LEGAL

Privacy Policy

How Orbex Data collects, uses, shares, and protects personal information when you use our logistics management platform, websites, and related services.

Effective date:
January 1, 2026
Posted:
January 1, 2026
Read time:
18 min

Introduction

Orbex Data, Inc. ("Orbex Data," "we," "us," or "our") provides a cloud-based logistics management platform for freight forwarders, third-party logistics providers (3PLs), shippers, and related supply chain professionals. This Privacy Policy describes how we handle personal information when you visit orbexdata.com, use app.orbexdata.com, interact with our APIs, or otherwise engage with our products and services (collectively, the "Services").

We process personal information to deliver shipment visibility, documentation workflows, carrier integrations, analytics, and collaboration tools that help logistics teams operate more efficiently. Because our customers often upload data about their own employees, customers, and shipment parties, this policy explains both how we handle information about direct users of the Services and how we process information on behalf of our business customers.

By accessing or using the Services, you acknowledge that you have read this Privacy Policy. If you use the Services on behalf of an organization, you represent that you have authority to bind that organization to this policy. Where we process personal information as a processor on behalf of a customer, our Data Processing Addendum and the customer's instructions govern that processing.

This policy does not apply to third-party websites, carrier portals, or logistics partners linked from the Services. Those parties maintain their own privacy practices.

Roles & Responsibilities

Orbex Data may act in different roles depending on the context of processing. When you create an account, subscribe to the Services, or contact us directly, we generally act as a controller (or business, under applicable U.S. state privacy laws) for the personal information we collect about you.

When a customer uploads shipment records, contact directories, billing details, or other business data into the platform, we typically process that information as a processor (or service provider) on the customer's behalf. In those cases, the customer determines the purposes and means of processing and is responsible for providing any required notices and obtaining any required consents from data subjects.

Controller vs. processor responsibilities

  • Orbex Data determines how we use account, billing, security, and product analytics data relating to administrators and authorized users.
  • Customers determine how they use shipment, consignee, driver, and commercial contact data entered into their tenant environment.
  • Customers must ensure they have a lawful basis to share personal information with Orbex Data and must not upload sensitive categories of data unless expressly permitted under their agreement.
  • Orbex Data implements technical and organizational measures described in this policy and in our Data Processing Addendum to protect all data processed through the Services.

If you are an individual whose information appears in a customer's workspace—for example, as a consignee, customs broker, or driver—and you have questions about how that information is used, please contact the organization that submitted the data. We will assist our customers in responding to valid requests where required by law.

Data We Collect

The personal information we collect depends on how you interact with the Services, your role within a customer organization, and the integrations you enable. We collect information directly from you, automatically through your use of the platform, and from third parties such as identity providers, payment processors, and logistics data partners.

We do not intentionally collect information from children under 16, and the Services are not directed to children. Customers should not upload children's personal information unless permitted by applicable law and necessary for legitimate logistics operations.

Categories of personal information
CategoryExamplesTypical source
Account & profileName, work email, job title, phone number, company name, password or SSO identifiers, profile photo, language and timezone preferencesProvided by you or your organization during signup, onboarding, or profile updates
Authentication & securityLogin timestamps, IP address, device identifiers, MFA tokens, session logs, audit trail entries, role and permission assignmentsGenerated when you access app.orbexdata.com or related APIs
Customer business dataShipment references, B/L numbers, consignee and shipper contacts, commercial invoices, customs data, carrier bookings, warehouse events, proof-of-delivery recordsUploaded or synced by customers, integrations, or EDI/API connections
CommunicationsSupport tickets, chat transcripts, email correspondence, feedback surveys, training session notesProvided when you contact us or participate in customer success programs
Billing & transactionsSubscription plan, payment method tokens, billing address, tax identifiers, invoice history, purchase order referencesProvided by account owners and processed through our payment partners
Usage & analyticsFeature interactions, page views, error reports, performance metrics, clickstream data, referral URLsCollected through cookies, SDKs, and server logs on our websites and application
Marketing preferencesNewsletter opt-ins, event registrations, campaign attribution, communication opt-out statusProvided by you through forms on orbexdata.com or partner events

Information from third parties

  • Single sign-on providers (such as Microsoft Entra ID, Google Workspace, or Okta) may share name, email, and group membership when your organization enables SSO.
  • Carrier, TMS, WMS, and visibility partners may transmit shipment status, location events, and reference data when you activate integrations.
  • Payment processors provide confirmation of successful charges and limited billing metadata; we do not store full payment card numbers on our servers.
  • Professional networking and lead enrichment services may supplement business contact details for sales outreach where permitted by law.

