Privacy policy

Orbit Software Ltd (trading as OrbitSoft)
Last updated: June 2026

1. Who we are

Orbit Software Ltd ("OrbitSoft", "we", "us") is a software company incorporated in England and Wales. We build and operate software products for schools and organisations, including OrbitCanteen, OrbitTutor, OrbitCare, and related licensing and integration services (together, the "Products").

This policy explains how we handle personal data in connection with our Products, our website, and our business operations. It applies to all OrbitSoft Products unless a Product-specific notice says otherwise.

We comply with the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018, and the EU General Data Protection Regulation (EU GDPR 2016/679), including national implementing laws in the EU member states where our clients operate.

2. Our role: controller or processor

How we handle your data depends on the context:

When you use one of our Products through your school or organisation, that school or organisation is the data controller. It decides what data is collected and why. OrbitSoft acts as a data processor, handling personal data only on the documented instructions of the controller under a signed Data Processing Agreement. Questions about how your data is used in a Product should be directed to your school or organisation in the first instance.

When you visit our website, contact us, or do business with us directly, OrbitSoft is the data controller for that information.

3. Data we process

Within our Products (as processor): depending on the Product, this may include names, roles, year groups, contact details, meal selections, allergen and dietary profiles, tuition and learning records, care records, identifiers such as QR codes, usage and consumption records, billing data, and system access logs. Some of this data relates to children, and some (such as allergen, dietary, health, or care information) may be special category data under Article 9 GDPR. We apply heightened protection to such data and process it solely to deliver the relevant service.

On our website and in our business (as controller): contact details you provide (name, email, organisation, role), correspondence, contractual and billing information, and limited technical data such as IP address and browser type collected for security and service operation.

4. Why we process data and lawful bases

As a processor, we process Product data because our client (the controller) instructs us to, under contract.

As a controller, we rely on:

Performance of a contract — delivering services to clients.

Legitimate interests — responding to enquiries, securing our systems, managing our business relationships.

Legal obligation — accounting, tax, and regulatory records.

Consent — where required, for example optional marketing communications, which you can withdraw at any time.

5. Children's data

Our Products are used by schools and may involve the personal data of children. Children's data is processed only on the instructions of the school as controller, only for delivery of the service, and never for marketing, profiling, or any secondary purpose. We apply appropriate technical and organisational measures reflecting the sensitivity of children's data.

6. Sharing and sub-processors

We do not sell personal data. We share personal data only with:

Sub-processors engaged to help deliver our services (such as hosting providers), under contracts imposing data protection obligations equivalent to our own.

Professional advisers where necessary.

Authorities where required by law.

For Product data, sub-processors are engaged only with the authorisation of the controller, and we remain fully responsible for their performance.

7. International transfers

We do not transfer personal data outside the UK or the European Economic Area unless an adequate transfer mechanism is in place, such as a UK or EU adequacy decision, the UK International Data Transfer Agreement or Addendum, or EU Standard Contractual Clauses, together with any supplementary measures required. For Product data, international transfers also require the prior consent of the controller.

8. Security

We implement appropriate technical and organisational measures to protect personal data against unauthorised or unlawful processing and against accidental loss, destruction, or damage. These measures reflect the nature of the data we process, including children's and health-related data, and include access controls, encryption in transit, environment separation, and personnel confidentiality obligations.

9. Retention

Product data is retained only for the duration of the active subscription with the relevant client. On termination, we delete or return personal data at the controller's election, normally within 30 days, unless retention is required by law. Business and contractual records are retained for as long as needed to manage the relationship and meet legal obligations (typically up to six years for accounting records).

10. Data breaches

If a personal data breach occurs affecting Product data, we will notify the affected controller without undue delay and in any event within 72 hours of becoming aware, with sufficient detail to enable the controller to meet its own obligations. Where we are the controller, we will notify the relevant supervisory authority and affected individuals where required by law.

11. Your rights

Under the UK and EU GDPR you have rights over your personal data, including:

Access to your personal data.

Rectification of inaccurate or incomplete data.

Erasure in certain circumstances.

Restriction of processing.

Data portability.

Objection to processing based on legitimate interests.

Withdrawal of consent where processing is based on consent.

If your data is processed within a Product, please contact your school or organisation (the controller); we will assist them in responding within statutory timeframes. If OrbitSoft is the controller, contact us directly using the details below.

You also have the right to lodge a complaint with a supervisory authority: in the UK, the Information Commissioner's Office (ico.org.uk); in the EU, the supervisory authority of your member state (for Luxembourg, the CNPD, cnpd.public.lu).

12. Cookies and website data

Our website uses only the cookies necessary for it to function and, where applicable, analytics cookies subject to your consent. We do not use cookies for advertising.

13. Changes to this policy

We may update this policy from time to time. The latest version will always be available on our website with the date of last revision shown above.

14. Contact

Orbit Software Ltd (OrbitSoft)

Email: privacy@orbitsoft.co.uk

Website: orbitsoft.co.uk

Phone: +44 20 3355 9980