Privacy policy

Updated: July 3, 2026 (Effective 16 July 2026)

  1. Introduction

Ornamental Tree AB, operating under the brand Orbi ("Orbi", "we", "us", "our"), is committed to protecting your personal data in accordance with the EU General Data Protection Regulation (GDPR) and the Swedish Data Protection Act (2018:218).

This Privacy Policy explains what personal data we collect when you use the Orbi platform, why we collect it, how long we keep it, who we share it with, and which rights you have. It applies to all users of the Orbi platform — students, event participants, members and representatives of associations and event organizers.

A Swedish version of this Privacy Policy is available on request from privacy@orbi.io.

2. Data Controller and roles

Ornamental Tree AB
Org. no. 559032-9735
Vallgatan 26, 411 16 Gothenburg, Sweden
Email: privacy@orbi.io

All requests relating to personal data and this Privacy Policy are handled by the Orbi Privacy Team and can be sent to privacy@orbi.io. Orbi has assessed that a Data Protection Officer (DPO) is not required under GDPR Art. 37, but the Privacy Team serves as a dedicated point of contact for data protection matters.

Orbi acts as Data Controller for:

  • User accounts and authentication

  • General platform functionality

  • Chat services between users

  • Connect (Career)

  • Aggregated platform analytics and infrastructure

  • Direct marketing communications about the Orbi platform

Orbi acts as Data Processor when processing personal data on behalf of event organizers and associations that use Orbi for event administration, ticketing and membership management. The relationship is governed by Orbi's Data Processing Agreement (DPA), which is accepted by organizations as part of Orbi's Terms & Conditions.

Event organizers and associations act as independent Data Controllers for the personal data they process about their own members and event participants, including any contact lists they upload to Orbi.

  1. Personal data we collect

3.1 Account data (mandatory)

  • First name

  • Last name

  • Email address

3.2 Optional profile data

  • Profile image

  • Free-text biography

  • School, faculty and subject

  • Graduation year and study year

This data is used inside the Orbi platform to personalize the user experience and to support optional features such as Connect (Career). It is not shared externally unless the user explicitly chooses to do so — see section 3.5.

Users are responsible for ensuring that the optional profile data they provide does not contain sensitive personal data (special categories under GDPR Art. 9), such as health information, religious beliefs or political opinions.

3.3 Event and membership data

  • Event participation

  • Ticket ownership and ticket transfers

  • QR check-ins

  • Membership status (active / inactive)

  • Food preferences (only when relevant to an event, e.g. catering)

Payment transactions are processed exclusively by Stripe. Orbi does not store payment card details.

Participant and member lists are shared with the relevant event organizer or association as necessary for event administration and contract fulfilment. For this processing, the organizer is the Data Controller.

3.4 Chat functionality

  • Messages are encrypted in transit (TLS) and at rest

  • Messages are not end-to-end encrypted

  • Messages are stored for as long as the user account remains active and are permanently deleted when the user deletes their account

  • A designated compliance representative at Orbi may review specific chat messages solely in the event of an abuse report or where required by law

  • Chat data is never used for profiling, advertising or marketing

3.5 Connect (Career)

Connect (Career) is an optional feature that lets students share profile information with companies they choose to connect with.

Data used inside Orbi for the student's own benefit (filters, recommendations) and never shared with companies:

  • Employment type the student is interested in

  • Geographic locations the student is evaluating jobs and employers in

Data that is shared with a company only when the student takes an explicit action to connect with that company:

  • Name

  • Email address

  • University

  • Section (faculty)

  • Study year

Consent is collected separately for each connection. The student may withdraw a connection at any time.

Once the student has actively connected, the relevant company becomes an independent Data Controller for the personal data it receives and applies its own privacy policy. Orbi has a data sharing agreement with each company on the Connect feature to require GDPR-compliant handling.

Other facts about Connect: no CV is stored on Orbi; no automated decision-making in the sense of GDPR Art. 22 takes place; education-related data (such as graduation year) is only used inside Orbi to support the feature and is not shared with companies unless explicitly listed above.

