Privacy Policy

This Privacy Policy describes how White Blink Private Limited (“Company,” “we,” “us,” or “our”), operating the product Orbit Hunt (accessible at app.orbithunt.com and related domains), collects, uses, stores, and protects information. Orbit Hunt is a product developed under the Latbase initiative of White Blink Private Limited.

This policy applies to two distinct categories of individuals:

• Customers — individuals or organizations that register for an Orbit Hunt account and use the platform to monitor their own websites.
• End Users (Website Visitors) — individuals who visit websites operated by our Customers, where our tracking script may be deployed.

By using Orbit Hunt, Customers acknowledge and agree to this Privacy Policy. End Users should refer to the privacy policy of the website they are visiting for information on how that website uses session recording tools such as Orbit Hunt.

It is important to understand the distinction between our role and our Customers’ role with respect to End User data:

• Our Customers are the Data Controllers. They decide to install Orbit Hunt’s tracking script on their websites. They determine the purpose and means of processing End User data. They are responsible for obtaining any necessary consent from End Users, providing privacy notices, and ensuring their use of Orbit Hunt complies with applicable data protection laws.
• Orbit Hunt is the Data Processor. We process End User data solely on behalf of and under the instructions of our Customers. We do not independently decide what End User data to collect, how to use it, or to whom it is disclosed. We provide the technical infrastructure that enables our Customers to record and analyze visitor sessions on their own websites.

For Customer account data (registration details, billing, etc.), Orbit Hunt acts as the Data Controller.

We use automated systems, including large language models (LLMs), to analyze the structure of our Customers’ web pages in order to identify page sections and calls-to-action. This analysis is used to generate meaningful behavioral metrics for our Customers.

What is sent to the LLM: Only the stripped HTML structure of the Customer’s webpage — specifically the DOM layout, headings, and button/link elements. This is the Customer’s own published website content.

What is NOT sent to the LLM: No End User data is ever sent to any LLM. This includes: no session recordings, no click events, no scroll data, no IP addresses, no form inputs, no personal data of any kind. The LLM never processes any End User behavioral data.

All behavioral metrics (engagement scores, scroll depth, CTA clicks, etc.) are computed by our own deterministic algorithms running on our infrastructure, without any external AI service involvement.

All data is stored and processed on secure cloud infrastructure located in the European Union. This includes:

• Databases — encrypted relational databases containing Customer account data and session metadata.
• Object Storage — encrypted cloud storage for session recording event files.
• Compute — serverless and managed compute services for automated session analysis and application hosting.
• Email — managed email delivery service for transactional emails.

We do not store data in regions outside of the EU unless explicitly requested or required for service delivery.

We implement the following technical and organizational measures to protect data:

• Password Security — Customer passwords are securely hashed with a cryptographic salt. We never store, log, or transmit plaintext passwords.
• Authentication — API access is secured using cryptographically signed tokens with time-limited expiry.
• IP Anonymization — End User IP addresses are truncated to CIDR block format before storage, removing individually identifying information.
• PII Detection in URLs — URL parameters that may contain personal data are detected and anonymized using one-way HMAC hashing before storage.
• Form Input Masking — All form field values are masked at the point of capture (client-side) before any data is transmitted to our servers.
• Authorization Header Exclusion — Authentication tokens are stripped from audit logs.
• Encrypted Transit — All data in transit is encrypted using TLS/HTTPS.
• Encrypted Storage — Data at rest is encrypted using industry-standard encryption.
• Role-Based Access Control — Organization members are assigned roles (Admin, Member, Viewer) with appropriate permission levels.
• Email Enumeration Prevention — Password reset and similar endpoints do not disclose whether an email address exists in our system.

Orbit Hunt provides Customers with configurable consent modes for their tracking scripts:

• Disabled — no consent mechanism; recording begins automatically. The Customer is responsible for ensuring this is permissible under applicable law (e.g., when recording is based on legitimate interest).
• Explicit Consent — a consent prompt is shown to End Users before recording begins. Recording only starts if the End User provides affirmative consent.
• Informational — an informational notice is displayed to End Users indicating that the session may be recorded.

It is the Customer’s responsibility to select and configure the appropriate consent mode for their jurisdiction and use case, and to ensure compliance with applicable laws such as the GDPR, ePrivacy Directive, CCPA, and others.

As Data Controllers, our Customers are responsible for:

• Obtaining any legally required consent from End Users before deploying the Orbit Hunt tracking script.
• Including appropriate disclosures about session recording in their own privacy policy.
• Configuring the appropriate consent mode in their Orbit Hunt tracker settings.
• Ensuring that the pages where the tracking script is deployed do not expose sensitive personal data in the DOM (e.g., in visible text or non-input elements) beyond what is reasonably expected.
• Responding to End User data subject requests (access, deletion, etc.) and notifying us if our assistance is required to fulfill such requests.
• Complying with all applicable data protection laws in the jurisdictions where their End Users are located.

