Privacy Policy

Last updated: August 26, 2025

Introduction

SENTIENT MIND LTD ("we," "our," or "us") operates the Orbit application (the "Service"). This Privacy Policy informs you of our policies regarding the collection, use, and disclosure of personal data when you use our Service and explains your rights under applicable data protection laws, including the General Data Protection Regulation (GDPR).

Data Controller: SENTIENT MIND LTD
Contact: support@orbitscribe.ai
Data Protection Officer: Available upon request at support@orbitscribe.ai

Information We Collect

Personal Information

• Account Information: Email address, full name, company name
• Profile Information: Avatar image, industry, profession, preferences
• Authentication Data: Login credentials, session tokens
• Billing Information: Payment details, subscription status, invoicing address

Voice and Audio Data

• Audio Recordings: Voice recordings you create using the app
• Transcription Data: Text transcriptions generated from your audio recordings
• Recording Metadata: Timestamps, duration, tags, customer associations

Technical Information

• Device Information: Device type, operating system, unique device identifiers
• Usage Data: App interactions, feature usage, crash reports
• Performance Data: Audio quality metrics, processing times
• Cookies and Tracking: As detailed in our Cookie Policy

Legal Basis for Processing (GDPR Article 6)

For users in the European Union and other jurisdictions with similar data protection laws, we process your personal data under the following legal bases:

Contract Performance (Article 6(1)(b))

• Providing the transcription and audio processing services you've requested
• Managing your account and subscription
• Delivering customer support
• Processing payments and billing

Legitimate Interests (Article 6(1)(f))

• Improving our Service quality and functionality
• Ensuring security and preventing fraud
• Conducting analytics to understand service usage
• Developing new features based on user needs

Balancing Test: Our legitimate interests are balanced against your privacy rights, and we implement appropriate safeguards.

Consent (Article 6(1)(a))

• Marketing communications (where required)
• Optional features like AI summarization
• Non-essential cookies and tracking

Withdrawal: You can withdraw consent at any time without affecting the lawfulness of processing based on consent before withdrawal.

Legal Obligation (Article 6(1)(c))

• Complying with tax and accounting requirements
• Responding to lawful requests from authorities
• Meeting regulatory compliance obligations

Vital Interests (Article 6(1)(d))

• Protecting your vital interests or those of another person in emergency situations

How We Use Your Information

Primary Uses

• Service Provision: Process audio recordings and provide transcriptions
• Account Management: Create and manage your user account
• Data Synchronization: Sync your data across devices
• Customer Support: Respond to your inquiries and provide assistance

Service Improvement

• Analytics: Understand how our Service is used to improve functionality
• Performance Optimization: Enhance audio processing and transcription accuracy
• Feature Development: Develop new features based on usage patterns

Communications

• Service Updates: Notify you about important changes to our Service
• Support Communications: Respond to your requests and provide assistance
• Security Notifications: Alert you about security-related matters
• Marketing: With your consent, send promotional materials about our services

Data Processing and Storage

Audio Processing

• Cloud Processing: Audio recordings are processed using Cloudflare Workers AI
• Encryption: All audio data is encrypted during transmission (TLS 1.2+) and storage (AES-256)
• Global Processing: Audio may be processed in any region where our service providers operate
• Legal Safeguards: All processing protected by appropriate data protection agreements

Data Storage

• Secure Cloud Storage: Your data is stored on secure, encrypted cloud servers via Supabase
• Global Infrastructure: Data stored across multiple global regions for performance and reliability
• No Geographic Guarantees: We cannot guarantee data will remain in specific geographic regions
• Compliance Focus: We ensure appropriate legal safeguards regardless of data location
• Backup Systems: Regular encrypted backups ensure data availability and security
• Data Minimization: We only collect and store data necessary for service provision

Data Sharing and Disclosure

Third-Party Service Providers (Data Processors)

We may share your information with trusted third-party service providers who assist us in operating our Service. We ensure appropriate data protection safeguards are in place with all service providers:

Legal Requirements

We may disclose your information if required to do so by law or in response to valid requests by public authorities, following due process and notifying you where legally permitted.

Business Transfers

In the event of a merger, acquisition, or sale of assets, your information may be transferred as part of that transaction, subject to the same privacy protections.

International Data Transfers

GDPR Article 44-49 Compliance

• Global Processing: Your data may be processed in any country where our service providers operate
• Appropriate Safeguards: All international transfers are protected by:
  • Standard Contractual Clauses (SCCs): EU-approved contractual safeguards
  • Data Processing Agreements: Binding commitments from all processors
  • Adequacy Decisions: Where available for specific countries
• Transparency: We are transparent about the global nature of our processing

Transfer Impact Assessments

We conduct Transfer Impact Assessments (TIAs) to ensure adequate protection for international transfers and maintain GDPR compliance through legal safeguards rather than geographic restrictions.

