
Privacy Policy

Orbit Consulting LLC — Washington, D.C. Metropolitan Area

Effective Date: June 1, 2026  ·  Last Updated: June 1, 2026

Contents

  1. Information We Collect
  2. How We Use Your Information
  3. Legal Basis for Processing
  4. Information Sharing and Disclosure
  5. Data Retention
  6. Security Safeguards
  7. Your Rights and Choices
  8. Cookies and Tracking Technologies
     Wealthpilot — Financial Data & AI Processing
  9. Third-Party Links
  10. Children's Privacy
  11. Changes to This Policy
  12. Contact Us

Orbit Consulting LLC ("Orbit," "we," "our," or "us") is committed to protecting the privacy of individuals who visit our website at orbitconsultingfirm.com (the "Site") and who use our Risk Management Framework (RMF) Tool, our Wealthpilot AI-powered financial management application, and related professional services (collectively, the "Services"). This Privacy Policy explains what information we collect, how we use and protect it, and the choices available to you.

Because the Services include both a federal cybersecurity compliance tool (the RMF Tool) and a personal/business financial management tool (Wealthpilot), certain sections of this Policy apply specifically to one product. Those sections are clearly labeled. All other sections apply to both products.

By accessing or using our Site and Services, you acknowledge that you have read, understood, and agree to this Privacy Policy. If you do not agree with this policy, please discontinue use of our Site and Services.

1. Information We Collect

1.1 Information You Provide Directly

We collect information that you voluntarily provide to us, including:

  • Contact information: Name, email address, phone number, job title, and organization name when you submit our contact form, request access to the RMF Tool, or communicate with us.
  • Account credentials: Username and password when you register for or log in to the RMF Tool. Passwords are stored using bcrypt hashing and are never stored in plaintext.
  • Professional information: Agency or organization name, system categorization data, and other information you enter into the RMF Tool in the course of using our services.
  • Communications: Records of correspondence if you contact us by email or through our Site.

1.2 Information Collected Automatically

When you visit our Site or use our Services, we automatically collect certain technical information:

  • Log data: IP address, browser type and version, operating system, referring URL, pages visited, and timestamps.
  • Authentication tokens: JSON Web Tokens (JWTs) stored in your browser's local storage to maintain your authenticated session with the RMF Tool.
  • Usage data: Audit logs of actions performed within the RMF Tool, including control status changes, assessment entries, and user management actions, for security and compliance purposes.

1.3 Wealthpilot Financial Information

Wealthpilot, our AI-powered personal and business financial management application, is designed with a local-first storage model. The financial information you enter into Wealthpilot — including:

  • Account and transaction data: Account balances, transaction history, merchant names, and categorization data that you manually enter or import (e.g., via file upload);
  • Financial profile information: Income, budgets, financial goals, net worth estimates, and similar information you provide to receive AI-generated insights;
  • AI interaction data: Questions, prompts, and conversations with Wealthpilot's AI assistant;

is stored locally on your device (e.g., in your browser's local storage or an on-device database), not on Orbit's servers, except as described below.

Wealthpilot does not connect to your bank, brokerage, or credit card accounts, and does not use third-party financial data aggregation services. All AI-generated insights are produced by models running on your device — your financial data is never transmitted to Orbit's servers or to any third-party AI provider. You remain in control of your financial data at all times, and it does not leave your device unless: (a) you choose to export it; or (b) you enable an optional cloud-sync or backup feature, which will be clearly disclosed and require your affirmative opt-in.

1.4 Information from Third Parties

We do not purchase or acquire personal information from data brokers or other third-party sources. Any information received from third parties is limited to what is necessary to provide contracted services.

2. How We Use Your Information

We use the information we collect for the following purposes:

  • To provide, operate, and maintain the RMF Tool and associated services;
  • To create and manage your user account and authenticate your identity;
  • To respond to your inquiries, service requests, and access requests;
  • To send transactional communications, including account credentials, password resets, and service notifications;
  • To generate security audit logs and maintain an audit trail for compliance with federal cybersecurity requirements;
  • To improve the performance, security, and reliability of our Site and Services;
  • To comply with applicable legal, regulatory, and contractual obligations;
  • To detect, prevent, and investigate potential security incidents or unauthorized access.

