This document has been replaced by a newer version, and is available for archival purposes

Privacy Policy

Last updated: June 9, 2026

Table of Contents

  1. Introduction
  2. Data Controller and roles
  3. Personal data we collect
  4. Sources of personal data
  5. Legal basis for processing
  6. Cookies and similar technologies
  7. Data sharing and subprocessors
  8. International data transfers
  9. Data retention
  10. Security measures
  11. Personal data breaches
  12. Your rights under GDPR
  13. Children
  14. Changes to this Privacy Policy

1. Introduction

Ornamental Tree AB, operating under the brand Orbi ("Orbi", "we", "us", "our"), is committed to protecting your personal data in accordance with the EU General Data Protection Regulation (GDPR) and the Swedish Data Protection Act (2018:218).

This Privacy Policy explains what personal data we collect when you use the Orbi platform, why we collect it, how long we keep it, who we share it with, and which rights you have. It applies to all users of the Orbi platform — students, event participants, members and representatives of associations and event organizers.

A Swedish version of this Privacy Policy is available on request from privacy@orbi.io.

2. Data Controller and roles

Ornamental Tree AB
Org. no. 559032-9735
Vallgatan 26, 411 16 Gothenburg, Sweden
Email: privacy@orbi.io

All requests relating to personal data and this Privacy Policy are handled by the Orbi Privacy Team and can be sent to privacy@orbi.io. Orbi has assessed that a Data Protection Officer (DPO) is not required under GDPR Art. 37, but the Privacy Team serves as a dedicated point of contact for data protection matters.

Orbi acts as Data Controller for:

  • User accounts and authentication
  • General platform functionality
  • Chat services between users
  • Connect (Career)
  • Aggregated platform analytics and infrastructure
  • Direct marketing communications about the Orbi platform

Orbi acts as Data Processor when processing personal data on behalf of event organizers and associations that use Orbi for event administration, ticketing and membership management.

3. Personal data we collect

3.1 Account data (mandatory)

  • First name
  • Last name
  • Email address

3.2 Optional profile data

  • Profile image
  • Free-text biography
  • School, faculty and subject
  • Graduation year and study year

3.3 Event and membership data

  • Event participation
  • Ticket ownership and ticket transfers
  • QR check-ins
  • Membership status (active / inactive)
  • Food preferences (only when relevant to an event, e.g. catering)

3.4 Chat functionality

  • Messages are encrypted in transit (TLS) and at rest
  • Messages are not end-to-end encrypted
  • Messages are stored for as long as the user account remains active
  • A designated compliance representative may review specific chat messages solely in the event of an abuse report
  • Chat data is never used for profiling, advertising or marketing

3.5 Connect (Career)

Connect (Career) is an optional feature that lets students share profile information with companies they choose to connect with.

Data shared with a company only when the student takes an explicit action to connect:

  • Name
  • Email address
  • University
  • Section (faculty)
  • Study year

3.6 Technical and usage data

  • Device type
  • Anonymized IP address (Google Analytics IP anonymization enabled)
  • Usage patterns and interaction events

4. Sources of personal data

We collect personal data primarily directly from you when you create an account, complete your profile, register for events, communicate through the platform or contact us.

In addition, an event organizer or association may upload contact lists (typically email addresses) to invite people to events or manage memberships. In those cases the organizer is the Data Controller for the upload and must have its own legal basis under GDPR.

5. Legal basis for processing

We process personal data on the following legal bases:

Purpose of processingLegal basis (GDPR Art. 6)
Account creation, authentication and core platform functionalityPerformance of a contract — Art. 6(1)(b)
Event participation, ticketing and membership administrationPerformance of a contract — Art. 6(1)(b)
Sharing participant and member lists with the relevant event organizer / associationPerformance of a contract — Art. 6(1)(b)
Chat services between usersPerformance of a contract — Art. 6(1)(b)
Payments and reconciliation via StripePerformance of a contract — Art. 6(1)(b) and legal obligation — Art. 6(1)(c)
Connect (Career) — sharing profile data with a companyConsent — Art. 6(1)(a) (requires an explicit user action)
Service improvement, troubleshooting and aggregated analyticsLegitimate interest — Art. 6(1)(f)
Direct marketing to existing users about Orbi features and updatesLegitimate interest — Art. 6(1)(f), subject to easy opt-out
Marketing to new audiences and non-essential cookiesConsent — Art. 6(1)(a)
Compliance with statutory obligations (e.g. accounting)Legal obligation — Art. 6(1)(c)
Investigating abuse reports and protecting platform safetyLegitimate interest — Art. 6(1)(f)

Where processing is based on consent, you may withdraw your consent at any time. Withdrawal does not affect the lawfulness of processing carried out before the withdrawal.

