing transactions, enabling features, and maintaining availability).
Account administration (user provisioning, access control, role-based permissions, authentication/SSO, audit logs).
Support and service communications (responding to support tickets, service notifications, incident communications, training).
Billing and payments (invoicing, collections, tax compliance, payment processing via our payment processor).
Security and fraud prevention (access monitoring, security logging, vulnerability management, incident response).
Compliance and legal obligations (recordkeeping, responding to lawful requests, enforcing contracts, audit support).

5.2 Legal Bases (UK/EU)

Purpose

Legal Basis

Provide the Services

Contract (performance of the agreement with the customer)

Account administration

Contract; Legitimate interests

Support & service communications

Contract; Legitimate interests

Billing & payments

Contract; Legal obligation (tax/accounting)

Security & fraud prevention

Legitimate interests; Legal obligation (where applicable)

Compliance & legal obligations

Legal obligation; Legitimate interests

5.3 Retention (Customers & Authorized Users)

We retain Customer and Authorized User personal data for the duration of the customer relationship and as necessary thereafter, consistent with our retention policy and applicable law. Specific retention periods may also be defined in the customer contract or DPA.

5.4 Data Location — Worldwide Processing

Customer and Authorized User personal data may be processed in multiple countries worldwide, including the locations where we and our service providers operate (UK, Poland, USA, Australia, and others). Where a customer contract specifies data residency or processing restrictions, we will process data in accordance with that agreement.

5.5 Account Deletion / End of Service

On termination of the customer relationship, we will handle personal data as described in the applicable contract and DPA.

6. Customer Content (Data We Process on Behalf of Customers)

6.1 Our Role

When Customers use our Services, they may upload, create, or process content that contains personal data ("Customer Content"). In this context:

the Customer is the controller (UK/EU) and determines the purposes and means of processing; and
we act as a processor (UK/EU), and process Customer Content only on documented instructions, as set out in our agreement and Data Processing Addendum (DPA).

6.2 What We Do With Customer Content

We process Customer Content only to:

host and provide the Services;
maintain security, prevent abuse, and troubleshoot;
provide support at the Customer's request; and
comply with applicable law.

6.3 Data Location — Worldwide Processing (Unless Agreed Otherwise)

Customer Content may be processed in multiple countries worldwide (including the USA and Australia) depending on which infrastructure and subprocessors are used. Where a customer contract specifies data residency or restricts processing locations, we will comply with those restrictions.

6.4 End Users and Data Subjects

If your personal data is contained in Customer Content (e.g., you are an end user of a customer's deployment of our Services), please contact the relevant Customer to exercise your data rights. We will assist our Customers as required by the DPA.

7. Who We Share Personal Data With

We may share personal data with:

Recipient

Examples / Purpose

Group companies

(see Section 1.3) — internal administration and service delivery

Hosting & infrastructure providers

e.g. Azure — service delivery

Analytics vendors

Google Analytics 4, Google Tag Manager — website analytics

CRM vendors

e.g., Salesforce — sales and marketing management

Marketing automation

Pardot (Salesforce) — marketing campaigns and lead management

B2B marketing / intent analytics

6sense — B2B audience analytics

Advertising / targeting platforms

Google advertising products (DoubleClick, Ads), LinkedIn — marketing measurement and advertising

Video platforms

Wistia, YouTube — embedded video content

Support / ticketing vendors

e.g. Zendesk — customer support

Consent management

OneTrust — cookie consent and preference management

CDN & security

Cloudflare — website delivery and DDoS protection

Professional advisors

Lawyers, auditors, insurers — where necessary

Authorities

Where required by law or to protect rights and safety

Corporate transaction parties

In connection with M&A, restructuring, or financing (subject to appropriate protections)

See Appendix B for further information.

8. International Data Transfers

Because we operate across the UK, Poland (EU), USA, and Australia, personal data may be transferred to and processed in countries other than where you are located. Where UK/EEA personal data is transferred outside the UK/EEA, we use appropriate safeguards, which may include:

EU Standard Contractual Clauses (SCCs);
the UK International Data Transfer Addendum (UK Addendum to the EU SCCs) or UK IDTA; and/or
adequacy decisions where applicable.

We also implement additional measures where appropriate (e.g., encryption and access controls) consistent with applicable guidance.

Transfer mechanism details: Standard Contractual Clauses

9. Security

We implement reasonable technical and organisational measures designed to protect personal data against unauthorised access, loss, misuse, alteration, or disclosure, including:

access controls and least-privilege principles;
encryption in transit and at rest;
logging and monitoring;
vulnerability management; and
incident response procedures.

10. Your Rights and Choices

10.1 UK / EEA (Including Poland)

Subject to conditions and applicable exceptions, you may have the right to:

access your personal data;
rectify inaccurate personal data;
erasure of personal data ("right to be forgotten");
restrict certain processing;
object to processing based on legitimate interests or for direct marketing;
data portability (where applicable); and
withdraw consent (where processing is based on consent) — without affecting the lawfulness of processing before withdrawal.

