1. Introduction
This Privacy Policy describes how White Blink Private Limited (“Company,” “we,” “us,” or “our”), operating the product Orbit Hunt, collects, uses, stores, and protects information. Orbit Hunt is a product developed under the Latbase initiative of White Blink Private Limited.
This policy covers the following Orbit Hunt surfaces:
- Marketing Site — the public-facing website at orbithunt.com (and subdomains other than app.orbithunt.com) that describes the product and supports signup.
- Product Dashboard — the authenticated application at app.orbithunt.com used by Customers to manage trackers, view recordings, and configure their organization.
- Tracking Script & Events API — the JavaScript snippet and HTTP API that Customers install or call from their own websites and backends to send session and event data to Orbit Hunt.
This policy applies to two distinct categories of individuals:
- Customers — individuals or organizations that register for an Orbit Hunt account and use the platform to monitor their own websites and customer journeys.
- End Users (Website Visitors) — individuals who visit websites operated by our Customers, where our tracking script may be deployed or where customer events may be submitted to Orbit Hunt via the Events API.
By using Orbit Hunt, Customers acknowledge and agree to this Privacy Policy. End Users should refer to the privacy policy of the website they are visiting for information on how that website uses session recording and customer-event tools such as Orbit Hunt.
2. Our Role: Data Processor, Not Data Controller
It is important to understand the distinction between our role and our Customers’ role with respect to End User data:
- Our Customers are the Data Controllers. They decide to install Orbit Hunt’s tracking script on their websites. They determine the purpose and means of processing End User data. They are responsible for obtaining any necessary consent from End Users, providing privacy notices, and ensuring their use of Orbit Hunt complies with applicable data protection laws.
- Orbit Hunt is the Data Processor. We process End User data solely on behalf of and under the instructions of our Customers. We do not independently decide what End User data to collect, how to use it, or to whom it is disclosed. We provide the technical infrastructure that enables our Customers to record and analyze visitor sessions on their own websites.
For Customer account data (registration details, billing, etc.), Orbit Hunt acts as the Data Controller.
3. Information We Collect
3.1 Customer Account Data (Data Controller)
When you register for an Orbit Hunt account, we collect:
- First name and last name
- Email address
- Phone number (optional)
- Company name and designation (optional)
- Country
- Password (stored only in securely hashed form; we never store plaintext passwords)
- Organization details (name, city, state, country)
- Timezone and theme preferences
3.2 End User Session Data (Data Processor)
When our Customer’s tracking script is active on their website, the following data may be collected from End Users visiting that website:
- DOM Snapshots — structural snapshots of the webpage as rendered in the browser (used for session replay).
- User Interactions — mouse clicks, scroll events, mouse movements, viewport resize events, and input events on form fields (the content of those input fields is masked, as described in Section 3.4).
- Page URL — the URL of the page being visited (URL parameters containing potential personal data are anonymized via one-way hashing before storage).
- IP Address — stored in anonymized CIDR block format (e.g., the last octet is removed), not as a full IP address.
- Approximate Geolocation — city-level location derived from the anonymized IP address.
- Browser and Device Information — device type (desktop, mobile, tablet), browser type, and operating system.
- Referrer URL and UTM Parameters — for traffic source attribution.
- Web Performance Metrics — Largest Contentful Paint (LCP), Cumulative Layout Shift (CLS), First Input Delay (FID), and Time to First Byte (TTFB).
- Session Timing — session start and end timestamps, total duration.
3.3 Customer-Submitted Event Data (Data Processor)
In addition to data captured by the tracking script, Customers may submit their own customer-event data to Orbit Hunt through the Events API. This typically originates from the Customer’s backend, CRM, mobile app, or other systems and is sent to Orbit Hunt to stitch together a unified customer journey. Data submitted through the Events API may include:
- Event name and timestamp — e.g., visited_lander, added_to_cart, purchase_completed, phone_call_received.
- Customer-supplied user identifiers — such as a CRM user ID, customer ID, or hashed email used to link multiple events to the same customer profile.
- Event properties — optional structured fields the Customer chooses to send with each event (for example product SKU, order value, channel, or campaign source).
