Back to home
Legal · Privacy

Privacy Policy

How Arbsafe collects, processes, and protects personal data across our mobile app and web admin console. Written to comply with the EU General Data Protection Regulation (Regulation 2016/679, "GDPR") and Swedish data-protection law.

Last updated: 25 April 2026Effective: 25 April 2026Version: 2.0

In short. Arbsafe is built for arborists and tree-care crews. We collect only the personal data we need to operate the service, document safety, and support our customers. We never sell personal data, we encrypt data in transit and at rest, and you keep full ownership of your risk assessments, jobs, and compliance documents.

1. Who we are

The data controller responsible for your personal data is:

Nordic Social Media AB
Stockholm, Sweden
Email: herman@nordicsocialmedia.com
Operating the Arbsafe service at arbsafeapp.com and the Arbsafe mobile applications (collectively, the "Service").

We have not appointed a designated Data Protection Officer (DPO) as we are not required to under Article 37 GDPR. Privacy questions go to the email above.

2. Scope

This Policy applies to personal data processed when you:

  • visit arbsafeapp.com or any subdomain we operate;
  • download, install, register, or use the Arbsafe mobile app;
  • use the Arbsafe web admin console as a dispatcher, foreman, or organisation administrator;
  • contact our support team or otherwise communicate with us.

3. Data we collect

3.1 Account & identity data

  • Name, email address, phone number, profile picture (if you upload one), password hash, language and timezone preferences.
  • For team members: role (climber, groundie, foreman, dispatcher, admin), employer organisation, and any certifications or qualifications you choose to upload (e.g. ISA, ECS, chainsaw tickets, MEWP licences).

3.2 Organisation & operational data

  • Company name, billing address, VAT/registration numbers, branch and crew structure.
  • Jobs, sites and addresses, client information you choose to enter, scheduled assignments, internal notes.
  • Risk assessments, method statements, hazard registers, near- miss and incident reports, deviations, photographs, sketches, voice notes, and signatures captured in the field.
  • Compliance documents (e.g. insurance certificates, training records, equipment inspection logs) you upload to the Service.

3.3 Device & technical data

  • IP address, device identifiers, operating system and version, app version, browser type, crash logs, diagnostic data, pages and screens viewed, and timestamps of activity.
  • Approximate or precise geolocation when you create a geotagged risk assessment, log a job arrival, or use a feature that depends on location. Location is collected only when the relevant feature is in use and only with the permission you grant in your operating system.

3.4 Payment data

We use PCI-DSS-certified payment processors (Stripe for web subscriptions; Apple App Store and Google Play for in-app purchases). We never see or store your full card number. We receive a token, the last four digits, the card brand, and the billing country.

3.5 Communications

Support emails, chat messages, in-app feedback, and any attachments you send to us. We retain these to handle the request and to keep an audit trail.

3.6 Special category data

Risk assessments and incident reports may incidentally contain information about employee injuries, near-misses, or fitness for work. To the extent this constitutes data concerning health under Article 9 GDPR, your employer (the customer organisation) is the controller of that data. We process it strictly under documented instructions on their behalf — see section 5.

4. Purposes & legal bases

We process personal data for the following purposes, each of which is supported by at least one legal basis under Article 6 GDPR:

PurposeLegal basis
Provide and operate the Service (accounts, jobs, risk assessments, dispatch).Performance of a contract — Art. 6(1)(b)
Process payments and prevent fraud.Contract — Art. 6(1)(b); legitimate interests — Art. 6(1)(f)
Customer support, account communications, security notices.Contract; legitimate interests
Improve, secure, and debug the Service; prevent abuse.Legitimate interests — running and protecting our platform
Marketing emails about new features (only with your consent or to existing customers under soft opt-in).Consent — Art. 6(1)(a); legitimate interests
Legal, regulatory, tax, and accounting obligations.Legal obligation — Art. 6(1)(c)
Establish, exercise, or defend legal claims.Legitimate interests — Art. 6(1)(f)

5. Controller vs. processor

Our role under the GDPR depends on the data:

  • We act as controller for account data of individual users we contract with (e.g. the admin who signed up the organisation), website visitor data, billing data, and our own marketing communications.
  • We act as processor for personal data that a customer organisation pushes into the Service about its workers, clients, jobs, and risk assessments. The organisation is the controller. Our processing is governed by a Data Processing Agreement (DPA) which forms part of our Terms of Service and is available on request.

