Legal

Privacy policy

Last updated: June 8, 2026. Base is a product for marketing agencies. This policy explains how we handle data — yours and your clients'.

Who we are

Base is operated by Orbit Lane LLC "Orbit Lane," "we," "us," "our". Base "Base" is our software product for marketing agencies — it helps teams monitor client health, reduce churn, and grow recurring revenue. Our services are business-to-business (B2B) — we don't market to or knowingly collect data from consumers directly. If you have questions, reach us at conor@orbitlane.co.

Data we collect

We collect different categories of data depending on how you interact with us:

  • Account and contact data — your name, work email, company name, job title, and billing details when you sign up, talk to sales, or manage your subscription.
  • Usage and product data — features you use, pages you view, actions you take inside Base, and device or browser information. This helps us operate and improve the product.
  • Client data you bring— information about your own clients that you connect or upload: CRM records, project statuses, communication signals, billing data, and similar. You determine what you send. We process it only to provide the service you've contracted for.
  • Communications — when you contact support or sales, we retain those conversations to help resolve issues and improve our service.
  • Cookies and similar technologies — we use session cookies for authentication, preference cookies to remember your settings, and analytics cookies to understand aggregate usage. You can control cookie settings in your browser; disabling some cookies may affect product functionality.

How we use data

  • Provide, operate, and improve the Base product and related services.
  • Authenticate users, maintain account security, and prevent fraud.
  • Send transactional messages: account confirmations, billing receipts, security alerts, and product updates you've requested.
  • Respond to support requests and communicate about your account, including limited account access when needed to troubleshoot (see Support access).
  • Comply with applicable laws, regulations, and legal obligations.
  • Enforce our Terms of Service and protect our rights and the rights of others.

We do not use your client data to train models, build advertising profiles, or benchmark against other Base customers without explicit written consent.

Support access

Authorized Orbit Lane support personnel may temporarily sign in as your account to diagnose and resolve technical issues — including testing integrations such as Gmail, Google Drive, and meetings sync. Access is time-limited (typically 30 minutes), logged, and accompanied by a conspicuous in-product notice during the session (for example, a support banner with a countdown). Actions taken during a support session run as your user and may modify account data when required to reproduce or fix an issue. We use this capability only for legitimate troubleshooting — not for routine browsing, sales, or unrelated purposes. See our Security page for how we limit and review employee access to production data.

Legal basis for processing (EEA / UK)

Where applicable, we rely on the following legal bases under the GDPR and UK GDPR:

  • Contract— processing necessary to deliver the services you've agreed to.
  • Legitimate interests — security, fraud prevention, product improvement, support troubleshooting, and direct communications with existing customers about relevant features.
  • Legal obligation — where we must process data to comply with applicable law.
  • Consent — for optional marketing communications. You can withdraw consent at any time.

Connected integration data

When you connect third-party services (Google Drive, Gmail, Meta, HubSpot, Stripe, and others from Data sources), Base accesses only the data authorized by your OAuth grants or API keys. That data powers workspace features — health scores, meetings, Throughline, analytics — and stays scoped to your agency workspace.

  • Google services — see Google API Services below (Limited Use, folder-scoped Drive access, revoke instructions).
  • Client portal — clients see only what your team publishes; internal health, upsell, and raw Throughline data remain agency-side by default.
  • Disconnecting — revoke integrations from Data sources and vendor account settings. We stop new syncs immediately; cached data is removed per the retention section below.

Google API Services

Base connects to Google products only when an agency administrator authorizes OAuth. When you connect Google services, you grant Base access on behalf of your organization — not outside the scope of your agency's client relationships. Our use of information received from Google APIs adheres to the Google API Services User Data Policy, including Limited Use requirements:

  • We use Google user data only to provide or improve user-facing features in Base that the connecting administrator has enabled.
  • We do not use Google user data for advertising, retargeting, or interest-based profiling.
  • We do not sell Google user data to third parties.
  • We do not use Google user data to train generalized machine learning models unrelated to your workspace.
  • Human access is limited to personnel with a documented need (e.g., support investigations), is logged, and follows our Support access practices.

