Privacy policy
Updated: July 3, 2026 (Effective 16 July 2026)
Introduction
Ornamental Tree AB, operating under the brand Orbi ("Orbi", "we", "us", "our"), is committed to protecting your personal data in accordance with the EU General Data Protection Regulation (GDPR) and the Swedish Data Protection Act (2018:218).
This Privacy Policy explains what personal data we collect when you use the Orbi platform, why we collect it, how long we keep it, who we share it with, and which rights you have. It applies to all users of the Orbi platform — students, event participants, members and representatives of associations and event organizers.
A Swedish version of this Privacy Policy is available on request from privacy@orbi.io.
2. Data Controller and roles
Ornamental Tree AB
Org. no. 559032-9735
Vallgatan 26, 411 16 Gothenburg, Sweden
Email: privacy@orbi.io
All requests relating to personal data and this Privacy Policy are handled by the Orbi Privacy Team and can be sent to privacy@orbi.io. Orbi has assessed that a Data Protection Officer (DPO) is not required under GDPR Art. 37, but the Privacy Team serves as a dedicated point of contact for data protection matters.
Orbi acts as Data Controller for:
User accounts and authentication
General platform functionality
Chat services between users
Connect (Career)
Aggregated platform analytics and infrastructure
Direct marketing communications about the Orbi platform
Orbi acts as Data Processor when processing personal data on behalf of event organizers and associations that use Orbi for event administration, ticketing and membership management. The relationship is governed by Orbi's Data Processing Agreement (DPA), which is accepted by organizations as part of Orbi's Terms & Conditions.
Event organizers and associations act as independent Data Controllers for the personal data they process about their own members and event participants, including any contact lists they upload to Orbi.
Personal data we collect
3.1 Account data (mandatory)
First name
Last name
Email address
3.2 Optional profile data
Profile image
Free-text biography
School, faculty and subject
Graduation year and study year
This data is used inside the Orbi platform to personalize the user experience and to support optional features such as Connect (Career). It is not shared externally unless the user explicitly chooses to do so — see section 3.5.
Users are responsible for ensuring that the optional profile data they provide does not contain sensitive personal data (special categories under GDPR Art. 9), such as health information, religious beliefs or political opinions.
3.3 Event and membership data
Event participation
Ticket ownership and ticket transfers
QR check-ins
Membership status (active / inactive)
Food preferences (only when relevant to an event, e.g. catering)
Payment transactions are processed exclusively by Stripe. Orbi does not store payment card details.
Participant and member lists are shared with the relevant event organizer or association as necessary for event administration and contract fulfilment. For this processing, the organizer is the Data Controller.
3.4 Chat functionality
Messages are encrypted in transit (TLS) and at rest
Messages are not end-to-end encrypted
Messages are stored for as long as the user account remains active and are permanently deleted when the user deletes their account
A designated compliance representative at Orbi may review specific chat messages solely in the event of an abuse report or where required by law
Chat data is never used for profiling, advertising or marketing
3.5 Connect (Career)
Connect (Career) is an optional feature that lets students share profile information with companies they choose to connect with.
Data used inside Orbi for the student's own benefit (filters, recommendations) and never shared with companies:
Employment type the student is interested in
Geographic locations the student is evaluating jobs and employers in
Data that is shared with a company only when the student takes an explicit action to connect with that company:
Name
Email address
University
Section (faculty)
Study year
Consent is collected separately for each connection. The student may withdraw a connection at any time.
Once the student has actively connected, the relevant company becomes an independent Data Controller for the personal data it receives and applies its own privacy policy. Orbi has a data sharing agreement with each company on the Connect feature to require GDPR-compliant handling.
Other facts about Connect: no CV is stored on Orbi; no automated decision-making in the sense of GDPR Art. 22 takes place; education-related data (such as graduation year) is only used inside Orbi to support the feature and is not shared with companies unless explicitly listed above.
Orbi may share aggregated and anonymized statistics with companies (for example, the number of views or clicks on their content). Such statistics never contain personal data and cannot be linked to an individual student.