6. Sharing & sub-processors

We do not sell personal data. We share it only with vetted sub-processors that help us run the Service, and only to the minimum extent necessary. Categories include:

  • Cloud hosting & infrastructure — primary hosting in the EU/EEA.
  • Database & storage — for application data and uploaded files (photos, PDFs).
  • Authentication — sign-in and session management.
  • Payment processing — Stripe, Apple, Google.
  • Transactional email — for receipts, magic links, and notifications.
  • Crash and product analytics — pseudonymous diagnostics so we can fix bugs and improve usability.
  • Customer support tooling — ticketing, chat, and help-desk software.
  • Professional advisors — auditors, lawyers, and accountants under confidentiality.
  • Authorities — only when required by a valid legal request, court order, or to defend our rights.
  • Successors — in the event of a merger, acquisition, or sale of assets, subject to equivalent protections.

A current list of sub-processors is available to customers on request and is updated when we add or replace a vendor. Customer organisations may object to a new sub-processor on reasonable data-protection grounds.

7. International transfers

We host primary data within the European Economic Area (EEA). Where a sub-processor processes data outside the EEA, we rely on one or more of: an adequacy decision under Article 45 GDPR; the EU Standard Contractual Clauses (Decision 2021/914) supplemented by additional safeguards where needed; or another lawful transfer mechanism. A copy of the relevant safeguards is available on request.

8. Retention

  • Account data — kept while your account is active and for up to 12 months after closure, then deleted or anonymised.
  • Customer-controlled data (jobs, risk assessments, deviations) — kept for as long as the customer organisation instructs us to keep it. On termination, we return or delete it within 30 days unless law requires longer retention.
  • Billing & tax records — 7 years, as required by the Swedish Bookkeeping Act (Bokföringslagen 1999:1078).
  • Support tickets — up to 3 years from resolution.
  • Server logs — typically 30–90 days.
  • Backups — overwritten on a rolling cycle of up to 35 days.

9. Security

We implement appropriate technical and organisational measures, including: TLS 1.2+ in transit; encryption at rest for production databases and file storage; least-privilege access controls and audit logging; segregated production and development environments; secret management; regular third-party penetration testing; documented incident response with notification within 72 hours of becoming aware of a personal-data breach; and ongoing employee security training. No system is 100% secure — if you suspect unauthorised access, contact us immediately.

10. Your rights under the GDPR

Subject to the conditions in the GDPR, you have the right to:

  • access the personal data we hold about you (Art. 15);
  • rectify inaccurate or incomplete data (Art. 16);
  • erase your data (Art. 17), subject to our legal retention obligations;
  • restrict processing (Art. 18);
  • data portability (Art. 20);
  • object to processing based on legitimate interests or for direct marketing (Art. 21);
  • withdraw consent at any time, without affecting prior lawful processing (Art. 7).

To exercise any of these rights, email herman@nordicsocialmedia.com. If your data is held by us as a processor on behalf of your employer, please direct the request to them; we will support their response. We may need to verify your identity before acting on a request and will respond within one month, with an option to extend by two further months for complex requests.

You also have the right to lodge a complaint with the Swedish Authority for Privacy Protection (Integritetsskyddsmyndigheten, IMY) at imy.se, or with the supervisory authority of your habitual residence.

11. Cookies & analytics

Our website uses strictly necessary cookies to keep you signed in and to remember preferences. With your consent we may also use functional and analytics cookies to understand aggregate product usage. You can manage cookies via your browser settings or our cookie banner, where available. The mobile app uses platform-equivalent identifiers and respects the privacy controls of iOS and Android.

12. Children

Arbsafe is a workplace tool intended for adults in professional tree-care operations. The Service is not directed to children under 16, and we do not knowingly collect personal data from them. If you believe a child has provided personal data, contact us and we will delete it.

13. Automated decision-making

We do not make decisions about you that produce legal or similarly significant effects based solely on automated processing, including profiling, within the meaning of Article 22 GDPR.

14. Changes to this Policy

We may update this Policy from time to time. The "Last updated" date at the top of this page reflects the most recent version. For material changes, we will notify you by email or in-app notice at least 14 days before the change takes effect, where reasonably practicable. Continued use of the Service after the effective date constitutes acceptance.

15. Contact

Questions, requests, or complaints about this Policy or our processing of personal data:

Nordic Social Media AB
Email: herman@nordicsocialmedia.com
Postal correspondence available on request.

This Privacy Policy is provided in English. In case of conflict with any translated version, the English text prevails. Defined terms used here have the meanings given to them in the GDPR.