How We Use Data

We use personal information to provide, secure, and improve the Services, to communicate with users and prospects, and to comply with legal obligations. We process data only where we have a valid legal basis, such as contract performance, legitimate interests, consent, or legal requirement.

Primary purposes of processing

  • Provision and administration of accounts, workspaces, roles, and multi-tenant environments.
  • Execution of shipment tracking, documentation, exception management, reporting, and workflow automation requested by customers.
  • Authentication, fraud prevention, access control, incident detection, and maintenance of audit logs.
  • Customer support, onboarding, training, and troubleshooting of platform issues.
  • Billing, subscription management, tax calculation, and accounts receivable operations.
  • Product analytics, reliability monitoring, and development of new logistics features.
  • Marketing of Orbex Data products where permitted, including newsletters, webinars, and industry events, subject to your preferences.
  • Compliance with applicable laws, regulatory inquiries, and enforcement of our Terms of Service.

We may create aggregated or de-identified datasets derived from usage and operational data to analyze industry trends, benchmark performance, and improve routing algorithms. These datasets do not identify individuals or specific customers unless disclosed with appropriate safeguards and contractual restrictions.

We do not use customer business data uploaded to the platform to train generalized artificial intelligence models for unrelated third-party products. Any machine learning features offered within the Services are designed to operate within your tenant boundary or under explicit contractual terms.

How We Share Data

We share personal information only as described in this policy, as directed by our customers, or with your consent. We do not sell personal information, and we do not share personal information for cross-context behavioral advertising as those terms are defined under applicable U.S. state privacy laws.

Categories of recipients

  • Service providers and sub-processors that host infrastructure, deliver email, process payments, provide customer support tools, or perform security monitoring on our behalf.
  • Integration partners selected by customers, such as carriers, customs brokers, accounting systems, and visibility networks, when you enable those connections.
  • Professional advisors including lawyers, accountants, and insurers, under confidentiality obligations.
  • Affiliates within the Orbex Data corporate group for internal administration, subject to this policy.
  • Law enforcement, regulators, or other parties when required by law, court order, or to protect rights, safety, and integrity of the Services.
  • Successors in connection with a merger, acquisition, financing, or sale of assets, subject to continued protection of personal information.

Customers may configure user access within their organization and may share shipment data with external parties such as consignees, customs authorities, or partners through exports, portals, or API credentials. Orbex Data is not responsible for sharing initiated by customers outside the platform's access controls.

A current list of sub-processors used in delivering the Services is available in our Data Processing Addendum and may be updated with notice as described therein.

Security

We implement administrative, technical, and physical safeguards designed to protect personal information against unauthorized access, alteration, disclosure, or destruction. Our security program is aligned with industry practices for cloud SaaS providers serving regulated logistics and trade environments.

  • Encryption in transit using TLS 1.2 or higher for web and API traffic, and encryption at rest for databases and object storage containing customer data.
  • Role-based access controls, least-privilege principles, and multi-factor authentication for Orbex Data personnel accessing production systems.
  • Network segmentation, vulnerability management, penetration testing, and continuous monitoring of critical infrastructure.
  • Tenant isolation controls to separate customer environments in multi-tenant deployments.
  • Security awareness training for employees and contractors with access to customer information.
  • Incident response procedures, including customer notification where required by contract or law.

No method of transmission or storage is completely secure. While we strive to protect personal information, we cannot guarantee absolute security. You are responsible for maintaining the confidentiality of your credentials and for configuring appropriate access permissions within your organization.

Enterprise customers may request additional security documentation, including summaries of control frameworks, during procurement. Contact hello@orbexdata.com for trust and security materials.

International Transfers

Orbex Data is headquartered in the United States and may process personal information in the U.S. and in other countries where we or our service providers operate data centers or support functions. When personal information is transferred across borders, we implement appropriate safeguards consistent with applicable data protection laws.

For transfers of personal information originating from the European Economic Area, United Kingdom, or Switzerland to countries not recognized as providing an adequate level of protection, we rely on mechanisms such as the EU Standard Contractual Clauses, the UK International Data Transfer Addendum, or other lawful transfer tools incorporated into our Data Processing Addendum.

  • Customers may select preferred hosting regions where available under their subscription tier.
  • Sub-processors are contractually required to implement equivalent protection measures.
  • We assess government access requests and will challenge overbroad demands where permitted by law.
  • Transfer impact assessments may be conducted for high-risk processing activities and updated as regulatory guidance evolves.

By using the Services, you acknowledge that personal information may be transferred to and processed in countries other than your country of residence, which may have different data protection rules.

Retention

We retain personal information for as long as necessary to fulfill the purposes described in this policy, to meet contractual obligations with customers, and to comply with legal, tax, and regulatory requirements applicable to logistics and trade records.

