Privacy Policy

Last Updated: 20th April 2026

1. Introduction and Data Controller

Orbis Identity Ltd (“we”, “us”, “our”) operates the website orbisid.com (the “Website”) and provides the OrbisID Privileged Access Detection and Governance tool (the “Service”). We are committed to protecting your personal data and respecting your privacy in accordance with applicable data protection legislation.

This Privacy Policy explains:

  • what personal data we collect when you visit our Website;
  • why we collect it and the legal basis under which we process it;
  • how long we retain it;
  • your rights as a data subject; and
  • how to contact us if you have any concerns.

Data Controller

Company Name | Orbis Identity Ltd
Registered Address | 128 City Road, London, United Kingdom, EC1V 2NX
Website | orbisid.com
Privacy Contact Email | privacy@orbisid.com
ICO Registration | ZC128433

2. Scope of This Policy

This Privacy Policy applies to personal data collected via orbisid.com, including through:

  • browsing and navigating the Website;
  • submitting a contact or enquiry form;
  • signing up to our newsletter or marketing communications;
  • cookies and analytics technologies operating on the Website.

This policy does not apply to data processed within the OrbisID software product itself (e.g. scan data, privileged access records, audit logs). Processing of that data is governed by the data processing agreement entered into with each enterprise customer, in which the customer acts as the data controller and Orbis Identity Ltd acts as a data processor.

3. Personal Data We Collect

3.1 Contact and Enquiry Forms

When you submit an enquiry via our Website, we collect:

  • your full name;
  • your business email address;
  • your company name and job title (if provided);
  • the content of your message or enquiry.

3.2 Newsletter and Marketing Sign-Up

When you subscribe to our newsletter or request marketing communications, we collect:

  • your full name;
  • your business email address;
  • your marketing preferences.

3.3 Analytics and Cookie Data

We use analytics tools (including Google Analytics) to understand how visitors interact with the Website. This may include:

  • your IP address (anonymised where applicable);
  • browser type, version, and operating system;
  • pages visited, time spent on pages, and navigation paths;
  • referring URLs;
  • device type and screen resolution.

This data is collected via cookies and similar tracking technologies. Please refer to Section 8 (Cookies) for further detail.

3.4 Data We Do Not Collect

We do not knowingly collect special category data (such as health information, racial or ethnic origin, or biometric data) through the Website. We do not direct our Website at children under the age of 16 and do not knowingly collect their personal data.

4. Legal Bases for Processing

We rely on the following legal bases to process your personal data:

Purpose | Legal Basis
Responding to enquiries and contact form submissions | Legitimate Interests (Article 6(1)(f) UK/EU GDPR) — responding to a business enquiry submitted at your request.
Sending newsletters and marketing communications | Consent (Article 6(1)(a) UK/EU GDPR) — you provide explicit opt-in consent at the point of sign-up.
Website analytics (non-essential cookies) | Consent (Article 6(1)(a) UK/EU GDPR) — obtained via our Cookie Consent Manager.
Security monitoring and fraud prevention | Legitimate Interests (Article 6(1)(f) UK/EU GDPR) — protecting our systems and users.
Compliance with legal obligations | Legal Obligation (Article 6(1)(c) UK/EU GDPR).

Where we rely on legitimate interests, we have carried out a balancing test to confirm that our interests are not overridden by your rights and interests.

5. How We Use Your Personal Data

We use the personal data we collect for the following purposes:

  • to respond to your enquiries and provide information about OrbisID;
  • to send newsletters, product updates, and marketing communications (where you have opted in);
  • to analyse Website usage and improve the user experience;
  • to detect and prevent fraudulent or malicious activity;
  • to comply with our legal and regulatory obligations;
  • to manage our business relationship with you or your employer.

6. Sharing Your Personal Data

6.1 Third-Party Service Providers

We may share your personal data with trusted third-party service providers acting as data processors on our behalf, including:

  • email and CRM platforms (for managing enquiries and newsletter delivery);
  • analytics providers (e.g. Google Analytics);
  • cloud hosting and infrastructure providers;
  • IT security and monitoring services.

All processors are subject to data processing agreements and are required to handle your data securely and only for the purposes we specify.

6.2 Legal Disclosure

We may disclose your personal data where required by law, court order, or regulatory authority — for example, to the Information Commissioner’s Office (ICO) in the United Kingdom.

6.3 Business Transfers

In the event of a merger, acquisition, or sale of all or part of our business, personal data may be transferred to the acquiring entity, subject to the same protections set out in this policy.

6.4 No Selling of Data

We do not sell, rent, or trade your personal data to any third party for their own marketing purposes.

7. International Data Transfers

Our Website infrastructure and some of our third-party service providers may process personal data outside the United Kingdom (UK) and the European Economic Area (EEA). Where such transfers occur, we ensure appropriate safeguards are in place, including:

  • Standard Contractual Clauses (SCCs) as approved by the European Commission and/or the UK ICO;
  • transfers to countries covered by a UK Adequacy Regulation or EU adequacy decision;
  • binding corporate rules or other approved transfer mechanisms.

For California residents: where applicable, we comply with the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA). Please refer to Section 11 for your California-specific rights.

8. Cookies and Tracking Technologies

8.1 What Are Cookies?

Cookies are small text files stored on your device when you visit a website. They help us recognise your browser, remember your preferences, and understand how you use our Website.