We use the following third-party services in the operation of Orbit Hunt:

• Cloud Infrastructure Provider — for compute, storage, database hosting, and email delivery. Acts as a sub-processor. Data is processed in the EU.
• Email Validation Provider — used to verify deliverability of email addresses. Only the email address is shared with this service. This is used for Customer email addresses, not End User data.
• AI/LLM Provider — used solely for analyzing the HTML structure of Customer web pages (not End User data). Only the published HTML content of the Customer’s website is processed. No personal data, behavioral data, or End User data is shared.

We do not share, sell, rent, or trade any personal data with third parties for their own marketing or commercial purposes.

• Customer Account Data — retained for as long as the Customer maintains an active account. Upon account deletion, account data will be removed in accordance with our data deletion procedures.
• End User Session Recordings — retained for the duration of the Customer’s active subscription and in accordance with the Customer’s data retention settings (where available). Customers may request deletion of session data at any time.
• Audit and Security Logs — retained for a reasonable period necessary for security, fraud prevention, and legal compliance.
• Authentication Tokens — password reset tokens expire after 60 minutes; email verification tokens expire after 24 hours. Expired tokens are not usable.

Our primary infrastructure is located in the European Union. Data may be transferred to or accessed from other jurisdictions in the following limited circumstances:

• When our team members access data for the purposes of providing support, maintenance, or platform operations.
• When third-party sub-processors (as listed in Section 10) process data in accordance with their own data processing agreements.

Where data is transferred outside the EEA, we rely on appropriate safeguards such as Standard Contractual Clauses (SCCs) or adequacy decisions as required by applicable law.

For the purposes of the EU General Data Protection Regulation (GDPR):

• Customer Data — we process Customer account data as a Data Controller, relying on the legal bases of contract performance (Article 6(1)(b)) and legitimate interest (Article 6(1)(f)).
• End User Data — we process End User session data as a Data Processor on behalf of our Customers. The legal basis for processing is determined by the Customer (Data Controller) and may include consent (Article 6(1)(a)) or legitimate interest (Article 6(1)(f)), depending on the Customer’s configuration and jurisdiction.

We are committed to entering into Data Processing Agreements (DPAs) with Customers upon request, which outline the scope, nature, and purpose of processing, as well as the obligations and rights of each party.

For the purposes of the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA):

• We act as a Service Provider with respect to End User data, processing it solely on behalf of our Customers (the “Businesses”).
• We do not sell personal information of End Users or Customers.
• We do not share personal information for cross-context behavioral advertising.
• California residents who are Orbit Hunt Customers may exercise their rights under the CCPA by contacting us at the address below.

Orbit Hunt is a business-to-business service and is not intended for use by children under the age of 16 (or such other age as defined by applicable law). We do not knowingly collect personal data from children. If we become aware that we have collected data from a child, we will take steps to delete it promptly. Our Customers are responsible for ensuring their websites comply with applicable child protection laws (such as COPPA) before deploying the Orbit Hunt tracking script.

In the event of a personal data breach that is likely to affect the rights and freedoms of individuals, we will:

• Notify affected Customers without undue delay and within the timeframes required by applicable law.
• Provide Customers with information necessary to meet their own data breach notification obligations to supervisory authorities and affected End Users.
• Cooperate with Customers and relevant authorities in investigating and remediating the breach.

While we implement industry-standard technical and organizational measures to protect data as described in this policy, no system is completely secure. We provide our services “as is” and do not guarantee that unauthorized access, data loss, or security incidents will never occur. Our liability is limited to the extent permitted by applicable law and as further specified in our Terms of Service.

Customers are solely responsible for the lawful deployment and use of the Orbit Hunt tracking script on their websites, including but not limited to: obtaining required consents, displaying required notices, and ensuring compliance with applicable privacy laws. Orbit Hunt shall not be liable for any Customer’s failure to comply with their obligations as Data Controllers.

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. When we make material changes, we will:

• Update the “Last updated” date at the top of this page.
• Notify Customers via email or an in-app notification for significant changes.

Continued use of Orbit Hunt after changes are posted constitutes acceptance of the updated policy.

This Privacy Policy shall be governed by and construed in accordance with the laws of India, without regard to conflict of law principles. Any disputes arising out of or relating to this Privacy Policy shall be subject to the exclusive jurisdiction of the courts located in India.

If you have questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:

White Blink Private Limited

Operating as Orbit Hunt (under the Latbase initiative)

Email: privacy@orbithunt.com

© 2026 Orbit Hunt — a product by White Blink Private Limited. All rights reserved.