Privacy Policy
How Cap Orbit handles personal information as a business or controller.
Effective date: June 18, 2026
Last updated: June 18, 2026
This Privacy Policy explains how Cap Orbit, Inc., a Delaware corporation ("Cap Orbit", "we", "us", or "our"), the operator of the Cap Orbit platform (the "Service"), handles Personal Information when we act as a business or controller. Cap Orbit provides a conversational AI command layer for institutional commercial real estate ("CRE") deal teams. The Service is offered to organizations on a business-to-business basis and is not directed to consumers or to personal, family, or household use.
For purposes of this Policy, "Personal Information" means information that identifies, relates to, or could reasonably be linked to a particular individual, as defined by applicable US state privacy laws. Capitalized terms not defined in this Policy have the meanings given in the Cap Orbit Terms of Service or the Cap Orbit Data Processing Addendum.
This Policy is governed by the United States privacy laws that apply to Cap Orbit's processing of Personal Information, including the California Consumer Privacy Act as amended by the California Privacy Rights Act (together, the "CCPA") and comparable comprehensive US state privacy laws in effect from time to time. It does not address, and is not intended to create rights or obligations under, any non-US privacy law.
1. Scope, and the Controller / Service Provider Carve-Out
This Policy applies only to Personal Information that Cap Orbit collects and uses as a business or controller in its own right. That means:
- Website visitors. Individuals who visit our public marketing website at cap-orbit.com.
- Account and billing contacts. The administrators, billing contacts, and Authorized Users associated with a Customer organization that subscribes to the Service.
- Usage Data. Metadata about use of the Service, as described in Section 2.
Customer Content is not governed by this Policy. When an organization (the "Customer") and its Authorized Users upload documents to, submit Inputs to, or generate Outputs in the Service, that "Customer Content" is processed by Cap Orbit as a service provider and processor on the Customer's behalf and on the Customer's instructions, not as a business or controller. The Customer organization is the business and controller for the personal and financial information contained in Customer Content (including information about borrowers, guarantors, tenants, principals, and other third parties). The handling of Customer Content is governed by the Cap Orbit Terms of Service and the Cap Orbit Data Processing Addendum (the "DPA"), not by this Privacy Policy.
In this Privacy Policy, "you" and "your" refer to the individual whose Personal Information we process (such as a website visitor or an account or billing contact), which may differ from how those terms are defined in the Terms of Service and the Data Processing Addendum.
If you are an individual whose personal or financial information appears inside documents that a Customer uploaded to the Service (for example, because you are a borrower, guarantor, tenant, or principal in a transaction), Cap Orbit does not control that information and cannot respond to rights requests about it directly. Please direct any such request to the Customer organization that holds the relationship with you; that organization is the controller, and we will support it in responding as required by the DPA and applicable law.
Deployment models. Cap Orbit is offered in two deployment models, and they differ in where Customer Content resides:
- In the per-seat hosted model ("Pro"), Customer Content is hosted in Cap Orbit-operated AWS infrastructure in the United States (the us-east-1 region), and Cap Orbit processes it as the Customer's service provider and processor.
- In the bring-your-own-cloud model ("Enterprise" or "BYOC"), the platform is deployed into infrastructure that the Customer owns (the Customer's own AWS account and region). In that model, Customer Content stays in the Customer's cloud, Cap Orbit does not take possession of it, Cap Orbit does not hold credentials that can write into it, cross-account access is trigger-only, and the Customer controls its own retention, deletion, encryption keys, audit logs, and access revocation.
In both models, the limited categories of Personal Information that Cap Orbit handles as a business or controller (website logs, account and billing contact data, and Usage Data) are handled as described in this Policy. The DPA, not this Policy, addresses the deployment-model differences as they affect Customer Content.
2. Categories of Personal Information We Collect, and Our Sources
Cap Orbit is deliberately minimal in the Personal Information it collects and stores as a controller. The categories below, organized according to the statutory categories used by the CCPA, describe what we collect, where it comes from, and (in Section 3) why.
2.1 Account and identity data
Sign-in to the Service runs through WorkOS AuthKit, with single sign-on against the Customer's identity provider (including SAML) supported where the Customer configures it. As a result, Cap Orbit's application databases store only a minimal set of account identifiers:
- an opaque identity-provider user id,
- the organization id, and
- a permissions list associated with that user.
