Privacy Policy

This Privacy Policy describes how Orbit (the "Service", operated at 3133t.net) collects, uses, stores, and discloses information when you use the Service. The Service is built so that the operators cannot read the contents of your messages, files, voice, or video. This policy explains exactly what we do and do not have access to.

1. Information you provide to us

2. Information we do not collect

3. Information collected automatically

4. How encryption works

Conversations are end-to-end encrypted between you and your contact using AES-GCM with a 256-bit key. The key is derived automatically: your browser performs an ECDH key agreement (curve P-256) between your private key and your contact's public key, then expands the shared secret with HKDF-SHA256 bound to both of your Orbit numbers and key generations. Neither the conversation key nor your private key is ever transmitted to the Service. Safety numbers (a hash of both parties' identities and public keys) let you verify the exchange in person.

Voice and video calls use WebRTC's native DTLS-SRTP. Media streams travel peer-to-peer when network conditions allow; otherwise they pass through a TURN relay we operate, which forwards the already-encrypted stream and cannot decrypt it. The Service relays only the signaling needed to establish the connection.

The Key Vault uses AES-GCM with a 256-bit key derived from your vault passphrase via PBKDF2-SHA256 (250,000 iterations) and a per-account salt.

5. How we use your information

We do not sell, rent, or share your information with advertisers, data brokers, or third-party marketers under any circumstance.

6. Third parties

7. Data retention

8. Your rights

9. Children

The Service is not directed to children under 13 (or under 16 in the European Economic Area). We do not knowingly collect data from children. If you believe a child has created an account, contact us and we will delete it.

10. Security

Passwords are hashed with bcrypt. All transport is HTTPS / WSS with HSTS. Session cookies are HTTP-only, Secure, and SameSite=Strict. Login is rate-limited per IP and slowed per username on repeated failure. End-to-end encryption uses AES-GCM with ECDH/HKDF-derived keys generated in your browser. No system is perfectly secure; if you discover a vulnerability, please contact us before disclosing it publicly.

11. International transfers

The Service is hosted in the United States. By using the Service, you consent to your data being processed there.

12. Changes to this policy

If we materially change how we handle your information, we will update this page and revise the "Last updated" date above. Continued use of the Service after a change constitutes acceptance of the revised policy.

13. Contact

Questions about this policy or your data: admin@3133t.net.