Privacy Policy

The data controller responsible for the personal data processed through arbosfolk.com (the "Site") and its related services is:

Arbos Folk is the parent house under which a number of brands operate, including the Techne products ARA (ara.earth) and HILT (hilt.my). Each product has its own privacy policy that governs the data processed within that product; this policy covers only the data we process through the arbosfolk.com website itself.

We have not appointed a formal Data Protection Officer, as our processing does not require one under Article 37 of the GDPR. For any privacy-related question or request, contact us at the address above.

We collect the categories of personal data described below.

2.1 Information you provide directly

• Newsletter subscription: when you sign up to "Join the Folk" we receive your email address through Formspree.
• Contact correspondence: if you email hello@arbosfolk.com or legal@arbosfolk.com we receive your email address, any name or signature attached to your message, and the contents of the message itself.
• Direct enquiries about commissions, prints, or licensing: the message you send and any contact details (name, email, postal address) needed to respond.

2.2 Information collected automatically

• Device & technical data: browser type and version, operating system, screen size, language preference, referring URL.
• Usage data: pages visited, time-on-page, click patterns, and approximate session duration. Used in aggregate only, and only with your consent to analytics cookies.
• IP address & access logs: retained by our hosting provider (Vercel) for security and abuse prevention.
• Cookie & consent records: a record of which cookie categories you have accepted or rejected, with a version number and timestamp, so we don't need to ask you again.

2.3 Information we do not collect on this Site

• We do not collect payment card data on arbosfolk.com. Purchases of crafts and prints are processed by Etsy; music purchases by Bandcamp; serialized fiction subscriptions by Substack. Those platforms operate as independent data controllers for the data you give them.
• We do not run advertising on this Site and do not collect data for targeted advertising.
• We do not use cross-site tracking pixels or device fingerprinting.

We obtain personal data from the following sources:

• Directly from you — through forms, email, or other voluntary submissions.
• Automatically — through your browser interacting with our hosting and analytics providers when you visit the Site.
• From third-party platforms — only insofar as those platforms (e.g. Etsy, Bandcamp, Substack) share aggregated reports about sales and subscribers with us. We do not receive your card data, address, or other personal details from those platforms beyond what is needed to fulfil an order you placed through them.

Under Articles 6 and 9 of the GDPR, we must rely on a lawful basis for each processing purpose. The table below summarises ours.

Where we rely on legitimate interest, we have carried out a balancing test and consider that our interest in operating, securing, and improving the Site does not override your rights and freedoms. You have the right to object — see Section 9.

We do not sell, rent, or trade your personal data. We share it only with the following categories of recipient, and only as necessary.

5.1 Service providers / subprocessors

The third parties listed below host, transmit, or otherwise process data on our behalf:

A more detailed breakdown of cookies set by these providers is available in our Cookie Policy.

5.2 Legal obligations and protection of rights

We may disclose personal data when required to do so by law, court order, or other valid legal process, or where disclosure is necessary to investigate, prevent, or respond to suspected illegal activity, fraud, threats to safety, or violations of our Terms of Service.

5.3 Business transfers

If Arbos Folk merges with, is acquired by, or sells substantially all of its assets to another entity, personal data may be transferred as part of that transaction. We will notify you (by email if we hold your address, otherwise by prominent notice on the Site) before any such transfer materially changes how your data is processed.

Several of our service providers are headquartered outside the European Economic Area (EEA), primarily in the United States. When personal data is transferred outside the EEA we rely on one or more of the following safeguards under Articles 45–49 of the GDPR:

• Adequacy decision — for transfers to the United States, we use providers self-certified under the EU–US Data Privacy Framework where available.
• Standard Contractual Clauses (SCCs) — the 2021 SCCs published by the European Commission, supplemented with technical and organisational measures where appropriate.
• Necessity for performance of a contract — for transfers strictly required to deliver a service you requested.

A copy of the relevant safeguards in place for a specific transfer can be requested at legal@arbosfolk.com.

We retain personal data only for as long as necessary to fulfil the purposes for which it was collected, including to satisfy any legal, accounting, or reporting requirements.

When the retention period ends, data is either deleted, anonymised so it can no longer be linked to you, or — where deletion would compromise our backup integrity — isolated until the next backup cycle overwrites it.

