Orbiko Solutions Limited (trading as Orbiko)

Privacy and Cookie Policy

Last updated: 15 April 2023

Section 1: Overview

What does this document do?

This document sets out what information Orbiko Solutions collects about people, what we use it for and who we share it with. It explains what legal rights individuals have in relation to their information and what to do if they have any concerns about how their information is being used.

Orbiko Solutions sometimes needs to update this document to reflect any changes to our business activities or to comply with new legal requirements. We will notify you of any important changes before they take effect.

If you have any questions about this document or the way Orbiko Solutions uses people’s information, please get in touch by:

  • Emailing [email protected]
  • Telephoning +44 (0)1225 781 867
  • Writing to us at 14 Queen Square, Bath, BA1 2HN
  • Completing our webform available on our website

Our current data protection officer is Shaun Houghton, our Chief Information Officer, who can be reached at [email protected].

Who should read this document?

The information in this document will be relevant to you if you:

  • Visit our website at https://www.orbiko.co.uk/ or contact us via our email address, telephone number, post, and our webform, as stated above.
  • Interact with our corporate accounts on social media platforms.
  • Are a key contact working for an existing or prospective business customer of Orbiko Solutions and/or are an existing or prospective customer.
  • Have been provided login credentials and access to our website (User).
  • Are a person identified by any content uploaded, enquiry submitted, or information provided by a User, key contact, or website visitor.
  • Are a key contact working for an existing or prospective supplier of Orbiko Solutions.
  • Have been referred to our services by one of our partners.
  • Are a key contact working for an existing or prospective partner of Orbiko Solutions.
  • Sign up to our newsletter or otherwise indicate you wish to receive communications from us.

Who we are

We are Orbiko Solutions Limited (trading as Orbiko Solutions), a company registered in England and Wales under company number 12069827 whose registered office is at 14 Queen Square, Bath, BA1 2HN.

What we do

Orbiko Solutions Limited was founded in the traditional physical gold market. As our footprint grew and evolved, we realized a need to merge the traditional value and rarity of gold with the innovation, speed, and safety of the fast-developing stablecoin industry.

We are both a data processor and controller in relation to customer data. As such we conform to all relevant GDPR regulations.

We provide stablecoins backed by tangible physical assets. These are offered for sale via our website and will be transferred as part of the sales process to customers’ own wallets on the Stellar blockchain.

These products are available to purchase on our website and via third-party exchanges.

Our legal status under data protection law

As a company located in the UK, our use of people’s information is regulated by the Information Commissioner’s Office (ICO), the regulator responsible for ensuring organisations comply with UK data protection law. We are registered with the ICO under registration number ZB523125.

Whenever we collect, use, or share information about people located outside the UK we comply with additional local laws that apply.

For all visitors to our website, people who sign up to receive our newsletter as well as key contacts working for our suppliers, ORBIKO SOLUTIONS is the controller for your information (which means we decide what information we collect and how it is used).

If you purchase our goods, create an account and/or sign up for our services in your own name and for your personal use, then ORBIKO SOLUTIONS also acts as the controller for your information. Alternatively, if you work for, or are provided login credentials by, a business customer of ours, most of the time our business customer is the controller and ORBIKO SOLUTIONS is their processor (which means we must follow the instructions they give us). In limited circumstances, ORBIKO SOLUTIONS is the controller for your personal data, for example for any feedback you give us. For details about what information our business customer collects about you and what they use it for, you should read their privacy information.

Section 2: What information we collect and receive

Personal data means any information that can (or could be used to) identify a living person. We have grouped together the different types of personal data that we collect and where we receive it from in the table below:

