Orbus Software

Privacy Policy

Orbus Software treats the privacy of our visitors with the highest importance

1. Who We Are

1.1 Primary Privacy Contact

The entity responsible for personal data processed via our Websites is the Orbus Software group entity operating those Websites. For account and service data, the responsible entity is the group entity named in your contract (see Section 1.2).

Privacy contact email: privacy@orbussoftware.com 

Postal address: please refer to Annex A

1.2 Multiple Contracting Entities

Because we contract with customers through different legal entities, the controller for Customer and User account data is typically the Orbus Software entity:

  • named in the relevant order form or subscription agreement; or
  • that otherwise provides the Services to the customer.

How to identify your contracting entity: Please refer to your contract or invoice, or contact 

privacy@orbussoftware.com. 

1.3 Group Companies

We may involve the following group companies in operating our Websites and delivering our Services:

Entity

Country

Role

Scope

Seattle Software Ltd, trading as Orbus Software

United Kingdom

Controller/Processor

Services delivery, account management, websites, sales & marketing

Seattle Business Software, Inc., dba Orbus Software

United States

Controller/Processor

Services delivery, account management, websites, sales & marketing

Seattle Software Australia Pty Ltd, trading as Orbus Software

Australia

Controller/Processor

Services delivery, account management, websites, sales & marketing

Orbus Software Sp. z.o.o.

Poland

Controller/Processor

Services delivery, account management, websites, sales & marketing

Capsifi UK Limited

United Kingdom

Controller/Processor

Services delivery

Capsifi USA Inc.

United States

Controller/Processor

Services delivery

Capsifi Australia Pty Ltd

Australia

Controller/Processor

Services delivery

1.4 DPO / Representatives 

Data Protection Officer: No Data Protection Officer required

EU representative: Orbus Software Sp. z.o.o.

UK representative: Seattle Software Ltd

2. How Our Processing Differs: Before vs. After You Become a Customer

We collect and use personal data differently depending on your relationship with us. The table below summarises this distinction.

Stage

Who This Covers

Primary Purposes

Before you become a customer (Visitors & Prospects)

Website visitors, demo requesters, newsletter subscribers, event attendees, sales prospects

Operate & secure our Websites; respond to inbound requests; B2B marketing & sales; analytics & cookie-based measurement

After you become a customer (Customers & Authorized Users)

Customer representatives, administrators, and end-users of our Services

Provide & secure the Services; account administration; support; billing & payments; legal compliance

Customer Content (processed on behalf of customers)

Personal data uploaded to or generated within the Services by or on behalf of a customer

We act as processor on customer instructions; deliver the Services; security; incident response

More detail is provided in Sections 4 (Visitors & Prospects), 5 (Customers & Authorized Users), and 6 (Customer Content).

3. What Personal Data We Collect

Depending on how you interact with us, we may collect the following categories of personal data:

Category

Examples

Identity & contact data

Name, business email, phone number, job title, employer, business address

Website & device data

IP address, user agent, pages visited, timestamps, approximate location (from IP), cookie identifiers

Cookie & analytics data

GA4 identifiers, OneTrust consent records, targeting/advertising identifiers (subject to cookie choices)

Marketing & communications data

Email preferences, opt-in/opt-out status, event attendance, message content from forms

Account data

Username, role, permissions, authentication/SSO identifiers

Service usage & log data

Feature usage, timestamps, diagnostics, audit logs, error reports, telemetry

Support data

Ticket content, call/chat records (where applicable), attachments

Billing data

Billing contacts, invoices, tax details, transaction history

Customer Content

Personal data included in content uploaded to or generated within the Services by or on behalf of a customer

4. Visitors & Prospects (Pre-Customer Processing)

4.1 Purposes

We use Visitor and Prospect personal data to:

  1. Operate, maintain, and secure our Websites (performance monitoring, troubleshooting, abuse and fraud prevention).
  2. Respond to your requests (e.g., “Contact us” forms, demo requests, scheduling calls, partner enquiries).
  3. B2B marketing and sales (newsletters, product updates, event invitations, outbound follow-up, CRM management).
  4. Analytics and website improvement (understanding how our Websites are used, measuring marketing performance and attribution).
  5. Compliance and protection (responding to lawful requests, enforcing our terms, protecting rights and safety).

4.2 Legal Bases (UK/EU)

Purpose

Legal Basis

Operate & secure Websites

Legitimate interests (to run a secure, functional website); Legal obligation (where applicable)

Respond to requests

Legitimate interests; Steps prior to entering a contract (at your request)

B2B marketing & sales

Legitimate interests (business-to-business marketing to professional contacts); Consent (where required by applicable law)

Analytics & performance measurement

Consent (for non-essential cookies); Legitimate interests (for strictly necessary analytics where permitted)

Compliance & protection

Legal obligation; Legitimate interests

Legitimate interests: We process certain data to operate our business effectively, keep our Websites secure, and communicate with business contacts about our products. You have the right to object to processing based on legitimate interests in certain circumstances — see Section 10.

