ORBIPASSPORTBack to ORBI Passport

Privacy & data protection

A family learning passport, private by design.

ORBI Passport is built from the outset around privacy, child safety, data minimisation and institutional trust. This chapter explains how we collect, use, protect, retain and delete personal data, in line with the GDPR and Portuguese Law 58/2019.

Last updated 5 June 2026. This is ORBI Passport's data protection chapter for the demo and pilot phase.

1.Strategic positioning

ORBI Passport is a family learning passport, designed from the outset around privacy, child safety, data minimisation and institutional trust. It is not a business built around the exploitation of children's data.

2.Summary

Because ORBI Passport involves children, families, engagement metrics, progression history, referrals and future institutional pilots, data protection is treated as a structural part of the product. Our approach rests on privacy by design, granular consent, pseudonymisation, aggregation and strong parental control.

3.Purpose of this chapter

This chapter sets out how ORBI Passport collects, uses, protects, retains and deletes personal data across the demo, the Passport system, digital seals, offline missions, referrals, analytics dashboards and future institutional pilots.

4.Legal framework

Our primary framework is the GDPR. In Portugal, Law 58/2019 implements the GDPR nationally and sets 13 years of age as the practical consent threshold in the relevant context. The CNPD is the supervisory authority. We consider Data Protection Impact Assessments before larger-scale deployments involving children and institutional partners.

5.Our privacy principles

Data minimisation, privacy by design, family transparency, pseudonymisation, aggregation, a prohibition on child-data exploitation, parental control and proportionate security guide every product decision.

6.Whose data we handle

Data subjects may include children, parents, guardians, families, teachers, facilitators, institutional staff and referred families participating through invitation mechanisms.

7.What we collect during the demo

We work with pseudonymised family or session identifiers, an adult email where necessary, progression events, opened worlds, completed experiences, challenge interactions, seals earned, offline mission declarations, wishlist selections, language preferences and the technical diagnostics required to operate the platform.

8.What we avoid collecting during the demo

The demo deliberately avoids collecting children's full names, exact dates of birth where age bands are sufficient, precise locations, photographs, videos, audio recordings, biometric information, health information, school identifiers and behavioural advertising profiles.

9.Purposes of processing

Processing is limited to platform operation, Passport progression, achievement systems, product improvement, pilot evaluation, authorised communication, referral management and platform security.

10.Legal bases

Our likely legal bases are performance of a service, consent, parental consent where applicable, legitimate interests for security and technical improvement, and legal obligations where required.

11.Parent and child consent

Essential and optional consents are kept separate. Parents receive clear explanations of what data is collected and why, and children receive age-appropriate explanations. Consent is granular, revocable and documented.

12.How this works in the demo

Our approach is to present a short consent screen before the experience. During the experience, no intrusive forms interrupt learning, and the platform relies on pseudonymised identifiers while avoiding unnecessary data collection.

13.Passport and dashboards

The Passport celebrates progression without exposing unnecessary personal information. Dashboards prioritise aggregated metrics, pseudonymised identifiers and restricted access.

14.Offline missions

Offline missions rely on self-declared completion. No mandatory evidence, photographs, geolocation data, audio recordings or videos are required during the demo phase.

15.Interconnected families and referrals

Referrals are adult-led, consent-based and respectful. Invited family contact details do not become marketing records without independent consent.

16.Institutional pilots

Institutional deployments define controller and processor responsibilities, minimise data collection, provide parental transparency, avoid public identification of children and prioritise aggregated reporting.

17.Security, retention and deletion

ORBI applies encryption, access controls, administrative logging, secure backups and supplier agreements. Identifiable data is retained only for as long as necessary, and is then deleted or anonymised.

18.Rights of families and children

Families can access, correct, export and delete their data, withdraw consent, restrict processing and exercise their applicable GDPR rights through practical mechanisms. See the contact details below to make a request.

19.Data Protection Impact Assessments

Before any large-scale public, educational or institutional deployment, ORBI conducts a proportionate Data Protection Impact Assessment covering data flows, risks, necessity, proportionality and safeguards.

20.Technical safeguards

We store consent records, use pseudonymised identifiers, maintain export and deletion workflows, restrict dashboard access, preserve auditability and keep mandatory and optional consent mechanisms separate.

21.Privacy as an advantage

We treat privacy as a competitive advantage. Families, schools, museums, science centres, aquariums, partners and investors are more likely to trust a product that demonstrates maturity before scale.

22.Our positioning

ORBI Passport is not a child-data exploitation business. It is a family learning passport, designed from the beginning with privacy, safety, transparency and child protection at its core.

Contact and your rights

To access, correct, export or delete your data, withdraw consent, or ask any data protection question, contact the ORBI Passport team at privacy@orbipassport.com. You may also lodge a complaint with the Portuguese Data Protection Authority (CNPD).

Legal references

  • Regulation (EU) 2016/679 (GDPR)
  • Portuguese Law No. 58/2019
  • Portuguese Data Protection Authority (CNPD)
  • European Commission guidance on children's privacy and parental consent
  • GDPR Article 35, Data Protection Impact Assessments (DPIAs)