Orbi may share aggregated and anonymized statistics with companies (for example, the number of views or clicks on their content). Such statistics never contain personal data and cannot be linked to an individual student.

3.6 Technical and usage data

  • Device type

  • Anonymized IP address (Google Analytics IP anonymization enabled)

  • Usage patterns and interaction events

Technical and usage data is collected in anonymized or aggregated form and is not linked to individual user identities. We use Google Analytics and Firebase for this purpose. Stripe-related transactional metadata is processed in connection with payments.

4. Sources of personal data

We collect personal data primarily directly from you when you create an account, complete your profile, register for events, communicate through the platform or contact us.

In addition, an event organizer or association may upload contact lists (typically email addresses) to invite people to events or manage memberships. In those cases the organizer is the Data Controller for the upload and must have its own legal basis under GDPR. Orbi does not import other personal data about you from external sources.

5. Legal basis for processing

We process personal data on the following legal bases:

Purpose of processing Legal basis (GDPR Art. 6)
Account creation, authentication and core platform functionality Performance of a contract — Art. 6(1)(b)
Event participation, ticketing and membership administration Performance of a contract — Art. 6(1)(b)
Sharing participant and member lists with the relevant event organizer / association Performance of a contract — Art. 6(1)(b)
Chat services between users Performance of a contract — Art. 6(1)(b)
Payments and reconciliation via Stripe Performance of a contract — Art. 6(1)(b) and legal obligation — Art. 6(1)(c)
Connect (Career) — sharing profile data with a company Consent — Art. 6(1)(a), requires an explicit user action
Service improvement, troubleshooting and aggregated analytics Legitimate interest — Art. 6(1)(f), improving and securing the service
Direct marketing to existing users about Orbi features and updates Legitimate interest — Art. 6(1)(f), subject to easy opt-out in every message
Marketing to new audiences and non-essential cookies Consent — Art. 6(1)(a)
Compliance with statutory obligations, such as accounting Legal obligation — Art. 6(1)(c)
Investigating abuse reports and protecting platform safety Legitimate interest — Art. 6(1)(f)

Where processing is based on consent, you may withdraw your consent at any time. Withdrawal does not affect the lawfulness of processing carried out before the withdrawal.

Where processing is based on legitimate interest, we have carried out a balancing test. You have the right to object to such processing at any time, and you may opt out of marketing communications from us by using the unsubscribe link in every message or by contacting privacy@orbi.io.

6. Cookies and similar technologies

Orbi uses cookies and similar technologies to operate the platform, remember your preferences, secure your session and understand how the service is used. We use the following categories:

  • Strictly necessary cookies — required for authentication, session management and security. These cannot be disabled.

  • Analytics cookies — set by Google Analytics / Firebase with IP anonymization enabled, used in aggregated form.

  • Functional cookies — used to remember user preferences.

Non-essential cookies are set only with your consent, which is collected through our cookie banner. You may withdraw or change your consent at any time through the cookie settings in the platform. A separate Cookie Policy with the full list of cookies, their providers, purposes and lifetimes is available on the Orbi website.

7. Data sharing and subprocessors

We share personal data only where necessary to provide the service. Categories of recipients are:

  • Event organizers and associations, for the events and memberships you participate in

  • Companies you actively connect with through the Connect (Career) feature, limited to the data set listed in section 3.5

  • Our subprocessors listed below, who process data on our behalf under GDPR-compliant agreements

  • Public authorities, where we are required to disclose data by law

In addition, Orbi may share aggregated and anonymized statistics — for example views and conversions on a company's content — with event organizers, associations and companies. Such statistics are not personal data and cannot be linked to an individual user.