3.6 Technical and usage data
Device type
Anonymized IP address (Google Analytics IP anonymization enabled)
Usage patterns and interaction events
Technical and usage data is collected in anonymized or aggregated form and is not linked to individual user identities. We use Google Analytics and Firebase for this purpose. Stripe-related transactional metadata is processed in connection with payments.
4. Sources of personal data
We collect personal data primarily directly from you when you create an account, complete your profile, register for events, communicate through the platform or contact us.
In addition, an event organizer or association may upload contact lists (typically email addresses) to invite people to events or manage memberships. In those cases the organizer is the Data Controller for the upload and must have its own legal basis under GDPR. Orbi does not import other personal data about you from external sources.
5. Legal basis for processing
We process personal data on the following legal bases:
| Purpose of processing | Legal basis (GDPR Art. 6) |
|---|---|
| Account creation, authentication and core platform functionality | Performance of a contract — Art. 6(1)(b) |
| Event participation, ticketing and membership administration | Performance of a contract — Art. 6(1)(b) |
| Sharing participant and member lists with the relevant event organizer / association | Performance of a contract — Art. 6(1)(b) |
| Chat services between users | Performance of a contract — Art. 6(1)(b) |
| Payments and reconciliation via Stripe | Performance of a contract — Art. 6(1)(b) and legal obligation — Art. 6(1)(c) |
| Connect (Career) — sharing profile data with a company | Consent — Art. 6(1)(a), requires an explicit user action |
| Service improvement, troubleshooting and aggregated analytics | Legitimate interest — Art. 6(1)(f), improving and securing the service |
| Direct marketing to existing users about Orbi features and updates | Legitimate interest — Art. 6(1)(f), subject to easy opt-out in every message |
| Marketing to new audiences and non-essential cookies | Consent — Art. 6(1)(a) |
| Compliance with statutory obligations, such as accounting | Legal obligation — Art. 6(1)(c) |
| Investigating abuse reports and protecting platform safety | Legitimate interest — Art. 6(1)(f) |
Where processing is based on consent, you may withdraw your consent at any time. Withdrawal does not affect the lawfulness of processing carried out before the withdrawal.
Where processing is based on legitimate interest, we have carried out a balancing test. You have the right to object to such processing at any time, and you may opt out of marketing communications from us by using the unsubscribe link in every message or by contacting privacy@orbi.io.
6. Cookies and similar technologies
Orbi uses cookies and similar technologies to operate the platform, remember your preferences, secure your session and understand how the service is used. We use the following categories:
Strictly necessary cookies — required for authentication, session management and security. These cannot be disabled.
Analytics cookies — set by Google Analytics / Firebase with IP anonymization enabled, used in aggregated form.
Functional cookies — used to remember user preferences.
Non-essential cookies are set only with your consent, which is collected through our cookie banner. You may withdraw or change your consent at any time through the cookie settings in the platform. A separate Cookie Policy with the full list of cookies, their providers, purposes and lifetimes is available on the Orbi website.
7. Data sharing and subprocessors
We share personal data only where necessary to provide the service. Categories of recipients are:
Event organizers and associations, for the events and memberships you participate in
Companies you actively connect with through the Connect (Career) feature, limited to the data set listed in section 3.5
Our subprocessors listed below, who process data on our behalf under GDPR-compliant agreements
Public authorities, where we are required to disclose data by law
In addition, Orbi may share aggregated and anonymized statistics — for example views and conversions on a company's content — with event organizers, associations and companies. Such statistics are not personal data and cannot be linked to an individual user.
Orbi's current subprocessors are:
| Provider | Purpose | Processing location | Transfer mechanism |
|---|---|---|---|
| Google Cloud Platform | Hosting and infrastructure | EU (Netherlands) | SCCs where applicable |
| Google Analytics / Firebase | Product analytics and service support (IP anonymization enabled) | EU-configured | SCCs where applicable |
| Stripe | Payment processing | EU | SCCs where applicable |
| HubSpot | CRM and customer operations | EU | SCCs where applicable |
| Customer.io | Transactional and marketing communications | EU | SCCs where applicable |
| Refiner | NPS and product feedback collection | EU | SCCs where applicable |
| Sentry | Application monitoring, error tracking and diagnostics | United States | SCCs where applicable |
| SendGrid | Transactional email delivery | EU | SCCs where applicable |
This list is also maintained in Annex 2 of Orbi's Data Processing Agreement. Orbi will inform affected organizations of material changes to subprocessors relevant to services covered by the DPA.