We use a small number of cookies and similar technologies on this Site. We classify them into four categories — strictly necessary, analytics, functional, and marketing — and only the strictly necessary category is set without your consent.

A detailed list of each cookie, its purpose, duration, and provider is available in our Cookie Policy.

You can change your consent at any time:

• Open Cookie Preferences
• By clearing cookies for arbosfolk.com in your browser, which will cause the banner to reappear.

We honour the Global Privacy Control (GPC) signal where the browser sends one — receipt of GPC is treated as an opt-out of any sale or sharing of personal data, although we do not currently sell or share personal data with third parties for advertising.

Depending on where you live and the legal basis we rely on, you have a number of rights regarding the personal data we hold about you. We will respond to a valid request within 30 days; complex requests may be extended by a further 60 days, in which case we will tell you why.

9.1 Under the GDPR (EEA) and UK GDPR

• Access — request a copy of the personal data we hold about you (Art. 15).
• Rectification — ask us to correct inaccurate or incomplete data (Art. 16).
• Erasure — ask us to delete your data, subject to legal retention obligations (Art. 17).
• Restriction — ask us to limit how we process your data (Art. 18).
• Data portability — receive data you've provided in a structured, machine-readable format (Art. 20).
• Object — object to processing based on legitimate interest or direct marketing (Art. 21).
• Withdraw consent — where we rely on consent, you may withdraw it at any time without affecting prior processing (Art. 7(3)).
• Lodge a complaint — with your local supervisory authority. The Danish authority is Datatilsynet (datatilsynet.dk). UK residents may contact the Information Commissioner's Office (ico.org.uk).

9.2 Under the CCPA / CPRA (California)

California residents have the right to know what personal information we collect, the right to request deletion, the right to correct inaccurate information, the right to opt out of any "sale" or "sharing" of personal information, the right to limit the use of sensitive personal information, and the right not to be discriminated against for exercising these rights. We do not sell or share personal information as those terms are defined under the CCPA.

9.3 How to exercise your rights

Send your request from the email address you used to contact us, to legal@arbosfolk.com. We may ask for additional verification if the request is unusual or involves data we cannot otherwise tie to you. Exercising your rights is free of charge except where requests are manifestly unfounded or excessive.

We do not carry out solely automated decision-making, including profiling, that produces legal effects or similarly significantly affects you within the meaning of Article 22 of the GDPR.

The Site is not directed at children under the age of 16, and we do not knowingly collect personal data from anyone under that age. If you believe a child has provided us with personal data, please contact legal@arbosfolk.com and we will delete the data promptly.

Some of our products (board games and novels in particular) are suitable for mature audiences and carry their own content guidance. The age guidance for each product is stated on the relevant page.

We use reasonable and appropriate technical and organisational measures to protect personal data, including:

• TLS 1.2+ encryption for all traffic to and from the Site.
• Hosting on Vercel, which provides DDoS mitigation, hardware isolation, and SOC 2 Type II controls.
• Limited, role-based access to inboxes and form submissions on a need-to-know basis.
• Versioned cookie consent storage so changes in our practices trigger a fresh consent prompt.
• No card or other payment data stored on our infrastructure.

No method of transmission or storage on the Internet is completely secure. While we strive to protect your data, we cannot guarantee absolute security and you transmit it at your own risk.

In the event of a personal data breach affecting your rights and freedoms, we will notify the Danish Data Protection Authority within 72 hours of becoming aware of it, as required by Article 33 GDPR, and will inform affected individuals where the breach is likely to result in a high risk to their rights.

We may update this Privacy Policy from time to time, for example to reflect changes in our service providers, the law, or our internal practices. When we do, we will:

• Update the "Last updated" date at the top of this page.
• For material changes, post a notice on the Site for at least 30 days and, where we hold your email address for the affected purpose, notify you by email before the change takes effect.
• Where the change affects what we ask consent for, re-prompt you for cookie consent.

We encourage you to review this page periodically.

If you have a concern about how we handle your personal data, please contact us first at legal@arbosfolk.com. We will try to resolve the issue with you directly.

You also have the right to complain to a data-protection supervisory authority. Ours is:

EU residents may also use the European Commission's Online Dispute Resolution platform.