Service status
Current status of the service and its components.
Components
No component information is available.
Ongoing events
No active events right now.
Current status of the service and its components.
No component information is available.
No active events right now.
KU7YRWJPNU6X49U5-RAF59P620928JKJM-8RMA2TEW68HD6J6A-M7ACR2UK723R6VCY
KY263M69YY70UVEN-1KHJKHVE2TR600WP-P898M05FDM7CRJJ1-XRE8FYVK865J55PK
idle=7200s,
absolute=86400s,
php_gc=86400s
e44dd682…
dev
0.0.0
U2
DKHH
PN2679Y2
86V10H2PX1UJK1C4
D73KK1A7T2XDWVF5E76JV52WR5M5WRP8
{
"csrf_token": "[redacted]"
}
[]
Last updated: 2026-06-01
Before production: Configure
LEGAL_*environment variables so contact details in sections 2–3 are complete. Sections referencing the data model reflect tables installed viaInstallDb.php.
This privacy policy describes how ArcWind AB processes personal data when you use our websites, applications and APIs.
We process personal data in accordance with the General Data Protection Regulation (EU) 2016/679 (GDPR) and applicable Swedish legislation.
You may use the service from age 9, but a parent or legal guardian must first approve the account through their own email address. We use your date of birth to apply the right protections. We do not send you marketing, load PostHog while you are signed in, or show automatic push onboarding. You or your guardian can contact hello@arcwind.se with questions or to request correction, withdraw consent or delete the account. Never enter someone else's email address without permission.
Organisation: ArcWind AB Organisation number: 559287-4894 Address: ArcWind AB, Box 152, 116 74 Stockholm, Sweden Email: hello@arcwind.se Phone: +46 8 - 121 486 70
Privacy enquiries: hello@arcwind.se
Data protection officer (if applicable):
users)guardian_consents)user_sessions, audit_logs)Session secrets (session_id) are stored internally for operations but are never included in data exports.
auth_otps, mfa_recovery_codes)email_preferences)orbit_lives, orbit_hubs, orbit_hub_memberships, orbit_sharing_scopes)news_items)/me; not tied to marketing cookies)See the cookie policy for details.
| Purpose | Legal basis |
|---|---|
| Provide the service | Contract |
| Account and access management | Contract |
| Orbit Life, Hub and sharing features | Contract |
| Age assurance and guardian consent for users aged 9–12 | Contract, parent or guardian consent and legal obligation |
| Information security and audit | Legitimate interest / Legal obligation |
| Operations, monitoring and troubleshooting | Legitimate interest |
| Limited anonymous web analytics (PostHog, in-memory) | Legitimate interest |
| Extended analytics and product statistics (PostHog) | Consent |
| Push notifications (OneSignal) | Consent (browser notification permission) |
| Marketing email | Consent |
| Incoming SMS/MMS follow-up (46 Elks) | Legitimate interest / Contract where enabled |
| Incoming call control (46 Elks) | Legitimate interest / Contract |
To maintain security, stability and traceability we may record:
audit_logs)Logs may include timestamps, IP addresses, user identifiers and technical error messages — not raw session IDs in exports or audit detail fields.
PHP and JavaScript errors may be sent to PostHog for operations and incident response regardless of cookie choices. A stack trace is always sent. Without analytics consent it is sanitized and other technical properties are anonymized; with consent, the error message, full stack trace, user agent and IP address may be included. Server errors may also be sent to MQTT under the organization's logging procedures.
For repeated production errors, the error message, file and line number may be sent to OneUptime regardless of cookie choices. These details are shown only internally in private alerts or internal incident notes. A public status page may show a generic incident description without error details.
Cloudflare Turnstile may be used during sign-in and account creation to distinguish legitimate users from automated abuse. When enabled, the verification token and technical data such as IP address are sent to Cloudflare for security verification.
PostHog is not loaded for signed-in users aged 9–12. Marketing channels and automatic push onboarding are also disabled for these accounts.
PostHog may operate at two levels:
Before analytics consent: the SDK may load with in-memory persistence (memory) and pseudonymous $pageview events without a persistent profile or identifying cookies. The distinct id is derived from date and page path — not from account or email.
After analytics consent: full PostHog analytics with persistent storage (cookies/localStorage), $identify on sign-in and extended event properties as described in the cookie policy.
Data is stored in the configured PostHog instance (see the cookie policy for retention).
We do not use automated decision-making or profiling that produces legal or similarly significant effects for users.
Personal data may be shared with:
When external providers process personal data on our behalf, data processing agreements are entered into.
When data is transferred outside the EU/EEA, appropriate safeguards are used such as the EU Commission's Standard Contractual Clauses (SCC) or adequacy decisions.