Your Rights Under GDPR (Chapter III)

Right of Access (Article 15)

• Request confirmation of whether we process your personal data
• Obtain a copy of your personal data
• Receive information about processing purposes, categories, and recipients

Response Time: We aim to respond within 1 month (extendable by 2 months for complex requests)

Right to Rectification (Article 16)

• Correct inaccurate personal data
• Complete incomplete personal data

Implementation: We aim to reflect updates across all systems within 72 hours

Right to Erasure/"Right to be Forgotten" (Article 17)

Request deletion of your personal data when:

• No longer necessary for original purposes
• You withdraw consent
• Data has been unlawfully processed
• Required for legal compliance

Exceptions: We may retain data for legal obligations or legitimate interests

Right to Restrict Processing (Article 18)

• Limit how we use your data in specific circumstances
• Data marked for restriction is stored but not processed

Right to Data Portability (Article 20)

• Receive your data in a structured, commonly used format
• Transfer data directly to another controller where technically feasible

Formats Available: JSON, CSV, or other machine-readable formats

Right to Object (Article 21)

• Object to processing based on legitimate interests
• Object to direct marketing at any time

Implementation: We stop processing unless we demonstrate compelling legitimate grounds

Rights Related to Automated Decision-Making (Article 22)

• Not be subject to solely automated decision-making with legal effects

Current Practice: We do not engage in automated decision-making that significantly affects users

How to Exercise Your Rights

• Email: support@orbitscribe.ai
• Response Time: We aim to respond within 1 month of receipt
• Verification: We may request identity verification for security
• Free of Charge: Generally free, but we may charge for excessive or repetitive requests

Data Retention (GDPR Article 5(1)(e))

Retention Periods

• Account Data: Retained while your account is active plus 30 days after deletion
• Audio Recordings:
  • Free Plan: 3 months
  • Pro Plan: 6 months
  • Enterprise: 12 months (customizable)
• Transcription Data: Same as audio recordings
• Billing Records: 7 years for tax and accounting purposes
• Support Communications: 3 years
• Marketing Data: Until consent is withdrawn plus 30 days

Automated Deletion

• Data is deleted according to retention schedules
• We aim to provide notifications before deletion where possible
• We aim to provide a grace period for data recovery after account deletion

Data Security (GDPR Article 32)

Technical Measures

• Encryption: AES-256 at rest, TLS 1.2+ in transit
• Access Controls: Role-based access with multi-factor authentication
• Network Security: Firewalls, intrusion detection, and monitoring
• Secure Development: Automated security scanning and code reviews

Organizational Measures

• Access Limitation: Strict need-to-know basis for data access
• Incident Response: Established procedures for security incidents

Regular Security Assessments

• Vulnerability Scanning: Continuous automated scanning
• Security Audits: Regular internal and external audits
• Compliance Reviews: Quarterly GDPR compliance assessments

Data Breach Notification (GDPR Articles 33-34)

Authority Notification (Article 33)

• Timeline: Within 72 hours of becoming aware of a breach
• Supervisory Authority: Relevant EU data protection authority
• Information Provided: Nature, categories, approximate numbers, consequences, and measures taken

Individual Notification (Article 34)

• High Risk Breaches: Direct notification to affected individuals
• Timeline: Without undue delay
• Content: Clear description of breach, contact details, likely consequences, and mitigation measures

Breach Response Plan

1. Detection and Assessment: Immediate containment and impact assessment
2. Documentation: Detailed breach register maintained
3. Notification: Authorities and individuals notified as required
4. Remediation: Immediate steps to address vulnerabilities
5. Review: Post-incident analysis and process improvements

Privacy by Design and Default (GDPR Article 25)

Data Protection by Design

• Built-in Privacy: Privacy considerations integrated into system design
• Proactive Measures: Anticipating and preventing privacy invasions
• Default Settings: Most privacy-friendly settings as default
• Lifecycle Protection: Privacy measures throughout data lifecycle

Data Protection by Default

• Minimal Data Processing: Only necessary data processed by default
• Limited Purpose: Data processed only for specified purposes
• Restricted Access: Data accessible only to authorized personnel
• Short Retention: Shortest retention periods by default

Children's Privacy

Our Service is not intended for children under 16 years of age (or the applicable age of digital consent in your jurisdiction). We do not knowingly collect personal information from children. If you become aware that a child has provided us with personal information, please contact us immediately.

Supervisory Authority Rights

Your Right to Lodge a Complaint

If you believe we have not handled your personal data in accordance with GDPR, you have the right to lodge a complaint with:

• Your Local Supervisory Authority: The data protection authority in your EU member state
• Lead Supervisory Authority: Information Commissioner's Office (ICO) in the UK
• Contact Information: Available at https://edpb.europa.eu/about-edpb/board/members_en

Our Cooperation

We commit to cooperating fully with supervisory authorities and implementing any required corrective measures promptly.

