Privacy Policy
Last updated: April 7, 2026
1. Introduction
This Privacy Policy describes how Northmark Analytics Inc., a federally incorporated Canadian corporation operating under the brand name Orbix Firm ("Company," "we," "us," or "our"), collects, uses, stores, shares, and protects your personal information when you access or use our platform at https://orbixfirm.com/ (the "Platform").
This Policy applies to all Users of the Platform, regardless of location. We are committed to complying with applicable privacy and data protection laws, including:
- PIPEDA (Personal Information Protection and Electronic Documents Act) — Canada
- GDPR (General Data Protection Regulation) — European Economic Area (EEA)
- LGPD (Lei Geral de Proteção de Dados) — Brazil
- Other applicable privacy laws in the jurisdictions where our Users are located
By creating an Account or using the Platform, you acknowledge that you have read and understood this Privacy Policy. If you do not agree with our data practices, you must not use the Platform.
Capitalized terms not defined in this Policy have the meanings set forth in our Terms of Service.
2. Data Controller
The data controller responsible for your personal information is:
Northmark Analytics Inc.
Operating as Orbix Firm
Email: support@orbixfirm.com
If you have any questions or concerns about how we handle your personal information, you may contact us at the email address above.
3. Information We Collect
3.1 Information You Provide
| Data Category | Details | When Collected |
|---|---|---|
| Account information | Full name, email address, password (stored as a cryptographic hash — we never store plaintext passwords) | Registration |
| Identity verification (KYC) | Government-issued photo ID, proof of address document, selfie or liveness check image | Before first Payout request |
| Payment information | Billing details provided to Paddle (our payment processor). We do not receive, process, or store your full credit or debit card number. Paddle provides us with limited transaction data (amount, currency, transaction ID, payment status). | Challenge purchase |
| Payout information | Bank account details (for Wise transfers) or cryptocurrency wallet address (for USDT/USDC payments) | Payout request |
| Communications | Messages, feedback, or other content you send to us via email or the Platform's support channels | When you contact us |
| Profile and preferences | Any optional profile information you choose to provide, language preferences, notification settings | Account settings |
3.2 Information Collected Automatically
| Data Category | Details | Purpose |
|---|---|---|
| Platform activity | Predictions placed, evaluation results, prediction history, Virtual Balance changes, timestamps of activity | Service delivery, evaluation processing, fraud detection |
| IP address | Your Internet Protocol address | Geographic restriction enforcement, fraud detection, security |
| Device and browser information | Browser type and version, operating system, device type, screen resolution | Platform optimization, security |
| Session data | Session tokens, authentication state, login timestamps | Authentication, security, session management |
| Cookies and similar technologies | Essential, functional, and analytics cookies — see our Cookie Policy for full details | Authentication, preferences, analytics |
| Referral data | Referral code used (if any), referring URL | Affiliate program attribution |
3.3 Information from Third Parties
| Source | Data | Purpose |
|---|---|---|
| Paddle | Payment confirmation, transaction status, limited billing details, fraud signals | Payment processing, fraud prevention |
| Identity verification provider (e.g., Sumsub or Veriff) | Verification results, risk scores, document authenticity assessment. We receive the verification outcome; original documents are processed and stored by the verification provider. | KYC compliance, fraud prevention |
| Vercel Analytics | Aggregated, anonymous web analytics data (page views, visitor counts, performance metrics). Vercel Analytics is privacy-focused and does not use cookies or track individual users. | Platform performance monitoring |
| PostHog | Product analytics events, feature usage patterns, session data | Product improvement, user experience optimization |
3.4 Information We Do Not Collect
- We do not collect or store full credit or debit card numbers
- We do not share your personal information with third-party sports data providers (The Odds API) — sports data queries contain no user-identifiable information
- We do not sell your personal information to third parties
4. Legal Bases for Processing (GDPR / LGPD)
If you are located in the European Economic Area (EEA), the United Kingdom, or Brazil, we process your personal information on the following legal bases:
| Legal Basis | Processing Activities |
|---|---|
| Performance of a contract (GDPR Art. 6(1)(b) / LGPD Art. 7(V)) | Account creation, evaluation processing, Prediction tracking, Payout processing, customer support — all necessary to provide the Services you have purchased |
| Legitimate interests (GDPR Art. 6(1)(f) / LGPD Art. 7(IX)) | Fraud detection, multi-account detection, platform security, enforcing geographic restrictions, internal analytics and product improvement. We balance our interests against your rights and freedoms — see Section 4.1 |
| Consent (GDPR Art. 6(1)(a) / LGPD Art. 7(I)) | Non-essential analytics cookies (PostHog), marketing communications (if applicable). You may withdraw consent at any time — see Section 9 |
| Legal obligation (GDPR Art. 6(1)(c) / LGPD Art. 7(II)) | Compliance with applicable laws, responding to lawful requests from authorities, tax record-keeping, anti-money laundering obligations |
4.1 Legitimate Interest Balancing
Where we rely on legitimate interests, we have assessed that our processing is necessary for our legitimate business purposes and does not override your fundamental rights and freedoms. Specifically:
- Fraud detection and prevention — necessary to protect the integrity of the Platform and all Users. We use IP analysis, behavioral patterns, and multi-account detection. This processing is proportionate given the financial nature of Performance Payouts.
