This document has been replaced by a newer version, and is available for archival purposes
Privacy Policy
Last updated: June 9, 2026
Table of Contents
- Introduction
- Data Controller and roles
- Personal data we collect
- Sources of personal data
- Legal basis for processing
- Cookies and similar technologies
- Data sharing and subprocessors
- International data transfers
- Data retention
- Security measures
- Personal data breaches
- Your rights under GDPR
- Children
- Changes to this Privacy Policy
1. Introduction
Ornamental Tree AB, operating under the brand Orbi ("Orbi", "we", "us", "our"), is committed to protecting your personal data in accordance with the EU General Data Protection Regulation (GDPR) and the Swedish Data Protection Act (2018:218).
This Privacy Policy explains what personal data we collect when you use the Orbi platform, why we collect it, how long we keep it, who we share it with, and which rights you have. It applies to all users of the Orbi platform — students, event participants, members and representatives of associations and event organizers.
A Swedish version of this Privacy Policy is available on request from privacy@orbi.io.
2. Data Controller and roles
Ornamental Tree AB
Org. no. 559032-9735
Vallgatan 26, 411 16 Gothenburg, Sweden
Email: privacy@orbi.io
All requests relating to personal data and this Privacy Policy are handled by the Orbi Privacy Team and can be sent to privacy@orbi.io. Orbi has assessed that a Data Protection Officer (DPO) is not required under GDPR Art. 37, but the Privacy Team serves as a dedicated point of contact for data protection matters.
Orbi acts as Data Controller for:
- User accounts and authentication
- General platform functionality
- Chat services between users
- Connect (Career)
- Aggregated platform analytics and infrastructure
- Direct marketing communications about the Orbi platform
Orbi acts as Data Processor when processing personal data on behalf of event organizers and associations that use Orbi for event administration, ticketing and membership management.
3. Personal data we collect
3.1 Account data (mandatory)
- First name
- Last name
- Email address
3.2 Optional profile data
- Profile image
- Free-text biography
- School, faculty and subject
- Graduation year and study year
3.3 Event and membership data
- Event participation
- Ticket ownership and ticket transfers
- QR check-ins
- Membership status (active / inactive)
- Food preferences (only when relevant to an event, e.g. catering)
3.4 Chat functionality
- Messages are encrypted in transit (TLS) and at rest
- Messages are not end-to-end encrypted
- Messages are stored for as long as the user account remains active
- A designated compliance representative may review specific chat messages solely in the event of an abuse report
- Chat data is never used for profiling, advertising or marketing
3.5 Connect (Career)
Connect (Career) is an optional feature that lets students share profile information with companies they choose to connect with.
Data shared with a company only when the student takes an explicit action to connect:
- Name
- Email address
- University
- Section (faculty)
- Study year
3.6 Technical and usage data
- Device type
- Anonymized IP address (Google Analytics IP anonymization enabled)
- Usage patterns and interaction events
4. Sources of personal data
We collect personal data primarily directly from you when you create an account, complete your profile, register for events, communicate through the platform or contact us.
In addition, an event organizer or association may upload contact lists (typically email addresses) to invite people to events or manage memberships. In those cases the organizer is the Data Controller for the upload and must have its own legal basis under GDPR.
5. Legal basis for processing
We process personal data on the following legal bases:
| Purpose of processing | Legal basis (GDPR Art. 6) |
|---|---|
| Account creation, authentication and core platform functionality | Performance of a contract — Art. 6(1)(b) |
| Event participation, ticketing and membership administration | Performance of a contract — Art. 6(1)(b) |
| Sharing participant and member lists with the relevant event organizer / association | Performance of a contract — Art. 6(1)(b) |
| Chat services between users | Performance of a contract — Art. 6(1)(b) |
| Payments and reconciliation via Stripe | Performance of a contract — Art. 6(1)(b) and legal obligation — Art. 6(1)(c) |
| Connect (Career) — sharing profile data with a company | Consent — Art. 6(1)(a) (requires an explicit user action) |
| Service improvement, troubleshooting and aggregated analytics | Legitimate interest — Art. 6(1)(f) |
| Direct marketing to existing users about Orbi features and updates | Legitimate interest — Art. 6(1)(f), subject to easy opt-out |
| Marketing to new audiences and non-essential cookies | Consent — Art. 6(1)(a) |
| Compliance with statutory obligations (e.g. accounting) | Legal obligation — Art. 6(1)(c) |
| Investigating abuse reports and protecting platform safety | Legitimate interest — Art. 6(1)(f) |
Where processing is based on consent, you may withdraw your consent at any time. Withdrawal does not affect the lawfulness of processing carried out before the withdrawal.