Changes to This Privacy Policy

Notification Process

• Material Changes: 30 days advance notice via email and in-app notification
• Minor Updates: Notice on our website and updated "Last updated" date
• Continued Use: Constitutes acceptance of changes unless you object

Version Control

• Previous versions available upon request
• Change log maintained for transparency

Contact Information

Data Protection Inquiries

• Email: support@orbitscribe.ai
• Subject Line: "Privacy/GDPR Inquiry"
• Response Time: We aim to provide an initial response within 72 hours

Data Protection Officer

• Availability: Upon request for complex privacy matters
• Contact: Via support@orbitscribe.ai with subject "DPO Request"

Company Information

SENTIENT MIND LTD
Registration: 16234530
Address: 20 Wenlock Road, London, England, N1 7GU
Email: support@orbitscribe.ai

Zoom Integration Addendum

Last updated: January 15, 2025

SENTIENT MIND LTD ("Sentient Mind", "we", "our") offers an optional Zoom Integration for its Orbit Scribe product ("Orbit") that lets you pull your cloud meetings into Orbit for transcription and summarisation. This addendum describes, in plain English, how that integration handles your data. It complements—does not replace—our main Privacy Policy.

1. Permissions we request from Zoom

• cloud_recording:read:list_recording_files – list the files that belong to each completed cloud recording so we can choose the audio track.
• cloud_recording:read:recording – download the selected audio (M4A) and any Zoom-generated transcript (VTT).
• user:read:user – know which Zoom user connected, show "Connected as ..." and route the recording to the right Orbit workspace.

2. Data we import & why

We do not access Zoom chat, video tracks, or participant lists.

3. How long we keep Zoom data

• Default – no longer than 12 months after import.
• Free / Pro plans – shorter default windows (3 / 6 months).
• Enterprise – you set the window or request on-demand deletion.
• You can also delete any individual recording at any time from within Orbit.

When you disconnect Orbit from Zoom, we revoke all OAuth tokens immediately and erase associated Zoom data within 10 days.

4. Where the data lives & how we protect it

• Global Infrastructure – Data stored and processed across multiple global regions
• Legal Protections – Comprehensive data protection agreements with all processors
• Encryption – TLS 1.2+ in transit; AES-256 at rest.
• Access control – employee access is role-based and limited to those who need it.
• Secure development – automated dependency scanning, static analysis, and third-party security reviews.
• Incident response – we'll notify affected customers within 48 hours of any confirmed data breach.
• Compliance – GDPR-level protections applied worldwide

5. Trusted service providers (sub-processors)

We regularly review these vendors for security & privacy compliance. If we change the list, we'll update this page and, where required, notify admins in advance.

6. Your choices & rights

• Disconnect Zoom at any time from Settings → Integrations. We revoke tokens instantly and purge Zoom data within 10 days.
• Delete or download any recording from its menu in Orbit.
• Ask us anything – email support@orbitscribe.ai to access, correct, or erase your personal data.

Questions? Email support@orbitscribe.ai and we'll respond promptly.

Google Meet Integration Addendum

Last updated: January 15, 2025

SENTIENT MIND LTD offers an optional Google Meet Integration for its Orbit Scribe product that automatically imports your Google Meet transcripts and allows optional audio file import. This addendum describes how that integration handles your data and complements our main Privacy Policy.

1. Permissions we request from Google

• openid, email, profile – identify your Google account and show "Connected as ..." in your Orbit workspace.
• meetings.space.readonly – access your Google Meet transcripts and meeting metadata.
• drive.file – access only to audio/video files you explicitly select through our file picker.

2. Data we import & why

We only access audio/video files that you explicitly select through our Google Drive file picker. We do not have access to your broader Google Drive files or other Google Meet recordings unless you specifically choose them.

3. How long we keep Google Meet data

• Default – no longer than 12 months after import.
• Free / Pro plans – shorter default windows (3 / 6 months).
• Enterprise – you set the window or request on-demand deletion.
• You can delete any individual transcript or audio file at any time from within Orbit.

When you disconnect Orbit from Google Meet, we revoke all OAuth tokens immediately and erase associated Google Meet data within 10 days.

4. Where the data lives & how we protect it

• Global Infrastructure – Data stored and processed across multiple global regions (transcripts, audio files, metadata)
• Encryption – TLS 1.2+ in transit; AES-256 at rest.
• Access control – employee access is role-based and limited to those who need it.
• Secure development – automated dependency scanning, static analysis, and third-party security reviews.
• Incident response – we'll notify affected customers within 48 hours of any confirmed data breach.

5. Trusted service providers (sub-processors)

We regularly review these vendors for security & privacy compliance. Audio files are never sent to external processing services – they remain securely stored in our global infrastructure with appropriate legal safeguards and GDPR-level protections worldwide.

6. Your choices & rights

• Disconnect Google Meet at any time from Integrations. We revoke tokens instantly and purge Google Meet data within 10 days.
• Control automatic AI summarization – toggle off to prevent transcript text from being sent to OpenAI for processing.
• Delete or download any transcript or audio file from its menu in Orbit.
• Audio file selection – you have complete control over which (if any) audio files to import from your Google Drive.
• Ask us anything – email support@orbitscribe.ai to access, correct, or erase your personal data.

Questions? Email support@orbitscribe.ai and we'll respond promptly.