This Privacy Policy explains how Orbits processes personal data when you use EmailIntel.
EmailIntel is an email analysis service. It helps users inspect suspicious emails, headers, links, sender information, embedded attachments, and technical indicators.
This Privacy Policy applies when you:
- upload an email file, such as
.emlor.msg; - upload raw email text, headers, or
.txtfiles; - send or forward an email to an EmailIntel analysis inbox;
- visit
emailintel.orbitstech.com; - contact Orbits about EmailIntel.
This Privacy Policy should be read together with the EmailIntel Terms of Service.
1. Who is responsible for your data
For the public EmailIntel upload page and public analysis inbox, Orbits is the controller for the personal data it processes.
Controller: Orbits Website: orbitstech.com Email: [email protected] Country: Netherlands
For future business, commercial, mail-routing, gateway, or managed analysis services, Orbits may act as a processor, joint controller, or independent controller depending on the exact service. Those services may require a separate agreement, Data Processing Agreement, or customer-specific privacy documentation.
2. GDPR principles
Orbits is based in the Netherlands and aims to process personal data in line with Regulation (EU) 2016/679, the General Data Protection Regulation.
Orbits applies the GDPR Article 5 principles, including:
- lawfulness, fairness, and transparency;
- purpose limitation;
- data minimisation;
- accuracy where relevant;
- storage limitation;
- integrity and confidentiality;
- accountability.
The short version: EmailIntel should process what it needs, explain why, avoid keeping full submitted emails after analysis, and protect the data it touches.
3. What personal data EmailIntel may process
Submitted emails can contain personal data. Even a boring phishing email can drag half the internet into the headers like it is collecting stamps.
Depending on what you submit, EmailIntel may process:
Email content and metadata
- sender email addresses;
- recipient email addresses;
- reply-to addresses;
- display names;
- subject lines;
- message body text;
- email headers;
- mail server routing data;
- timestamps;
- authentication results, such as SPF, DKIM, and DMARC information;
- message IDs;
- embedded URLs;
- domains;
- IP addresses;
- file names;
- file hashes;
- attachment metadata;
- attachment contents where the attachment is part of the submitted
.emlor.msgfile; - other technical artifacts contained in the submitted email.
Submission and service data
- the email address used to forward a message to EmailIntel;
- the email address used to receive analysis results, where applicable;
- upload time;
- submission method;
- browser and device metadata;
- IP address used to access the service;
- basic logs needed for security, abuse prevention, and troubleshooting.
Contact data
If you contact Orbits, Orbits may process:
- your name;
- email address;
- organization, where provided;
- message contents;
- support or commercial request details.
4. What EmailIntel does not intentionally keep
In the current version of EmailIntel, Orbits does not intentionally keep the full submitted email after analysis.
Submitted emails and uploaded email files are held temporarily while the analysis is performed. After analysis is completed, the submitted email content is deleted from the temporary analysis environment.
Orbits also does not use the original To recipient address from submitted emails for threat intelligence enrichment.
Where an email is forwarded to EmailIntel, Orbits may process the forwarding address to return results, prevent abuse, maintain technical records, or handle service-related communication.
Temporary system logs, mail server logs, security logs, queue metadata, infrastructure traces, or backups may exist for a limited time as part of normal technical operations. Orbits limits this where reasonably possible and does not use such logs as a replacement for storing submitted email bodies.
5. Extracted indicators and analysis metadata
After the submitted email has been analyzed and deleted, Orbits may retain extracted indicators and analysis metadata.
This may include:
- domains;
- URLs;
- IP addresses;
- file hashes;
- sender infrastructure indicators;
- authentication results;
- phishing or malware indicators;
- campaign patterns;
- classification results;
- timestamps;
- abuse patterns;
- anonymized or pseudonymized analysis data.
Orbits uses this data to improve EmailIntel, OrbitsIntel, and related security services.
Where practical, Orbits anonymizes, pseudonymizes, aggregates, or minimizes this data. Orbits aims to avoid retaining personal content where technical indicators are enough.