- Source / destination context — information about the system the event originated from (e.g., landing page, CRM, mobile app, phone-call platform).
Orbit Hunt acts as a Data Processor for all data submitted through the Events API. The Customer determines what fields are sent and under what legal basis, and is solely responsible for ensuring that event payloads do not contain excessive or unnecessary personal data. We do not use Customer-submitted event data for our own marketing, advertising, or profiling.
3.4 What We Do NOT Collect
We have implemented technical safeguards to limit the data collected from End Users:
- Form input values are masked. For session replay, our tracking script captures the timing and structure of input events on form fields (so that the act of typing into a field is reflected in the replay), but the actual text entered into input fields, textareas, and select elements is replaced with asterisks (****) before transmission. We never capture the plaintext of passwords, credit card numbers, personal messages, or any text typed into forms.
- No cross-Customer tracking. Our tracking script and the Events API operate only within the deployments of the Customer that installed them. We do not link, share, or combine an End User's data across deployments belonging to different Customers, and we do not share End User data with third parties for advertising or marketing purposes.
End User Identification. To support session replay, customer-journey stitching, and the Customer Identification feature, Orbit Hunt may store persistent browser-derived identifiers in End Users' browser storage (for example a stable visitor ID, optionally combined with additional browser-derived signals) and may combine these with identifiers the Customer explicitly supplies through the Events API or Identify call. These identifiers can be used to recognize the same End User across sessions, devices, and across the various websites or applications where a single Customer has deployed Orbit Hunt. They are scoped to that Customer's account and are not used to track End Users across deployments belonging to different Customers.
Where applicable law (for example the GDPR or the ePrivacy Directive) requires consent for these identifiers, it is the Customer's responsibility to obtain that consent from the End User before deploying Orbit Hunt in a mode that creates them, using the consent modes described in Section 8.
3.5 Audit and Security Logs
For security and fraud prevention purposes, we log the following information when Customers interact with our platform:
- IP address of the request
- User agent string
- HTTP request headers (excluding authorization tokens)
- Event type (e.g., login, registration)
- Timestamps
4. How We Use Information
4.1 Customer Account Data
- To create and manage your account
- To authenticate your identity and authorize access
- To send transactional emails (account verification, password reset, organization invitations, and related notifications)
- To validate email addresses for deliverability (using third-party email validation services)
- To provide customer support
- To enforce our terms of service
4.2 End User Session Data and Customer-Submitted Event Data
End User session data and Customer-submitted event data are processed solely to provide our Customers with the following services:
- Session Replay — enabling Customers to visually replay End User sessions on their own websites.
- Behavioral Analytics — generating aggregated metrics including scroll depth, click patterns, engagement scoring, dead session detection, CTA interaction analysis, section-level engagement, and drop-off analysis.
- Performance Monitoring — providing Customers with insight into how their website performs for End Users (page load times, Web Vitals).
- Traffic Attribution — identifying traffic sources and channels for the Customer’s website.
- Customer Journey Stitching — combining session data and Customer-submitted events into a unified view of each customer’s interactions across landing pages, CRMs, phone calls, mobile apps, and other channels the Customer connects.
- AI Agent Access — making the Customer’s own analytics, metrics, and journey data available to AI agents (for example via the Model Context Protocol) under the Customer’s explicit authorization, so that the Customer can use agents such as Claude or other LLM-based tools to query and act on their data.
We do not use End User session data or Customer-submitted event data for our own marketing, advertising, profiling, or any purpose unrelated to providing the service to our Customers. We do not sell End User data to any third party.
5. Automated Analysis and AI Processing
We use automated systems, including large language models (LLMs), to analyze the structure of our Customers’ web pages in order to identify page sections and calls-to-action. This analysis is used to generate meaningful behavioral metrics for our Customers.
What is sent to the LLM: Only the stripped HTML structure of the Customer’s webpage — specifically the DOM layout, headings, and button/link elements. This is the Customer’s own published website content.
What is NOT sent to the LLM: No End User data is ever sent to any LLM: no session recordings, no click events, no scroll data, no IP addresses, no form inputs, and no personal data of any kind. The LLM never processes any End User behavioral data.