8. International data transfers
Personal data is primarily stored and processed within the European Union, with hosting in the Google Cloud Platform Netherlands region.
Where a subprocessor's support or engineering personnel may need incidental access from outside the EU/EEA, such transfers are protected by appropriate safeguards under GDPR Chapter V, primarily the European Commission's Standard Contractual Clauses (SCCs) supplemented by technical and organizational measures. A copy of the relevant safeguards can be requested from privacy@orbi.io.
9. Data retention
We apply the principles of data minimization and storage limitation. Specific retention periods are set out below:
| Data category | Retention period |
|---|---|
| Account data (name, email, optional profile data) | For as long as the account is active. Deleted upon account deletion by the user. |
| Inactive accounts | Accounts with no login for 84 consecutive months may be deleted after prior notice by email. |
| Chat messages | Stored while the account is active; permanently deleted on account deletion. Flagged messages are retained only as long as needed to investigate the report. |
| Event and ticket data | Retained for the duration of the organizer's use of Orbi, subject to the organizer's own retention rules and applicable law. |
| Payment and accounting data | Retained for 7 years as required by the Swedish Bookkeeping Act (Bokföringslagen). |
| Analytics data (Google Analytics / Firebase) | Retained according to Google's EU retention settings (currently 14 months, in aggregated form). |
| Backups | Retained on a rolling basis and overwritten within 30 days. |
| Marketing preferences and unsubscribe records | Retained for as long as needed to honour the user's choices. |
10. Security measures
We implement appropriate technical and organizational measures to protect personal data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure or access, including:
Encryption in transit (TLS) and at rest
Role-based and least-privilege access controls
Restricted internal access, with access to sensitive information generally limited to the Tech Lead and CEO where required
Confidentiality obligations for all personnel with access to personal data
Logging, monitoring and intrusion detection
Backup and recovery procedures
Documented incident handling procedures
Secure EU-based cloud infrastructure (Google Cloud Platform — Netherlands)
11. Personal data breaches
If a personal data breach is likely to result in a high risk to your rights and freedoms, we will notify you without undue delay using the email address registered in your Orbi account, in accordance with GDPR Art. 34. We notify the Swedish Authority for Privacy Protection (IMY) within 72 hours where required by GDPR Art. 33.
12. Your rights under GDPR
As a data subject, you have the following rights:
Right of access — obtain a copy of the personal data we hold about you
Right to rectification — have inaccurate data corrected
Right to erasure ("right to be forgotten")
Right to restriction of processing
Right to object to processing based on legitimate interest, including profiling
Right to data portability
Right to withdraw consent at any time where processing is based on consent
Right to lodge a complaint with a supervisory authority
To exercise your rights, contact privacy@orbi.io. We will respond within one month of receiving your request, free of charge. The period may be extended by up to two further months for complex requests, in which case we will inform you within one month.
You can also lodge a complaint with the Swedish Authority for Privacy Protection (Integritetsskyddsmyndigheten, IMY), Box 8114, 104 20 Stockholm, imy@imy.se, www.imy.se, or with the supervisory authority in the EU/EEA member state where you live or work.
13. Children
Orbi is intended for university-level users and is generally used by individuals aged 18 and above. Orbi is not directed at children and we do not knowingly collect personal data from individuals under 16 years of age. If you become aware that a person under 16 has provided personal data to Orbi, please contact privacy@orbi.io and we will delete the data.
14. Changes to this Privacy Policy
We may update this Privacy Policy from time to time to reflect changes in our service, legal requirements or industry practice. Material changes will be communicated through the Orbi platform and/or by email to the address registered in your account before the changes take effect. The "Last updated" date at the top of this document indicates the latest version.