6. Cookies and similar technologies

Orbi uses cookies and similar technologies to operate the platform, remember your preferences, secure your session and understand how the service is used.

  • Strictly necessary cookies — required for authentication, session management and security. These cannot be disabled.
  • Analytics cookies — set by Google Analytics / Firebase with IP anonymization enabled, used in aggregated form.
  • Functional cookies — used to remember user preferences.

7. Data sharing and subprocessors

Orbi's current subprocessors are:

ProviderPurposeLocationTransfer
Google CloudHosting and infrastructureEU (Netherlands)SCCs
Google AnalyticsProduct analyticsEU-configuredSCCs
StripePayment processingEUSCCs
HubSpotCRM operationsEUSCCs
Customer.ioMarketing commsEUSCCs
RefinerFeedback collectionEUSCCs

This list is also maintained in Annex 2 of Orbi's Data Processing Agreement.

8. International data transfers

Personal data is primarily stored and processed within the European Union, with hosting in the Google Cloud Platform Netherlands region.

Where a subprocessor's support or engineering personnel may need incidental access from outside the EU/EEA, such transfers are protected by appropriate safeguards under GDPR Chapter V, primarily the European Commission's Standard Contractual Clauses (SCCs).

9. Data retention

We apply the principles of data minimization and storage limitation. Specific retention periods are set out below:

Data categoryRetention period
Account data (name, email, optional profile data)For as long as the account is active. Deleted upon account deletion by the user.
Inactive accountsAccounts with no login for 84 consecutive months may be deleted after prior notice by email.
Chat messagesStored while the account is active; permanently deleted on account deletion. Flagged messages are retained only as long as needed to investigate.
Event and ticket dataRetained for the duration of the organizer's use of Orbi, subject to the organizer's own retention rules.
Payment and accounting dataRetained for 7 years as required by the Swedish Bookkeeping Act.
Analytics data (Google Analytics / Firebase)Retained according to Google's EU retention settings (currently 14 months, in aggregated form).
BackupsRetained on a rolling basis and overwritten within 30 days.
Marketing preferences and unsubscribe recordsRetained for as long as needed to honour the user's choices.

10. Security measures

We implement appropriate technical and organizational measures to protect personal data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure or access, including:

  • Encryption in transit (TLS) and at rest
  • Role-based and least-privilege access controls
  • Restricted internal access
  • Confidentiality obligations for all personnel
  • Logging, monitoring and intrusion detection
  • Backup and recovery procedures
  • Secure EU-based cloud infrastructure (Google Cloud Platform — Netherlands)

11. Personal data breaches

If a personal data breach is likely to result in a high risk to your rights and freedoms, we will notify you without undue delay using the email address registered in your Orbi account, in accordance with GDPR Art. 34. We notify the Swedish Authority for Privacy Protection (IMY) within 72 hours where required by GDPR Art. 33.

12. Your rights under GDPR

As a data subject, you have the following rights:

  • Right of access — obtain a copy of the personal data we hold about you
  • Right to rectification — have inaccurate data corrected
  • Right to erasure ("right to be forgotten")
  • Right to restriction of processing
  • Right to object to processing based on legitimate interest, including profiling
  • Right to data portability
  • Right to withdraw consent at any time where processing is based on consent
  • Right to lodge a complaint with a supervisory authority

To exercise your rights, contact privacy@orbi.io. We will respond within one month of receiving your request, free of charge.

13. Children

Orbi is intended for university-level users and is generally used by individuals aged 18 and above. Orbi is not directed at children and we do not knowingly collect personal data from individuals under 16 years of age. If you become aware that a person under 16 has provided personal data to Orbi, please contact privacy@orbi.io and we will delete the data.

14. Changes to this Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our service, legal requirements or industry practice. Material changes will be communicated through the Orbi platform and/or by email to the address registered in your account before the changes take effect. The "Last updated" date at the top of this document indicates the latest version.

