OrOrbit is in pre-launch. Downloads, accounts, and sponsorship open at launch.

Privacy Policy

Last updated: May 14, 2026

This policy covers OrOrbit (the software and this website). For Pulsar cloud services, see the Pulsar Privacy Policy.

OrOrbit is Self-Hosted

In Plain English: When you run your own server, your data stays on your hardware. We have no access to it. There is no central server that sees your messages.

OrOrbit is designed so that you run your own server. Your messages, voice conversations, files, and user data live on hardware you control. We have no access to your server, your database, or anything on it. There is no central message store, no telemetry pipeline, and no analytics SDK baked into the application.

When you host an OrOrbit server, you are the data controller. You decide what data is stored, how long it is retained, and who has access.

Connecting to Someone Else's Server

In Plain English: If you join a server you do not operate, the server owner can see everything you send — messages, files, metadata. This is like email: your app is private, but the server is controlled by its operator. Join servers run by people you trust.

When you join an OrOrbit server operated by someone else, your data is stored on and processed by their server. The server operator has full access to messages, files, user profiles, and metadata stored on their server. OrOrbit (the application) does not phone home or share data with us, but the server you connect to sees everything you send to it.

This is similar to how email works: your email client does not spy on you, but the email server operator could read your messages. OrOrbit's maintainers have no control over, access to, or responsibility for data on third-party servers.

If you don't trust the operator, don't join. If privacy is critical, consider running your own server.

The OrOrbit Application

In Plain English: The OrOrbit app itself does not track you, phone home, or collect analytics. It talks only to the servers you connect to.

The OrOrbit application (web client, desktop app, mobile app) does not currently collect analytics, telemetry, crash reports, or usage data. It communicates only with the OrOrbit servers you connect to. No data is sent to OrOrbit maintainers, third-party analytics services, or any other external party.

The application uses browser localStorage and IndexedDB for local settings, cached data, and session state. This data stays on your device and is never sent to OrOrbit maintainers or any third party. The OrOrbit server you connect to receives only what is necessary to authenticate and sync — exactly like an email client talks to its email server.

The ororbit.com Website

In Plain English: This website is static. No cookies, no analytics, no tracking.

This website (ororbit.com) is a static site. It does not use cookies, does not run analytics scripts, and does not collect any personal information. There are no tracking pixels, no third-party ad networks, and no fingerprinting. The site is served via a CDN, and standard web server access logs (IP address, user agent, timestamp) may be retained by the hosting provider for operational purposes, but we do not process or analyze them.

What the OrOrbit App Does Not Collect

In Plain English: The app does not spy on you. It does not read your messages, record your voice, track your clicks, or fingerprint your device.

As of this writing, the OrOrbit application does not collect:

  • Message content, chat history, or channel data (this lives on the server you connect to)
  • Voice or video data
  • Browsing behavior, click tracking, or usage analytics
  • Device fingerprints, hardware identifiers, or installed software lists
  • Contacts, friend lists, or social graphs
  • Keystroke data, clipboard contents, or screen recordings

If this changes in the future (e.g. opt-in crash reporting), this policy will be updated before any such change takes effect.

How Server Traffic Flows

In Plain English: OrOrbit servers run in one of two modes. In standalone mode, no third-party service sees your server — the operator shares an ororbit:// link out-of-band and members connect directly. In pulsar mode, your server checks in with Pulsar so invite links work without manual sharing, but only the invite-redemption handshake and heartbeats touch Pulsar. Chat, voice, and file transfer always go directly between members and the server — in either mode.

OrOrbit servers operate in one of two privacy modes, chosen by the operator at setup:

  • Standalone mode (default): the server does not register with Pulsar. Pulsar sees nothing related to the server, and Cloudflare's network is not involved at all. The operator shares a copy-pasteable ororbit:// URI with members out-of-band (private message, email, QR code); members paste it into their client, which connects directly to the server's IP.
  • Pulsar mode (opt-in): the server posts periodic heartbeats to Pulsar so Pulsar can return the current IP when someone redeems an invite. The invite-redemption call is the only traffic that transits Pulsar/Cloudflare; after redemption the member's client connects directly to the operator's IP for everything else. Pulsar's privacy practices apply to that handshake — see the Pulsar Privacy Policy under "How Your Server's Traffic Flows" for the full per-mode breakdown.

