Privacy

Last updated: June 2026

Who is responsible (data controller)

The data controller for this website is Orion Tasks. You can reach us at hello@orionapp.co for any privacy-related question or request.

What we collect

When you join the beta we collect your email address so we can send your invite and updates about the beta.

When you sign up, we also check a CAPTCHA challenge (Cloudflare Turnstile) to prevent spam. Your IP address is shared with Cloudflare solely for that verification and is not stored by us for that purpose.

To protect the signup form from abuse we keep short-term rate-limiting logs that include your IP address and a timestamp. These logs are kept for 24 hours and then automatically removed.

Legal bases per purpose (GDPR Art. 6)

We process personal data only where we have a lawful basis under Art. 6(1) GDPR. The table below maps each processing activity to its specific purpose, the data involved, and the legal basis we rely on.

PurposeDataLegal basis
Beta waitlist signup and beta-related emailsEmail address, submission timestampConsent — Art. 6(1)(a). Given by submitting the signup form; withdrawable at any time via the unsubscribe link or by emailing us.
Product analytics and session replayPseudonymous device/usage events, replay of interactions on this siteConsent — Art. 6(1)(a). Given via the cookie banner; withdrawable at any time through "Manage cookie preferences".
Anti-abuse: CAPTCHA, rate-limiting, security logsIP address, request headers, Turnstile token, timestampsLegitimate interests — Art. 6(1)(f). See LIA below.
Service delivery (hosting, CDN, TLS termination)IP address, request metadata, technical logsLegitimate interests — Art. 6(1)(f) in operating and securing the site; strictly necessary for the service you request.
Responding to your privacy requests and other emails to usEmail address, message contentLegal obligation — Art. 6(1)(c) for GDPR rights requests (Art. 12–22); legitimate interests — Art. 6(1)(f) for general correspondence.
Strictly necessary cookies (consent record)Your cookie choice, timestamp, policy versionNot consent-based — required to remember your choice (ePrivacy "strictly necessary" exemption); processed under legitimate interests — Art. 6(1)(f).

Legitimate Interests Assessment (LIA). For anti-abuse and service-delivery processing, our interest is in keeping the site secure, available, and free from spam and automated abuse. This processing is necessary because no less intrusive means achieves the same protection, and the data involved (IP, request metadata, short-lived security tokens) is limited, not used for advertising or profiling, retained only as long as needed, and does not override your rights and freedoms. You can object at any time under Art. 21 by contacting us.

Analytics and session replay

We use Mixpanel for product analytics. If you grant consent via the banner, Mixpanel receives event data such as:

  • Page views (page path, URL, referrer)
  • Beta signup completions
  • UTM parameters (source, medium, campaign, etc.)
  • Device and browser information
  • IP address (used for approximate location)

Mixpanel may also record sessions (session replay) to help us understand how people interact with the site. Password fields and elements marked as sensitive are automatically masked and will appear as hidden blocks in any recording. We do not record the content of password inputs.

Analytics only starts after you click Accept on the consent banner. You can decline or withdraw consent at any time — see Your rights below.

How we use your data

Your email is used only to send you beta-related communications. Analytics data is used to improve the product and website experience. We do not sell or share your personal data with third parties for marketing purposes.

Sub-processors

We share data with the following processors who help us run this service. Each operates under a data processing agreement with us and processes data only on our documented instructions.

ProcessorPurposeCountryTransfer safeguard
SupabaseDatabase and backend hosting (beta signups)EU (Ireland)No transfer outside EEA
Cloudflare, Inc.Website hosting, CDN, TLS, CAPTCHA (Turnstile)Global edge (incl. US)EU–US Data Privacy Framework; EU SCCs + UK IDTA for non-DPF transfers
Mixpanel, Inc.Product analytics and session replayEUNo transfer outside EEA (EU data residency)
LovableHosting platform and deployment infrastructure for this siteEU, with US sub-processorsEU SCCs and, where applicable, EU–US Data Privacy Framework
Transactional email providerDelivering beta confirmation and update emailsEU / USEU–US Data Privacy Framework or EU SCCs

We will update this list before engaging a new sub-processor that processes personal data on our behalf. You can request the current list at any time by emailing hello@orionapp.co.