8.2 Types of Cookies We Use

Cookie Type | Purpose / Description
Strictly Necessary | Essential for the Website to function correctly. These cannot be disabled. No consent required.
Analytics / Performance | Used via Google Analytics to collect anonymised data about how visitors use the site. Enabled only with your consent.
Functional | Remembers your preferences (e.g. cookie consent choice). May be enabled without consent where strictly necessary.
Marketing / Tracking | We do not currently use marketing or advertising tracking cookies.

8.3 Managing Cookies

When you first visit our Website, you will be presented with a Cookie Consent Manager that allows you to accept or decline non-essential cookies. You may update your preferences at any time via the cookie settings link in the Website footer.

You may also control cookies at the browser level. Instructions for major browsers are available at:

  • Google Chrome: chrome://settings/cookies
  • Mozilla Firefox: about:preferences#privacy
  • Microsoft Edge: edge://settings/privacy

Please note that disabling certain cookies may affect the functionality of the Website.

9. Data Retention

We retain personal data only for as long as is necessary for the purposes described in this policy, or as required by law. Our standard retention periods are:

Data Category | Retention Period
Contact and enquiry form submissions | 24 months from date of submission, or until the matter is resolved.
Newsletter subscriber data | Until you unsubscribe, or 36 months from last engagement, whichever is sooner.
Analytics data (Google Analytics) | 14 months (Google Analytics default data retention setting).
Server and security logs | 90 days.

Following expiry of the relevant retention period, data will be securely deleted or anonymised.

10. Your Rights Under UK and EU GDPR

Depending on your location, you have the following rights in relation to your personal data:

Right | Description
Right of Access | To request a copy of the personal data we hold about you (Subject Access Request).
Right to Rectification | To request correction of inaccurate or incomplete personal data.
Right to Erasure | To request deletion of your personal data (‘right to be forgotten’), subject to legal retention obligations.
Right to Restrict Processing | To request that we limit how we use your data in certain circumstances.
Right to Data Portability | To receive your data in a structured, commonly used, machine-readable format.
Right to Object | To object to processing based on legitimate interests or for direct marketing purposes.
Right to Withdraw Consent | To withdraw consent at any time where processing is consent-based, without affecting prior lawful processing.
Rights re. Automated Decisions | We do not make solely automated decisions with significant legal effects based on Website data.

To exercise any of these rights, please contact us at privacy@orbisid.com. We will respond within one calendar month of receiving your request. We may request proof of identity before actioning your request.

If you are dissatisfied with our response, you have the right to lodge a complaint with the relevant supervisory authority:

  • United Kingdom: Information Commissioner’s Office (ICO) — ico.org.uk
  • European Union: Your local EU data protection authority.

11. Additional Rights for California Residents (CCPA / CPRA)

If you are a resident of California, the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA) grants you the following additional rights:

  • Right to Know: the right to know what personal information we collect, use, disclose, or sell about you.
  • Right to Delete: the right to request deletion of your personal information, subject to certain exceptions.
  • Right to Correct: the right to request correction of inaccurate personal information.
  • Right to Opt-Out of Sale or Sharing: we do not sell or share personal information as defined by CCPA. No opt-out mechanism is required.
  • Right to Limit Use of Sensitive Personal Information: we do not collect sensitive personal information as defined by CPRA via the Website.
  • Right to Non-Discrimination: we will not discriminate against you for exercising your privacy rights.

To submit a CCPA/CPRA request, contact us at privacy@orbisid.com. You may also submit a request on behalf of a minor child. We will respond within 45 days of a verifiable consumer request, with an option to extend by a further 45 days where reasonably necessary.

Categories of personal information collected in the last 12 months: Identifiers (name, email address); Internet or other electronic network activity (browsing data, analytics). We have not sold or shared personal information for cross-context behavioural advertising.

12. Security of Your Personal Data

We implement appropriate technical and organisational security measures to protect your personal data against unauthorised access, disclosure, alteration, or destruction. These measures include:

  • TLS encryption for all data transmitted to and from the Website;
  • access controls and authentication requirements for staff with access to personal data;
  • regular security assessments and vulnerability monitoring;
  • data minimisation and pseudonymisation practices where appropriate.

Whilst we take all reasonable steps to protect your data, no method of transmission over the internet is completely secure. We cannot guarantee the absolute security of data transmitted to us.

In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify the ICO within 72 hours of becoming aware of the breach, and notify affected individuals without undue delay where required.

13. Third-Party Links

Our Website may contain links to third-party websites or services. This Privacy Policy does not apply to those third-party sites. We encourage you to review the privacy policies of any external sites you visit. We are not responsible for the privacy practices of third-party websites.

14. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, legal obligations, or the services we provide. When we make material changes, we will update the effective date at the top of this document and, where appropriate, notify you by email or via a notice on the Website.

We encourage you to review this policy periodically. Continued use of the Website following the posting of any changes constitutes your acceptance of the revised policy.

15. Contact Us

If you have any questions, concerns, or requests regarding this Privacy Policy or the way we process your personal data, please contact us:

Contact Method | Details
Email | privacy@orbisid.com
Post | Orbis Identity Ltd, 128 City Road, London, United Kingdom, EC1V 2NX
Website | orbisid.com