You also have the right to lodge a complaint with your supervisory authority. In the UK, this is the Information Commissioner's Office (ICO). In Poland, this is the Urząd Ochrony Danych Osobowych (UODO).

10.2 USA (State Privacy Laws)

Depending on the applicable US state privacy law and whether thresholds are met, individuals may have rights to access, delete, correct, or opt out of certain processing (such as targeted advertising or "sale" of personal data as defined by applicable law). We will respond to verifiable requests as required.

US rights request method: privacy@orbussoftware.com

10.3 Australia

Under the Australian Privacy Act 1988, individuals may request access to or correction of personal information held about them, subject to applicable exceptions. We will respond to requests within a reasonable timeframe.

10.4 How to Exercise Your Rights

Submit a request: email privacy@orbussoftware.com

We may need to verify your identity before responding. We will respond within the timeframe required by applicable law.

11. Marketing Communications

We may send marketing emails to business contacts where permitted by applicable law (typically on the basis of legitimate interests for B2B contacts, or consent where required).

You can opt out of marketing emails at any time by:

using the unsubscribe link in any marketing email; or
contacting us at privacy@orbussoftware.com

Opting out of marketing will not affect service communications we are required to send you as a customer.

12. Do We "Sell" Personal Data?

We do not sell personal data in exchange for money.

We may allow certain advertising and marketing partners to collect information via cookies for purposes such as measuring campaign effectiveness and delivering advertising, subject to your cookie choices made via the OneTrust Preference Centre and applicable law.

13. Children

Our Websites and Services are directed at business professionals and are not intended for use by children. We do not knowingly collect personal data from children.

14. Changes to This Notice

We may update this Privacy Notice from time to time. When we do, we will post the updated notice on this page and revise the "Last updated" date at the top. If changes are material, we may provide additional notice (e.g., on our Websites or by email to affected customers).

15. Contact Us

If you have any questions about this Privacy Notice or how we handle your personal data, please contact us:

Email: privacy@orbussoftware.com

Postal address: Orbus Software, 11th Floor, 123 Victoria Street, London SW1E 6DE

EU representative: Orbus Software, Ul. Zabrska 20, 4th Floor, 40‑083 Katowice, Śląskie, Poland

Appendix A — Group Companies

Entity

Registered Address

Country

Seattle Software Ltd

11th Floor, 123 Victoria Street, London SW1E 6DE

Orbus Software Sp. z.o.o.

Ul. Zabrska 20, 4th Floor, 40‑083 Katowice, Śląskie, Poland

Poland

Seattle Business Software, Inc.

Suite 1105, 33 E 33rd St, New York, NY 10016

USA

Seattle Software Australia Pty Ltd

Level 9, 89 York Street, Sydney 2000

Australia

Capsifi UK Limited

11th Floor, 123 Victoria Street, London SW1E 6DE

Capsifi Australia Pty Ltd

Level 9, 89 York Street, Sydney 2000

Australia

Capsifi USA Inc.

Suite 1105, 33 E 33rd St, New York, NY 10016

USA

Appendix B — Processors & Subprocessors

Vendor

Orbus Partnerships

The heart of what we do

What Drives Our Success

Passionate Experts Driving Innovation in Enterprise Transformation

Orbus Software

Privacy Policy

1. Who We Are

1.1 Primary Privacy Contact

1.2 Multiple Contracting Entities

1.3 Group Companies

1.4 DPO / Representatives

2. How Our Processing Differs: Before vs. After You Become a Customer

3. What Personal Data We Collect

4. Visitors & Prospects (Pre-Customer Processing)

4.1 Purposes

4.2 Legal Bases (UK/EU)

4.3 Cookies and Similar Technologies (OneTrust)

4.4 Retention (Visitors & Prospects)

5. Customers & Authorized Users (Post-Contract)

5.1 Purposes

5.2 Legal Bases (UK/EU)

5.3 Retention (Customers & Authorized Users)

5.4 Data Location — Worldwide Processing

5.5 Account Deletion / End of Service

6. Customer Content (Data We Process on Behalf of Customers)

6.1 Our Role

6.2 What We Do With Customer Content

6.3 Data Location — Worldwide Processing (Unless Agreed Otherwise)

6.4 End Users and Data Subjects

7. Who We Share Personal Data With

8. International Data Transfers

9. Security

10. Your Rights and Choices

10.1 UK / EEA (Including Poland)

10.2 USA (State Privacy Laws)

10.3 Australia

10.4 How to Exercise Your Rights

11. Marketing Communications

12. Do We "Sell" Personal Data?

13. Children

14. Changes to This Notice

15. Contact Us

Appendix A — Group Companies

Appendix B — Processors & Subprocessors