Orbi's current subprocessors are:

Provider Purpose Processing location Transfer mechanism
Google Cloud Platform Hosting and infrastructure EU (Netherlands) SCCs where applicable
Google Analytics / Firebase Product analytics and service support (IP anonymization enabled) EU-configured SCCs where applicable
Stripe Payment processing EU SCCs where applicable
HubSpot CRM and customer operations EU SCCs where applicable
Customer.io Transactional and marketing communications EU SCCs where applicable
Refiner NPS and product feedback collection EU SCCs where applicable
Sentry Application monitoring, error tracking and diagnostics United States SCCs where applicable
SendGrid Transactional email delivery EU SCCs where applicable

This list is also maintained in Annex 2 of Orbi's Data Processing Agreement. Orbi will inform affected organizations of material changes to subprocessors relevant to services covered by the DPA.

8. International data transfers

Personal data is primarily stored and processed within the European Union, with hosting in the Google Cloud Platform Netherlands region.

Where a subprocessor's support or engineering personnel may need incidental access from outside the EU/EEA, such transfers are protected by appropriate safeguards under GDPR Chapter V, primarily the European Commission's Standard Contractual Clauses (SCCs) supplemented by technical and organizational measures. A copy of the relevant safeguards can be requested from privacy@orbi.io.

9. Data retention

We apply the principles of data minimization and storage limitation. Specific retention periods are set out below:

Data category Retention period
Account data (name, email, optional profile data) For as long as the account is active. Deleted upon account deletion by the user.
Inactive accounts Accounts with no login for 84 consecutive months may be deleted after prior notice by email.
Chat messages Stored while the account is active; permanently deleted on account deletion. Flagged messages are retained only as long as needed to investigate the report.
Event and ticket data Retained for the duration of the organizer's use of Orbi, subject to the organizer's own retention rules and applicable law.
Payment and accounting data Retained for 7 years as required by the Swedish Bookkeeping Act (Bokföringslagen).
Analytics data (Google Analytics / Firebase) Retained according to Google's EU retention settings (currently 14 months, in aggregated form).
Backups Retained on a rolling basis and overwritten within 30 days.
Marketing preferences and unsubscribe records Retained for as long as needed to honour the user's choices.

10. Security measures

We implement appropriate technical and organizational measures to protect personal data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure or access, including:

  • Encryption in transit (TLS) and at rest

  • Role-based and least-privilege access controls

  • Restricted internal access, with access to sensitive information generally limited to the Tech Lead and CEO where required

  • Confidentiality obligations for all personnel with access to personal data

  • Logging, monitoring and intrusion detection

  • Backup and recovery procedures

  • Documented incident handling procedures

  • Secure EU-based cloud infrastructure (Google Cloud Platform — Netherlands)

11. Personal data breaches

If a personal data breach is likely to result in a high risk to your rights and freedoms, we will notify you without undue delay using the email address registered in your Orbi account, in accordance with GDPR Art. 34. We notify the Swedish Authority for Privacy Protection (IMY) within 72 hours where required by GDPR Art. 33.

12. Your rights under GDPR

As a data subject, you have the following rights:

  • Right of access — obtain a copy of the personal data we hold about you

  • Right to rectification — have inaccurate data corrected

  • Right to erasure ("right to be forgotten")

  • Right to restriction of processing

  • Right to object to processing based on legitimate interest, including profiling

  • Right to data portability

  • Right to withdraw consent at any time where processing is based on consent

  • Right to lodge a complaint with a supervisory authority

To exercise your rights, contact privacy@orbi.io. We will respond within one month of receiving your request, free of charge. The period may be extended by up to two further months for complex requests, in which case we will inform you within one month.

You can also lodge a complaint with the Swedish Authority for Privacy Protection (Integritetsskyddsmyndigheten, IMY), Box 8114, 104 20 Stockholm, imy@imy.se, www.imy.se, or with the supervisory authority in the EU/EEA member state where you live or work.

13. Children

Orbi is intended for university-level users and is generally used by individuals aged 18 and above. Orbi is not directed at children and we do not knowingly collect personal data from individuals under 16 years of age. If you become aware that a person under 16 has provided personal data to Orbi, please contact privacy@orbi.io and we will delete the data.

14. Changes to this Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our service, legal requirements or industry practice. Material changes will be communicated through the Orbi platform and/or by email to the address registered in your account before the changes take effect. The "Last updated" date at the top of this document indicates the latest version.