4.3 Cookies and Similar Technologies (OneTrust)

We use cookies and similar technologies on our Websites. We use OneTrust to provide a cookie consent banner and preference centre. You can review the cookies in use and manage your preferences at any time via our Cookie Preference Centre linked to on www.orbussoftware.com. 

We use the following categories of cookies:

Category

OneTrust ID

Purpose

Requires Consent?

Examples

Strictly Necessary

C0001

Essential to operate the Websites and save your consent preferences (e.g., OneTrust, Cloudflare security)

No

OptanonConsent, OptanonAlertBoxClosed, _cfuvid

Performance / Analytics

C0002

Measure how visitors use our Websites to help us improve them. Includes Google Analytics 4 (GA4) and Google Tag Manager.

Yes

_ga, _ga_xxxxxxxxxx, _gclxxxx (Google conversion)

Functional

C0003

Enable additional features such as embedded video content and B2B intent/analytics tools. Includes 6sense and Wistia.

Yes

_gd_visitor, _gd_session, _gd_svisitor (6sense); Wistia video progress

Targeting / Marketing

C0004

Support marketing measurement and advertising campaigns, including via Google advertising products, LinkedIn, YouTube, and Pardot (Salesforce Marketing Cloud).

Yes

IDE, test_cookie (DoubleClick/Google); li_gc, bcookie, lidc (LinkedIn); YSC, VISITOR_INFO1_LIVE (YouTube); pardot

Vendors whose cookies or tags are present on our Websites include (among others): Google (Analytics, Tag Manager, DoubleClick/Ads, YouTube), LinkedIn, 6sense, Pardot (Salesforce), Wistia, OneTrust, and Cloudflare. You can view the full and current vendor list via the OneTrust Preference Centre.

Targeting cookies and marketing analytics: If you accept targeting cookies, our marketing partners may collect information about your interactions with our Websites (e.g., pages visited, interactions, approximate location derived from IP address) and may combine it with other information they hold. You can withdraw or change your consent at any time via the OneTrust Preference Centre.

4.4 Retention (Visitors & Prospects)

We retain Visitor and Prospect personal data for the purposes described above, consistent with our retention policy and applicable law.

Data Type

Typical Retention

Website security / server logs

Minimum of 1 year in accordance with OneTrust requirements

Analytics data (GA4)

14 months

Marketing opt-out / suppression records

As long as needed to honour your preferences

5. Customers & Authorized Users (Post-Contract)

5.1 Purposes

We use Customer and Authorized User personal data to:

  1. Provide and operate the Services (including hosting, processing transactions, enabling features, and maintaining availability).
  2. Account administration (user provisioning, access control, role-based permissions, authentication/SSO, audit logs).
  3. Support and service communications (responding to support tickets, service notifications, incident communications, training).
  4. Billing and payments (invoicing, collections, tax compliance, payment processing via our payment processor).
  5. Security and fraud prevention (access monitoring, security logging, vulnerability management, incident response).
  6. Compliance and legal obligations (recordkeeping, responding to lawful requests, enforcing contracts, audit support).

5.2 Legal Bases (UK/EU)

Purpose

Legal Basis

Provide the Services

Contract (performance of the agreement with the customer)

Account administration

Contract; Legitimate interests

Support & service communications

Contract; Legitimate interests

Billing & payments

Contract; Legal obligation (tax/accounting)

Security & fraud prevention

Legitimate interests; Legal obligation (where applicable)

Compliance & legal obligations

Legal obligation; Legitimate interests

5.3 Retention (Customers & Authorized Users)

We retain Customer and Authorized User personal data for the duration of the customer relationship and as necessary thereafter, consistent with our retention policy and applicable law. Specific retention periods may also be defined in the customer contract or DPA.

5.4 Data Location — Worldwide Processing

Customer and Authorized User personal data may be processed in multiple countries worldwide, including the locations where we and our service providers operate (UK, Poland, USA, Australia, and others). Where a customer contract specifies data residency or processing restrictions, we will process data in accordance with that agreement.

5.5 Account Deletion / End of Service

On termination of the customer relationship, we will handle personal data as described in the applicable contract and DPA.