Email addresses and names are held by the identity provider (WorkOS) and are not stored in Cap Orbit's primary application databases. Cap Orbit may access an Authorized User's email address or name through WorkOS for authentication, account administration, billing setup, support, security, service communications, and related operational purposes. Your browser session is maintained by an encrypted, HttpOnly functional session cookie issued by the identity provider (see Section 4).
- CCPA categories: identifiers (online identifiers, account / user id, organization id); professional or employment-related information (the fact and role of a person's association with a Customer organization).
- Sources: the Customer's identity provider (WorkOS) at authentication; the Customer's account administrator, who provisions and assigns seats.
2.2 Billing contact data
When an organization subscribes, billing is processed through Stripe (payments and subscription) and metered through Metronome. Billing-contact details (for example, the name and business email of the billing contact) and tokenized payment-method information are collected and processed through Stripe; Cap Orbit does not store full payment card numbers. Cap Orbit may access billing-contact details through Stripe and stores control-plane billing data such as the organization id, Stripe customer and subscription identifiers, Metronome customer / contract / subscription identifiers, plan state, billing-period dates, per-seat assignments keyed to the opaque user id, and the seat price. This control-plane billing data is held in Cap Orbit AWS infrastructure in the United States in both deployment models.
- CCPA categories: identifiers; customer records under Cal. Civ. Code section 1798.80 (contact and billing details, tokenized payment information); commercial information (plan, seats, subscription history).
- Sources: the Customer (its billing contact and administrator); our payment and metering processors (Stripe, Metronome).
2.3 Usage Data (metadata)
"Usage Data" means metadata about use of the Service (for example model identifiers, token counts, request duration, timestamps, and feature interactions), excluding Customer Content. For each request, Cap Orbit records usage metadata such as the model identifier, input/output and cache token counts, request duration, the surface used, a session id, and the opaque user id. Usage Data contains no Customer Content. Because some Usage Data is keyed to the opaque user id (which can be linked to an individual through the identity provider), we treat Usage Data as potentially Personal Information and describe it here.
In both deployment models, including Enterprise / BYOC, Usage Data flows to and is held in Cap Orbit's United States control plane for metering and billing, consistent with the control-plane billing data described in Section 2.2. It remains metadata only and contains no Customer Content.
- CCPA categories: internet or other electronic network activity information; identifiers (opaque user id, session id).
- Sources: automatically generated by the Service as Authorized Users interact with it.
2.4 Marketing website server logs
Our public marketing website is hosted on Vercel. Like any web host, Vercel receives standard server request logs when a browser requests a page, including IP address, user-agent string, and referrer. There is no JavaScript analytics and no advertising technology on the marketing website (see Section 4).
- CCPA categories: internet or other electronic network activity information; identifiers (IP address); geolocation (approximate, inferred from IP address).
- Sources: automatically, from your browser and device when you visit cap-orbit.com, via our hosting provider (Vercel).
2.5 Support communications
If you contact us (for example at hello@cap-orbit.com), we receive the contents of your message and any contact details you choose to include.
- CCPA categories: identifiers; customer records under Cal. Civ. Code section 1798.80; commercial information; and the contents of the communication you send us.
- Sources: directly from you.
We do not knowingly collect sensitive Personal Information for the purpose of inferring characteristics about any individual. We do not use the Service's authentication mechanism to derive race, ethnicity, religion, health, sexual orientation, or similar categories, and we do not maintain those categories in our controller records.
3. How and Why We Use Personal Information
We use the Personal Information described in Section 2 for the following business and commercial purposes:
- To provide, secure, and operate the Service: to authenticate Authorized Users against the Customer's identity provider, maintain sessions, manage seats and permissions, deliver the AI terminal and deal workflows, and keep the Service available and reliable.
- To meter and bill: to count usage, apply per-seat and any usage-based charges, manage subscriptions and renewals, and process payments through Stripe and Metronome.
- To support Customers: to respond to questions, troubleshoot, and communicate about the Service, including service and security notices.
- To improve and develop the Service: using Usage Data and aggregated and de-identified data that does not identify any Customer or individual. We will not attempt to re-identify any data that we have de-identified or aggregated.
- For security, integrity, and fraud prevention: to detect, investigate, and prevent abuse, unauthorized access, and other malicious or unlawful activity, and to enforce the Terms of Service and the Acceptable Use Policy. The user-facing surface sits behind a web application firewall with rate limiting.
