Permissions & Safety

What Orbis can and cannot do.

No marketing copy. Every claim on this page maps to an OAuth scope, a code-level guarantee, or a feature gate you can verify yourself.

Last updated: May 12, 2026

The top-line promise. Orbis cannot delete your emails, files, or calendar history today. Not as a policy, as a structural limit. The OAuth scopes you grant are read-only for Gmail and Drive, and the agent has no delete tool in its palette. If we ever ship a feature that needs write or delete access, you will see a new Google consent screen and have to approve it. Nothing changes silently.

Per-integration permissions

This is the full list of what Orbis requests today, and exactly what each scope allows.

| Integration | Scope requested | Read | Write | Delete |
|---|---|---|---|---|
| Gmail | gmail.readonly | Yes | No | No |
| Google Drive | drive.readonly | Yes | No | No |
| Google Calendar | calendar.readonly | Yes | No | No |
| Outlook / Microsoft 365 | Mail.Read, Calendars.Read | Yes | No | No |
| Slack | channels:history, chat:write, users:read | Yes | Approval-gated | No |
| HubSpot / Salesforce | Read + write via Pipedream Connect | Yes | Approval-gated | No |
| WhatsApp | Cloud API send / receive on your number | Yes | Yes (your number) | No |
| Stripe | Read only (your dashboard data) | Yes | No | No |

Approval-gated means Orbis can compose the action (a Slack message, an email draft, a CRM update), but it shows you a preview card first and waits for you to click Send or Approve. The agent never fires these actions directly. This is enforced in the system prompt and at the tool layer.

How to verify yourself

You do not have to trust this page. The permissions Orbis holds on your account are visible in your own settings.

  1. Open myaccount.google.com/permissions
  2. Find "Orbis" in the list of connected apps.
  3. Click it. You will see exactly what was granted. For Gmail you should see "Read your email messages and settings", not "Send, delete, or manage your mail".
  4. Revoke anytime. One click removes Orbis's access entirely. You can re-authorize later from the Orbis dashboard.

For Microsoft 365: myaccount.microsoft.com/Apps. For Slack: workspace admin → Apps → Orbis.
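If you can export the raw scope string of a grant (for example the `scope` value of an OAuth token response, or an admin token report), the same check can be automated. The script below is an added example, not Orbis code: it compares a granted scope string against the table above and flags anything extra. The integration keys and the sample strings are constructed for illustration.

```python
import re

# Expected grants per integration, copied from the permissions table on this page.
# The dictionary keys are labels chosen for this example.
EXPECTED = {
    "gmail": {"gmail.readonly"},
    "drive": {"drive.readonly"},
    "calendar": {"calendar.readonly"},
    "microsoft365": {"Mail.Read", "Calendars.Read"},
    "slack": {"channels:history", "chat:write", "users:read"},
}

# Google reports scopes as full URIs; the table uses the short name.
GOOGLE_PREFIX = "https://www.googleapis.com/auth/"

# Provider scopes that permit sending, modifying or deleting data.
# Not exhaustive: anything outside EXPECTED is reported regardless.
WRITE_CAPABLE = {
    "https://mail.google.com/",  # full mailbox access, including permanent delete
    "gmail.modify", "gmail.send", "gmail.compose",
    "drive", "calendar",
    "Mail.ReadWrite", "Mail.Send", "Calendars.ReadWrite",
}

def parse_scopes(raw):
    """Split a scope string (space-delimited per RFC 6749; Slack uses commas)."""
    scopes = set()
    for s in re.split(r"[\s,]+", raw.strip()):
        if s:
            scopes.add(s[len(GOOGLE_PREFIX):] if s.startswith(GOOGLE_PREFIX) else s)
    return scopes

def audit(integration, raw_scopes):
    """Compare a grant with the table; any scope beyond it makes ok False."""
    granted = parse_scopes(raw_scopes)
    expected = EXPECTED[integration]
    unexpected = granted - expected
    return {
        "ok": not unexpected,
        "unexpected": sorted(unexpected),
        "write_capable": sorted(unexpected & WRITE_CAPABLE),
        "missing": sorted(expected - granted),
    }

if __name__ == "__main__":
    # Constructed sample: a read-only grant plus a full-mailbox scope.
    sample = GOOGLE_PREFIX + "gmail.readonly https://mail.google.com/"
    print(audit("gmail", sample))
```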

The approval gate

For the integrations where Orbis can write (Slack messages, CRM updates, drafted emails), every outbound action passes through an approval card before it goes out.

  1. Orbis decides an action is appropriate (for example, drafting a reply to a customer email).
  2. Orbis posts a preview card to your Slack DM or web inbox. The card shows the recipient, subject, and full body.
  3. Nothing is sent until you click Send. You can edit, cancel, or skip.
  4. If you do not respond within 24 hours, the action quietly expires. It is not auto-sent.

This is why customers describe Orbis as "an assistant that writes the draft", not "a bot that sends mail on my behalf". The difference is structural, not stylistic.
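The four steps above can be read as a small state machine enforced at the tool layer. The sketch below is an added example, not Orbis's implementation: the class, method and field names are hypothetical. The agent is handed only `propose`; the real sender is reachable only through `approve`, which is wired to the user's Send click, and a card older than 24 hours fails closed.

```python
import time
import uuid

TTL_SECONDS = 24 * 3600  # the 24-hour expiry from step 4


class GateError(Exception):
    """Raised when a card is approved while not pending."""


class ApprovalGate:
    def __init__(self, send_fn, clock=time.time):
        self._send = send_fn   # real sender; never placed in the agent's tool list
        self._clock = clock
        self._cards = {}

    def propose(self, recipient, subject, body):
        """The only call exposed to the agent: store a preview card, send nothing."""
        card_id = uuid.uuid4().hex
        self._cards[card_id] = {
            "recipient": recipient, "subject": subject, "body": body,
            "created": self._clock(), "state": "pending",
        }
        return card_id

    def state(self, card_id):
        card = self._cards[card_id]
        if card["state"] == "pending" and self._clock() - card["created"] >= TTL_SECONDS:
            card["state"] = "expired"  # fail closed: expiry never turns into a send
        return card["state"]

    def approve(self, card_id, edited_body=None):
        """Called from the user's Send click, optionally with an edited body."""
        if self.state(card_id) != "pending":
            raise GateError("card is " + self._cards[card_id]["state"])
        card = self._cards[card_id]
        if edited_body is not None:
            card["body"] = edited_body
        card["state"] = "sent"  # set before sending so a replayed click cannot resend
        self._send(card["recipient"], card["subject"], card["body"])

    def cancel(self, card_id):
        if self.state(card_id) == "pending":
            self._cards[card_id]["state"] = "cancelled"
```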

Backups and accidental loss

Two separate concerns: what happens if Orbis loses its own data, and what happens if Orbis somehow affects your data.

If Orbis's infrastructure goes down

If Orbis "accidentally" affects your data

The most common worry, and the most direct answer: Orbis literally cannot delete, archive, or modify your email today. The Gmail OAuth scope is gmail.readonly. Google's API enforces that. There is no delete tool wired into the agent. Even if the AI were instructed to, it has no function to call and Google would reject the request.

For the integrations where Orbis can write (Slack, HubSpot drafts, calendar create), the approval gate above is the safety layer. The agent does not have a "delete" action for any of these either.

For belt-and-suspenders: Gmail has built-in Trash recovery for 30 days. Google Drive has version history and Trash recovery. If a delete somehow happened (it cannot today, but if scope ever expanded), it would be recoverable from the underlying provider.

If we ever expand scope

If a future feature requires write or delete access to an account that is currently read-only, you will:

Scope expansion never happens server-side. It is a user-driven re-authorization. This is not a promise, it is how OAuth works.

FAQ

Can Orbis read all my emails?

Yes, within the scope you granted. gmail.readonly grants read access to your inbox so Orbis can answer questions like "did anyone follow up on the Acme deal?" or "draft a reply to Maria". It cannot send, delete, or archive.

Are humans on the Orbis team reading my email?

No. Your data is processed by the Orbis AI agent in-memory at request time. Engineers cannot access your account data except (a) with your explicit consent for a specific support ticket, (b) where required by law, or (c) when investigating a security incident or technical fault on your account. This is documented in our Privacy Policy.

Is my email used to train AI models?

No. Anthropic's Claude API, which Orbis uses for inference, does not train on customer-routed traffic. Your email content stays inside the Orbis → Anthropic API boundary and is used only to generate the response you asked for.

What if I want to delete my Orbis account?

Email hello@imorbis.com and we delete your tenant database, drafts, and stored tokens within 30 days. Revoking the OAuth grants at myaccount.google.com/permissions additionally cuts off Orbis's read access immediately.

Reporting a concern

If you see Orbis doing something this page says it cannot do, that is a bug and a security issue. Email hello@imorbis.com with subject "Security:" and we will treat it as a P0. We would rather hear from you than have you wonder.