International data transfers

Some of our processors — notably Cloudflare — are established in the United States, and Cloudflare additionally serves traffic from a global edge network. This means your personal data may be transferred outside the European Economic Area (EEA), the United Kingdom, and Switzerland.

For these transfers we rely on the following safeguards under GDPR Chapter V (and the equivalent UK GDPR and Swiss FADP provisions):

  • EU–US Data Privacy Framework (DPF) — where the recipient is self-certified under the DPF and its UK Extension, providing an EU/UK adequacy decision basis for the transfer.
  • EU Standard Contractual Clauses (SCCs) — Commission Implementing Decision (EU) 2021/914, Module 2 (controller-to-processor), where DPF coverage does not apply.
  • UK International Data Transfer Addendum (IDTA) to the EU SCCs for transfers from the United Kingdom.
  • Swiss addendum to the SCCs for transfers from Switzerland under the revised FADP.
  • Supplementary measures — TLS in transit, encryption at rest, pseudonymisation of analytics identifiers, least-privilege access, and a transfer impact assessment for each non-EEA processor we engage.

You can request a copy of the relevant safeguards (SCCs, IDTA, or DPF certifications) by emailing hello@orionapp.co.

Data retention

We keep personal data only for as long as needed for the purpose it was collected, plus any period required by law. Concrete periods per data category are listed below.

Data categoryRetention periodTrigger for deletion
Beta signup email and submission timestampUntil the beta programme ends, or 24 months from signup, whichever is soonerProgramme end, retention cap reached, or your deletion request
Support and privacy-request correspondenceUp to 24 months after the request is closedAutomatic purge after the retention period, unless needed for a legal claim
Rate-limiting and anti-abuse logs (IP + timestamp)24 hoursAutomatic rolling deletion
Security and access logs (hosting, CDN)Up to 30 daysAutomatic rotation by the hosting provider
Product analytics events (Mixpanel)12 months from collectionAutomatic deletion in Mixpanel after the retention window
Session replay recordings (Mixpanel)30 days from collectionAutomatic deletion in Mixpanel after the retention window
CAPTCHA verification payload (Cloudflare Turnstile)Not storedProcessed in transit only
Consent record (cookie / local storage)12 months, or until you clear it or change your choiceRe-prompt on expiry or policy version change
Encrypted infrastructure backupsUp to 30 daysAutomatic rotation; deletion requests are honoured in live systems immediately and propagate to backups within this window

Where we are legally required to keep data longer (for example to defend a legal claim or comply with a tax or accounting obligation), we restrict processing to that purpose until the obligation ends, then delete it.

Security measures (GDPR Art. 32)

We implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including:

  • Encryption in transit (HTTPS/TLS) for all traffic between your browser, our site, and our processors.
  • Encryption at rest for data stored in our managed database and backups.
  • Strict access controls: only a small number of authorised people can access production data, protected by strong authentication and multi-factor authentication.
  • Use of vetted sub-processors with their own security certifications (e.g. SOC 2, ISO 27001) and Data Processing Agreements in place.
  • Principle of data minimisation: we only collect what we need and delete it when it is no longer necessary.
  • Regular review of access logs, dependencies, and security practices.

No system can be guaranteed 100% secure. If you believe you have found a security issue, please email us at hello@orionapp.co.

Breach notification

We take organisational and technical security measures to protect your personal data. In the unlikely event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will:

  • Notify the relevant supervisory authority without undue delay and, where feasible, not later than 72 hours after having become aware of it (Art. 33 GDPR).
  • Notify you directly if the breach is likely to result in a high risk to your rights and freedoms, unless we have implemented measures that render the data unintelligible to unauthorised persons or the notification would involve disproportionate effort (Art. 34 GDPR).

Any breach notification will include: the nature of the breach, the categories and approximate number of data subjects and records concerned, the likely consequences, and the measures taken or proposed to address the breach and mitigate its potential adverse effects.

Cookies and local storage

We use the following client-side storage. Strictly necessary items are set without consent; analytics items are only set after you click Accept on the consent banner.

NameTypePurposeCategoryLifetime
orion_consent_v1Local storageRecords your consent choice, timestamp, and policy versionStrictly necessaryUntil cleared
cf_clearance, __cf_bmCookieCloudflare bot/CAPTCHA verification for the signup formStrictly necessaryUp to 30 minutes / 1 year
mp_* (e.g. mp_xxx_mixpanel)Cookie / local storageMixpanel anonymous identifier and event queueAnalytics (consent)Up to 1 year
__mpq_*Local storageMixpanel session replay bufferAnalytics (consent)Session

When you make a choice on the consent banner, we store your decision along with the date and the version of this policy in effect at the time, so we can demonstrate the consent you gave (GDPR Art. 7(1)).