6. Customer Content (Data We Process on Behalf of Customers)

6.1 Our Role

When Customers use our Services, they may upload, create, or process content that contains personal data (“Customer Content”). In this context:

  • the Customer is the controller (UK/EU) and determines the purposes and means of processing; and
  • we act as a processor (UK/EU), and process Customer Content only on documented instructions, as set out in our agreement and Data Processing Addendum (DPA).

6.2 What We Do With Customer Content

We process Customer Content only to:

  • host and provide the Services;
  • maintain security, prevent abuse, and troubleshoot;
  • provide support at the Customer’s request; and
  • comply with applicable law.

6.3 Data Location — Worldwide Processing (Unless Agreed Otherwise)

Customer Content may be processed in multiple countries worldwide (including the USA and Australia) depending on which infrastructure and subprocessors are used. Where a customer contract specifies data residency or restricts processing locations, we will comply with those restrictions.

6.4 End Users and Data Subjects

If your personal data is contained in Customer Content (e.g., you are an end user of a customer’s deployment of our Services), please contact the relevant Customer to exercise your data rights. We will assist our Customers as required by the DPA.

7. Who We Share Personal Data With

We may share personal data with:

Recipient

Examples / Purpose

Group companies

(see Section 1.3) — internal administration and service delivery

Hosting & infrastructure providers

e.g. Azure — service delivery

Analytics vendors

Google Analytics 4, Google Tag Manager — website analytics

CRM vendors

e.g., Salesforce — sales and marketing management

Marketing automation

Pardot (Salesforce) — marketing campaigns and lead management

B2B marketing / intent analytics

6sense — B2B audience analytics

Advertising / targeting platforms

Google advertising products (DoubleClick, Ads), LinkedIn — marketing measurement and advertising

Video platforms

Wistia, YouTube — embedded video content

Support / ticketing vendors

e.g. Zendesk — customer support

Consent management

OneTrust — cookie consent and preference management

CDN & security

Cloudflare — website delivery and DDoS protection

Professional advisors

Lawyers, auditors, insurers — where necessary

Authorities

Where required by law or to protect rights and safety

Corporate transaction parties

In connection with M&A, restructuring, or financing (subject to appropriate protections)

See Appendix B for further information.

8. International Data Transfers

Because we operate across the UK, Poland (EU), USA, and Australia, personal data may be transferred to and processed in countries other than where you are located. Where UK/EEA personal data is transferred outside the UK/EEA, we use appropriate safeguards, which may include:

  • EU Standard Contractual Clauses (SCCs);
  • the UK International Data Transfer Addendum (UK Addendum to the EU SCCs) or UK IDTA; and/or
  • adequacy decisions where applicable.

We also implement additional measures where appropriate (e.g., encryption and access controls) consistent with applicable guidance.

Transfer mechanism details: Standard Contractual Clauses

9. Security

We implement reasonable technical and organisational measures designed to protect personal data against unauthorised access, loss, misuse, alteration, or disclosure, including:

  • access controls and least-privilege principles;
  • encryption in transit and at rest;
  • logging and monitoring;
  • vulnerability management; and
  • incident response procedures.

10. Your Rights and Choices

10.1 UK / EEA (Including Poland)

Subject to conditions and applicable exceptions, you may have the right to:

  • access your personal data;
  • rectify inaccurate personal data;
  • erasure of personal data (“right to be forgotten”);
  • restrict certain processing;
  • object to processing based on legitimate interests or for direct marketing;
  • data portability (where applicable); and
  • withdraw consent (where processing is based on consent) — without affecting the lawfulness of processing before withdrawal.

You also have the right to lodge a complaint with your supervisory authority. In the UK, this is the Information Commissioner’s Office (ICO). In Poland, this is the Urząd Ochrony Danych Osobowych (UODO).

10.2 USA (State Privacy Laws)

Depending on the applicable US state privacy law and whether thresholds are met, individuals may have rights to access, delete, correct, or opt out of certain processing (such as targeted advertising or “sale” of personal data as defined by applicable law). We will respond to verifiable requests as required.

US rights request method: privacy@orbussoftware.com

10.3 Australia

Under the Australian Privacy Act 1988, individuals may request access to or correction of personal information held about them, subject to applicable exceptions. We will respond to requests within a reasonable timeframe.

10.4 How to Exercise Your Rights

Submit a request: email privacy@orbussoftware.com 

We may need to verify your identity before responding. We will respond within the timeframe required by applicable law.

11. Marketing Communications

We may send marketing emails to business contacts where permitted by applicable law (typically on the basis of legitimate interests for B2B contacts, or consent where required).

You can opt out of marketing emails at any time by:

Opting out of marketing will not affect service communications we are required to send you as a customer.

12. Do We “Sell” Personal Data?

We do not sell personal data in exchange for money.

