Privacy Policy

Last Updated: 20th April 2026

1. Introduction and Data Controller

Orbis Identity Ltd (“we”, “us”, “our”) operates the website orbisid.com (the “Website”) and provides the OrbisID Privileged Access Detection and Governance tool (the “Service”). We are committed to protecting your personal data and respecting your privacy in accordance with applicable data protection legislation.

This Privacy Policy explains:

  • what personal data we collect when you visit our Website;
  • why we collect it and the legal basis under which we process it;
  • how long we retain it;
  • your rights as a data subject; and
  • how to contact us if you have any concerns.

Data Controller

Company NameOrbis Identity Ltd
Registered Address128 City Road
London
United Kingdom
EC1V 2NX
Websiteorbisid.com
Privacy Contact Emailprivacy@orbisid.com
ICO RegistrationZC128433

2. Scope of This Policy

This Privacy Policy applies to personal data collected via orbisid.com, including through:

  • browsing and navigating the Website;
  • submitting a contact or enquiry form;
  • signing up to our newsletter or marketing communications;
  • cookies and analytics technologies operating on the Website.

This policy does not apply to data processed within the OrbisID software product itself (e.g. scan data, privileged access records, audit logs), except for (a) the optional Automatic Update Checks and Anonymous Usage Telemetry features described in Section 3 below, and (b) the optional marketing contact opt-in described in Section 4.2, in each case where data is sent from a self-hosted OrbisID instance back to Orbis Identity Ltd. Processing of data within the OrbisID software product itself, other than as described in Sections 3 and 4.2, is governed by the data processing agreement entered into with each enterprise customer, in which the customer acts as the data controller and Orbis Identity Ltd acts as a data processor.

3. Automatic Update Checks and Anonymous Usage Telemetry

This section describes the two optional data flows from a self-hosted OrbisID instance back to Orbis Identity Ltd. Both are off by default. Neither is used for advertising, profiling, or any purpose other than operating the update-check service and improving the product.

3.1 What we collect

If “Check for Updates” is enabled – on by default, unlike usage telemetry below:

FieldDescription
Current versionThe OrbisID version number installed
Install IDA random identifier generated once per OrbisID instance (see below)

We record these two fields, together with a first-seen and last-seen timestamp, against the Install ID, so that we can count how many distinct OrbisID instances are in use and their version distribution. This is the only thing stored from this request – we do not log or retain anything else about it (see Retention below for how long).

If “Send Anonymous Usage Statistics” is enabled, in addition to the above, roughly weekly:

FieldDescription
Install IDThe same random identifier — used only to de-duplicate submissions from the same instance over time
OrbisID version, Java version, host OS familyEnvironment information used to prioritise compatibility testing
Licence tier (Community / Pro / Enterprise)Not the licence key itself
Aggregate countsNumbers of connected systems (grouped by connector type, e.g. “3 Active Directory, 1 AWS”), accounts (by category: human/non-human, linked/unlinked, privileged, PAM-managed, standing-privilege, shared), identities, active users, active Endpoint Sensors, and open/confirmed Threat Detections

We never collect or transmit: hostnames, IP addresses of your systems, usernames, identity names or email addresses, entitlement or account names, credentials of any kind, licence keys, or any other value that could identify your organisation, its personnel, or its specific infrastructure.

3.2 The Install ID and IP addresses

The Install ID is a random value generated locally by your OrbisID instance the first time it starts; it has no connection to your licence key, company name, or any other identifying detail, and cannot on its own identify you. However, like any web request, requests to our servers necessarily pass through our infrastructure and are recorded in standard web server
access logs, which include the source IP address, for a limited period for security and abuse-prevention purposes. We do not otherwise store or associate IP addresses with the Install ID or with any telemetry payload. Because an IP address combined with a persistent identifier can, in some circumstances, constitute personal data under GDPR/UK GDPR, we treat this data as pseudonymous rather than fully anonymous where those regimes apply, and process it on the basis of our legitimate interest in operating and improving OrbisID (Art. 6(1)(f) GDPR), balanced against the minimal, non-identifying nature of what is collected and your ability to disable either feature at any time.

3.3 Retention

  • The check-in record kept from update-check requests (Install ID, version, first/last-seen timestamps) is retained for as long as the instance continues to check in, and is automatically deleted after 24 months without a further check-in.
  • Usage telemetry submissions are retained for 24 months before being deleted or fully aggregated, after which the underlying submissions are removed.

3.4 How to disable

Either feature can be turned off at any time by an administrator, from within OrbisID under Administration → Settings (“Check for Updates” / “Send Anonymous Usage Statistics”). Turning a feature off stops all further transmissions of that kind immediately; it does not affect any other functionality of the product.

3.5 Third parties

We do not sell, rent, or share this data with third parties. It is used solely by Orbis Identity Ltd to operate the update-check service and to understand aggregate, anonymised product usage trends for our own product planning.