6. Cookies and similar technologies
Orbi uses cookies and similar technologies to operate the platform, remember your preferences, secure your session and understand how the service is used.
- Strictly necessary cookies — required for authentication, session management and security. These cannot be disabled.
- Analytics cookies — set by Google Analytics / Firebase with IP anonymization enabled, used in aggregated form.
- Functional cookies — used to remember user preferences.
7. Data sharing and subprocessors
Orbi's current subprocessors are:
| Provider | Purpose | Location | Transfer |
|---|---|---|---|
| Google Cloud | Hosting and infrastructure | EU (Netherlands) | SCCs |
| Google Analytics | Product analytics | EU-configured | SCCs |
| Stripe | Payment processing | EU | SCCs |
| HubSpot | CRM operations | EU | SCCs |
| Customer.io | Marketing comms | EU | SCCs |
| Refiner | Feedback collection | EU | SCCs |
This list is also maintained in Annex 2 of Orbi's Data Processing Agreement.
8. International data transfers
Personal data is primarily stored and processed within the European Union, with hosting in the Google Cloud Platform Netherlands region.
Where a subprocessor's support or engineering personnel may need incidental access from outside the EU/EEA, such transfers are protected by appropriate safeguards under GDPR Chapter V, primarily the European Commission's Standard Contractual Clauses (SCCs).
9. Data retention
We apply the principles of data minimization and storage limitation. Specific retention periods are set out below:
| Data category | Retention period |
|---|---|
| Account data (name, email, optional profile data) | For as long as the account is active. Deleted upon account deletion by the user. |
| Inactive accounts | Accounts with no login for 84 consecutive months may be deleted after prior notice by email. |
| Chat messages | Stored while the account is active; permanently deleted on account deletion. Flagged messages are retained only as long as needed to investigate. |
| Event and ticket data | Retained for the duration of the organizer's use of Orbi, subject to the organizer's own retention rules. |
| Payment and accounting data | Retained for 7 years as required by the Swedish Bookkeeping Act. |
| Analytics data (Google Analytics / Firebase) | Retained according to Google's EU retention settings (currently 14 months, in aggregated form). |
| Backups | Retained on a rolling basis and overwritten within 30 days. |
| Marketing preferences and unsubscribe records | Retained for as long as needed to honour the user's choices. |
10. Security measures
We implement appropriate technical and organizational measures to protect personal data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure or access, including:
- Encryption in transit (TLS) and at rest
- Role-based and least-privilege access controls
- Restricted internal access
- Confidentiality obligations for all personnel
- Logging, monitoring and intrusion detection
- Backup and recovery procedures
- Secure EU-based cloud infrastructure (Google Cloud Platform — Netherlands)
11. Personal data breaches
If a personal data breach is likely to result in a high risk to your rights and freedoms, we will notify you without undue delay using the email address registered in your Orbi account, in accordance with GDPR Art. 34. We notify the Swedish Authority for Privacy Protection (IMY) within 72 hours where required by GDPR Art. 33.
12. Your rights under GDPR
As a data subject, you have the following rights:
- Right of access — obtain a copy of the personal data we hold about you
- Right to rectification — have inaccurate data corrected
- Right to erasure ("right to be forgotten")
- Right to restriction of processing
- Right to object to processing based on legitimate interest, including profiling
- Right to data portability
- Right to withdraw consent at any time where processing is based on consent
- Right to lodge a complaint with a supervisory authority
To exercise your rights, contact privacy@orbi.io. We will respond within one month of receiving your request, free of charge.
13. Children
Orbi is intended for university-level users and is generally used by individuals aged 18 and above. Orbi is not directed at children and we do not knowingly collect personal data from individuals under 16 years of age. If you become aware that a person under 16 has provided personal data to Orbi, please contact privacy@orbi.io and we will delete the data.
14. Changes to this Privacy Policy
We may update this Privacy Policy from time to time to reflect changes in our service, legal requirements or industry practice. Material changes will be communicated through the Orbi platform and/or by email to the address registered in your account before the changes take effect. The "Last updated" date at the top of this document indicates the latest version.