All behavioral metrics (engagement scores, scroll depth, CTA clicks, etc.) are computed by our own deterministic algorithms running on our infrastructure, without any external AI service involvement.
6. Data Storage and Infrastructure
All data is stored and processed on secure cloud infrastructure located in the European Union. This includes:
- Databases — encrypted relational databases containing Customer account data and session metadata.
- Object Storage — encrypted cloud storage for session recording event files.
- Compute — serverless and managed compute services for automated session analysis and application hosting.
- Email — managed email delivery service for transactional emails.
We do not store data in regions outside of the EU unless explicitly requested or required for service delivery.
7. Data Security
We implement the following technical and organizational measures to protect data:
- Password Security — Customer passwords are securely hashed with a cryptographic salt. We never store, log, or transmit plaintext passwords.
- Authentication — API access is secured using cryptographically signed tokens with time-limited expiry.
- IP Anonymization — End User IP addresses are truncated to CIDR block format before storage, removing individually identifying information.
- PII Detection in URLs — URL parameters that may contain personal data are detected and anonymized using one-way HMAC hashing before storage.
- Form Input Masking — All form field values are masked at the point of capture (client-side) before any data is transmitted to our servers.
- Authorization Header Exclusion — Authentication tokens are stripped from audit logs.
- Encrypted Transit — All data in transit is encrypted using TLS/HTTPS.
- Encrypted Storage — Data at rest is encrypted using industry-standard encryption.
- Role-Based Access Control — Organization members are assigned roles (Admin, Member, Viewer) with appropriate permission levels.
- Email Enumeration Prevention — Password reset and similar endpoints do not disclose whether an email address exists in our system.
8. Consent Mechanisms for End Users
Orbit Hunt provides Customers with configurable consent modes for their tracking scripts:
- Disabled — no consent mechanism; recording begins automatically. The Customer is responsible for ensuring this is permissible under applicable law (e.g., when recording is based on legitimate interest).
- Explicit Consent — a consent prompt is shown to End Users before recording begins. Recording only starts if the End User provides affirmative consent.
- Informational — an informational notice is displayed to End Users indicating that the session may be recorded.
It is the Customer’s responsibility to select and configure the appropriate consent mode for their jurisdiction and use case, and to ensure compliance with applicable laws such as the GDPR, ePrivacy Directive, CCPA, and others.
9. Customer Obligations as Data Controllers
As Data Controllers, our Customers are responsible for:
- Obtaining any legally required consent from End Users before deploying the Orbit Hunt tracking script.
- Including appropriate disclosures about session recording in their own privacy policy.
- Configuring the appropriate consent mode in their Orbit Hunt tracker settings.
- Ensuring that the pages where the tracking script is deployed do not expose sensitive personal data in the DOM (e.g., in visible text or non-input elements) beyond what is reasonably expected.
- Responding to End User data subject requests (access, deletion, etc.) and notifying us if our assistance is required to fulfill such requests.
- Complying with all applicable data protection laws in the jurisdictions where their End Users are located.
10. Third-Party Service Providers
We use the following third-party services in the operation of Orbit Hunt:
- Cloud Infrastructure Provider — for compute, storage, database hosting, and email delivery. Acts as a sub-processor. Data is processed in the EU.
- Paddle — our authorised reseller and Merchant of Record for paid subscriptions. Paddle receives the Customer’s billing information (name, email, billing address, and payment instrument, which is entered directly into Paddle’s own interface) and processes payments, taxes, invoicing, and refund requests on our behalf. See Paddle’s privacy notice at paddle.com/legal/privacy for details of its own data handling.
- Email Validation Provider — used to verify deliverability of email addresses. Only the email address is shared with this service. This is used for Customer email addresses, not End User data.
- AI/LLM Provider — used solely for analyzing the HTML structure of Customer web pages (not End User data). Only the published HTML content of the Customer’s website is processed. No personal data, behavioral data, or End User data is shared.
- Google Tag Manager — used on the marketing site (orbithunt.com) as a tag-management container. See Section 13.3 for details of which tags are loaded.