- Geographic restriction enforcement — required to comply with applicable laws and our Terms of Service. We use IP address data for this purpose.
- Product analytics — helps us improve the Platform experience. We minimize data collection and use pseudonymized data where possible.
You have the right to object to processing based on legitimate interests — see Section 9.
5. How We Use Your Information
We use your personal information for the following purposes:
5.1 Service Delivery
- Creating and managing your Account
- Processing Challenge purchases and payments
- Running Evaluations and tracking Predictions against sporting event outcomes
- Calculating Virtual Balances, drawdowns, and evaluation pass/fail results
- Processing Performance Payouts to qualified Users
5.2 Identity Verification
- Verifying your identity before processing Payouts (KYC)
- Confirming you are not located in a Restricted Jurisdiction
- Preventing identity fraud and document forgery
5.3 Security and Fraud Prevention
- Detecting and preventing multi-accounting, collusion, and platform abuse
- Monitoring for suspicious activity, unauthorized access, and account compromise
- Enforcing geographic restrictions
- Investigating and responding to potential Terms of Service violations
- IP address logging and analysis
5.4 Communications
- Sending transactional emails (account verification, password reset, evaluation results, Payout status updates)
- Responding to your support inquiries
- Sending service-related announcements (e.g., Terms updates, scheduled maintenance)
5.5 Platform Improvement
- Analyzing aggregated and anonymized usage patterns to improve Platform features
- Monitoring Platform performance and reliability
- Conducting internal research and development
5.6 Legal and Compliance
- Complying with applicable laws, regulations, and legal processes
- Responding to lawful requests from law enforcement or regulatory authorities
- Establishing, exercising, or defending legal claims
- Maintaining records as required by applicable law
6. How We Share Your Information
We do not sell your personal information. We share your information only in the following circumstances:
6.1 Service Providers
We share information with third-party service providers who process data on our behalf:
| Provider | Data Shared | Purpose |
|---|---|---|
| Paddle (United Kingdom) | Payment details, transaction data, email address | Payment processing, fraud prevention |
| Resend (United States) | Email address, name | Transactional email delivery |
| Identity verification provider (varies) | ID documents, selfie, name, address | KYC verification |
| Vercel (United States) | Anonymous/aggregated web analytics | Platform hosting and performance analytics |
| PostHog (United States / EU) | Pseudonymized usage events, session data | Product analytics |
| Cloud infrastructure provider | All Platform data (encrypted at rest and in transit) | Platform hosting and infrastructure |
All service providers are contractually bound to process your data only for the purposes we specify and in accordance with applicable data protection laws.
6.2 The Odds API (Sports Data)
We use The Odds API and potentially other sports data providers to retrieve sporting event information, odds, and results. No user personal information is shared with sports data providers. API requests contain only event and sport identifiers.
6.3 Legal and Regulatory Disclosure
We may disclose your information if required to do so by law or if we believe in good faith that such disclosure is necessary to:
- Comply with a legal obligation, court order, or lawful request from a government authority;
- Protect and defend the rights, property, or safety of the Company, our Users, or the public;
- Detect, prevent, or address fraud, security issues, or technical problems; or
- Enforce our Terms of Service.
6.4 Business Transfers
In the event of a merger, acquisition, reorganization, bankruptcy, or sale of all or a portion of our assets, your personal information may be transferred to the acquiring entity. We will provide notice before your personal information becomes subject to a different privacy policy.