Privacy Policy

Last updated: June 9, 2026

Table of Contents

  1. Introduction
  2. Data Controller and roles
  3. Personal data we collect
  4. Sources of personal data
  5. Legal basis for processing
  6. Cookies and similar technologies
  7. Data sharing and subprocessors
  8. International data transfers
  9. Data retention
  10. Security measures
  11. Personal data breaches
  12. Your rights under GDPR
  13. Children
  14. Changes to this Privacy Policy

1. Introduction

Ornamental Tree AB, operating under the brand Orbi ("Orbi", "we", "us", "our"), is committed to protecting your personal data in accordance with the EU General Data Protection Regulation (GDPR) and the Swedish Data Protection Act (2018:218).

This Privacy Policy explains what personal data we collect when you use the Orbi platform, why we collect it, how long we keep it, who we share it with, and which rights you have. It applies to all users of the Orbi platform — students, event participants, members and representatives of associations and event organizers.

A Swedish version of this Privacy Policy is available on request from privacy@orbi.io.

2. Data Controller and roles

Ornamental Tree AB
Org. no. 559032-9735
Vallgatan 26, 411 16 Gothenburg, Sweden
Email: privacy@orbi.io

All requests relating to personal data and this Privacy Policy are handled by the Orbi Privacy Team and can be sent to privacy@orbi.io. Orbi has assessed that a Data Protection Officer (DPO) is not required under GDPR Art. 37, but the Privacy Team serves as a dedicated point of contact for data protection matters.

Orbi acts as Data Controller for:

  • User accounts and authentication
  • General platform functionality
  • Chat services between users
  • Connect (Career)
  • Aggregated platform analytics and infrastructure
  • Direct marketing communications about the Orbi platform

Orbi acts as Data Processor when processing personal data on behalf of event organizers and associations that use Orbi for event administration, ticketing and membership management.

3. Personal data we collect

3.1 Account data (mandatory)

  • First name
  • Last name
  • Email address

3.2 Optional profile data

  • Profile image
  • Free-text biography
  • School, faculty and subject
  • Graduation year and study year

3.3 Event and membership data

  • Event participation
  • Ticket ownership and ticket transfers
  • QR check-ins
  • Membership status (active / inactive)
  • Food preferences (only when relevant to an event, e.g. catering)

3.4 Chat functionality

  • Messages are encrypted in transit (TLS) and at rest
  • Messages are not end-to-end encrypted
  • Messages are stored for as long as the user account remains active
  • A designated compliance representative may review specific chat messages solely in the event of an abuse report
  • Chat data is never used for profiling, advertising or marketing

3.5 Connect (Career)

Connect (Career) is an optional feature that lets students share profile information with companies they choose to connect with.

Data shared with a company only when the student takes an explicit action to connect:

  • Name
  • Email address
  • University
  • Section (faculty)
  • Study year

3.6 Technical and usage data

  • Device type
  • Anonymized IP address (Google Analytics IP anonymization enabled)
  • Usage patterns and interaction events

4. Sources of personal data

We collect personal data primarily directly from you when you create an account, complete your profile, register for events, communicate through the platform or contact us.

In addition, an event organizer or association may upload contact lists (typically email addresses) to invite people to events or manage memberships. In those cases the organizer is the Data Controller for the upload and must have its own legal basis under GDPR.

5. Legal basis for processing

We process personal data on the following legal bases:

Purpose of processingLegal basis (GDPR Art. 6)
Account creation, authentication and core platform functionalityPerformance of a contract — Art. 6(1)(b)
Event participation, ticketing and membership administrationPerformance of a contract — Art. 6(1)(b)
Sharing participant and member lists with the relevant event organizer / associationPerformance of a contract — Art. 6(1)(b)
Chat services between usersPerformance of a contract — Art. 6(1)(b)
Payments and reconciliation via StripePerformance of a contract — Art. 6(1)(b) and legal obligation — Art. 6(1)(c)
Connect (Career) — sharing profile data with a companyConsent — Art. 6(1)(a) (requires an explicit user action)
Service improvement, troubleshooting and aggregated analyticsLegitimate interest — Art. 6(1)(f)
Direct marketing to existing users about Orbi features and updatesLegitimate interest — Art. 6(1)(f), subject to easy opt-out
Marketing to new audiences and non-essential cookiesConsent — Art. 6(1)(a)
Compliance with statutory obligations (e.g. accounting)Legal obligation — Art. 6(1)(c)
Investigating abuse reports and protecting platform safetyLegitimate interest — Art. 6(1)(f)

Where processing is based on consent, you may withdraw your consent at any time. Withdrawal does not affect the lawfulness of processing carried out before the withdrawal.