6. Why Orbits processes personal data
Orbits processes personal data for the following purposes:
To provide the requested analysis
This includes parsing the submitted email, extracting headers and indicators, checking suspicious links, identifying authentication failures, detecting phishing or malware signals, and generating an analysis result.
To send results or service messages
If the submission method requires a response, Orbits may use your email address to send the analysis result or operational notices.
To protect EmailIntel against abuse
Orbits may process technical data to detect misuse, automated abuse, excessive submissions, attempts to evade analysis, attempts to use EmailIntel to improve phishing, and attacks against the Service.
To improve security detections
Orbits may use extracted indicators and analysis metadata to improve EmailIntel, OrbitsIntel, and related security detection capabilities.
To perform threat intelligence and security research
Orbits may use extracted indicators to identify phishing infrastructure, malware infrastructure, campaign patterns, abuse clusters, and other security-relevant activity.
To communicate with you
If you contact Orbits, Orbits uses your contact details to respond.
To comply with legal obligations
Orbits may process or retain certain information where required by law, legal process, or a legitimate security or abuse investigation.
7. Lawful bases under GDPR Article 6
Depending on the situation, Orbits may rely on one or more lawful bases under GDPR Article 6.
Article 6(1)(b): requested service
When you submit an email for analysis, Orbits processes the submitted content to provide the requested EmailIntel service or to take steps requested by you before entering into a service relationship.
Article 6(1)(f): legitimate interests
Orbits may rely on legitimate interests for:
- securing EmailIntel;
- preventing abuse;
- improving detections;
- retaining extracted technical indicators;
- building and improving threat intelligence;
- detecting phishing, malware, fraud, spoofing, and infrastructure abuse;
- protecting users, Orbits, and others from security threats.
Orbits balances these interests against the rights and freedoms of the people whose personal data may appear in submitted emails.
Article 6(1)(a): consent
Where Orbits asks for consent, such as for optional marketing communication or optional cookies, Orbits relies on consent. You can withdraw consent where applicable.
Article 6(1)(c): legal obligation
Where Orbits is legally required to process or retain data, Orbits may rely on legal obligation.
8. Special categories of personal data
EmailIntel is not intended for submitting special categories of personal data, such as health data, political opinions, religious beliefs, biometric data, or similar sensitive data under GDPR Article 9.
However, submitted emails may accidentally contain sensitive data. You should remove or redact unnecessary sensitive information before submission where practical.
If special category data is present in a submitted email, Orbits will process it only as far as technically necessary to provide the requested analysis, protect the Service, or comply with applicable law.
9. Third-party enrichment and security services
EmailIntel may use third-party security, research, enrichment, infrastructure, or reputation services.
This may include sharing or querying:
- URLs;
- domains;
- IP addresses;
- file hashes;
- sender infrastructure data;
- authentication data;
- malware or phishing indicators;
- other technical artifacts extracted from submitted content.
These third parties may include security research companies, threat intelligence providers, abuse databases, reputation services, infrastructure lookup providers, sandboxing systems, or similar security services.
Orbits does not publish a full list of these third parties. This helps protect the integrity of EmailIntel and reduces the chance that attackers use the list to tune phishing or malware around known analysis paths.
Orbits aims to avoid sharing unnecessary personal data with third parties. Where third-party enrichment is used, Orbits shares the minimum information reasonably needed for analysis, enrichment, abuse prevention, security research, or threat intelligence.
10. International transfers
Some third-party services or infrastructure providers may process data outside the European Economic Area.
Where personal data is transferred outside the EEA, Orbits will use an appropriate transfer mechanism where required by GDPR Chapter V. This may include adequacy decisions, Standard Contractual Clauses, or other lawful transfer mechanisms.
Orbits aims to minimize personal data in third-party enrichment so that technical indicators, rather than full personal content, are used wherever practical.
11. Retention
Orbits applies storage limitation under GDPR Article 5.
Submitted emails
Submitted emails and uploaded email files are held temporarily for analysis and deleted after analysis is completed.
Extracted indicators
Extracted indicators and analysis metadata may be retained for as long as they remain relevant for security, abuse prevention, threat intelligence, service improvement, or legal purposes.
