Legal

Privacy Policy

Effective date: March 2026

Sovereign Orbital · sovereignorbital.org

1. Who We Are

Sovereign Orbital is a pre-launch satellite company based in Boston, Massachusetts, operating at sovereignorbital.org. We build and intend to launch CubeSats for research, enterprise, and individual operators.

For privacy inquiries, contact us at hello@sovereignorbital.org. Our Data Protection contact is the same address.

2. What Data We Collect

We collect only what is necessary to operate our intent platform:

DataSourcePurpose
NamePre-order & account formsOrder fulfillment, account identification
Email addressPre-order & account formsCommunications about your intent, account management
CountryPre-order formsLaunch planning, regulatory compliance
Account credentialsAccount registrationAuthentication; passwords stored as PBKDF2-SHA512 hashes only
IP address & browser infoServer logs (Vercel)Security monitoring, debugging

3. Why We Collect It

  • To fulfill pre-launch intent registrations and communicate mission status
  • To manage your account and authenticate your sessions
  • To comply with regulatory requirements for satellite operations
  • To maintain the security and integrity of our platform

4. Legal Basis for Processing (GDPR)

For users in the European Union, our legal bases are:

  • Consent — when you submit a pre-order or account registration form
  • Legitimate interests — security logging, fraud prevention, and platform integrity
  • Legal obligation — export control and satellite regulatory compliance

5. Data Retention

  • Account data is retained until you request deletion
  • Pre-order intent data is retained for the mission fulfillment period (until your mission is complete or cancelled)
  • Server logs (IP, browser) are retained for up to 30 days by our infrastructure providers
  • Upon deletion request, your account and associated personal data are purged within 30 days

6. We Do Not Sell Your Data

We do not sell, rent, or trade your personal information to any third party for any commercial purpose. This applies globally, including under the California Consumer Privacy Act (CCPA).

We do not run advertising tracking, behavioral profiling, or marketing retargeting of any kind.

7. Cookies

We use one cookie:

so_session
Authentication session cookie. httpOnly, Secure, SameSite=Lax. Expires after 7 days. Required for account login. No tracking.

We do not use analytics cookies, advertising cookies, or any third-party tracking cookies.

8. Third-Party Services

We use the following infrastructure providers who may process your data:

Vercel
Web hosting and CDNProcesses IP addresses and request logs. US-based.
Turso (ChiselStrike)
DatabaseStores account and pre-order data. Encrypted at rest. US-based.
Resend
Transactional emailUsed only to deliver order confirmation and account emails. No marketing.

9. International Transfers

Our infrastructure (Vercel, Turso) is primarily US-based. If you are located in the EU/EEA, your data may be transferred to the United States. We rely on our processors' standard contractual clauses and GDPR-compliant data processing agreements for these transfers.

10. Your Rights (GDPR)

If you are in the EU/EEA, you have the right to:

  • Access — request a copy of the data we hold about you
  • Rectification — correct inaccurate personal data
  • Erasure — request deletion of your personal data
  • Data portability — receive your data in a machine-readable format
  • Objection — object to processing based on legitimate interests
  • Lodge a complaint — with your local supervisory authority (e.g., your country's Data Protection Authority)

11. Your Rights (CCPA — California)

If you are a California resident, you have the right to:

  • Know — what personal information we collect and how it is used
  • Delete — request deletion of your personal information
  • Opt-out of sale — we do not sell personal information
  • Non-discrimination — we will not discriminate against you for exercising your rights

12. How to Exercise Your Rights

To exercise any of your rights, email us at hello@sovereignorbital.org with the subject line "Privacy Request" and a description of your request. We will respond within 30 days (GDPR) or 45 days (CCPA).

13. Security

  • Passwords are hashed with PBKDF2-SHA512 (100,000 iterations). We cannot recover your password.
  • All connections are encrypted in transit via TLS
  • Database data is encrypted at rest via Turso
  • Optional TOTP two-factor authentication is available for all accounts
  • Sessions are cryptographically signed JWTs with 7-day expiry

14. Children

Our platform is not intended for persons under 18 years of age. We do not knowingly collect personal data from children. If you believe a child has provided us data, please contact us immediately.

15. Changes to This Policy

We may update this privacy policy from time to time. When we do, we will notify registered users by email and update the effective date above. Continued use of the platform after changes constitutes acceptance of the updated policy.

16. Contact

For any privacy-related questions or requests:

Data Protection Contact: hello@sovereignorbital.org
Address: Boston, Massachusetts, USA
Terms of ServiceSecurityHome