1. Who we are
This Privacy Policy explains how Petar Nikolushev, an independent sole trader (freelancer) registered in Bulgaria under BULSTAT/UIC No. 181061688 (“MyOrbio”, “we”, “us”, “our”), collects, uses, and protects your personal data when you use the MyOrbio mobile and web application and related services (the “Service”).
For the purposes of the EU General Data Protection Regulation (Regulation (EU) 2016/679, “GDPR”) and equivalent laws, we are the data controller of your personal data.
- Contact: support@myorbio.app
- Postal address: available on request to the email above (registered in Bulgaria).
2. Scope and your acceptance
This Policy applies to all users of the Service worldwide. By creating an account or using the Service, you acknowledge that you have read and understood this Policy. Where we rely on your consent, we will ask for it separately and you may withdraw it at any time.
This Policy is designed to comply with, among others: the GDPR (EU/EEA, including France, Germany, Norway and all member states), the UK GDPR and Data Protection Act 2018, the Swiss Federal Act on Data Protection (revFADP/nFADP), the UAE Federal Decree-Law No. 45 of 2021 on Personal Data Protection (PDPL), the California Consumer Privacy Act/CPRA, and the Bulgarian Personal Data Protection Act. Region-specific rights are set out in Section 13.
3. Minimum age
The Service is intended only for users aged 16 and over. We do not knowingly collect personal data from anyone under 16. By using the Service you confirm that you are at least 16 years old. If you believe a person under 16 has provided us with personal data, contact support@myorbio.app and we will delete it without undue delay. Where local law sets a higher age of digital majority, that higher age applies to you.
4. The personal data we collect
We collect only what we need to run an ambient-presence social app.
a) Information you give us
- Account data: email address and password (passwords are stored only in hashed form by our authentication provider; we never see them in plain text).
- Profile data: display name, a unique @username, and, optionally, a profile photo/avatar.
- Status & presence data: the availability status you set (e.g. Open, Busy, Focus, Resting) and related timestamps.
- Connections data: the people you connect with, connection/“sync” requests you send or receive, and who you pin to your orbit.
- Communications: messages you send to support.
b) Information collected automatically
- Technical & device data: IP address, device type, operating system, app version, and similar diagnostic data.
- Usage data: interactions with features, timestamps, and crash/error logs.
- Push token: if you enable notifications, a device push token used solely to deliver notifications to you.
- Local storage: preferences stored on your device (e.g. theme, boundary toggles). On the web we use only strictly necessary and preference storage; we do not use advertising cookies.
c) Information from third parties
- When you purchase Premium, we receive your subscription status (active/expired) from the app store and our subscription manager (RevenueCat). We do not receive your full payment-card details.
We sign in users with email and password only. We do not intentionally collect special categories of data (e.g. health, religion, sexuality). Please do not put such data in free-text fields like your display name or status.
5. Why we use your data and our legal bases (GDPR Art. 6)
| Purpose | Legal basis |
|---|---|
| Create and operate your account | Performance of a contract (Art. 6(1)(b)) |
| Show your presence/status to people you connect with | Performance of a contract (Art. 6(1)(b)) |
| Send connection/sync requests and notifications | Performance of a contract (Art. 6(1)(b)) |
| Keep the Service secure, prevent abuse and fraud | Legitimate interests (Art. 6(1)(f)) |
| Diagnose problems and improve the Service | Legitimate interests (Art. 6(1)(f)) |
| Process Premium subscription entitlements | Performance of a contract (Art. 6(1)(b)) |
| Send service/transactional emails | Performance of a contract / legitimate interests |
| Send optional marketing (if any) | Consent (Art. 6(1)(a)) |
| Comply with legal obligations | Legal obligation (Art. 6(1)(c)) |
Where we rely on legitimate interests, we have balanced them against your rights; you may object at any time (Section 13).
6. Who we share your data with
We do not sell your personal data. We share it only with:
- Other users, to the extent inherent in the Service: people you connect with can see your display name, photo, status/presence, and connection state. People can find you by name or @username in search.
- Service providers (processors) acting on our instructions under data-processing agreements:
- Supabase — database, authentication, and file storage hosting.
- RevenueCat — subscription/entitlement management for Premium.
- Expo — delivery of push notifications.