- For legal and compliance purposes: to comply with applicable law, respond to lawful requests and legal process, establish or exercise our legal rights, and defend against claims.
3.1 Customer Content and AI training
The contractually binding form of this commitment as to Customer Content, Inputs, and Outputs is set out in the Terms of Service and the DPA; this Policy restates it here for transparency.
(a) We do not train on Customer Content by default. Cap Orbit does not use Customer Content, Inputs, or Outputs to train, fine-tune, or otherwise improve any artificial-intelligence or machine-learning model unless the Customer expressly opts in or gives written instructions for that use in an Order or other written or electronic agreement.
(b) We do collect metadata to run and improve the Service. Cap Orbit collects Usage Data (metadata only, not Customer Content) to operate, secure, meter, bill for, support, analyze, and improve the Service, as described above. We may also use aggregated or de-identified data for legitimate business purposes consistent with this Policy and applicable law.
(c) AI inference runs inside Amazon Bedrock. The Claude models used by the Service are accessed exclusively through Amazon Bedrock (Anthropic is not a separate, direct recipient of Customer Content). Amazon Web Services states, in its published Amazon Bedrock FAQs (as of the date of this Policy; source: https://aws.amazon.com/bedrock/faqs/), that "AWS and the third-party model providers will not use any inputs to or outputs from Amazon Bedrock to train Amazon Nova, Amazon Titan, or any third-party models," and that "Users' inputs and model outputs are not shared with any model providers." This architectural separation (AWS-operated model deployment accounts to which model providers have no access) is the basis on which inputs and outputs sent to the model are not shared with the model providers. These are AWS service-level commitments concerning processing inside Amazon Bedrock; they are separate from, and additional to, Cap Orbit's own commitments in (a) and (b) above.
We do not use Personal Information to make decisions that produce legal or similarly significant effects about you through solely automated processing. The Service is a productivity and drafting tool: its Outputs are AI-generated, must be independently reviewed and verified by a qualified human before they are relied on, and do not constitute investment, valuation, appraisal, accounting, tax, legal, or brokerage advice. The Terms of Service govern those obligations in full.
4. Cookies and Tracking
Our use of cookies and similar technologies is intentionally minimal, and this disclosure is correspondingly brief.
- In the Service: we use essential and functional cookies, including an encrypted, HttpOnly session cookie issued by the identity provider to keep you signed in and limited preference cookies for user-interface state. There are no analytics cookies, no advertising cookies, no third-party tags, and no tracking pixels in the application.
- On the marketing website: there is no JavaScript analytics and no advertising technology. As described in Section 2.4, our hosting provider (Vercel) receives standard server request logs (IP address, user-agent, referrer) as any web host would, but there is no client-side tracking, profiling, or ad tech.
Because we do not use advertising or cross-context behavioral tracking technologies, there is no advertising-cookie consent banner and no "Do Not Sell or Share" advertising opt-out to operate. We nonetheless honor browser-based opt-out preference signals as described in Section 6.
5. How We Disclose Personal Information
We do not sell or rent Personal Information (see Section 6). We disclose Personal Information only as follows.
5.1 To Subprocessors and service providers
We engage a small set of Subprocessors and service providers to provide the Service on our behalf, under contracts that limit their use of Personal Information to providing services to us. Our current Subprocessors and service providers are identified in the Cap Orbit Subprocessor List, and include:
- Amazon Web Services (AWS): compute, storage, database, content delivery, and AI model inference through Amazon Bedrock; United States region. In the Enterprise / BYOC model, AWS is the Customer's own account for Customer Content and is not a Cap Orbit Subprocessor for that content.
- WorkOS: identity, authentication, and organization / seat membership (holds email and name; see Section 2.1).
- Stripe: payment processing and subscription billing.
- Metronome: usage metering and billing.
- Vercel: hosting of the public marketing website only (no Customer Content).
Anthropic is not a direct recipient. The Claude models are accessed exclusively through Amazon Bedrock; Customer Content is not sent to Anthropic as a separate processor. AWS Bedrock is the contractual and technical boundary for model inference.
The categories of recipients in this Section align with the Subprocessor List and with our DPA. Where this Policy and the Subprocessor List differ in detail, the Subprocessor List is the authoritative, current source.
5.2 For legal and compliance reasons
We may disclose Personal Information to comply with applicable law, regulation, legal process, or an enforceable governmental or law-enforcement request; to enforce our agreements (including the Terms of Service and the Acceptable Use Policy); and to establish, exercise, or defend legal claims, or to protect the rights, property, or safety of Cap Orbit, our Customers, or others.