Which Google services we use

Depending on what you connect from Data sources, Base may request access to:

  • Google Drive — read files in folders you explicitly select (meetings folder and optional client documents folder). We do not scan your entire Drive. See Meetings & Emails for routing modes and scoped comms ingestion.
  • Gmail — read email metadata and message content for connected agency mailboxes to power Throughline and client comms signals.
  • Google Ads — read campaign and performance metrics for ad accounts mapped to client workspaces.
  • Google Analytics (GA4) — read analytics properties you authorize for client performance views.

Exact OAuth scopes are shown in the Google consent screen at connection time. We request the minimum scopes needed for each integration.

Built with Google limits in mind

We design sync and analysis around Google API quotas and fair use:

  • Incremental sync — track modification times instead of re-downloading entire libraries every run.
  • Folder-scoped access — Drive connectors only watch folders you pick.
  • Deduped agency scans — shared agency inbox folders are scanned once per sync cycle.
  • Batched background analysis — meeting enrichment runs on scheduled jobs, not on every page load.
  • No bulk export — no tools to mass-export Google user data outside your workspace workflows.

Google data storage, retention, and revocation

OAuth refresh tokens and integration metadata are stored encrypted (Supabase on AWS). Content pulled from Google — meeting transcripts, email excerpts for Throughline, etc. — is retained while the integration remains connected and your account is active. When you disconnect from Data sources, we revoke tokens and stop new syncs; cached content is deleted per the retention section below (typically within 90 days of account closure; sooner on verified deletion requests).

To revoke access:

  1. In Base: open Data sources, select the Google integration, and disconnect.
  2. In Google: visit Google Account permissions and remove Base / Orbit Lane access.
  3. Email conor@orbitlane.co for help or confirmed deletion timelines.

Google user data is not shared with third parties except subprocessors that host or process data solely to operate Base, under contractual obligations consistent with this policy. See our Security page for encryption and workspace isolation details.

Marketing site analytics

runonbase.com uses Google Analytics 4 (measurement ID G-9DLPRVQHJH) to understand aggregate traffic — page views, referrals, and device types. This does not include your Base app workspace data. You can limit tracking via browser settings or opt-out tools provided by Google.

Sharing and subprocessors

We share data only as necessary to deliver our services or as required by law:

  • Service providers (subprocessors) — cloud infrastructure, database, deployment, analytics (marketing site), billing, and Google APIs when you connect them. See our published Subprocessors list. Subprocessors are contractually bound to handle data only on our instructions. You can also request the list at conor@orbitlane.co.
  • Business transfers— if Base is involved in a merger, acquisition, or asset sale, data may be transferred as part of that transaction. We'll provide notice where required by law.
  • Legal and safety — we may disclose data in response to valid legal process or to protect the rights, property, or safety of Base, our customers, or others.

We do not sell your personal information.

International transfers

Base is operated from the United States. If you access our services from outside the US, your data may be transferred to and processed in the US. Where we transfer personal data of EEA or UK individuals, we use appropriate safeguards including Standard Contractual Clauses (SCCs). Contact us for a copy of the relevant safeguards.

Data retention

We retain account and usage data for as long as your account is active and for a reasonable period afterward to fulfill our legal and contractual obligations. Client data you connect is retained as configured in your account settings; you can delete it at any time. When you close your account, we delete or anonymize your data within 90 days, except where we're required by law to retain it longer.

Your rights

Depending on where you live, you may have rights including:

  • Access — request a copy of personal data we hold about you.
  • Correction — ask us to correct inaccurate data.
  • Deletion — request deletion of personal data we hold, subject to our legal obligations.
  • Portability — receive your data in a structured, machine-readable format.
  • Objection / restriction — object to certain processing or ask us to restrict how we use your data.
  • Withdraw consent — where processing is based on consent, withdraw it at any time without affecting prior processing.

To exercise any of these rights, email conor@orbitlane.co. We aim to respond within 30 days. We may need to verify your identity before acting on a request. If you're in the EEA or UK and believe we've handled your data unlawfully, you have the right to lodge a complaint with your local data protection authority.

Children's privacy

Base is a B2B tool for business users. We do not knowingly collect personal data from anyone under 18. If you believe a minor has provided us data, contact us and we'll delete it promptly.

Changes to this policy

We may update this policy from time to time. When we make material changes, we'll post the updated policy here with a new "last updated" date and, where appropriate, notify you via email or in-product notice. Continued use of the services after changes take effect constitutes acceptance of the updated policy.

Contact

Questions or concerns? conor@orbitlane.co. We're a small team and read every message.