- Google Play (and the Apple App Store, where the app is made available) — app distribution and in-app purchase processing. Payment-card data is handled by the app stores, not by us.
- Authorities or third parties where required by law, court order, or to protect our rights, users, or the public.
- Successors in the event of a merger, acquisition, or asset sale, subject to this Policy.
7. International data transfers
We are based in Bulgaria (EU). Some providers may process data outside your country or the EEA. Where we transfer personal data internationally, we rely on an appropriate safeguard, such as transfers to countries with an EU adequacy decision; the European Commission’s Standard Contractual Clauses (SCCs) (and the UK Addendum / Swiss adaptations where relevant); or another lawful transfer mechanism. You may request a copy of the relevant safeguard by emailing support@myorbio.app.
8. How long we keep your data
- Account, profile, and connection data: for as long as your account is active.
- After you delete your account: we delete or irreversibly anonymise your personal data within 30 days, except where we must keep certain records longer to meet legal, tax, accounting, or dispute-resolution obligations (for accounting/tax records, up to the period required by Bulgarian law, which can be up to 10 years).
- Backups: residual copies in backups are deleted on our normal backup-rotation cycle.
- Logs: technical logs are kept for a limited period appropriate to security and diagnostics.
9. How we protect your data
We use technical and organisational measures appropriate to the risk, including encryption in transit (HTTPS/TLS), hashed passwords, access controls, row-level security on our database, and least-privilege access. No system is perfectly secure, so we cannot guarantee absolute security. If a personal-data breach is likely to result in a risk to your rights, we will notify the competent supervisory authority and, where required, you, in line with Articles 33–34 GDPR.
10. Your choices
- You can edit your display name, photo, and status in the app.
- You can change your email or password in Settings.
- You can control connections and unpin people at any time.
- You can delete your account (Settings → Account → Delete Account, or by contacting us).
11. Automated decision-making
We do not carry out automated decision-making that produces legal or similarly significant effects about you under Article 22 GDPR.
12. Cookies and local storage
On the web, MyOrbio uses browser storage that is strictly necessary to keep you logged in and to remember your preferences (such as theme). We do not use third-party advertising or tracking cookies. Where consent is legally required for any non-essential storage, we will ask for it.
13. Your rights
13.1 EU/EEA, UK, Bulgaria, Norway, France and other GDPR/UK-GDPR jurisdictions
You have the right to: access your data; rectify inaccurate data; erase data (“right to be forgotten”); restrict processing; data portability; object to processing based on legitimate interests or to direct marketing; and withdraw consent at any time without affecting prior lawful processing.
To exercise these rights, email support@myorbio.app. We respond within one month (extendable by two further months for complex requests). You also have the right to lodge a complaint with a supervisory authority — in Bulgaria, the Commission for Personal Data Protection (CPDP / КЗЛД), cpdp.bg — or the authority in your country of residence (e.g. CNIL in France, Datatilsynet in Norway).
13.2 Switzerland (revFADP)
If you are in Switzerland, the revised Federal Act on Data Protection gives you rights of access, correction, deletion, and objection broadly equivalent to those above. You may contact the Federal Data Protection and Information Commissioner (FDPIC).
13.3 United Arab Emirates (PDPL)
If you are in the UAE, you have rights to access, rectification, erasure, restriction of processing, data portability, and to object, and to lodge a complaint with the UAE Data Office, subject to the conditions and exemptions of the PDPL.
13.4 California (CCPA/CPRA)
If you are a California resident, you have the right to know what personal information we collect, to access and delete it, to correct it, and to opt out of “sale” or “sharing” of personal information. We do not sell or share your personal information as those terms are defined under the CPRA. We will not discriminate against you for exercising your rights.
13.5 Other jurisdictions
We aim to honour equivalent rights for users in other countries to the extent applicable law provides them. Contact us and we will do our best to assist.
14. Changes to this Policy
We may update this Policy from time to time. If we make material changes, we will notify you in the app or by email before they take effect. The “Last updated” date shows the latest revision. Continuing to use the Service after changes take effect means you accept the updated Policy.
15. Contact
Questions or requests about your privacy:
Petar Nikolushev (sole trader)
BULSTAT/UIC No. 181061688 · Bulgaria
Email: support@myorbio.app