5.3 In a business transfer
If Cap Orbit is involved in a merger, acquisition, financing, reorganization, bankruptcy, or sale of all or part of its assets, Personal Information may be transferred as part of that transaction, subject to the receiving party's continued obligation to handle Personal Information consistent with this Policy or to provide notice of any material change.
5.4 With your direction or the Customer's
We disclose Personal Information at the direction of the Customer organization that holds the account, or with your consent.
6. Sales, Targeted Advertising, and Advertising Sharing
Cap Orbit does not sell Personal Information, and Cap Orbit does not share Personal Information for cross-context behavioral advertising or targeted advertising, as those terms are defined under the CCPA and comparable US state privacy laws. In the preceding twelve months, we have not sold Personal Information and have not shared it for cross-context behavioral advertising. We do not engage in targeted advertising, and we do not process sensitive Personal Information for the purpose of inferring characteristics about any individual.
This section does not restrict Cap Orbit from disclosing Personal Information to service providers, Subprocessors, payment processors, identity providers, hosting providers, professional advisors, legal authorities, or other recipients described in Section 5. Those disclosures are made to operate the Service, process payments, provide support, comply with law, protect rights and security, or at the direction of the Customer or individual.
Because we do not sell Personal Information or use or share it for targeted advertising, no "Do Not Sell or Share My Personal Information" advertising opt-out is required to operate. As a matter of practice, we recognize and process browser-based opt-out preference signals, including the Global Privacy Control (GPC), as a valid request to opt out of any sale or targeted-advertising sharing for the browser or device from which the signal is sent, even though we do not engage in such activities.
7. Data Retention
We retain each category of Personal Information for as long as needed to fulfill the purposes described in this Policy, unless a longer period is required or permitted by law. In particular:
- Account and identity data (opaque user id, organization id, permissions): retained for the duration of the Customer relationship and the associated account, and thereafter as needed for our legal, tax, and audit obligations and to resolve disputes and enforce agreements.
- Billing data (organization id, Stripe and Metronome identifiers, plan state, billing-period dates, seat assignments and seat price): retained for the duration of the subscription and thereafter as required for tax, accounting, audit, and legal-compliance purposes.
- Usage Data: retained for audit, security, and billing purposes, in Cap Orbit's United States control plane in both deployment models.
- Marketing website server logs: retained for the limited period our hosting provider maintains standard request logs, for security and operational purposes.
The retention of Customer Content is governed by the Terms of Service and the DPA, not by this Policy. For context: within the Service, deleted files move to a trash area that is retained for 30 days and then purged; deals and chat sessions may be soft-archived and are retained until they are hard-deleted; and usage metadata is retained for audit and billing as described above. In the Pro / hosted model, on termination Cap Orbit deletes remaining Customer Content within sixty (60) days unless the Customer instructs otherwise. There is no automated self-service bulk erasure across all data; deletion requests are handled operationally. In the Enterprise / BYOC model, the Customer controls retention and deletion directly, because Customer Content resides in the Customer's own account.
When Personal Information is no longer needed for these purposes, we delete, de-identify, or aggregate it.
8. Security
We design the Service for hard tenant isolation and least-privilege, non-standing access. Our security posture includes:
- Per-tenant hard isolation: each organization gets its own database, its own object storage, and its own execution roles. Nothing is pooled across customers.
- Brokered, short-lived, scoped access: the application holds no direct standing credentials to tenant data. Each request mints a short-lived (about 15 minute), scoped access token through a broker that re-verifies the user's identity first; the token then expires. No long-lived keys sit in the data path.
- Identity re-verification: sign-in runs through WorkOS AuthKit, with single sign-on against the Customer's identity provider where configured, and every service re-verifies the session on each call. There is no shared internal API key in the data path.
- Encryption: data is encrypted in transit using TLS / HTTPS everywhere, and at rest using AWS-managed server-side encryption (and KMS). Storage access uses SigV4-signed requests and time-limited signed URLs (about 15 minutes).
- Network controls: a web application firewall with rate limiting sits in front of the user-facing surface.
In the Enterprise / BYOC model, because resources live in the Customer's own account, the Customer's security team can audit every resource, log, and access path with its own tools and revoke access at any time.
