Privacy Policy

Orbit (the "Service") is a Solana-only token launch and trading terminal operated by Orbit Deployer ("Orbit", "we", "us"). This Privacy Policy explains what data we collect, how we use it, and the rights you have over it. By using the Service you agree to the practices described here.

Orbit is browser-first. The majority of user data — wallet secrets, trade history, launch configurations — is generated and stored on your own device, encrypted under a key derived from your Discord identity. The server only sees the encrypted ciphertext.

1. Information we collect

We collect only the minimum data required to operate the Service:

• Discord identity. When you sign in via the /key slash command, we receive your Discord user ID and username. These are used to authenticate your session and to derive your encryption key. We do not request access to your Discord email, friends list, servers, or any other Discord data.
• Invite-code identity. If you sign in with an invite code instead of Discord, we generate a synthetic identifier tied to that code. We do not collect any additional personal information at sign-in.
• Encrypted state blob. To enable cross-device sync, your browser uploads an AES-256-GCM-encrypted copy of your local state (wallets, drafts, launch records) to our Supabase database, keyed by your Discord ID. The encryption key is derived in your browser; the server never sees it in plaintext.
• On-chain activity. Every Solana transaction you sign through Orbit is, by the nature of the public blockchain, visible to anyone. We do not control that visibility. Wallets you generate inside Orbit will appear on-chain explorers like Solscan, Solana FM, or DexScreener.
• Server logs. Our hosting provider (Vercel) records standard request metadata: IP address, user agent, request path, response status. We use these logs to debug outages and detect abuse. We do not sell or share these logs.

2. Information we do NOT collect

• We do not request or store your real name, postal address, or phone number.
• We do not collect KYC information. Orbit is non-custodial.
• We do not have access to your wallet private keys in plaintext. They are encrypted in your browser and never transmitted to our servers in unencrypted form.
• We do not run third-party analytics, advertising, or fingerprinting scripts.

3. How we use the information

• Authentication. Your Discord ID identifies the session; the derived KMS key encrypts your local state.
• State synchronization. Your encrypted blob is fetched on login and updated when your local state changes, so you can sign in from any device and keep your wallets.
• Service operation. Server logs are used solely to keep the Service running, debug incidents, and identify abuse (e.g. denial-of-service traffic).
• Trade execution. Transactions are signed in your browser and submitted to public Solana RPC endpoints (publicnode.com by default). Orbit does not see the transaction body before it hits the network.

4. Third-party services we depend on

The Service uses these providers in normal operation:

• Discord — for the /key sign-in interaction. See Discord's privacy policy for how they handle interaction metadata.
• Vercel — hosts the application and serves request logs to us.
• Supabase — stores the encrypted state blobs. Supabase has no access to the decryption key and cannot read your data.
• Solana RPC providers (publicnode.com, Helius, etc.) — process the transactions you sign. The transaction is broadcast publicly to the chain.
• GeckoTerminal & DexScreener — used for on-chain price + activity data. Read-only; no personal data is sent.
• Pinata (IPFS) — used to host token metadata + images you upload when creating a launch. Uploaded content is public and may be served by any IPFS gateway.
• TradingView — chart rendering library. No personal data is sent to TradingView beyond standard request metadata.
• TweetScout — used by the X Tracker feature to poll for public tweets mentioning a token. No personal data is sent.

5. How we secure your data

• End-to-end encryption of wallet secrets. The decryption key never leaves your browser.
• HTTPS for every connection. Vercel terminates TLS at the edge.
• Row-level security on the Supabase database. Only the service-role key (held by our backend) can read or write your blob; anonymous keys cannot.
• No long-lived secrets stored in plaintext on our servers, except for the bot secret used to derive KMS seeds (a single Vercel-managed env var).

6. Data retention

Your encrypted state blob persists until you delete it. You can sign out at any time, which leaves the blob on the server but removes the local key from your browser. To request full deletion of your encrypted blob, email support@orbitaldeployer.com from the Discord-linked account, and we will remove the row.

7. Your rights (GDPR / CPRA)

• Access. You can request a copy of the data we hold about you.
• Erasure. You can request deletion of your encrypted state blob from our database.
• Portability. Your local state can be exported as a JSON backup from Settings → Data at any time without contacting us.
• Objection. You can object to any of our processing activities by ceasing to use the Service.

For any of the above, write to support@orbitaldeployer.com.

8. Children

Orbit is not directed at users under 18. We do not knowingly collect personal data from minors. If you believe a minor has registered, contact us and we will delete the data.

9. Changes to this policy

We may update this Privacy Policy as the Service evolves. Material changes will be flagged with an updated date at the top of this page. Continued use after a change constitutes acceptance.

10. Contact

Questions or requests about this policy: support@orbitaldeployer.com.