Orbit

Privacy Policy

Last updated: 2026-05-21

What we collect

  • Account data: business name, contact email, hashed password (managed by Supabase Auth).
  • PayMongo credentials: your API keys are encrypted at rest with AES-256-GCM and never logged.
  • Transaction metadata: machine ID, slot, product code, price, PayMongo payment IDs, status. We do not see card numbers or e-wallet credentials — those go directly to PayMongo.
  • Operational logs: request timestamps, IPs, error traces. Retained 30 days for debugging and abuse prevention.

How we use it

  • To operate your machines and process payments.
  • To send transactional emails (verification, password reset, billing).
  • To detect abuse, fraud, and platform misuse.
  • To meet record-keeping obligations under Philippine law.

Who we share it with

  • PayMongo: for payment processing.
  • Supabase: our database and authentication provider.
  • Render: hosting infrastructure.
  • Inngest: background job queueing.

We do not sell or rent your data to anyone, ever.

Your rights (DPA 2012)

Under the Philippine Data Privacy Act, you can request access to, correction of, or deletion of your personal data. Email zandreetresvalles22@gmail.com with the request. We respond within 15 business days.

End-customer data

QR scanners at vending machines are anonymous end-customers. We don't collect their names, phone numbers, or location — only the payment amount and PayMongo's payment reference. PayMongo holds whatever the end-customer authenticated with (GCash, Maya, etc.) under its own policy.

Cookies

We use a single session cookie to keep you signed in. No third-party tracking or analytics cookies.

Contact

Privacy questions or DPA requests: zandreetresvalles22@gmail.com.

This is a v1 plain-language Privacy Policy aligned with the PH Data Privacy Act of 2012. It is not legal advice. Before launching to paying customers, have a PH lawyer review.