Some indicators may remain useful for long-term threat intelligence because phishing infrastructure, malware infrastructure, and abuse patterns can reappear later.
Logs
Technical logs may be retained for a limited period for security, abuse prevention, troubleshooting, legal, and operational purposes.
Contact messages
Messages sent to Orbits may be retained as long as needed to handle the request, maintain records, manage commercial communication, or comply with legal obligations.
12. Marketing communication
Submitting an email for analysis does not automatically subscribe you to unrelated marketing emails.
Orbits may send service-related communication, such as analysis results, operational notices, security notices, abuse notices, or legal notices.
Marketing emails, newsletters, product updates, or promotional messages will only be sent where Orbits has a lawful basis to do so, including consent where required. Marketing emails will include a way to unsubscribe where required.
13. Cookies and website analytics
EmailIntel may use strictly necessary cookies or similar technologies to operate the website, secure the Service, prevent abuse, remember technical choices, or handle uploads.
If Orbits uses optional analytics, tracking, or marketing cookies, Orbits will request consent where required.
EmailIntel should not require unnecessary tracking to perform email analysis.
14. Security
Orbits applies appropriate technical and organizational measures under GDPR Article 32.
These may include:
- temporary processing of submitted emails;
- deletion after analysis;
- access limitation;
- abuse controls;
- infrastructure logging;
- secure transport where available;
- data minimisation;
- pseudonymisation or anonymisation where practical;
- controlled use of third-party enrichment;
- monitoring for misuse of the Service.
No internet-facing service is perfectly secure. EmailIntel handles suspicious content by design, so Orbits may block, reject, isolate, detonate, or discard submissions when needed to protect the Service or others.
15. Automated analysis
EmailIntel uses automated analysis to classify emails, extract indicators, inspect headers, check infrastructure, and generate results.
EmailIntel does not make decisions that produce legal effects or similarly significant effects about individuals within the meaning of GDPR Article 22.
EmailIntel results are informational security outputs. They should not be used as the sole basis for legal, employment, financial, disciplinary, compliance, or high-impact security decisions.
16. Your GDPR rights
Depending on the situation and applicable law, you may have the following rights:
- right of access under GDPR Article 15;
- right to rectification under GDPR Article 16;
- right to erasure under GDPR Article 17;
- right to restriction of processing under GDPR Article 18;
- right to data portability under GDPR Article 20, where applicable;
- right to object under GDPR Article 21;
- right to withdraw consent where processing is based on consent;
- right to lodge a complaint with a supervisory authority.
Because EmailIntel deletes submitted emails after analysis, Orbits may no longer have the original submitted content available when a request is made.
For extracted indicators, logs, or contact data, Orbits will assess requests based on the data available, the requester’s relationship to the data, security needs, legal obligations, and the rights and freedoms of others.
To make a privacy request, contact:
Orbits may need to verify your identity before handling certain requests.
17. Complaints
If you are in the Netherlands, you can lodge a complaint with the Dutch supervisory authority, the Autoriteit Persoonsgegevens.
You can also contact Orbits first at:
18. Children
EmailIntel is not specifically directed at children.
If a child submits content to EmailIntel, Orbits will process the submission only as far as needed to provide the requested analysis, protect the Service, delete the submitted email after analysis, and handle any legal or safety obligations.
19. Business and organizational use
EmailIntel is available for personal and non-profit use. Business, commercial, or internal organizational use should be licensed through Orbits.
If an organization uses EmailIntel to process emails from employees, customers, users, patients, students, clients, or other individuals, that organization is responsible for ensuring it has a proper legal basis, internal authority, privacy notice, and contractual arrangement where required.
Future business services, mail-routing services, managed services, dashboards, customer accounts, or API access may require additional privacy terms, security terms, and data processing agreements.
20. Changes to this Privacy Policy
Orbits may update this Privacy Policy from time to time.
The updated version will be published on emailintel.orbitstech.com or orbitstech.com. The effective date at the top of this document will indicate when the latest version applies.
21. Contact
For privacy questions, GDPR requests, deletion requests, commercial use, abuse reports, or security issues, contact: