arrow_back Back to HomeLegal

Privacy Policy

Effective Date: April 19, 2026  |  Last Updated: May 24, 2026

This Privacy Policy explains how Arbos Folk, CVR 46278895, Byhøjvænget 17, 8380 Trige, Denmark ("Arbos Folk", "we", "us") collects, uses, stores, shares, and protects your personal data when you use the ARA platform ("ARA", "the Service"). This Policy is designed to comply with the EU General Data Protection Regulation (GDPR), the Danish Data Protection Act (Databeskyttelsesloven), and the ePrivacy Directive.
01

Data Controller

Arbos Folk is the data controller for personal data collected directly through the ARA platform (account data, usage data, billing data).

For personal data entered by Sanctuary stewards about their members (Garden tasks assigned to people, Council votes, Ledger contributions, Gathering attendance, Rhythm rotations), the Sanctuary is the data controller and Arbos Folk is the data processor acting on the Sanctuary's instructions. This relationship is governed by our Data Processing Agreement (DPA), available on request at legal@arbosfolk.com.

For privacy-related inquiries, contact our Data Protection contact:

  • Arbos Folk, Attn: Data Protection
  • Byhøjvænget 17, 8380 Trige, Denmark
  • Email: legal@arbosfolk.com
  • Responsible person: Leif Pettersen
02

Personal Data We Collect

2.1 Account Data (collected directly from you)

  • Name (display name and/or real name)
  • Email address
  • Profile photo (optional, via upload or Google account)
  • Authentication credentials (password hash; or Google SSO provider token)
  • User profile data: bio, skills offered, interests, location (city/region, optional)

2.2 Sanctuary Data (entered by stewards and members)

  • Sanctuary roster (member names, emails, roles)
  • Garden membership and Seed (task) assignments
  • Council proposal authors, voters, and consent/abstain/block records
  • Gathering RSVPs and attendance
  • Rhythm (rotation) participation
  • Scroll authorship and editing history
  • Mycelium (federation) connection records

2.3 Financial Data

  • Subscription tier (Seedling, Village, Ecosystem) and billing cycle
  • Payment history and invoice records
  • Ledger entries: monetary contributions, expenses, in-kind donations logged by members
  • Exchange transactions: marketplace listings, purchases, and sales between members

Card data

Credit card numbers, bank account details, and other payment instrument data are processed and stored exclusively by Stripe, Inc. Arbos Folk does not have access to your full card number.

2.4 Content Data

  • Scrolls (documents) you author or edit, including version history
  • Comments and discussion threads on Seeds, Gatherings, and Proposals
  • Resource entries (The Shed): tools, vehicles, equipment listed for sharing
  • Exchange listings: offers, requests, bulk-buy proposals
  • Files and images uploaded to the Library or attached to Seeds

2.5 Usage and Technical Data (collected automatically)

  • IP address
  • Browser type and version
  • Device type and operating system
  • Pages visited, features used, and session duration
  • Engagement events (sign-up completion, sanctuary creation or joining, content posts, return visits after one week)
  • Referring URL
  • Firebase Analytics data (anonymised usage patterns)
  • Google Analytics data (see Section 8 on Cookies)

2.6 Cookie and consent records

  • Your cookie consent preferences and timestamp
  • Privacy Policy version in effect at the time of consent

2.7 What we do NOT collect

Listed explicitly so the absence of these is on the record:

  • No advertising data. ARA runs no ad business. We do not place advertising cookies, retargeting pixels, or social tracking tags.
  • No card data on our servers. Stripe handles all of it (Section 2.3).
  • No biometric or location-tracking data. ARA does not request device location, camera, or microphone permissions.
  • No cross-site tracking or device fingerprinting.
  • No AI training on sanctuary content. Your Scrolls, Council debates, Ledger entries, and Exchange listings are not used to train any machine-learning model, ours or anyone else's.
03

Sources of Personal Data

  • Directly from you: Account registration, profile updates, content uploads, Council votes, Scroll edits, Ledger entries.
  • From Sanctuary stewards: Membership records, Garden assignments, Rhythm rotations, role assignments.
  • From Stripe: Payment confirmation, subscription status, transaction metadata.
  • Automatically: Cookies, Firebase Analytics, Google Analytics, server logs.
  • From other members: Mentions, task assignments, contribution acknowledgments.
05

Who We Share Data With

We share personal data with the following categories of recipients:

5.1 Subprocessors

ServiceProviderPurposeLocation
Firebase / FirestoreGoogle LLCDatabase, authentication, file storage, cloud functionsEU/US (Google Cloud)
Firebase AnalyticsGoogle LLCApplication performance and usage analyticsEU/US (Google Cloud)
Google AnalyticsGoogle LLCWebsite traffic analytics (consent-gated)EU/US (Google Cloud)
StripeStripe, Inc.Payment processing, subscription billingUS / EU (Stripe EU entity)
Firebase HostingGoogle LLCWeb application hosting and CDNGlobal (CDN edge nodes)
Google Fonts & Material SymbolsGoogle LLCTypography and icon delivery via CDNGlobal (Google CDN)
SentryFunctional Software, Inc.Error monitoring and performance tracking (session replay enabled only with analytics consent)EU / US (Data Privacy Framework)

5.2 Other members

  • Sanctuary members: Your name, role, Garden assignments, Council votes, Ledger contributions, and Rhythm rotations are visible to other members of Sanctuaries you belong to.
  • Public Scrolls: If a Scroll is published with a public URL (/p/:scrollId), its content and the author's display name are accessible to anyone with the link, including search engines.
  • Exchange: Listings (offers, requests, bulk buys) you publish are visible to other members of your Sanctuary or, if explicitly federated, across connected Sanctuaries via Mycelium.
  • Mycelium federation: If your Sanctuary opts into federation with another, limited profile data (display name, role, contribution count) may be visible to members of the connected Sanctuary.

5.3 Legal obligations

We may disclose personal data to law enforcement, regulatory authorities, or courts where required by law, legal process, or enforceable governmental request.

06

International Data Transfers

Some of our subprocessors (Firebase/Google, Stripe) may process personal data outside the European Economic Area (EEA), primarily in the United States. Where data is transferred outside the EEA, we ensure adequate protection through:

  • EU-US Data Privacy Framework: Both Google and Stripe are certified under the EU-US Data Privacy Framework, providing an adequacy basis for transfers.
  • Standard Contractual Clauses (SCCs): Where the DPF does not apply, we rely on the European Commission's Standard Contractual Clauses as the transfer mechanism.
  • Google's Data Processing Terms: Firebase operates under Google's Cloud Data Processing Addendum, which includes SCCs and commitments to comply with GDPR.
  • Stripe's DPA: Stripe's Data Processing Agreement incorporates SCCs for international transfers.
07

Data Retention

We retain personal data only as long as necessary for the purposes described in this Policy. Specific retention periods:

Data CategoryRetention Period
Account dataDuration of account + 90 days after deletion request
Sanctuary dataDuration of Sanctuary membership + 12 months
Financial and billing records5 years after the transaction (Danish Bogføringslov, §10)
Council proposals and votesDuration of Sanctuary lifetime (governance audit trail)
Ledger entries5 years (treated as financial records under Danish law)
Scroll content (private)Until deleted by author or Sanctuary stewards
Public Scroll contentUntil unpublished by the author; cached copies may persist briefly in CDN nodes
Dormant Sanctuaries (lapsed paid plan)Read-only state for at least 12 months before deletion, with email notice
Usage and analytics data26 months (Google Analytics default), then automatically deleted
Server logs (IP, access logs)90 days

After the applicable retention period, data is permanently deleted or anonymised such that it can no longer be linked to an individual.

08

Cookies and Tracking Technologies

Full detail and a per-cookie inventory live on the dedicated Cookies Policy page. The short version:

8.1 Strictly necessary cookies

Essential for the Service to function. Authentication tokens (Firebase Auth), session management, and security cookies. These do not require consent under the ePrivacy Directive.

8.2 Analytics and error-tracking cookies

Firebase Analytics and Google Analytics capture anonymised usage patterns so we can improve the Service. Sentry captures crashes and failed requests so we can fix them. Both require your consent, collected through our cookie banner. If you decline, no analytics or error-tracking SDK is loaded.

8.3 Managing cookies

You can manage your cookie preferences through:

  • The cookie consent banner shown on first visit.
  • The "Cookies" link in the site footer, which re-opens the preferences panel.
  • Settings → Account & Privacy → Cookie Preferences → Manage, once signed in.
  • Your browser settings (blocking or deleting cookies).
  • Google Analytics opt-out: tools.google.com/dlpage/gaoptout.

Disabling strictly necessary cookies may prevent ARA from functioning properly. Disabling analytics cookies does not affect your use of the Service.

8.4 Consent records

When you make a cookie consent choice, we record the following for accountability purposes (GDPR Art. 5(2)):

  • Your consent preferences (which categories you accepted or rejected)
  • A timestamp of when the choice was made
  • The version of this Privacy Policy in effect at the time
  • Your browser's user agent string (to identify the device)
09

Your Rights Under GDPR

As a data subject under the GDPR, you have the following rights. To exercise any of these rights, contact legal@arbosfolk.com. We will respond within 30 days (extendable to 90 days for complex requests, with notification).

9.1 Right of access (Art. 15)

You have the right to request a copy of all personal data we hold about you, along with information about how we process it. You can download a JSON bundle of your personal data directly from Settings → Account & Privacy → Download My Data.

9.2 Right to rectification (Art. 16)

You can request correction of inaccurate personal data, or completion of incomplete data. Much of your data can be directly edited through your Settings page.

9.3 Right to erasure (Art. 17)

You can request deletion of your personal data. We will comply unless retention is required by law (for example, financial records under the Danish Bookkeeping Act) or for the establishment, exercise, or defence of legal claims. Delete your account directly from Settings → Account & Privacy → Delete My Account. Authorship on shared Sanctuary content (Tasks, Proposals, Contributions) is anonymised. The content itself stays in place because it belongs to your Sanctuary as a joint controller.

9.4 Right to restriction of processing (Art. 18)

You can request that we restrict processing of your data while a dispute about accuracy or legality is being resolved.

9.5 Right to data portability (Art. 20)

You have the right to receive your personal data in a structured, commonly used, machine-readable format. Use Settings → Account & Privacy → Download My Data for a JSON export of your personal data. Sanctuary stewards can additionally export Seeds, Ledger entries, and Resource inventories as CSV from the Sanctuary tab.

9.6 Right to object (Art. 21)

You can object to processing based on legitimate interest (Section 4) at any time. We will cease processing unless we demonstrate compelling legitimate grounds that override your interests.

9.7 Right to withdraw consent (Art. 7(3))

Where processing is based on consent (analytics cookies, error tracking, public Scrolls, marketing), you can withdraw consent at any time. Withdrawal does not affect the lawfulness of processing performed before withdrawal. For cookie and error-tracking consent specifically, go to Settings → Account & Privacy → Cookie Preferences → Manage, or use the Cookie Preferences link in the site footer. Your choice is re-prompted automatically every 12 months.

9.8 Right to lodge a complaint

You have the right to lodge a complaint with a data protection supervisory authority. Our lead supervisory authority is:

  • Datatilsynet (Danish Data Protection Agency)
  • Carl Jacobsens Vej 35, 2500 Valby, Denmark
  • Website: datatilsynet.dk
  • Email: dt@datatilsynet.dk

You may also lodge a complaint with the supervisory authority of your own EU member state of residence.

10

California Residents (CCPA / CPRA)

California residents have specific rights under the California Consumer Privacy Act and California Privacy Rights Act. These rights mostly mirror what GDPR already grants you under Section 9 above, plus the following:

  • Right to know what personal information we collect, the sources, the purposes of collection, and the categories of third parties with whom it is shared (see Sections 2, 3, and 5 above).
  • Right to delete personal information we hold about you (see 9.3 above).
  • Right to correct inaccurate personal information (see 9.2 above).
  • Right to opt out of "sale" or "sharing" of personal information. ARA does not sell or share personal information as those terms are defined under the CCPA / CPRA.
  • Right to limit use of sensitive personal information. ARA does not use sensitive personal information for any purpose beyond providing the requested Service.
  • Right to non-discrimination for exercising any of these rights.

To exercise these rights, write to legal@arbosfolk.com. We may ask for additional verification if the request is unusual or involves data we cannot otherwise tie to you.

11

Global Privacy Control

ARA honours the Global Privacy Control (GPC) signal. If your browser or extension sends a Sec-GPC: 1 header or sets navigator.globalPrivacyControl to true, we treat the signal as a binding opt-out of any sale or sharing of personal data and as a directional opt-out of analytics tracking we have not yet bound to a separate consent choice. ARA does not currently sell or share personal data with advertisers (see Section 5), so GPC operates here mainly as a stronger consent signal than the banner alone.

12

Automated Decision-Making

ARA does not use automated decision-making that produces legal effects or significantly affects you. Council vote tallies and Ledger balance calculations are deterministic computations, not profiling. No automated profiling is used for marketing, credit, or access decisions.

13

Children's Data

ARA is not intended for children under 16 years of age. We do not knowingly collect personal data from children under 16. If you believe a child under 16 has created an account, please contact us at legal@arbosfolk.com and we will promptly delete the account and associated data.

Sanctuaries may include members between 16 and 18 years of age (for example, teenagers participating in eco-village life). Sanctuary stewards are responsible for ensuring that parental or guardian consent has been obtained for minors in accordance with their local laws before entering their data into ARA.

14

Security Measures

We implement appropriate technical and organisational measures to protect your personal data against unauthorised access, alteration, disclosure, or destruction. These include:

  • Encryption in transit (TLS/HTTPS for all connections)
  • Encryption at rest (Firebase/Google Cloud default encryption, AES-256)
  • Firestore Security Rules restricting data access to authorised members
  • Authentication via Firebase Auth with support for Google SSO
  • Role-based access controls within Sanctuaries (member, steward, owner)
  • Privileged fields (subscription tier, billing status) writable only via Cloud Functions
  • Content Security Policy headers and HSTS on all served pages
  • Stripe PCI-DSS compliance for all payment data

Full detail and the field-level enforcement story live on the dedicated Security & Privacy page.

No system is perfectly secure. If we become aware of a data breach that poses a high risk to your rights and freedoms, we will notify Datatilsynet within 72 hours and notify affected individuals without undue delay, as required by GDPR Articles 33 and 34.

15

Business Transfers

If Arbos Folk merges with, is acquired by, or sells substantially all of its assets to another entity, personal data may be transferred as part of that transaction. In that case:

  • We will notify you by email (if we hold your address) or by a prominent notice on the Service before any such transfer materially changes how your data is processed.
  • The acquiring entity will be bound by the commitments in this Privacy Policy, or an equivalent updated policy that you can review before it takes effect.
  • You will have the right to delete your data before the transfer completes if you do not wish to continue under the new operator.
16

Data Processing Agreement (DPA)

Because ARA processes personal data on behalf of Sanctuaries (who act as data controllers for their member data), we offer a Data Processing Agreement in compliance with GDPR Article 28. The DPA covers:

  • Subject matter, nature, and purpose of processing
  • Types of personal data and categories of data subjects
  • Obligations and rights of the controller (the Sanctuary) and processor (Arbos Folk)
  • Subprocessor engagement and notification
  • Security measures (Article 32 compliance)
  • Data breach notification procedures
  • Assistance with data subject access requests
  • Data deletion or return upon contract termination
  • International transfer safeguards

Sanctuary stewards can request a copy of our DPA by contacting legal@arbosfolk.com.

17

Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, legal requirements, or the Service. For material changes, we will provide at least 30 days' notice via email or an in-app notification before the changes take effect. The "Last Updated" date at the top of this page indicates when the Policy was last revised.

18

Contact

If you have questions about this Privacy Policy, want to exercise your data subject rights, or have a privacy concern, please contact us:

Entity

Arbos Folk

CVR 46278895

Address

Byhøjvænget 17
8380 Trige, Denmark

Responsible person

Leif Pettersen