7. International Data Transfers
Northmark Analytics Inc. is based in Canada. Your personal information may be transferred to and processed in Canada and other countries where our service providers operate (primarily the United Kingdom and the United States).
These countries may have data protection laws that differ from those in your jurisdiction. We rely on the following safeguards to protect your information during international transfers:
- Canada — The European Commission has recognized Canada (for the private sector, under PIPEDA) as providing an adequate level of data protection.
- United Kingdom — The European Commission has granted the UK an adequacy decision, meaning transfers to UK-based providers (such as Paddle, our payment processor) do not require additional safeguards under the GDPR.
- United States and other countries — Where we transfer data to countries that have not received an adequacy decision, we rely on:
  - Standard Contractual Clauses (SCCs) approved by the European Commission;
  - Data Processing Agreements with our service providers that include appropriate technical and organizational security measures; and
  - Where applicable, the service provider's certification under recognized data protection frameworks.
By using the Platform, you acknowledge that your information may be transferred to and processed in countries outside your country of residence.
8. Data Retention
We retain your personal information only for as long as necessary to fulfill the purposes described in this Policy, or as required by applicable law.
| Data Category | Retention Period |
|---|---|
| Account information | Duration of your Account plus two (2) years after Account closure or termination |
| Evaluation and Prediction data | Duration of your Account plus two (2) years — retained for audit, dispute resolution, and fraud prevention |
| Payment and transaction records | Two (2) years from the date of the transaction — retained for financial record-keeping and legal compliance |
| KYC verification documents | Two (2) years after Account closure — retained to comply with anti-fraud and identity verification obligations |
| Payout records | Two (2) years from the date of the Payout |
| IP addresses and security logs | Two (2) years from the date of collection — retained for fraud detection and security purposes |
| Analytics data | Retained in pseudonymized or aggregated form; individual session data retained for up to one (1) year |
| Support communications | Two (2) years from the date of the last communication |
After the applicable retention period expires, we will securely delete or anonymize your personal information, except where a longer retention period is required by law or necessary for the establishment, exercise, or defense of legal claims.
9. Your Rights
Depending on your location and applicable law, you may have some or all of the following rights regarding your personal information:
9.1 Rights Under GDPR (EEA and UK Users)
| Right | Description |
|---|---|
| Access (Art. 15) | Request a copy of the personal information we hold about you |
| Rectification (Art. 16) | Request correction of inaccurate or incomplete personal information |
| Erasure (Art. 17) | Request deletion of your personal information ("right to be forgotten"), subject to legal retention requirements |
| Restriction (Art. 18) | Request that we restrict processing of your personal information in certain circumstances |
| Data portability (Art. 20) | Request a copy of your data in a structured, commonly used, machine-readable format |
| Objection (Art. 21) | Object to processing based on legitimate interests or direct marketing |
| Withdraw consent (Art. 7(3)) | Withdraw consent for processing based on consent at any time, without affecting the lawfulness of prior processing |
| Automated decision-making (Art. 22) | See Section 10 below |
9.2 Rights Under LGPD (Brazilian Users)
Brazilian Users have rights under the LGPD that substantially mirror those listed above, including the rights of confirmation of processing, access, correction, anonymization, portability, deletion, information about sharing, and revocation of consent (LGPD Arts. 17–18).
9.3 Rights Under PIPEDA (Where Applicable)
Under PIPEDA, individuals have the right to access their personal information held by the Company, to challenge its accuracy, and to withdraw consent for non-essential processing.
9.4 Exercising Your Rights
To exercise any of these rights, contact us at:
Email: support@orbixfirm.com
Subject line: "Privacy Rights Request — [Your Right]"
We will respond to your request within:
- 30 days for GDPR requests (extendable by 60 days for complex requests, with notice)
- 15 days for LGPD requests
- 30 days for PIPEDA requests (extendable in limited circumstances, with notice)
We may ask you to verify your identity before processing your request to ensure we do not disclose personal information to unauthorized persons.
9.5 Right to Lodge a Complaint
If you believe we have violated your data protection rights, you have the right to lodge a complaint with:
- EEA/UK: Your local Data Protection Authority (a list is available at https://edpb.europa.eu/about-edpb/about-edpb/members_en)
- Brazil: The Autoridade Nacional de Proteção de Dados (ANPD)
- Canada: The Office of the Privacy Commissioner of Canada (OPC)
We encourage you to contact us first so we can try to resolve your concern directly.
