ARKO
FR

PRIVACY POLICY – ARKO

Effective Date: 18/02/2026

This Privacy Policy describes how the Arko mobile application and the showcase website accessible at https://arkofactory.com (hereinafter "Arko" or the "Service") collect, use, and protect users' personal data, in accordance with Regulation (EU) 2016/679 of 27 April 2016 (GDPR) and the French law n°78-17 as amended, known as "Informatique et Libertés".

1. Data Controller

The data controller is:
Antoine Pertuy, Entrepreneur individuel (EI), trading as ArkoFactory.
SIREN: 101398477
Address: RUE jean martin 13005 Marseille FRANCE
Email: privacy@arkofactory.com

The data controller determines the purposes and means of the personal data processing carried out via the Service.

No Data Protection Officer (DPO) has been appointed to date.

Any request regarding personal data may be sent to the address mentioned above.

2. Personal Data Collected

2.1 Account Identification Data

When creating an account on the Arko application:

  • Email address
  • First name
  • Last name

The email address is stored via the Firebase Authentication service provided by Google.

2.2 Data Related to the Use of the Service

As part of using the application, so-called "business" data may be associated with the user account, including:

  • Orchestra membership
  • Role within an orchestra
  • Information related to musical organization (calls, availability, instruments, internal planning)

This data is necessary for the operation of the Service and is visible only to authorized members of the concerned orchestra.

2.3 Minimum Technical Data

When using the site or the application, certain technical data may be processed:

  • Internal technical identifiers
  • Technical logs necessary for the security and proper functioning of the service
  • Secure connection data (server logs)

No advertising profiling is carried out. No data is resold to third parties.

3. Purposes and Legal Bases

Processing is based on the following legal bases:

3.1 Performance of the contract (Article 6.1.b GDPR)
- User account creation and management
- Secure authentication
- Management of orchestras and internal features
- Provision of services included in the subscription
- User support

3.2 Legitimate interest (Article 6.1.f GDPR)
- Infrastructure security
- Prevention of fraud and abuse
- Technical service improvement
- Incident management

The legitimate interest pursued is proportionate and does not infringe on the rights and freedoms of users.

3.3 Legal obligation (Article 6.1.c GDPR)
- Retention of certain data in case of legal obligation (e.g., accounting obligations if applicable)

No data is processed on the basis of consent, unless specific subsequent features require it.

4. Mandatory Nature of Data

Identification data (email, first name, last name) are necessary for account creation. In the absence of this information, access to the Service is not possible.

5. Data Recipients

Personal data is accessible to:
- The data controller
- Authorized persons within the organization
- Strictly necessary technical subcontractors

5.1 Main Subcontractors

Personal data may be processed, on behalf of the data controller, by the following technical subcontractors:

  • Google Ireland Ltd / Google LLC – Provision of Firebase services (authentication, hosting infrastructure, databases, and associated services)
  • RevenueCat Inc. – Technical management service for in-app subscriptions and validation of subscription statuses with Apple App Store and Google Play platforms.

RevenueCat only processes pseudonymized technical identifiers (internal user ID and data related to subscription status) and does not have access to the content of users' business data.

OVH SAS – Hosting of the arkofactory.com website.

These providers act as subcontractors within the meaning of Article 28 of the GDPR and are contractually bound to guarantee the confidentiality, security, and integrity of personal data.

For information regarding potential data transfers outside the European Union and associated safeguards, the user is invited to refer to section 6 – Transfers outside the European Union.

No personal data is sold or assigned to third parties for commercial purposes.

6. Transfers Outside the European Union

Services provided by Google (Firebase) may involve data transfers outside the European Union.

When such transfers take place, they are framed by:

  • Standard Contractual Clauses adopted by the European Commission
  • Appropriate technical and organizational safeguards

Users can obtain additional information on these safeguards by sending a request to the data controller.

7. Retention Period

Personal data is retained according to the following principles:

  • Account data: retained as long as the account is active
  • In case of account deletion: deletion within a maximum period of 30 days
  • Technical logs: retention limited to the duration strictly necessary for security and proper functioning
  • Data required by legal obligation: retention according to applicable legal periods

Technical backups may lead to a temporary residual persistence, automatically purged according to the backup rotation cycle.

8. Deletion of Account and Data

The user can request the deletion of their account:

  • Directly from the application
  • Or by sending a request to: privacy@arkofactory.com

Account deletion leads to the deletion of associated personal data, subject to legal retention obligations.

9. User Rights

In accordance with the GDPR, every user has the following rights:

  • Right of access
  • Right of rectification
  • Right to erasure
  • Right to restriction
  • Right to object
  • Right to portability
  • Right to withdraw consent if applicable
  • Right to define directives regarding the fate of their data after death

Requests can be addressed to: privacy@arkofactory.com.

In case of an unresolved difficulty, the user may file a complaint with the Commission Nationale de l'Informatique et des Libertés (CNIL): https://www.cnil.fr

10. Data Security

Appropriate technical and organizational measures are implemented, notably:

  • Encryption of communications (HTTPS/TLS)
  • Access control to administration environments
  • Management of authorizations
  • Secure backups
  • Logging of technical access

The data controller undertakes to notify any data breach in accordance with the obligations provided for by the GDPR.

11. Cookies and Trackers (Showcase Site)

The showcase site may use only cookies strictly necessary for its operation.

No advertising cookies or non-essential third-party trackers are deployed without prior consent.

In case of evolution, a policy dedicated to cookies will be made available.

12. Modification of the Policy

This Policy may be updated at any time to reflect legal or technical developments. The date of the last update is indicated in the header.