Normal retention periods according to current service configuration (RETENTION_*) are listed below.
| Data type | Normal retention |
|---|---|
| Account | While the account is active |
| Parent or guardian consent | While the child's account is active or until consent is withdrawn and the account has been handled |
| Orbit Life, Hub membership and sharing scope data | While the account, Life or Hub is active |
| OTP codes (sign-in) | 7 days |
| Used MFA recovery codes | 90 days |
| Audit logs | 365 days |
| Incoming SMS/MMS | 30 days |
| Revoked sessions | 90 days |
| Inactive sessions (auto-revoked after absolute timeout) | 90 days after revocation |
| Rate-limit data (files) | 7 days |
| Application logs (files) | 30 days |
After account deletion the user record is anonymized so audit logs retain traceability without remaining identifiable personal data.
Under GDPR you have the right to access, rectification, erasure, restriction, objection, data portability and to withdraw consent.
/me)| Right | How it is handled in the service |
|---|---|
| Access / portability | Export JSON via Export my data |
| Rectification | Update name, primary phone and alternative identifiers in your profile; date of birth is corrected manually after verification |
| Erasure | Delete my account (anonymizes the account and removes identifiable data) |
| Consent | Cookie settings in the footer or on /cookies |
For rights requiring manual review — e.g. restriction of processing, objection, correction of email/username, or questions about audit logs — contact:
We respond within one month under GDPR unless an extension is communicated.
You have the right to lodge a complaint with the Swedish Authority for Privacy Protection (IMY).
We use measures including:
The latest version is always published on our website.
ArcWind AB ArcWind AB, Box 152, 116 74 Stockholm, Sweden hello@arcwind.se +46 8 - 121 486 70
We use necessary cookies for the site to work. With your consent we may also use cookies for preferences, analytics and marketing.
Last updated: 2026-06-01
Cookies are small text files stored on your device when you visit a website or use a digital service. We also use similar technologies such as local storage (localStorage) and session storage when required for functionality or after consent.
We use cookies and similar technologies to:
/me; not tied to marketing cookies)These are required for the site to work correctly and cannot be disabled.
Examples:
Used to remember choices and settings after consent to the Preferences category.
Examples:
Used for extended web analytics after consent to the Analytics category.
Before analytics consent, the PostHog SDK may load with in-memory persistence and pseudonymous page views without persistent ph_* cookies. This provides limited aggregated statistics without a person profile.
Anonymized PHP and JavaScript error events may be sent without analytics consent for necessary operations and troubleshooting. A sanitized stack trace is always sent; error messages and user-identifying technical properties are sent to PostHog only after analytics consent.
After analytics consent, persistent storage (cookies/localStorage), identification on sign-in and full event collection apply as described in the table below.
Provider: PostHog (self-hosted or configured instance per environment).
Typical cookies/identifiers after consent: ph_*, PostHog distinct id and session data.
Optional marketing technologies and communications that require consent in the cookie banner.
Used for browser push notifications when OneSignal is enabled for the service. Not tied to marketing cookies in the cookie banner. The browser asks for notification permission when you subscribe on a device or on first login. Which topics are sent via push is controlled under Notification settings on /me.
Provider: OneSignal.
Typical technologies: service worker, push subscription, OneSignal device identifiers.
| Name / technology | Category | Purpose | Retention | Provider |
|---|---|---|---|---|
cookie_consent |
Necessary | Stores your cookie choices and consent version | 365 days | ArcWind AB |
PHP session (e.g. PHPSESSID) |
Necessary | Keeps you signed in and manages a secure session | Session / until sign-out | ArcWind AB |
theme (localStorage) |
Preferences | Stores selected theme | Until you clear the browser | ArcWind AB |
font_size (localStorage) |
Preferences | Stores selected font size | Until you clear the browser | ArcWind AB |
PostHog (ph_* etc.) |
Analytics | Extended statistics and product improvement (after consent) | 90 days (PostHog project) | PostHog |
| PostHog (in-memory) | Necessary / operations | Limited pseudonymous page views before analytics consent | Session (memory) | PostHog |
| OneSignal push | Web push (browser) | Push after browser notification permission and choices under /me |
365 days or until subscription ends | OneSignal |
| Cloudflare Turnstile | Necessary / security | Protects sign-in and account creation against automated abuse when enabled | According to Cloudflare's security verification | Cloudflare |
This table reflects the actual implementation in this service. Third-party providers may update their cookie names; refer to each provider's documentation when needed.
The following services may process data via cookies or similar technologies:
| Service | Category | Purpose |
|---|---|---|
| Cloudflare Turnstile | Necessary / security | Protect sign-in and account creation against automated abuse |
| PostHog | Analytics | Usage statistics and troubleshooting |
| OneSignal | Web push | Push (browser notification permission and choices under /me) |
Where legislation requires consent, optional cookies or equivalent storage are not placed until you approve them in the cookie banner.
You can change or withdraw consent at any time via Cookie settings in the footer or on the cookies page.
Most browsers let you:
Note that some features may stop working if cookies are blocked.
ArcWind AB hello@arcwind.se +46 8 - 121 486 70