We may allow certain advertising and marketing partners to collect information via cookies for purposes such as measuring campaign effectiveness and delivering advertising, subject to your cookie choices made via the OneTrust Preference Centre and applicable law.

13. Children

Our Websites and Services are directed at business professionals and are not intended for use by children. We do not knowingly collect personal data from children.

‍

14. Changes to This Notice

We may update this Privacy Notice from time to time. When we do, we will post the updated notice on this page and revise the “Last updated” date at the top. If changes are material, we may provide additional notice (e.g., on our Websites or by email to affected customers).

15. Contact Us

If you have any questions about this Privacy Notice or how we handle your personal data, please contact us:

Email: privacy@orbussoftware.com 

Postal address: Orbus Software, 11th Floor, 123 Victoria Street, London SW1E 6DE

EU representative: Orbus Software, Ul. Zabrska 20, 4th Floor, 40‑083 Katowice, Śląskie, Poland

Appendix A — Group Companies

Fill in the table below with all group companies involved in processing personal data covered by this notice.

Entity

Registered Address

Country

Seattle Software Ltd

11th Floor, 123 Victoria Street, London SW1E 6DE

UK

Orbus Software Sp. z.o.o.

Ul. Zabrska 20, 4th Floor, 40‑083 Katowice, Śląskie, Poland

Poland

Seattle Business Software, Inc.

Suite 1105, 33 E 33rd St, New York, NY 10016

USA

Seattle Software Australia Pty Ltd

Level 9, 89 York Street, Sydney 2000

Australia

Capsifi UK Limited

11th Floor, 123 Victoria Street, London SW1E 6DE

UK

Capsifi Australia Pty Ltd

Level 9, 89 York Street, Sydney 2000

Australia

Capsifi USA Inc.

Suite 1105, 33 E 33rd St, New York, NY 10016

USA

Appendix B — Processors & Subprocessors

Vendor

Category

Purpose

Data Types

Location(s)

Transfer Safeguards (UK/EU data)

Privacy Policy

Microsoft Ireland Operations Limited

Hosting

Service delivery

Customer content

Worldwide

SCC

https://www.microsoft.com/en-gb/privacy/privacystatement

Google Analytics / GTM

Analytics

Website analytics & tag management

Cookie / device data

USA

SCC

policies.google.com/privacy

Google Ads / DoubleClick

Targeting

Marketing measurement & advertising

Cookie / device / interaction

USA

SCC

policies.google.com/privacy

LinkedIn

Targeting

Marketing measurement & advertising

Cookie / device / interaction

Worldwide

SCC

linkedin.com/legal/privacy-policy

6sense

Functional / Targeting

B2B intent & marketing analytics

Cookie / device / company data

USA

SCC

https://6sense.com/privacy-policy/

Pardot (Salesforce)

Marketing automation

Lead management & marketing campaigns

Contact + marketing data

Worldwide

SCC

https://www.salesforce.com/company/legal/privacy/

Wistia

Functional

Video hosting & embedding

Device / viewing data

USA

SCC

wistia.com/privacy

YouTube (Google)

Functional / Targeting

Embedded video content

Cookie / device data

USA

SCC

policies.google.com/privacy

OneTrust

Strictly Necessary

Consent management

Consent preferences

USA

SCC

onetrust.com/privacy-notice

Cloudflare

Strictly Necessary

CDN, DDoS protection, security

Device / traffic data

USA + global

SCC

cloudflare.com/privacypolicy

Salesforce, Inc.

CRM

Sales & customer management

Contact + comms data

Worldwide

SCC

https://www.salesforce.com/company/legal/privacy/

Zendesk, Inc.

Support

Ticketing & customer support

Contact + support content

Worldwide

SCC

https://www.zendesk.co.uk/company/agreements-and-terms/privacy-notice/

Gainsight, Inc.

Customer Success

Customer management

Contact + comms data

Worldwide

SCC

https://www.gainsight.com/policy/privacy/

Microsoft, Inc. (Microsoft 365)

Email

Email communication

Contact, Email + content

Worldwide

SCC

https://www.microsoft.com/en-gb/privacy/privacystatement

Saasflow OU (Guideflow)

Pre-sales/Solutions consulting

Product demonstration platform

Contact + email

Worldwide

Adequacy

https://www.iubenda.com/privacy-policy/62163346

Orum Inc.

Prospecting

Telephone dialling

Contact

Worldwide

Data Privacy Framework certified

https://orum.com/privacy

Salesloft, Inc.

Prospecting

Pre-contract prospecting platform

Contact + email comms

Worldwide

SCC

https://www.salesloft.com/legal/privacy-policies