- Orbit Hunt Events Service (events.orbithunt.com) — our own first-party events endpoint used on the marketing site to record signup-funnel events such as visited_lander and signup. This is Orbit Hunt dogfooding its own product.
We do not share, sell, rent, or trade any personal data with third parties for their own marketing or commercial purposes.
11. Data Retention
- Customer Account Data — retained for as long as the Customer maintains an active account. Upon account deletion, account data will be removed in accordance with our data deletion procedures.
- End User Session Recordings — retained for the duration of the Customer’s active subscription and in accordance with the Customer’s data retention settings (where available). Customers may request deletion of session data at any time.
- Audit and Security Logs — retained for a reasonable period necessary for security, fraud prevention, and legal compliance.
- Authentication Tokens — password reset tokens expire after 60 minutes; email verification tokens expire after 24 hours. Expired tokens are not usable.
12. Data Subject Rights
12.1 For Customers
If you are an Orbit Hunt Customer, you have the following rights with respect to your account data (subject to applicable law):
- Access — request a copy of the personal data we hold about you.
- Rectification — update or correct inaccurate personal data via your account settings or by contacting us.
- Erasure — request deletion of your account and associated data.
- Restriction — request that we limit the processing of your data in certain circumstances.
- Portability — request your data in a structured, machine-readable format.
- Objection — object to our processing of your data where we rely on legitimate interest.
12.2 For End Users
If you are an End User whose session has been recorded on a Customer’s website, your data rights should be exercised directly with the website operator (our Customer), who is the Data Controller for your data. The website operator’s own privacy policy governs the collection of your data through tools like Orbit Hunt.
If a Customer receives a data subject request from an End User that requires our assistance (e.g., locating or deleting specific session data), we will cooperate with the Customer to fulfill such request in a timely manner.
13. Cookies and Local Storage
Orbit Hunt is composed of three distinct surfaces — the product dashboard at app.orbithunt.com, the tracking script deployed on Customer websites, and the marketing site at orbithunt.com. Each surface uses cookies and local storage differently; the sub-sections below describe each in turn.
13.1 Orbit Hunt Dashboard (app.orbithunt.com)
The Orbit Hunt dashboard does not use cookies. We use browser localStorage to store:
- Authentication token — a secure token to keep you logged in. This token expires after 24 hours and is removed on logout.
- Organization preference — the ID of your currently selected organization for navigation purposes.
No third-party analytics, advertising, or tracking cookies or scripts are used on the Orbit Hunt dashboard.
13.2 Tracker Script (on Customer Websites)
The Orbit Hunt tracking script deployed on Customer websites stores a persistent visitor identifier in browser storage (and may use additional browser-derived signals) to associate multiple page views, sessions, and devices with the same End User across the websites or applications where a single Customer has deployed Orbit Hunt. As described in Section 3.4, these identifiers are scoped to that Customer's account and are only created where the Customer has obtained the consent required by applicable law from the End User.
Where the Customer additionally supplies a stable user identifier through the Events API or Identify call, that identifier is associated with the visitor identifier to support cross-session and cross-device customer recognition for that Customer's account only.
13.3 Marketing Site (orbithunt.com)
The Orbit Hunt marketing site at orbithunt.com may use the following cookies, local storage items, and tracking scripts:
- Google Tag Manager — a tag-management container that loads and runs downstream measurement, analytics, and marketing tags configured by Orbit Hunt. The specific tags loaded by this container are managed by Orbit Hunt and may change over time. The container itself does not collect data; cookies and other storage items set by any downstream tag are governed by the privacy policy of the provider of that tag. Tags loaded via Google Tag Manager may include (now or in the future) first-party and third-party web analytics, conversion-tracking pixels, and retargeting pixels supplied by advertising and analytics providers. Where any such third-party tag collects data about you, that third party acts as an independent data controller for the data it collects and uses that data in accordance with its own privacy policy.
- Orbit Hunt tracker on the marketing site — Orbit Hunt uses its own product on its own marketing site (“dogfooding”). The tracker stores a first-party identifier in browser localStorage under the key __gtm_cid, scoped to the orbithunt.com domain, used to associate signup-funnel events with the same browser session.