General retention principles

  • Account and profile data is retained for the duration of the subscription and for a limited period thereafter to manage renewals, disputes, and legal holds.
  • Customer business data is retained according to the customer's subscription settings and Data Processing Addendum, and is deleted or returned upon contract termination unless longer retention is required by law or requested by the customer.
  • Security and audit logs may be retained for a defined period to support incident investigation and compliance obligations.
  • Marketing contact data is retained until you opt out or we determine the record is no longer relevant for business communications.
  • Backup copies may persist for a limited window before automated purging as part of disaster recovery processes.

Customers may configure retention policies for certain document types within the platform where supported. When retention periods expire, we delete or de-identify personal information using commercially reasonable methods, subject to technical limitations of archived backups.

Your Rights

Depending on your location and applicable law, you may have rights regarding your personal information. These rights may include access, correction, deletion, restriction, portability, objection, and withdrawal of consent where processing is consent-based.

  • Access: Request a copy of personal information we hold about you as a direct user of the Services.
  • Correction: Request correction of inaccurate or incomplete account or profile information.
  • Deletion: Request deletion of personal information, subject to exceptions for ongoing contracts, legal obligations, or legitimate business needs.
  • Portability: Receive certain information in a structured, commonly used, machine-readable format where technically feasible.
  • Objection: Object to processing based on legitimate interests, including direct marketing.
  • Restriction: Request that we limit processing in certain circumstances.
  • Complaint: Lodge a complaint with a supervisory authority in your jurisdiction.

To exercise rights relating to information we process as a controller, contact hello@orbexdata.com. We may verify your identity before responding and will reply within the timeframe required by applicable law. If we process your information on behalf of a customer, we will redirect your request to that customer where appropriate.

We will not discriminate against you for exercising privacy rights. Authorized agents may submit requests on your behalf where permitted by law and supported by valid proof of authorization.

California Residents

If you are a California resident, the California Consumer Privacy Act, as amended by the California Privacy Rights Act (collectively, "CCPA"), provides additional rights and requires specific disclosures about our collection and use of personal information.

Categories collected in the preceding 12 months

  • Identifiers such as name, email, account name, IP address, and online identifiers.
  • Commercial information such as subscription history and records of Services purchased.
  • Internet or network activity such as usage logs and interaction with the platform.
  • Professional or employment-related information such as job title and company affiliation.
  • Inferences drawn from usage data to improve product experience, where applicable.

We do not sell or share personal information for cross-context behavioral advertising. We do not use or disclose sensitive personal information for purposes other than those permitted by the CCPA. We retain personal information for the periods described in the Retention section.

California residents may submit verifiable consumer requests to know, delete, or correct personal information by emailing hello@orbexdata.com or by using any self-service privacy tools we make available. You may designate an authorized agent to submit requests on your behalf. We will not discriminate against you for exercising CCPA rights.

Children

The Services are designed for business use by logistics professionals and are not directed to individuals under 16 years of age. We do not knowingly collect personal information from children under 16 through orbexdata.com or app.orbexdata.com.

If we learn that we have collected personal information from a child under 16 without appropriate authorization, we will take steps to delete that information promptly. If you believe a child has provided personal information to us, contact hello@orbexdata.com.

Customers remain responsible for ensuring that any personal information they upload about minors complies with applicable laws and is limited to what is necessary for legitimate shipment or regulatory purposes.

Contact

If you have questions about this Privacy Policy or our privacy practices, contact us using the details below. We will respond to good-faith inquiries within a reasonable timeframe.

  • General inquiries: hello@orbexdata.com
  • Website: https://orbexdata.com
  • Application: https://app.orbexdata.com
  • Postal address: Orbex Data, F#08 st 10, RusseyKeo, Phnom Penh, Cambodia

For data protection inquiries from the European Economic Area or United Kingdom, you may contact us at hello@orbexdata.com. Where required, we will provide representative contact details in supplemental notices.

Changes

We may update this Privacy Policy from time to time to reflect changes in our Services, legal requirements, or industry practices. When we make material changes, we will post the updated policy on orbexdata.com/legal/privacy-policy and update the effective date at the top of this page.

Where required by law or contract, we will provide additional notice—such as email notification to account administrators or an in-app banner—before material changes take effect. Your continued use of the Services after the effective date of an updated policy constitutes acknowledgment of the changes, except where further consent is required.

We encourage you to review this policy periodically. Prior versions may be available upon request by contacting hello@orbexdata.com.

Questions about this policy? Contact us at hello@orbexdata.com.

Orbex Data · F#08 st 10, RusseyKeo, Phnom Penh, Cambodia

Trust & security on About →