10. Automated Decision-Making
10.1. The Platform uses automated systems to evaluate User performance. Specifically:
- Evaluation pass/fail determinations are made automatically based on predefined, objective rules (profit targets, drawdown limits, daily loss limits, consistency rule, minimum betting days). These rules are published on the Platform and apply equally to all Users.
- Fraud detection signals are generated automatically based on behavioral patterns (e.g., IP address anomalies, multi-account indicators). These signals flag accounts for review but do not result in automatic suspension or termination — flagged accounts are reviewed by Company personnel before any action is taken.
10.2. Right to human review. If you believe an automated evaluation determination is incorrect, you may contact support@orbixfirm.com to request a human review of the decision. We will review the relevant data and rules and provide a response within a reasonable timeframe.
11. Children's Privacy
The Platform is not directed at individuals under the age of eighteen (18). We do not knowingly collect personal information from anyone under 18. If we become aware that we have collected personal information from a child under 18, we will take steps to delete that information promptly.
If you believe we have inadvertently collected information from a minor, please contact us immediately at support@orbixfirm.com.
12. Security Measures
We implement appropriate technical and organizational measures to protect your personal information against unauthorized access, alteration, disclosure, or destruction. These measures include:
- Encryption in transit — All data transmitted between your browser and the Platform is encrypted using TLS (HTTPS)
- Encryption at rest — Sensitive data stored in our databases is encrypted at rest
- Password security — Passwords are cryptographically hashed using industry-standard algorithms; we never store plaintext passwords
- Access controls — Access to personal information is restricted to authorized personnel on a need-to-know basis
- Session management — Secure session tokens with expiration, session revocation capabilities, and monitoring for unauthorized access
- Infrastructure security — Our cloud infrastructure provider implements physical and network security controls
- Regular security reviews — We conduct periodic reviews of our security practices and infrastructure
No method of transmission or storage is 100% secure. While we strive to protect your personal information, we cannot guarantee absolute security. If you become aware of a security vulnerability or suspect unauthorized access to your Account, please contact us immediately at support@orbixfirm.com.
13. Data Breach Notification
In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will:
13.1. Notify the relevant supervisory authority within seventy-two (72) hours of becoming aware of the breach, as required by GDPR Article 33;
13.2. Notify affected Users without undue delay where the breach is likely to result in a high risk to their rights and freedoms, as required by GDPR Article 34, LGPD Article 48, and PIPEDA breach notification requirements;
13.3. Provide notification that includes, to the extent known:
- The nature of the breach and the categories of data affected;
- The likely consequences of the breach;
- The measures taken or proposed to address the breach; and
- Contact information for further inquiries.
14. Cookies and Tracking Technologies
We use cookies and similar technologies on the Platform. For detailed information about the types of cookies we use, their purposes, and how to manage your cookie preferences, please refer to our Cookie Policy.
In summary:
- Essential cookies are required for the Platform to function and cannot be disabled
- Analytics cookies (Vercel Analytics, PostHog) are used to understand Platform usage and improve our Services — these require your consent where applicable
- You can manage your cookie preferences through the cookie consent banner displayed on the Platform
15. Third-Party Links
The Platform may contain links to third-party websites or services that are not operated by us. We are not responsible for the privacy practices of these third parties. We encourage you to review the privacy policies of any third-party service you access through or in connection with the Platform.
16. Changes to This Privacy Policy
16.1. We may update this Privacy Policy from time to time to reflect changes in our practices, technologies, legal requirements, or other factors.
16.2. If we make material changes, we will notify you by:
- Posting the updated Privacy Policy on the Platform with a revised "Last Updated" date; and
- Sending an email notification to the address associated with your Account.
16.3. We encourage you to review this Privacy Policy periodically. Your continued use of the Platform after the posting of changes constitutes your acceptance of those changes.
16.4. Where required by applicable law (e.g., GDPR), we will obtain your consent before processing your data in a materially different way than described in the version of the Privacy Policy in effect at the time of collection.
17. Contact Us
If you have any questions, concerns, or requests related to this Privacy Policy or our data practices, please contact us:
Northmark Analytics Inc.
Operating as Orbix Firm
Email: support@orbixfirm.com
For privacy-specific requests, please include "Privacy" in your email subject line to ensure prompt routing.