Personal data | Received from
Identity data – first name, last name, title, job title, current employer, date of birth, gender, pronouns | you; business customer; ShufitPro Identity Verification service
Contact data – work email address, work telephone number, personal email address, personal telephone number, social media handle, home address, office address | you; business customer; referral source; social media platform
Official documents – passport, driving licence, national insurance number, visa | you; ShufitPro Identity Verification service
Recruitment – job titles, employment history, preferred working hours, qualifications or accreditations, professional memberships, CV, application form, outcome of recruitment process, current and desired salary, DBS checks | you; recruitment agency; social media platform; background checking agencies
Financial – bank account, sort code, bank name, direct debit, payroll number, card type, card verification value (CVV) number, invoice reference number, remittance reference number, order reference number, purchase or transaction history, credit score | you; business customer; TakePayment payment provider; credit checking agency
Location – attendance records, we automatically receive imprecise location information based on your Internet Protocol (IP) address – we only access precise real-time location information if you have given us specific permission to do so (e.g. by enabling GPS on your device) | you (including via cookies or similar technologies)
Feedback and enquiries – any responses you provide when you rate our services and products or reply to a survey, any information you send when you contact us, submit an enquiry on our website or comment on our social media corporate accounts or content | you; customer; third party feedback services; social media platforms
Marketing – your status as a marketing recipient (e.g. if you have signed up to or opted out of receiving communications from us), your preferred method of communication and how you have interacted with our communications and content, your telephone preference service (TPS) status | you (including via cookies or similar technologies)
Usage data – login credentials, access permissions, audit logs, chat logs, content or information input or uploaded, clickstream to and on our website, download or upload errors, length of visit, page interaction | you (including via cookies and similar technologies)
Technical data – internet protocol (IP) address, browser type and version, time zone setting and location, browser plug-in types and versions, operating system and type of device used to access our website or software or application | you (including via cookies and similar technologies); mobile application; API services for B2B transactions

What happens if you do not provide your personal data?

Some of the personal data we request is optional and we can provide our goods and/or services without that information. In other cases, if you do not provide the information, we may not be able to provide our service to you (e.g., if you do not provide a valid postal address, we may not be able to deliver our goods). If you have not provided personal data which means we cannot provide our service to you, we will attempt to contact you to notify you.

Section 3: How we use your information

UK data protection law requires controllers to identify a legal justification (also known as a lawful basis) to collect and use your personal data. There are six lawful bases which organisations can rely on to justify their collection and use of personal data.

Whenever ORBIKO SOLUTIONS acts as the controller for personal data (please see Section 1 for an explanation of when ORBIKO SOLUTIONS acts as a controller and when we act as a processor), we rely on the following lawful bases:

  • to enter into and perform our contract with you;
  • to pursue our legitimate interests (our justifiable business aims) but only if those interests are not outweighed by your other rights and freedoms (e.g. your right to privacy);
  • to comply with a legal obligation that we have;
  • to do something that you have given your consent (permission) for.

The table below provides more detail about the reasons ORBIKO SOLUTIONS may use your personal data. If we intend to use your personal data for a new reason that is not listed in the table, we will update this document and notify you.

Reason | Legal justification
taking steps to enter into the contract with consumers and business customers | performance of contract (for consumers) and legitimate interests (for business customers, as necessary to conclude our contract and correspond with key contacts within the customer’s organisation)
to arrange, track and confirm delivery of our goods and/or services | performance of contract (for consumers) and legitimate interests (for business customers, as necessary to perform our obligations under the contract with our customer)
to provide our service to our customer | performance of contract (for consumers) and legitimate interests (for business customers, as necessary to perform our obligations under the contract with our customer)
to investigate and respond to complaints | legitimate interest – necessary to remedy errors, improve service and protect our reputation
to obtain feedback | legitimate interest – necessary to improve our services
to respond to requests for technical support and other queries | legitimate interest – necessary to perform our obligation under the contract with our customer and ensure our website is functioning correctly
to process payments and recover any monies owed to us | legitimate interest – necessary to generate revenue and recover debts due
to better understand how our website and services are used | legitimate interest – necessary to improve our services; consent – where this information is obtained by non-essential cookies and similar technologies
to provide and protect our services, websites and internal systems | legitimate interest – necessary to provide our services and website, monitor and improve network security and prevent fraud
to send you service notifications and updates | performance of contract (for consumers) and legitimate interests (for business customers, as necessary to perform our obligations under the contract with our customer)
to lodge or respond to a legal claim | legitimate interest – necessary to enforce our contractual or legal right or to effectively respond to a claim made against us
to notify you about changes to this document | legal obligation
to enable a person to exercise their legal rights | legal obligation
to comply with obligations imposed by the FCA | legal obligation
to send marketing communications | legitimate interest – necessary to promote and grow our business; consent; legitimate interest – where you have indicated your interest in a similar service or product, e.g. a previous purchase

Section 4: Marketing

Where you are an individual, we always ask for consent before we send you marketing information.