6. Cookies and similar technologies

Orbi uses cookies and similar technologies to operate the platform, remember your preferences, secure your session and understand how the service is used.

  • Strictly necessary cookies — required for authentication, session management and security. These cannot be disabled.
  • Analytics cookies — set by Google Analytics / Firebase with IP anonymization enabled, used in aggregated form.
  • Functional cookies — used to remember user preferences.

7. Data sharing and subprocessors

Orbi's current subprocessors are:

ProviderPurposeLocationTransfer
Google CloudHosting and infrastructureEU (Netherlands)SCCs
Google AnalyticsProduct analyticsEU-configuredSCCs
StripePayment processingEUSCCs
HubSpotCRM operationsEUSCCs
Customer.ioMarketing commsEUSCCs
RefinerFeedback collectionEUSCCs

This list is also maintained in Annex 2 of Orbi's Data Processing Agreement.

8. International data transfers

Personal data is primarily stored and processed within the European Union, with hosting in the Google Cloud Platform Netherlands region.

Where a subprocessor's support or engineering personnel may need incidental access from outside the EU/EEA, such transfers are protected by appropriate safeguards under GDPR Chapter V, primarily the European Commission's Standard Contractual Clauses (SCCs).

9. Data retention

We apply the principles of data minimization and storage limitation. Specific retention periods are set out below:

Data categoryRetention period
Account data (name, email, optional profile data)For as long as the account is active. Deleted upon account deletion by the user.
Inactive accountsAccounts with no login for 84 consecutive months may be deleted after prior notice by email.
Chat messagesStored while the account is active; permanently deleted on account deletion. Flagged messages are retained only as long as needed to investigate.
Event and ticket dataRetained for the duration of the organizer's use of Orbi, subject to the organizer's own retention rules.
Payment and accounting dataRetained for 7 years as required by the Swedish Bookkeeping Act.
Analytics data (Google Analytics / Firebase)Retained according to Google's EU retention settings (currently 14 months, in aggregated form).
BackupsRetained on a rolling basis and overwritten within 30 days.
Marketing preferences and unsubscribe recordsRetained for as long as needed to honour the user's choices.

10. Security measures

We implement appropriate technical and organizational measures to protect personal data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure or access, including:

  • Encryption in transit (TLS) and at rest
  • Role-based and least-privilege access controls
  • Restricted internal access
  • Confidentiality obligations for all personnel
  • Logging, monitoring and intrusion detection
  • Backup and recovery procedures
  • Secure EU-based cloud infrastructure (Google Cloud Platform — Netherlands)

11. Personal data breaches

If a personal data breach is likely to result in a high risk to your rights and freedoms, we will notify you without undue delay using the email address registered in your Orbi account, in accordance with GDPR Art. 34. We notify the Swedish Authority for Privacy Protection (IMY) within 72 hours where required by GDPR Art. 33.

12. Your rights under GDPR

As a data subject, you have the following rights:

  • Right of access — obtain a copy of the personal data we hold about you
  • Right to rectification — have inaccurate data corrected
  • Right to erasure ("right to be forgotten")
  • Right to restriction of processing
  • Right to object to processing based on legitimate interest, including profiling
  • Right to data portability
  • Right to withdraw consent at any time where processing is based on consent
  • Right to lodge a complaint with a supervisory authority

To exercise your rights, contact privacy@orbi.io. We will respond within one month of receiving your request, free of charge.

13. Children

Orbi is intended for university-level users and is generally used by individuals aged 18 and above. Orbi is not directed at children and we do not knowingly collect personal data from individuals under 16 years of age. If you become aware that a person under 16 has provided personal data to Orbi, please contact privacy@orbi.io and we will delete the data.

14. Changes to this Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our service, legal requirements or industry practice. Material changes will be communicated through the Orbi platform and/or by email to the address registered in your account before the changes take effect. The "Last updated" date at the top of this document indicates the latest version.