- First-party signup-funnel events — the marketing site fires events such as visited_lander (on homepage load) and signup (after successful account creation) against the Orbit Hunt events endpoint at events.orbithunt.com. These events are used by Orbit Hunt for its own product-marketing analytics and are processed in accordance with this policy.
Where applicable law requires consent for the cookies, storage items, or third-party tags described above, Orbit Hunt will provide a mechanism for you to manage that consent on the marketing site. For information on how a particular third-party tag uses the data it collects, please refer to that third party's own privacy policy.
14. International Data Transfers
Our primary infrastructure is located in the European Union. Data may be transferred to or accessed from other jurisdictions in the following limited circumstances:
- When our team members access data for the purposes of providing support, maintenance, or platform operations.
- When third-party sub-processors (as listed in Section 10) process data in accordance with their own data processing agreements.
Where data is transferred outside the EEA, we rely on appropriate safeguards such as Standard Contractual Clauses (SCCs) or adequacy decisions as required by applicable law.
15. GDPR Compliance
For the purposes of the EU General Data Protection Regulation (GDPR):
- Customer Data — we process Customer account data as a Data Controller, relying on the legal bases of contract performance (Article 6(1)(b)) and legitimate interest (Article 6(1)(f)).
- End User Data — we process End User session data as a Data Processor on behalf of our Customers. The legal basis for processing is determined by the Customer (Data Controller) and may include consent (Article 6(1)(a)) or legitimate interest (Article 6(1)(f)), depending on the Customer’s configuration and jurisdiction.
We are committed to entering into Data Processing Agreements (DPAs) with Customers upon request, which outline the scope, nature, and purpose of processing, as well as the obligations and rights of each party.
16. CCPA / CPRA Compliance (California)
For the purposes of the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA):
- We act as a Service Provider with respect to End User data, processing it solely on behalf of our Customers (the “Businesses”).
- We do not sell personal information of End Users or Customers.
- We do not share personal information for cross-context behavioral advertising.
- California residents who are Orbit Hunt Customers may exercise their rights under the CCPA by contacting us at the address below.
17. Children's Privacy
Orbit Hunt is a business-to-business service and is not intended for use by children under the age of 16 (or such other age as defined by applicable law). We do not knowingly collect personal data from children. If we become aware that we have collected data from a child, we will take steps to delete it promptly. Our Customers are responsible for ensuring their websites comply with applicable child protection laws (such as COPPA) before deploying the Orbit Hunt tracking script.
18. Data Breach Notification
In the event of a personal data breach that is likely to affect the rights and freedoms of individuals, we will:
- Notify affected Customers without undue delay and within the timeframes required by applicable law.
- Provide Customers with information necessary to meet their own data breach notification obligations to supervisory authorities and affected End Users.
- Cooperate with Customers and relevant authorities in investigating and remediating the breach.
19. Limitation of Liability
While we implement industry-standard technical and organizational measures to protect data as described in this policy, no system is completely secure. We provide our services “as is” and do not guarantee that unauthorized access, data loss, or security incidents will never occur. Our liability is limited to the extent permitted by applicable law and as further specified in our Terms of Service.
Customers are solely responsible for the lawful deployment and use of the Orbit Hunt tracking script on their websites, including but not limited to: obtaining required consents, displaying required notices, and ensuring compliance with applicable privacy laws. Orbit Hunt shall not be liable for any Customer’s failure to comply with their obligations as Data Controllers.
20. Changes to This Privacy Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. When we make material changes, we will:
- Update the “Last updated” date at the top of this page.
- Notify Customers via email or an in-app notification for significant changes.
Continued use of Orbit Hunt after changes are posted constitutes acceptance of the updated policy.
21. Governing Law
This Privacy Policy shall be governed by and construed in accordance with the laws of India, without regard to conflict of law principles. Any disputes arising out of or relating to this Privacy Policy shall be subject to the exclusive jurisdiction of the courts located in India.
22. Contact Us
If you have questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:
White Blink Private Limited
Operating as Orbit Hunt (under the Latbase initiative)
Email: privacy@orbithunt.com
© 2026 Orbit Hunt — a product by White Blink Private Limited. All rights reserved.