If you work for a business customer (existing or prospective) we market on a business-to-business basis, but we make sure we only ever send marketing communications to work contact details. We always include a link in our emails so you can unsubscribe at any time. We will also remove your details from our systems if our customer informs us that you no longer work for them.

Where you have bought services from us before, we may send you marketing messages about similar services or products we think would be of interest to you. We’ll stop doing this if you indicate you do not want to receive these types of messages, e.g., you unsubscribe via the link in the email.

ORBIKO SOLUTIONS uses Humanit.co to help us deliver and monitor the communications we send. Their digital tools let us see whether a recipient has clicked any of the links in our email, which helps us understand what content that recipient appears to be interested in and allows us to personalise the content of our future messages.

Pixels (which are a similar technology to cookies) within those emails enable us to see:

  • if the email was opened
  • where the device opening the email was located (based on the device’s IP address)
  • the type of email service (e.g. Outlook) that was used
  • if the email (or its content) was shared on social media
  • if the email was flagged as spam

Section 5: Who we share your information with

We share (or may share) your personal data with:

  • Our staff: ORBIKO SOLUTIONS employees (or other types of workers) who have contracts containing confidentiality and data protection obligations.
  • Our customers (existing and prospective): where we correspond or administer our services. Our customer is the controller of the information they receive from us (which means they make decisions about how they use that information). Where we act as the processor for our customer, we only use personal data in the way they expressly authorise us to in writing or in our contract with them. If you have any questions about how they use the information they receive, you should ask to see their privacy information.
  • Users: the personal data that a User can view, access, edit, download, delete or interact with depends on their account permissions. Users must accept our terms of use before they can access our services (which set out what they can and cannot do).
  • Our supply chain: other organisations we engage to help us provide our services and website (which includes third-party cloud server providers, IT infrastructure, security, marketing support, website analytics, payment providers, and identity verification support). We ensure these organisations only have access to the information required to provide the support we use them for and have a contract with them that contains confidentiality and data protection obligations.
  • Regulatory authorities: such as HM Revenue & Customs
  • Our professional advisers: such as our accountants or legal advisors where we require specialist advice to help us conduct our business.
  • Any actual or potential buyer of our business.

If we were asked to provide personal data in response to a court order or legal request (e.g. from the police), we would seek legal advice before disclosing any information and carefully consider the impact on your rights when providing a response. Where Orbiko Solutions acts as the processor for that information, we will also check with the controller before any information is released (unless the law does not allow us to do so).

Section 6: Where your information is located or transferred to

ORBIKO SOLUTIONS will only transfer personal data outside the UK where we have a valid legal mechanism in place (to make sure that your personal data is guaranteed a level of protection, regardless of where in the world it is located, e.g., by only sending it to territories approved by, or under contracts approved by, the UK Secretary of State).

We use cloud servers for our infrastructure with servers located in the United Kingdom.

Section 7: How we keep your information safe

We have security measures to prevent your personal data from being accidentally or illegally lost, used or accessed by those who do not have permission. These measures include:

  • access controls and user authentication (including multi-factor authentication)
  • internal IT and network security
  • regular testing and review of our security measures
  • staff policies and training
  • incident and breach reporting processes
  • business continuity and disaster recovery processes

If there is an incident which has affected your personal data and we are the controller, we will notify the regulator and keep you informed (where required under data protection law). Where we act as the processor for the affected personal data, we notify the controller and support them with investigating and responding to the incident.

Section 8: How long we keep your information

When our customer ends their contract with us, we ask them whether they would like ORBIKO SOLUTIONS to export or delete information which is associated with their staff, customers and User accounts or which has been uploaded by Users. If we do not hear from our customer, we automatically delete that information from our systems 30 days after the contract end date. Our back-ups are made every 24 hours and retained for 90 days so it can take longer than 90 days for personal data to be completely removed.