Do Not Track and Global Privacy Control

We respect the browser signals that communicate your privacy preferences automatically:

  • Do Not Track (DNT) — When your browser sends a DNT signal (HTTP header DNT: 1 or the equivalent navigator property), we do not initialise analytics tracking and treat analytics cookies as declined.
  • Global Privacy Control (GPC) — When your browser or extension sends a GPC signal (Sec-GPC: 1), we honour it in the same way: analytics cookies are declined and no analytics events are collected.

If you send a DNT or GPC signal, the consent banner will still appear briefly to confirm that analytics have been disabled based on your signal. You do not need to click "Reject" — the signal alone is sufficient.

You can learn more about enabling GPC at globalprivacycontrol.org.

Children's data

We do not knowingly collect or process personal data from children under the age of 16. Our service is intended for adults who can enter into legally binding contracts. If we learn that we have collected personal data from a child under 16 without verified parental consent, we will delete that data as soon as possible. If you believe a child under 16 has provided us with personal data, please contact us at hello@orionapp.co.

Automated decision-making and profiling

We do not carry out automated individual decision-making, including profiling, that produces legal effects or similarly significantly affects you (Art. 22 GDPR). We do not use algorithms to evaluate personal aspects such as work performance, economic situation, health, personal preferences, interests, reliability, behaviour, location, or movements.

Your rights

Under the GDPR and the UK GDPR you have the following rights in relation to your personal data:

  • Access (Art. 15) — request a copy of the personal data we hold about you.
  • Rectification (Art. 16) — ask us to correct inaccurate or incomplete data.
  • Erasure / "right to be forgotten" (Art. 17) — ask us to delete your personal data.
  • Restriction of processing (Art. 18) — ask us to limit how we use your data while a question about it is being resolved.
  • Data portability (Art. 20) — receive your data in a structured, machine-readable format, or have it transmitted to another controller where technically feasible.
  • Objection (Art. 21) — object to processing based on our legitimate interests (e.g. CAPTCHA and rate-limiting logs).
  • Withdraw consent (Art. 7(3)) — where processing is based on consent (beta email, analytics, session replay), withdraw it at any time. Withdrawal does not affect the lawfulness of processing carried out before withdrawal.
  • Rights related to automated decision-making (Art. 22) — we do not carry out automated decision-making or profiling that produces legal or similarly significant effects.

To exercise any of these rights, email hello@orionapp.co. We respond within one month, as required by Art. 12(3). To withdraw analytics consent without contacting us, clear this site's local storage in your browser — the consent banner will reappear on your next visit.

Data Protection Officer and EU representative

We have not appointed a Data Protection Officer (DPO) under Art. 37 GDPR because we are not a public authority, and our core activities do not involve systematic monitoring of data subjects on a large scale or processing of special categories of personal data on a large scale.

We are established in the European Union and therefore do not require an Art. 27 EU representative.

For all privacy-related questions and requests, please contact us directly:

Orion Tasks
Email: hello@orionapp.co

Right to lodge a complaint

If you believe our processing of your personal data infringes the GDPR or UK GDPR, you have the right to lodge a complaint with a supervisory authority (Art. 77 GDPR), in particular in the EU/EEA Member State of your habitual residence, place of work, or place of the alleged infringement. A directory of EU data protection authorities is available from the European Data Protection Board. In the UK, the supervisory authority is the Information Commissioner's Office (ICO). We would, however, appreciate the chance to address your concerns directly before you approach a regulator — please contact us first if you can.

Changes to this policy

We may update this privacy policy from time to time to reflect changes to our service, our sub-processors, or applicable law. The "Last updated" date at the top of this page always shows when the current version took effect.

For material changes that affect how we process your personal data, we will notify you in advance by email (to the address you provided when joining the beta) and/or by a prominent notice on the site, before the changes take effect. Where the change requires your consent under GDPR, we will ask for it again rather than rely on the previous one.

Contact

Email hello@orionapp.co with any questions, access requests, or withdrawal of consent.