4. Personal Data We Collect

4.1 Contact and Enquiry Forms

When you submit an enquiry via our Website, we collect:

  • your full name;
  • your business email address;
  • your company name and job title (if provided);
  • the content of your message or enquiry.

4.2 Newsletter and Marketing Sign-Up

When you subscribe to our newsletter or request marketing communications, we collect:

  • your full name;
  • your business email address;
  • your marketing preferences.

You can also provide these same details directly from within the OrbisID product itself, via the optional “Stay in Touch” opt-in shown once during first-run setup (and re-visitable from Administration > Settings). In that case we additionally collect your country and, optionally, a phone number. This in-product opt-in is unticked by default and entirely separate from the product’s Check for Updates and Anonymous Usage Statistics features described in Section 3 — providing these details is never required to use OrbisID. Submissions from certain destinations are not accepted due to UK/US export control and trade sanctions restrictions.

4.3 Analytics and Cookie Data

We use analytics tools (including Google Analytics) to understand how visitors interact with the Website. This may include:

  • your IP address (anonymised where applicable);
  • browser type, version, and operating system;
  • pages visited, time spent on pages, and navigation paths;
  • referring URLs;
  • device type and screen resolution.

This data is collected via cookies and similar tracking technologies. Please refer to Section 8 (Cookies) for further detail.

4.4 Data We Do Not Collect

We do not knowingly collect special category data (such as health information, racial or ethnic origin, or biometric data) through the Website. We do not direct our Website at children under the age of 16 and do not knowingly collect their personal data.

5. Legal Bases for Processing

We rely on the following legal bases to process your personal data:

PurposeLegal Basis
Responding to enquiries and contact form submissionsLegitimate Interests (Article 6(1)(f) UK/EU GDPR) — responding to a business enquiry submitted at your request.
Sending newsletters and marketing communicationsConsent (Article 6(1)(a) UK/EU GDPR) — you provide explicit opt-in consent at the point of sign-up.
Website analytics (non-essential cookies)Consent (Article 6(1)(a) UK/EU GDPR) — obtained via our Cookie Consent Manager.
Security monitoring and fraud preventionLegitimate Interests (Article 6(1)(f) UK/EU GDPR) — protecting our systems and users.
Compliance with legal obligationsLegal Obligation (Article 6(1)(c) UK/EU GDPR).
OrbisID software telemetry (opt-in)Legitimate interests (Art. 6(1)(f) GDPR).

Where we rely on legitimate interests, we have carried out a balancing test to confirm that our interests are not overridden by your rights and interests.

6. How We Use Your Personal Data

We use the personal data we collect for the following purposes:

  • to respond to your enquiries and provide information about OrbisID;
  • to send newsletters, product updates, and marketing communications (where you have opted in);
  • to analyse Website usage and improve the user experience;
  • to detect and prevent fraudulent or malicious activity;
  • to comply with our legal and regulatory obligations;
  • to manage our business relationship with you or your employer.

7. Sharing Your Personal Data

7.1 Third-Party Service Providers

We may share your personal data with trusted third-party service providers acting as data processors on our behalf, including:

  • email and CRM platforms (for managing enquiries and newsletter delivery);
  • analytics providers (e.g. Google Analytics);
  • cloud hosting and infrastructure providers;
  • IT security and monitoring services.

All processors are subject to data processing agreements and are required to handle your data securely and only for the purposes we specify.

7.2 Legal Disclosure

We may disclose your personal data where required by law, court order, or regulatory authority — for example, to the Information Commissioner’s Office (ICO) in the United Kingdom.

7.3 Business Transfers

In the event of a merger, acquisition, or sale of all or part of our business, personal data may be transferred to the acquiring entity, subject to the same protections set out in this policy.

7.4 No Selling of Data

We do not sell, rent, or trade your personal data to any third party for their own marketing purposes.

8. International Data Transfers

Our Website infrastructure and some of our third-party service providers may process personal data outside the United Kingdom (UK) and the European Economic Area (EEA). Where such transfers occur, we ensure appropriate safeguards are in place, including:

  • Standard Contractual Clauses (SCCs) as approved by the European Commission and/or the UK ICO;
  • transfers to countries covered by a UK Adequacy Regulation or EU adequacy decision;
  • binding corporate rules or other approved transfer mechanisms.

For California residents: where applicable, we comply with the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA). Please refer to Section 11 for your California-specific rights.

9. Cookies and Tracking Technologies

9.1 What Are Cookies?

Cookies are small text files stored on your device when you visit a website. They help us recognise your browser, remember your preferences, and understand how you use our Website.

9.2 Types of Cookies We Use

Cookie TypePurpose / Description
Strictly NecessaryEssential for the Website to function correctly. These cannot be disabled. No consent required.
Analytics / PerformanceUsed via Google Analytics to collect anonymised data about how visitors use the site. Enabled only with your consent.
FunctionalRemembers your preferences (e.g. cookie consent choice). May be enabled without consent where strictly necessary.
Marketing / TrackingWe do not currently use marketing or advertising tracking cookies.