Where we are the controller, we usually keep information for 7 years from the date our contract with our customer ends before we convert it into anonymised information, unless we are required by law to keep it for longer. Sometimes we need to keep it longer to investigate complicated errors or defend ourselves from legal claims.

We keep the contact details of people who have subscribed to our mailing lists until we receive a request to remove their details or unsubscribe them.

The longest we keep information about how visitors browse and interact with our website is 2 years.

Section 9: Your legal rights

Under UK law, you have specific rights in relation to your personal data. If you are located outside the UK, you may have different or additional legal rights. If you want to exercise any of these rights, please email [email protected].

We do not respond directly to requests which relate to personal data where we are the processor. In this situation, we forward your request to our customer and await their instruction before we take any action.

UK data protection law grants the following legal rights:

  • the right of access (obtaining a copy of your personal data)
  • the right to rectification (correcting your personal data)
  • the right to erasure (deleting your personal data)
  • the right to restrict processing (to stop use of your personal data for a time-limited period)
  • the right to data portability (to move your personal data to another organisation)
  • the right to object (to object to our use of your personal data)
  • the right to complain to the ICO (you can find further details of how to do this on their website) - note: if you are located outside the UK, you can also complain to the regulator responsible for data protection compliance in the country where you are located.

There are some limited exemptions to these rights, so they may not apply in every scenario and ORBIKO SOLUTIONS may decline your request (but we would explain our decision in writing if this was the case). ORBIKO SOLUTIONS will also not action a request where we have been unable to confirm your identity (this is one of our security processes to make sure we keep information safe) or if we feel the request is unfounded or excessive.

Section 10: Cookies and similar technologies

Our website uses cookies and similar technologies.

Cookies are small text files that are downloaded to your device. Cookies contain uniquely generated references which are used to distinguish you from other users. They allow information gathered on one webpage to be stored until it is needed for use on another, allowing our website to provide you with a personalised experience (like remembering your favourites) and provide us with statistics about how you interact with our website.

Cookies are not harmful to your devices (like a virus or malicious code) but some individuals prefer not to share their information (for example, to avoid targeted advertising).

We mention similar technologies because there are other technologies which perform similar functions (e.g. beacons and pixels) and their use is regulated by the same laws that apply to cookies.

Different types of cookies

Session vs. persistent cookies: cookies have a limited lifespan. Cookies which only last a short time or end when you close your browser are called session cookies. Cookies which remain on your device for longer are called persistent cookies (these are the type of cookies that allow websites to remember your details when you log back onto them).

First party vs third party cookies: cookies placed on your device by the website owner are called first party cookies. When the website owner uses other businesses’ technology to help them manage and monitor their website, the cookies added by the other business are called third party cookies.

Categories of cookies: cookies can be grouped by what they help the website or website owner do (the Purpose).

  • Necessary cookies are cookies which help the website to run properly (when they are strictly necessary cookies it means their only function is to help the website work).
  • Performance cookies help a website owner understand and analyse how website visitors use their website.
  • Analytical cookies are used to understand how visitors interact with the website. These cookies help provide information on metrics such as the number of visitors, bounce rate, etc.
  • Marketing cookies tailor online adverts to reflect the content you have previously browsed and help inform companies about your interests so they can show you relevant adverts.

What does ORBIKO SOLUTIONS use cookies for?

We use cookies to:

  • track how visitors use our website, to improve our service and user experience
  • record whether you have seen specific messages we display on our website
  • keep you signed into our website, to improve our service and user experience
  • capture and analyse information such as number of views and shares, where we post content and links to content

The cookies we use are:

Cookie | Purpose | What it does | Duration
cookie_name | purpose | description | duration

We can only use cookies with your permission (you will be prompted by a message when you first visit our Website, also known as a cookie banner, where you can choose to accept or decline our cookies).

You can update your cookie settings on our website by selecting ‘Accept’ or ‘Reject’ on the cookie banner.