We do not sell, rent, or lease your personal information to third parties for marketing purposes. We do not use your personal data to build advertising profiles or engage in behavioral advertising.

3. Legal Basis for Processing

Where applicable law requires a legal basis for processing personal data (such as under the GDPR or applicable state privacy laws), we rely on the following:

  • Contract performance: Processing necessary to deliver services you have requested or to which you have agreed;
  • Legitimate interests: Processing necessary for our legitimate business interests, including security monitoring, fraud prevention, and service improvement, where these interests are not overridden by your rights;
  • Legal obligation: Processing necessary to comply with applicable law, regulation, or legal process;
  • Consent: Where we rely on consent, you may withdraw it at any time by contacting us.

4. Information Sharing and Disclosure

We do not sell or share your personal information with third parties except as described below:

  • Service providers: We engage trusted third-party vendors to support our operations (e.g., cloud hosting, transactional email delivery). These providers are contractually restricted from using your data for any purpose other than providing services to us and are required to protect your information in accordance with this policy.
  • Legal requirements: We may disclose information if required by law, court order, or governmental authority, or if we believe disclosure is necessary to protect the rights, property, or safety of Orbit, our clients, or the public.
  • Business transfers: In the event of a merger, acquisition, or sale of assets, your information may be transferred to the successor entity, subject to the same privacy protections described here.
  • With your consent: We may share information for any other purpose with your explicit consent.

5. Data Retention

We retain personal information for as long as necessary to fulfill the purposes for which it was collected, to provide our services, and to comply with our legal, regulatory, and contractual obligations.

  • Account data: Retained for the duration of your account and for a reasonable period thereafter to support transition or legal obligations.
  • Audit logs: Retained in accordance with applicable federal recordkeeping requirements and our contractual obligations, typically for a minimum of three (3) years.
  • Contact inquiries: Retained for up to two (2) years from the date of last contact.

When data is no longer needed, we securely delete or anonymize it.

6. Security Safeguards

We implement administrative, technical, and physical safeguards to protect your personal information, including:

  • Encryption of data in transit using TLS 1.2 or higher;
  • Password hashing using bcrypt with a work factor designed to resist brute-force attacks;
  • Role-based access controls restricting access to personal data on a need-to-know basis;
  • Audit logging of all privileged actions within the RMF Tool;
  • Regular security assessments aligned with NIST SP 800-53 Rev 5 controls;
  • Strict-Transport-Security (HSTS) and other HTTP security headers.

No method of transmission over the Internet or electronic storage is 100% secure. While we strive to use commercially acceptable means to protect your information, we cannot guarantee absolute security. In the event of a data breach affecting your rights, we will notify you as required by applicable law.

7. Your Rights and Choices

Depending on your location and applicable law, you may have the following rights regarding your personal information:

  • Access: Request a copy of the personal information we hold about you;
  • Correction: Request correction of inaccurate or incomplete information;
  • Deletion: Request deletion of your personal information, subject to our legal retention obligations;
  • Restriction: Request that we restrict processing of your information in certain circumstances;
  • Portability: Request a machine-readable copy of your information;
  • Objection: Object to processing based on legitimate interests.

To exercise any of these rights, please contact us at privacy@orbitconsultingfirm.com. We will respond within the timeframe required by applicable law. We may need to verify your identity before fulfilling your request.

8. Cookies and Tracking Technologies

Our Site uses minimal cookies and local storage:

  • Authentication tokens: Stored in browser local storage to maintain your logged-in session with the RMF Tool. These are not cookies and cannot be sent to third parties.
  • Wealthpilot financial data: As described above, Wealthpilot stores your financial information in your browser's local storage or on-device database as its primary data store — not for tracking purposes, but as the application's core data storage mechanism.
  • Session functionality: We do not use third-party analytics cookies, advertising cookies, or social media tracking pixels on our Site.

Because we do not use tracking cookies, there is no cookie consent banner required. You may clear your browser's local storage at any time; doing so will log you out of the RMF Tool and will permanently delete your locally stored Wealthpilot financial data unless you have exported a backup or enabled optional cloud sync.