Privacy Policy
Last updated: June 9, 2026
Table of Contents
- Introduction
- Data Controller and roles
- Personal data we collect
- Sources of personal data
- Legal basis for processing
- Cookies and similar technologies
- Data sharing and subprocessors
- International data transfers
- Data retention
- Security measures
- Personal data breaches
- Your rights under GDPR
- Children
- Changes to this Privacy Policy
1. Introduction
Ornamental Tree AB, operating under the brand Orbi ("Orbi", "we", "us", "our"), is committed to protecting your personal data in accordance with the EU General Data Protection Regulation (GDPR) and the Swedish Data Protection Act (2018:218).
This Privacy Policy explains what personal data we collect when you use the Orbi platform, why we collect it, how long we keep it, who we share it with, and which rights you have. It applies to all users of the Orbi platform — students, event participants, members and representatives of associations and event organizers.
A Swedish version of this Privacy Policy is available on request from privacy@orbi.io.
2. Data Controller and roles
Ornamental Tree AB
Org. no. 559032-9735
Vallgatan 26, 411 16 Gothenburg, Sweden
Email: privacy@orbi.io
All requests relating to personal data and this Privacy Policy are handled by the Orbi Privacy Team and can be sent to privacy@orbi.io. Orbi has assessed that a Data Protection Officer (DPO) is not required under GDPR Art. 37, but the Privacy Team serves as a dedicated point of contact for data protection matters.
Orbi acts as Data Controller for:
- User accounts and authentication
- General platform functionality
- Chat services between users
- Connect (Career)
- Aggregated platform analytics and infrastructure
- Direct marketing communications about the Orbi platform
Orbi acts as Data Processor when processing personal data on behalf of event organizers and associations that use Orbi for event administration, ticketing and membership management.
3. Personal data we collect
3.1 Account data (mandatory)
- First name
- Last name
- Email address
3.2 Optional profile data
- Profile image
- Free-text biography
- School, faculty and subject
- Graduation year and study year
3.3 Event and membership data
- Event participation
- Ticket ownership and ticket transfers
- QR check-ins
- Membership status (active / inactive)
- Food preferences (only when relevant to an event, e.g. catering)
3.4 Chat functionality
- Messages are encrypted in transit (TLS) and at rest
- Messages are not end-to-end encrypted
- Messages are stored for as long as the user account remains active
- A designated compliance representative may review specific chat messages solely in the event of an abuse report
- Chat data is never used for profiling, advertising or marketing
3.5 Connect (Career)
Connect (Career) is an optional feature that lets students share profile information with companies they choose to connect with.
Data shared with a company only when the student takes an explicit action to connect:
- Name
- Email address
- University
- Section (faculty)
- Study year
3.6 Technical and usage data
- Device type
- Anonymized IP address (Google Analytics IP anonymization enabled)
- Usage patterns and interaction events
4. Sources of personal data
We collect personal data primarily directly from you when you create an account, complete your profile, register for events, communicate through the platform or contact us.
In addition, an event organizer or association may upload contact lists (typically email addresses) to invite people to events or manage memberships. In those cases the organizer is the Data Controller for the upload and must have its own legal basis under GDPR.
5. Legal basis for processing
We process personal data on the following legal bases:
| Purpose of processing | Legal basis (GDPR Art. 6) |
|---|---|
| Account creation, authentication and core platform functionality | Performance of a contract — Art. 6(1)(b) |
| Event participation, ticketing and membership administration | Performance of a contract — Art. 6(1)(b) |
| Sharing participant and member lists with the relevant event organizer / association | Performance of a contract — Art. 6(1)(b) |
| Chat services between users | Performance of a contract — Art. 6(1)(b) |
| Payments and reconciliation via Stripe | Performance of a contract — Art. 6(1)(b) and legal obligation — Art. 6(1)(c) |
| Connect (Career) — sharing profile data with a company | Consent — Art. 6(1)(a) (requires an explicit user action) |
| Service improvement, troubleshooting and aggregated analytics | Legitimate interest — Art. 6(1)(f) |
| Direct marketing to existing users about Orbi features and updates | Legitimate interest — Art. 6(1)(f), subject to easy opt-out |
| Marketing to new audiences and non-essential cookies | Consent — Art. 6(1)(a) |
| Compliance with statutory obligations (e.g. accounting) | Legal obligation — Art. 6(1)(c) |
| Investigating abuse reports and protecting platform safety | Legitimate interest — Art. 6(1)(f) |
Where processing is based on consent, you may withdraw your consent at any time. Withdrawal does not affect the lawfulness of processing carried out before the withdrawal.
