Privacy Policy

Last updated: April 7, 2026

Orbit Verse ("we", "our", or "Orbit") operates the Orbit mobile application. This Privacy Policy describes how we collect, use, share, and protect your personal information when you use our service.

By creating an account or using Orbit, you consent to the collection and use of information in accordance with this policy. If you do not agree, do not use the service.

1. Definitions

• "Personal Data": any information relating to an identified or identifiable natural person, as defined by Brazilian Law No. 13,709/2018 (LGPD).
• "Processing": any operation performed with personal data, such as collection, production, reception, classification, use, access, reproduction, transmission, distribution, processing, archiving, storage, deletion, evaluation, or control of information.
• "Data Subject": the natural person to whom the personal data refers.
• "Controller": Orbit Verse, the legal entity responsible for decisions regarding the processing of personal data.

2. Personal Data Collected

2.1. Data provided by you:

• Name and surname
• Date of birth (for age calculation and majority verification)
• CPF (encrypted, for fraud prevention and duplicate account detection)
• Gender and gender interest
• City of residence
• Profession
• Profile and gallery photos
• Content of messages sent to other users

2.2. Automatically collected data:

• Geographic location data (latitude, longitude, and altitude, collected EXCLUSIVELY at the moment of check-in, never in the background)
• IP address
• Device identifier
• Operating system and app version
• Date and time of access
• Usage and navigation data within the application

2.3. Third-party data:

• Authentication information via Apple ID or Google (name and email)
• Transaction data processed by the Apple App Store (we have no access to credit card data)

2.4. Sensitive data:

Orbit collects gender and gender interest data for the purpose of compatibility between users. This data is processed based on the explicit consent of the data subject.

3. Legal Basis for Processing (LGPD Art. 7)

We process your data based on the following legal grounds:

• Consent of the data subject (Art. 7, I): for collection of profile, location, and preference data
• Contract performance (Art. 7, V): for providing the contracted service
• Regular exercise of rights (Art. 7, VI): for defense in judicial or administrative proceedings
• Legitimate interest (Art. 7, IX): for fraud prevention, platform security, and service improvement
• Compliance with legal obligation (Art. 7, II): for responding to court orders and requests from authorities

4. Purposes of Processing

We use your personal data to:

• Create and manage your account
• Validate your location at the moment of check-in
• Display your profile to other compatible users at the same venue
• Calculate and display your age (from date of birth)
• Prevent fraud, fake accounts, and platform abuse
• Detect location falsification (GPS spoofing)
• Process subscriptions and payments
• Send relevant notifications (matches, likes, security alerts)
• Respond to support requests
• Comply with legal and regulatory obligations
• Improve the quality and security of the service

5. Data Sharing

5.1. With other users:

Your first name, age, city, profession, and photos are visible to other users at the same location. Sensitive data such as CPF, phone, full address, and exact date of birth are NEVER shared with other users.

5.2. With service providers:

• Supabase (infrastructure and database)
• Apple App Store (payment processing)
• RevenueCat (subscription management)
• Google Places API (venue information)
• Resend (transactional email delivery)

5.3. With authorities:

We may share personal data upon court order, police request, or determination of the National Data Protection Authority (ANPD).

5.4. We do NOT sell, rent, or trade your personal data to third parties for marketing or advertising purposes.

6. Storage and Security

6.1. Your data is stored on secure servers operated by Supabase, with encryption in transit (TLS/SSL) and at rest.

6.2. Security measures implemented:

• CPF encrypted with pgcrypto (symmetric encryption)
• Row Level Security (RLS) on all sensitive tables
• Mandatory authentication on all server functions
• Rate limiting for abuse prevention
• GPS spoofing detection (altitude, accuracy, impossible velocity)
• Protection against data scraping
• Audit logs for administrative actions

6.3. No system is 100% secure. Although we employ adequate technical and organizational measures to protect your data, we cannot guarantee absolute security against unauthorized access.

7. Data Retention

• Active profile data: maintained while the account exists
• Check-in history: up to 2 years after the check-in
• Messages: up to 2 years after sending
• Photos: up to 2 years after upload or until deleted by the account
• Security and fraud logs: up to 5 years (legitimate interest and legal obligation)
• Financial transaction data: up to 5 years (tax obligation)
• After account deletion: personal data is anonymized or eliminated within 30 days, except when there is a legal obligation for retention

8. Data Subject Rights (LGPD Art. 18)

You have the right to:

• Confirmation of the existence of processing
• Access your personal data
• Correction of incomplete, inaccurate, or outdated data
• Anonymization, blocking, or deletion of unnecessary data or data processed in non-compliance
• Data portability to another service provider
• Deletion of data processed based on consent
• Information about sharing of data with third parties
• Information about the possibility of not providing consent and its consequences
• Revocation of consent at any time

8.1. To exercise your rights, send a request to: suporte@orbitverse.io

8.2. Response time: up to 15 (fifteen) business days, in accordance with Art. 19 of the LGPD.

9. Minors' Data

Orbit is exclusively intended for persons over 18 years old. We do not intentionally collect data from minors under 18. If we become aware that data from a minor has been collected, we will proceed with immediate deletion.

10. International Data Transfer

Your data may be transferred to servers located outside Brazil (Supabase operates on global infrastructure). This transfer is carried out based on Art. 33 of the LGPD, through standard contractual clauses and adequate protection guarantees.

11. Cookies and Similar Technologies

The Orbit application does not use cookies. Device identifiers and session tokens may be used for authentication and security purposes.

12. Data Protection Officer (DPO)

The Data Protection Officer can be contacted via email: suporte@orbitverse.io

13. Changes to this Policy

We may update this Privacy Policy periodically. We will notify you of significant changes through an in-app notice or by email. Continued use of the service after changes are published constitutes acceptance of them.

14. Contact

For questions, requests, or complaints regarding this Privacy Policy:

Email: suporte@orbitverse.io

General support email: suporte@orbitverse.io

15. Applicable Legislation

This Privacy Policy is governed by Brazilian law, in particular Law No. 13,709/2018 (LGPD), the Consumer Protection Code (Law No. 8,078/1990), and the Brazilian Internet Civil Framework (Law No. 12,965/2014).