Wealthpilot — Financial Data & AI Processing

This section applies specifically to Wealthpilot, Orbit's AI-powered personal and business financial management application, and supplements the information provided elsewhere in this Policy.

Local-First Storage

Wealthpilot stores your financial data locally on your device — for example, in your web browser's local storage, IndexedDB, or an on-device application database — rather than on Orbit's servers. This means:

  • Your account balances, transactions, budgets, and financial goals remain on your device and are not transmitted to or stored on Orbit's infrastructure by default;
  • Orbit personnel do not have routine access to your Wealthpilot financial data;
  • If you clear your browser data, uninstall the application, or switch devices without exporting your data, your locally stored financial information may be permanently lost. We recommend periodically exporting a backup.

No Bank Account Linking

Wealthpilot does not connect to, or request credentials for, your bank, credit card, brokerage, or other financial institution accounts, and does not use third-party financial account aggregation services (such as Plaid). All financial data is entered manually or imported by you from files you choose to upload (e.g., CSV statements).

On-Device AI — No External Data Transmission

Wealthpilot's AI-generated budgeting insights, spending categorization, savings recommendations, and similar features run entirely on your device. Your financial data is not sent to Orbit's servers, to Anthropic, OpenAI, or any other third-party AI provider, in order to generate these insights. Because no financial data is transmitted off your device for AI processing, Orbit has no server-side access to, and does not retain copies of, your Wealthpilot financial data or your interactions with the AI assistant.

  • AI-generated outputs are provided for informational and educational purposes only and do not constitute financial, investment, tax, or legal advice;
  • Because models run locally, the quality and accuracy of insights may depend on your device's capabilities and the data you have entered;
  • You should independently verify AI-generated insights and consult a licensed financial professional before making financial decisions.

If a future version of Wealthpilot introduces an optional feature that sends data to an external AI provider, that feature will be off by default, clearly disclosed, and will require your affirmative opt-in before any data leaves your device.

Optional Cloud Sync or Backup

If Wealthpilot offers an optional cloud-sync, account, or backup feature, that feature will be off by default and clearly disclosed at the point you enable it. Enabling such a feature means the financial data you choose to sync will be transmitted to and stored on Orbit's servers (or a designated cloud storage provider) in encrypted form, and the data-handling practices described elsewhere in this Policy (retention, security safeguards, your rights) will apply to that synced data. You may disable cloud sync and request deletion of any previously synced data at any time.

How We Use Wealthpilot Data

To the extent any Wealthpilot data is transmitted to Orbit (e.g., for AI processing of a specific query, or because you enabled optional cloud sync), we use it solely to: provide the feature you requested; maintain the security and integrity of the Service; and, with your consent, improve Wealthpilot's features. We do not sell your financial data, and we do not use it to build advertising profiles.

Your Choices for Financial Data

Because your financial data is stored locally, you control it directly: you can export, edit, or permanently delete it at any time from within Wealthpilot's settings, including by clearing the application's local data. If you have enabled optional cloud sync, you can also request deletion of synced data by contacting us at privacy@orbitconsultingfirm.com.

9. Third-Party Links

Our Site may contain links to external websites operated by third parties. This Privacy Policy does not apply to those sites. We encourage you to review the privacy policies of any third-party sites you visit. We are not responsible for the privacy practices or content of external sites.

10. Children's Privacy

Our Site and Services are intended for use by professionals and are not directed to individuals under the age of 18. We do not knowingly collect personal information from children under 18. If we learn that we have inadvertently collected such information, we will promptly delete it. If you believe we have collected information from a minor, please contact us at privacy@orbitconsultingfirm.com.

11. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, services, or applicable law. When we make material changes, we will update the "Last Updated" date at the top of this page. Where required by law, we will notify you of significant changes by email or through prominent notice on our Site. Your continued use of our Services following notification of changes constitutes your acceptance of the updated policy.

12. Contact Us

If you have questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:

  • Email: privacy@orbitconsultingfirm.com
  • General inquiries: info@orbitconsultingfirm.com
  • Website: orbitconsultingfirm.com
  • Mailing address: Orbit Consulting LLC, Washington, D.C. Metropolitan Area

© 2025 Orbit Consulting LLC · All rights reserved · Terms of Service · Privacy Policy