6. Cookies and similar technologies
Orbi uses cookies and similar technologies to operate the platform, remember your preferences, secure your session and understand how the service is used.
- Strictly necessary cookies — required for authentication, session management and security. These cannot be disabled.
- Analytics cookies — set by Google Analytics / Firebase with IP anonymization enabled, used in aggregated form.
- Functional cookies — used to remember user preferences.
7. Data sharing and subprocessors
Orbi's current subprocessors are:
| Provider | Purpose | Location | Transfer |
|---|---|---|---|
| Google Cloud | Hosting and infrastructure | EU (Netherlands) | SCCs |
| Google Analytics | Product analytics | EU-configured | SCCs |
| Stripe | Payment processing | EU | SCCs |
| HubSpot | CRM operations | EU | SCCs |
| Customer.io | Marketing comms | EU | SCCs |
| Refiner | Feedback collection | EU | SCCs |
This list is also maintained in Annex 2 of Orbi's Data Processing Agreement.
8. International data transfers
Personal data is primarily stored and processed within the European Union, with hosting in the Google Cloud Platform Netherlands region.
Where a subprocessor's support or engineering personnel may need incidental access from outside the EU/EEA, such transfers are protected by appropriate safeguards under GDPR Chapter V, primarily the European Commission's Standard Contractual Clauses (SCCs).
9. Data retention
We apply the principles of data minimization and storage limitation. Specific retention periods are set out below:
| Data category | Retention period |
|---|---|
| Account data (name, email, optional profile data) | For as long as the account is active. Deleted upon account deletion by the user. |
| Inactive accounts | Accounts with no login for 84 consecutive months may be deleted after prior notice by email. |
| Chat messages | Stored while the account is active; permanently deleted on account deletion. Flagged messages are retained only as long as needed to investigate. |
| Event and ticket data | Retained for the duration of the organizer's use of Orbi, subject to the organizer's own retention rules. |
| Payment and accounting data | Retained for 7 years as required by the Swedish Bookkeeping Act. |
| Analytics data (Google Analytics / Firebase) | Retained according to Google's EU retention settings (currently 14 months, in aggregated form). |
| Backups | Retained on a rolling basis and overwritten within 30 days. |
| Marketing preferences and unsubscribe records | Retained for as long as needed to honour the user's choices. |
10. Security measures
We implement appropriate technical and organizational measures to protect personal data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure or access, including:
- Encryption in transit (TLS) and at rest
- Role-based and least-privilege access controls
- Restricted internal access
- Confidentiality obligations for all personnel
- Logging, monitoring and intrusion detection
- Backup and recovery procedures
- Secure EU-based cloud infrastructure (Google Cloud Platform — Netherlands)
11. Personal data breaches
If a personal data breach is likely to result in a high risk to your rights and freedoms, we will notify you without undue delay using the email address registered in your Orbi account, in accordance with GDPR Art. 34. We notify the Swedish Authority for Privacy Protection (IMY) within 72 hours where required by GDPR Art. 33.
12. Your rights under GDPR
As a data subject, you have the following rights:
- Right of access — obtain a copy of the personal data we hold about you
- Right to rectification — have inaccurate data corrected
- Right to erasure ("right to be forgotten")
- Right to restriction of processing
- Right to object to processing based on legitimate interest, including profiling
- Right to data portability
- Right to withdraw consent at any time where processing is based on consent
- Right to lodge a complaint with a supervisory authority
To exercise your rights, contact privacy@orbi.io. We will respond within one month of receiving your request, free of charge.
13. Children
Orbi is intended for university-level users and is generally used by individuals aged 18 and above. Orbi is not directed at children and we do not knowingly collect personal data from individuals under 16 years of age. If you become aware that a person under 16 has provided personal data to Orbi, please contact privacy@orbi.io and we will delete the data.
14. Changes to this Privacy Policy
We may update this Privacy Policy from time to time to reflect changes in our service, legal requirements or industry practice. Material changes will be communicated through the Orbi platform and/or by email to the address registered in your account before the changes take effect. The "Last updated" date at the top of this document indicates the latest version.