No method of transmission or storage is completely secure, and we cannot guarantee absolute security. You are responsible for maintaining the confidentiality of your sign-in credentials and for access controls within your organization.
9. Your US Privacy Rights
Depending on your state of residence, and subject to legal exceptions, you may have some or all of the rights below with respect to Personal Information that Cap Orbit handles as a business or controller. We honor these rights for California residents, including business contacts, and extend the corresponding rights to residents of other US states whose laws provide them, for Personal Information that is not exempt. Information that we process about you solely because you act in a business-to-business or employment capacity may be exempt under some state laws.
- Right to know / access: to learn the categories and specific pieces of Personal Information we have collected, the sources, the purposes, and the categories of recipients.
- Right to delete Personal Information we have collected, subject to statutory exceptions.
- Right to correct inaccurate Personal Information.
- Right to opt out of the sale of Personal Information (we do not sell; see Section 6).
- Right to opt out of sharing for cross-context behavioral advertising and of targeted advertising (we do not share or target; see Section 6).
- Right to opt out of profiling in furtherance of decisions that produce legal or similarly significant effects. We do not engage in such profiling.
- Right to limit the use and disclosure of sensitive Personal Information. We do not use sensitive Personal Information beyond the purposes permitted by law and do not use it to infer characteristics, so this right is not triggered by our processing.
- Right to data portability: to receive a copy of certain Personal Information in a portable, usable format.
- Right to non-discrimination for exercising your privacy rights.
- Right to use an authorized agent to submit a request on your behalf.
- Right to appeal a denial of a rights request, where your state law provides an appeal process (for example, Virginia, Colorado, Connecticut, and other states). California residents may instead file a complaint with the California Privacy Protection Agency or the California Attorney General.
Important scope note for Customer Content. The rights above concern Personal Information that Cap Orbit handles as a business or controller (website logs, account and billing contact data, and Usage Data). If your request concerns personal or financial information contained in Customer Content (for example, information about you in deal documents that a Customer uploaded), the Customer organization is the controller, and you should direct your request to that organization. We will assist the Customer in responding as required by the DPA and applicable law.
9.1 How to exercise your rights
To exercise a right, contact us at privacy@cap-orbit.com. You may also reach us at the mailing address in Section 12. Because we operate exclusively online and interact with account holders directly, we accept requests by email and, where provided, through a web form.
Verification. To protect your information, we will verify your identity before fulfilling a request, typically by matching information you provide against information available to us (for example, your account association) and, where appropriate, by requiring you to be signed in. We may apply a higher level of verification for deletion and correction requests.
Authorized agents. You may use an authorized agent to submit a request. We may require the agent to provide proof of authorization, and may require you to verify your identity directly with us or to confirm that you gave the agent permission.
Timing. We will acknowledge and respond to verified privacy requests within the time required by applicable law. Where an appeal right applies, we will decide the appeal within the period your state's law requires and explain our decision in writing.
We will not discriminate against you for exercising your privacy rights.
10. Minors
The Service is offered to businesses and is not directed to individuals under 18 years of age. We do not knowingly collect Personal Information from minors. If you believe a minor's Personal Information has been provided to us, please contact us at privacy@cap-orbit.com so we can take appropriate steps to delete it.
11. Changes to This Policy
We may update this Policy from time to time. When we do, we will revise the "Last updated" date above and, where required by law, provide additional notice. We will provide advance notice of material changes that affect how we process Personal Information, and, where required by law, those changes will not apply retroactively. We review this Policy at least every twelve months. The current effective date is June 18, 2026. This Policy is a disclosure rather than a contract; the terms governing your use of the Service are set out in the Cap Orbit Terms of Service.
12. Contact Us
For privacy questions or to exercise a privacy right, contact us at:
- Privacy requests: privacy@cap-orbit.com
- Legal notices: legal@cap-orbit.com
- General contact: hello@cap-orbit.com
This Policy is provided in a format intended to be reasonably accessible to individuals with disabilities. If you require this Policy in an alternative format, contact us at privacy@cap-orbit.com.
Entity: Cap Orbit, Inc., a Delaware corporation
Mailing address: 1111B South Governors Avenue, Suite 40882, Dover, DE 19904
This Privacy Policy should be read together with the Cap Orbit Terms of Service, the Data Processing Addendum, the Acceptable Use Policy, and the Subprocessor List. For the handling of Customer Content, the Terms of Service and the Data Processing Addendum control.
(c) 2026 Cap Orbit