Privacy Policy
This Privacy Policy describes how Orbit (the "Service", operated at 3133t.net) collects, uses, stores, and discloses information when you use the Service. The Service is built so that the operators cannot read the contents of your messages, files, voice, or video. This policy explains exactly what we do and do not have access to.
1. Information you provide to us
- Account credentials. A username you choose. A password, which we never store in plaintext — we keep only a one-way bcrypt hash with a per-password salt.
- Public encryption key. Your browser generates a P-256 keypair when you create your account. The public half is stored on the Service so contacts can encrypt to you. The private half never leaves your device unencrypted.
- Contacts list. The user IDs of contacts you add. The Service must know who you are connected to in order to deliver messages.
- Encrypted message ciphertext. Every text message you send is encrypted in your browser (AES-GCM 256-bit, key derived via ECDH between your private key and your contact's public key, expanded with HKDF-SHA256). The Service stores only the ciphertext and the per-message initialization vector. We cannot read the plaintext.
- Encrypted file blobs. Files and images you send are encrypted in your browser with the same per-conversation key, then uploaded to the Service. We store only ciphertext, the IV, and basic envelope metadata (filename, MIME type, size, sender, recipient, timestamp). We cannot view the file contents.
- Encrypted Key Vault (optional). If you enable the Key Vault, your private key is encrypted in your browser using a vault passphrase that only you know (PBKDF2-SHA256, 250,000 iterations), then stored on our server as ciphertext. We never receive your vault passphrase and cannot decrypt your vault.
- Push notification subscription (optional). If you enable push notifications, your browser provides a push endpoint URL and two cryptographic keys, which we store and use to send notifications via your browser vendor's push service.
- Call log. When you place or receive a call, the Service records who called whom, when, the call type (voice/video), and the outcome (answered, missed, declined) so missed calls can be shown to you. Call content is never recorded or accessible to us.
2. Information we do not collect
- Plaintext message content, file content, or call audio/video.
- Your private encryption key or vault passphrase.
- Phone number, email address, real name, address, payment information, or government identifiers.
- Your contacts from your phone or email account.
- Browsing or behavioral analytics. We do not embed third-party analytics, advertising trackers, or fingerprinting libraries.
3. Information collected automatically
- Session cookies. A signed, HTTP-only, Secure session cookie identifies your logged-in browser. It contains an opaque session ID, no personal data.
- Front-end access logs. The reverse proxy in front of the Service (Caddy) writes standard access logs including the requesting IP address, timestamp, request path, response status, and user agent. These are retained for short-term operational debugging and not used for advertising or profiling.
- Server error logs. When the Service encounters an error, it logs the error message and a stack trace to assist debugging. These do not include message content.
4. How encryption works
Conversations are end-to-end encrypted between you and your contact using AES-GCM with a 256-bit key. The key is derived automatically: your browser performs an ECDH key agreement (curve P-256) between your private key and your contact's public key, then expands the shared secret with HKDF-SHA256 bound to both of your Orbit numbers and key generations. Neither the conversation key nor your private key is ever transmitted to the Service. Safety numbers (a hash of both parties' identities and public keys) let you verify the exchange in person.
Voice and video calls use WebRTC's native DTLS-SRTP. Media streams travel peer-to-peer when network conditions allow; otherwise they pass through a TURN relay we operate, which forwards the already-encrypted stream and cannot decrypt it. The Service relays only the signaling needed to establish the connection.
The Key Vault uses AES-GCM with a 256-bit key derived from your vault passphrase via PBKDF2-SHA256 (250,000 iterations) and a per-account salt.
5. How we use your information
- To deliver your encrypted messages and files to your intended recipients.
- To send push notifications you have enabled, telling you that an encrypted message, file, or call has arrived. Notification payloads do not contain message content or filenames; only the sender's username.
- To enforce account uniqueness, security limits (such as login rate limiting and upload quotas), and account-management actions you perform.
- To debug operational issues with the Service.
We do not sell, rent, or share your information with advertisers, data brokers, or third-party marketers under any circumstance.
6. Third parties
- Browser push services. Push notifications are delivered through your browser vendor's push infrastructure (Apple, Google/FCM, or Mozilla, depending on your browser). We send your encrypted notification payload to the endpoint your browser provides; from there your browser vendor delivers it to your device. Their privacy policies govern that leg.
- STUN servers. Voice and video calls may consult public STUN servers (e.g., Google's public STUN) to help peers find each other across NAT. STUN servers see your public IP address but no call content.
- TURN relay. When a direct path isn't possible, calls relay through a TURN server we operate ourselves (turn.3133t.net). It sees the same encrypted packets any internet router would.
- Bot protection. Registration may be protected by Cloudflare Turnstile, which runs a challenge in your browser. Cloudflare's privacy policy governs that interaction.
- Hosting infrastructure. The Service runs on virtual machines we control. We do not use third-party SaaS for storage or processing of user data.
7. Data retention
- Messages and files persist until either party deletes them, deletes the contact, or deletes their account.
- Push subscriptions are removed automatically when your browser revokes them, when you disable push, or when you delete your account.
- Key Vault persists until you delete it or delete your account.
- Call log entries persist until you delete the contact or your account.
- Server access logs are kept for operational use and rotated routinely.
8. Your rights
- Access. Everything we hold about your account is visible inside the app: your username, Orbit #, contacts, message and file history, push subscriptions, key fingerprint, vault status.
- Deletion. The Delete my account action in My Account immediately and permanently removes your account, contacts, messages, files, vault, call log, and push subscriptions from our database.
- Export. You can copy plaintext messages out of the app manually. Encrypted ciphertext export is not currently supported.
9. Children
The Service is not directed to children under 13 (or under 16 in the European Economic Area). We do not knowingly collect data from children. If you believe a child has created an account, contact us and we will delete it.
10. Security
Passwords are hashed with bcrypt. All transport is HTTPS / WSS with HSTS. Session cookies are HTTP-only, Secure, and SameSite=Strict. Login is rate-limited per IP and slowed per username on repeated failure. End-to-end encryption uses AES-GCM with ECDH/HKDF-derived keys generated in your browser. No system is perfectly secure; if you discover a vulnerability, please contact us before disclosing it publicly.
11. International transfers
The Service is hosted in the United States. By using the Service, you consent to your data being processed there.
12. Changes to this policy
If we materially change how we handle your information, we will update this page and revise the "Last updated" date above. Continued use of the Service after a change constitutes acceptance of the revised policy.
13. Contact
Questions about this policy or your data: admin@3133t.net.