9.3 Managing Cookies

When you first visit our Website, you will be presented with a Cookie Consent Manager that allows you to accept or decline non-essential cookies. You may update your preferences at any time via the cookie settings link in the Website footer.

You may also control cookies at the browser level. Instructions for major browsers are available at:

  • Google Chrome: chrome://settings/cookies
  • Mozilla Firefox: about:preferences#privacy
  • Microsoft Edge: edge://settings/privacy

Please note that disabling certain cookies may affect the functionality of the Website.

10. Data Retention

We retain personal data only for as long as is necessary for the purposes described in this policy, or as required by law. Our standard retention periods are:

Data CategoryRetention Period
Contact and enquiry form submissions24 months from date of submission, or until the matter is resolved.
Newsletter subscriber dataUntil you unsubscribe, or 36 months from last engagement, whichever is sooner. This applies equally to opt-ins submitted from within the OrbisID product.
Analytics data (Google Analytics)14 months (Google Analytics default data retention setting).
Server and security logs90 days.

Following expiry of the relevant retention period, data will be securely deleted or anonymised.

11. Your Rights Under UK and EU GDPR

Depending on your location, you have the following rights in relation to your personal data:

RightDescription
Right of AccessTo request a copy of the personal data we hold about you (Subject Access Request).
Right to RectificationTo request correction of inaccurate or incomplete personal data.
Right to ErasureTo request deletion of your personal data (‘right to be forgotten’), subject to legal retention obligations.
Right to Restrict ProcessingTo request that we limit how we use your data in certain circumstances.
Right to Data PortabilityTo receive your data in a structured, commonly used, machine-readable format.
Right to ObjectTo object to processing based on legitimate interests or for direct marketing purposes.
Right to Withdraw ConsentTo withdraw consent at any time where processing is consent-based, without affecting prior lawful processing.
Rights re. Automated DecisionsWe do not make solely automated decisions with significant legal effects based on Website data.

To exercise any of these rights, please contact us at privacy@orbisid.com. We will respond within one calendar month of receiving your request. We may request proof of identity before actioning your request.

If you are dissatisfied with our response, you have the right to lodge a complaint with the relevant supervisory authority:

  • United Kingdom: Information Commissioner’s Office (ICO) — ico.org.uk
  • European Union: Your local EU data protection authority.

12. Additional Rights for California Residents (CCPA / CPRA)

If you are a resident of California, the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA) grants you the following additional rights:

  • Right to Know: the right to know what personal information we collect, use, disclose, or sell about you.
  • Right to Delete: the right to request deletion of your personal information, subject to certain exceptions.
  • Right to Correct: the right to request correction of inaccurate personal information.
  • Right to Opt-Out of Sale or Sharing: we do not sell or share personal information as defined by CCPA. No opt-out mechanism is required.
  • Right to Limit Use of Sensitive Personal Information: we do not collect sensitive personal information as defined by CPRA via the Website.
  • Right to Non-Discrimination: we will not discriminate against you for exercising your privacy rights.

To submit a CCPA/CPRA request, contact us at privacy@orbisid.com. You may also submit a request on behalf of a minor child. We will respond within 45 days of a verifiable consumer request, with an option to extend by a further 45 days where reasonably necessary.

Categories of personal information collected in the last 12 months: Identifiers (name, email address); Internet or other electronic network activity (browsing data, analytics). We have not sold or shared personal information for cross-context behavioural advertising.

13. Security of Your Personal Data

We implement appropriate technical and organisational security measures to protect your personal data against unauthorised access, disclosure, alteration, or destruction. These measures include:

  • TLS encryption for all data transmitted to and from the Website;
  • access controls and authentication requirements for staff with access to personal data;
  • regular security assessments and vulnerability monitoring;
  • data minimisation and pseudonymisation practices where appropriate.

Whilst we take all reasonable steps to protect your data, no method of transmission over the internet is completely secure. We cannot guarantee the absolute security of data transmitted to us.

In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify the ICO within 72 hours of becoming aware of the breach, and notify affected individuals without undue delay where required.

14. Third-Party Links

Our Website may contain links to third-party websites or services. This Privacy Policy does not apply to those third-party sites. We encourage you to review the privacy policies of any external sites you visit. We are not responsible for the privacy practices of third-party websites.

15. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, legal obligations, or the services we provide. When we make material changes, we will update the effective date at the top of this document and, where appropriate, notify you by email or via a notice on the Website.

We encourage you to review this policy periodically. Continued use of the Website following the posting of any changes constitutes your acceptance of the revised policy.

16. Contact Us

If you have any questions, concerns, or requests regarding this Privacy Policy or the way we process your personal data, please contact us:

Contact MethodDetails
Emailprivacy@orbisid.com
PostOrbis Identity Ltd, 128 City Road, London, United Kingdom, EC1V 2NX
Websiteorbisid.com