IP Certificates & Transparency Logs

In Plain English: OrOrbit servers use Let's Encrypt certificates bound to their IP address. Every Let's Encrypt certificate is published to public Certificate Transparency logs, so a CT-log search for a public IP can reveal whether that IP has had a recent Let's Encrypt IP certificate issued for it. The logs do not reveal what is running on the IP, who operates it, or anything about users.

OrOrbit servers obtain TLS certificates from Let's Encrypt under the ACME IP Identifier Validation Extension (RFC 8738), which permits certificates issued directly to an IP address. All Let's Encrypt certificates — including IP-bound ones — are published to public Certificate Transparency logs (RFCs 6962 and 9162). Anyone can search a CT log aggregator such as crt.sh for a public IP and observe whether a Let's Encrypt IP certificate was recently issued for it.

CT logging is a property of the public web PKI and applies to every certificate Let's Encrypt issues. OrOrbit does not currently support a certificate authority that issues without CT logging. Operators whose threat model treats CT log discoverability as a concern should consider running behind a different transport.

Pulsar Integration (Optional)

In Plain English: Some OrOrbit features are powered by Pulsar. These are always optional and clearly labeled. When a feature involves Pulsar, the app marks it so you know.

Pulsar (pulsar.ororbit.com) is a separate, optional cloud service that provides convenience infrastructure for OrOrbit server operators — DNS subdomains, identity backup, email relay, and more.

The OrOrbit application integrates with Pulsar for certain optional features. Any feature that communicates with Pulsar is clearly identified in the interface with a Pulsar indicator, so you always know when data may be sent to an external service. No Pulsar feature is enabled by default — you opt in to each one individually.

If you use Pulsar features, your data is governed by the Pulsar Privacy Policy, which details what data is collected, how it is stored, and your rights.

Sponsorship & Donations (Optional, via Pulsar)

In Plain English: If you choose to subscribe or donate to support the project, payments are processed by Stripe through Pulsar. We never see your card details. The OrOrbit app surfaces a public list of opted-in supporters, but the data itself is fetched from Pulsar — no payment data ever touches your OrOrbit server.

OrOrbit's sponsorship and donation flow is operated entirely through Pulsar — the OrOrbit application and the OrOrbit server you run do not handle payment data at all. When you subscribe or donate, your card details go directly to Stripe. We retain only the Stripe customer / subscription / payment-intent IDs and amount totals (mirrored from Stripe webhooks into Pulsar's database). For full details see the Pulsar Privacy Policy and Stripe's privacy policy.

The OrOrbit landing site and the OrOrbit app's Settings → Support tab display a "supporter wall" of folks who have explicitly opted in to public listing. The wall data is fetched live from pulsar.ororbit.com — the wall display name and optional URL are user-supplied and editable at any time. Default is off; nobody appears on the wall without explicit consent.

Your Rights

In Plain English: If you run your own server, you control everything. If you use Pulsar, see their privacy policy for data rights.

For self-hosted servers, you have full control over your data. You can export, back up, or delete your database at any time.

Depending on your jurisdiction, you may have additional rights under privacy regulations (GDPR, CCPA, etc.), including the right to access, correct, delete, or port your personal data, and the right to lodge a complaint with a supervisory authority. For data held by Pulsar, see the Pulsar Privacy Policy. For data on a third-party OrOrbit server, contact the server operator.

Changes to This Policy

We may update this policy as the software evolves. The "Last updated" date at the top reflects the most recent revision. For material changes, we will make reasonable efforts to notify the community via the project's GitHub repository.

Contact

For privacy questions, data requests, or concerns, contact us at: