Privacy Policy.

This Privacy Policy ("Policy") sets out the practices of Montford Orbis Limited ("Montford Orbis", "we", "us", or "our"), the legal entity that owns, operates, and publishes the CalBrix OS calibration operations platform ("CalBrix" or the "Service").

This Policy applies to (a) visitors to calbrixos.com and related marketing properties ("Websites"), (b) authorised users of the CalBrix application ("Users"), and (c) individuals whose personal data is entered into, processed by, or generated through the Service by a customer organisation ("Customer Data Subjects").

Where CalBrix is used by a customer organisation ("Customer"), that organisation is the controller of personal data it loads into or generates within the Service, and Montford Orbis acts as a processor on the Customer’s documented instructions pursuant to the Data Processing Agreement published at /dpa. For visitors to the Websites and for direct account registrations, Montford Orbis is the controller of the personal data collected.

By using the Service or the Websites you acknowledge the practices described in this Policy. Where applicable law requires consent, we will request it at the point of collection.

Publisher

Montford Orbis Limited, the corporate entity responsible for the CalBrix OS service.

Product

CalBrix OS — a calibration operations platform delivered as a software-as-a-service and, on request, as a single-tenant or on-premise deployment.

Privacy contact

philip.montford@calbrixos.com — written inquiries regarding this Policy, data-subject requests, or processing concerns may be addressed to this email and will be handled by the founding engineer and designated data-protection point of contact.

The categories of personal data we process depend on whether you are a Website visitor, a registered User, or a Customer Data Subject. We limit processing to what is necessary for the purposes described in this Policy.

• Identity and account data: given name, surname, organisational role or job title, work email address, workspace (tenant) identifier, and authentication credentials (stored in hashed form only).
• Operational records: calibration records, asset metadata, work orders, worksheets, measurement results, uncertainty budgets, certificates, and any other content entered by Users in the course of their normal use of the Service.
• Technical and usage data: Internet Protocol (IP) address, user-agent string, session identifiers, feature-usage events, application logs, and security telemetry collected for the purposes of providing, securing, and improving the Service.
• Communications data: the content of messages, support requests, and correspondence sent to us, including associated metadata such as date, time, and sender identity.
• Commercial data: billing contact information, subscription plan, invoices, and transaction references — billing operations are processed through a regulated payment service provider; full card numbers are not stored on our systems.

We do not knowingly collect special categories of personal data (as defined under the EU General Data Protection Regulation) or the personal data of children under 16. If you believe such data has been provided to us, please contact the privacy contact above so we may delete it.

We process personal data only where we have a lawful basis to do so. The applicable basis depends on the purpose of processing:

• Performance of a contract — to deliver, maintain, and support the Service to Customers and Users, including authentication, workspace provisioning, and customer support.
• Legitimate interests — to secure the Service against abuse, maintain reliability, detect and prevent fraud or misuse, improve the product, and communicate important operational or security notices. Where we rely on legitimate interests, we balance those interests against the rights and freedoms of the data subject.
• Legal obligation — to comply with accounting, tax, anti-fraud, and other legal obligations to which Montford Orbis Limited is subject.
• Consent — where required by applicable law, for example for optional marketing communications. Consent, where given, may be withdrawn at any time without affecting the lawfulness of processing prior to withdrawal.
• Processor instructions — where we process personal data on behalf of a Customer, we do so strictly on that Customer’s documented instructions as set out in the Data Processing Agreement.

• To provide the Service and respond to requests, including account administration, technical support, and feature delivery.
• To secure the Service, including authentication, access control, abuse detection, logging, rate-limiting, and incident response.
• To maintain reliability and quality through diagnostic logging, error monitoring, and restricted operational access for support purposes.
• To communicate operational matters such as security advisories, maintenance notices, breach notifications (where legally required), and material changes to policies or terms.
• To comply with legal, regulatory, accounting, and audit obligations applicable to Montford Orbis Limited.

We do not sell personal data. We do not share personal data with advertising networks. We do not use Customer operational data to train third-party artificial-intelligence models or to produce derivative datasets for unrelated customers.

We disclose personal data only to the following categories of recipients, under appropriate contractual, technical, and legal safeguards:

• Subprocessors engaged to provide essential infrastructure, email delivery, error monitoring, analytics, payment processing, and similar operational services. The current list of subprocessors is published in, or available on request as part of, the Data Processing Agreement (/dpa) and is updated with advance notice to Customers before any material change.
• Professional advisors (legal, accounting, audit, insurance) subject to duties of confidentiality, where disclosure is required for the proper conduct of the business.
• Acquirers or successors in the event of a merger, acquisition, reorganisation, or sale of assets involving Montford Orbis Limited, subject to equivalent privacy protections for the data transferred.
• Competent authorities, where disclosure is required to comply with a valid legal process, to enforce our terms, or to protect the rights, property, or safety of Montford Orbis, our Customers, or others. Where legally permitted, we will notify the affected Customer before responding.

Production data is primarily hosted in European Union data centres. Where personal data is transferred to a jurisdiction outside the European Economic Area, the United Kingdom, or another region recognised as providing an adequate level of protection, we rely on appropriate safeguards — including the European Commission’s Standard Contractual Clauses and, where applicable, the UK International Data Transfer Addendum — together with supplementary technical and organisational measures as required by law.

Customers requiring a specific region of hosting or single-tenant deployment may request this in writing and it will be addressed as part of the applicable order form or Master Services Agreement.

• Customer account data is retained for the duration of the active subscription and for a reasonable period thereafter to permit export, final billing, and statutory retention.
• Operational records entered into a Customer workspace are retained for the Customer’s subscription period. Upon termination, Customers are given an export window (by default thirty (30) days) after which production data is deleted.
• Encrypted backups age out within the retention window described at /security (by default not exceeding thirty (30) days post-deletion) unless extended retention is contractually required.
• Security, audit, and transaction logs are retained for periods consistent with applicable statutory retention obligations, fraud investigation needs, and ordinary audit cycles.
• Marketing contact data is retained only so long as the contact remains relevant and consent (where required) has not been withdrawn.

Montford Orbis implements appropriate technical and organisational measures designed to protect personal data against unauthorised access, alteration, disclosure, or destruction. A summary of these measures is published at /security and includes transport encryption, storage encryption, role-based access control, vulnerability management, security monitoring, and a documented incident-response procedure.

No method of transmission or storage is entirely secure. Customers and Users remain responsible for safeguarding their own credentials and for configuring access appropriately within their workspace.

Subject to applicable law, data subjects may exercise the following rights in relation to their personal data:

• Right of access — to obtain confirmation as to whether personal data concerning them is processed and to request a copy.
• Right to rectification — to have inaccurate personal data corrected or incomplete data completed.
• Right to erasure — to request deletion of personal data in defined circumstances.
• Right to restriction — to request restriction of processing in defined circumstances.
• Right to data portability — to receive personal data in a structured, commonly used, and machine-readable format where processing is based on consent or contract.
• Right to object — to object to processing based on legitimate interests, including profiling.
• Right to withdraw consent — where processing is based on consent.
• Right to lodge a complaint — with a competent supervisory authority in the jurisdiction of habitual residence, place of work, or alleged infringement.

Where Montford Orbis acts as a processor on behalf of a Customer, requests are routed to that Customer as controller. Where Montford Orbis is the controller, requests may be addressed to philip.montford@calbrixos.com. We may need to verify identity before responding and will respond within statutory timeframes.

The Websites and application use only the cookies and local-storage items strictly necessary for delivering the requested service and maintaining authenticated sessions. We use privacy-preserving analytics that do not rely on cross-site identifiers or cookies requiring consent under the EU ePrivacy regime. If we introduce non-essential cookies, we will first present a consent banner consistent with applicable law.

We do not make decisions producing legal or similarly significant effects on data subjects solely through automated processing (including profiling). Any artificial-intelligence or automation features within the Service operate under Customer control and are designed to assist, not to replace, qualified human judgment.

We may update this Policy to reflect changes in law, our practices, or the Service. When we make a material change, we will update the effective date and, where we hold your contact details and the change materially affects you, provide advance notice by email. Continued use of the Service or the Websites after the effective date constitutes acknowledgement of the updated Policy.

This Policy is published by Montford Orbis Limited, a company incorporated in the Republic of Ghana, and shall be construed in accordance with the laws of the Republic of Ghana, without prejudice to any mandatory consumer or data-protection rights of the reader under local law.

All privacy inquiries should be directed to philip.montford@calbrixos.com. We aim to acknowledge inquiries within two (2) business days and to substantively respond within the statutory timeframe applicable to the request.