
Privacy Policy

Last updated: 11 May 2026

This Privacy Policy explains how ARFA processes your personal data when you visit our websites at www.arfa.eu (corporate site) and www.arfa-studio.eu (app publishing and download portal), use our mobile application TerraSweep, or otherwise interact with us. We follow the EU General Data Protection Regulation (Regulation (EU) 2016/679, "GDPR"), the Belgian Act of 30 July 2018 on the protection of natural persons with regard to the processing of personal data ("Belgian DPA Act"), and Article 129 of the Belgian Act of 13 June 2005 on electronic communications ("Belgian Cookie Law").

Table of contents

  1. Controller and contact
  2. Scope of this policy
  3. What data we process
  4. Purposes and legal bases (Art. 6 GDPR)
  5. Cookies, SDKs and your consent (Consent Management Platform)
  6. Web and mobile analytics
  7. Advertising and "Recharge Boost" rewarded ads
  8. Marketing pixels (Meta, TikTok, LinkedIn)
  9. Error monitoring (Sentry)
  10. Recipients of your data
  11. International data transfers
  12. Retention periods
  13. Security
  14. Your rights under the GDPR
  15. Minors
  16. Automated decision-making
  17. Changes to this policy

1. Controller and contact

The controller responsible for processing your personal data within the meaning of Art. 4(7) GDPR is the natural person operating under the trade name "ARFA":

Philipp Hansmann, sole proprietor (zelfstandige in hoofdberoep / indépendant à titre principal) trading as ARFA
Rue Nothomb 75
1040 Etterbeek, Belgium
Enterprise number (KBO/BCE): 1036.008.104
VAT number: BE 1036.008.104
Email: legal@arfa-studio.eu
Websites: www.arfa.eu and www.arfa-studio.eu

ARFA operates as a sole proprietor based in Belgium. We have not appointed a Data Protection Officer because none of the conditions in Art. 37(1) GDPR apply to us: our core activities do not require regular and systematic monitoring of data subjects on a large scale, and we do not process special categories of data on a large scale. You can address all privacy-related requests to the email above.

2. Scope of this policy

This policy applies to:

  • the ARFA corporate website at www.arfa.eu and all subdomains;
  • the ARFA publishing and download portal at www.arfa-studio.eu and all subdomains — this domain hosts everything related to our mobile application TerraSweep, including marketing pages, support, store links and direct downloads where applicable;
  • the TerraSweep mobile application for iOS and Android (the "App");
  • all communication you have with us by email or other channels.

It does not apply to third-party websites or stores that this site or the App may link to (e.g. the Apple App Store, Google Play, partner websites). Those operators are independent controllers.

3. What data we process

3.1 Data you provide to us

  • Account data — email address, password (stored hashed), display name, country of residence;
  • Profile data — any optional information you add (e.g. preferences relevant to the App's features);
  • Communication data — content of messages you send us (support, feedback, contact form).

3.2 Data we collect automatically — website

  • IP address (shortened where required by consent settings);
  • Browser type and version, operating system, screen size, language;
  • Referrer URL, pages visited, date and time, duration;
  • Session and consent identifiers stored in cookies or local storage.

3.3 Data we collect automatically — mobile App

  • Device model, OS version, app version, language, country;
  • Crash logs and error events;
  • Pseudonymous instance identifiers (Firebase Installation ID / Instance ID);
  • Advertising identifiers — IDFA on iOS (only after you grant permission through Apple's App Tracking Transparency dialog) and Google Advertising ID (GAID/AAID) on Android (only after consent through our in-app consent banner);
  • Approximate location derived from IP address (no precise GPS data is collected unless a future feature explicitly asks for it).

3.4 Data we receive from third parties

  • Aggregated reports from advertising and analytics partners (e.g. number of installs attributed to a campaign);
  • Authentication data if you sign in via a third-party identity provider (only the data fields you approve in that flow).

We do not knowingly process special categories of personal data (Art. 9 GDPR). Please do not send us such data through any contact channel.

4. Purposes and legal bases (Art. 6 GDPR)

| Purpose | Data categories | Legal basis |
| --- | --- | --- |
| Providing the website and core App functionality (account creation, sign-in, delivering features) | Account, profile, device, log data | Art. 6(1)(b) GDPR — performance of a contract / pre-contractual steps |
| Securing the service, preventing fraud, abuse and attacks | IP address, device data, log data | Art. 6(1)(f) GDPR — legitimate interest in operating a secure service; Art. 6(1)(c) for legal record-keeping |
| Responding to your contact requests | Communication data, account data | Art. 6(1)(b) or Art. 6(1)(f) GDPR — depending on whether the request relates to a contract |
| Web analytics (Google Analytics 4) | Cookie identifiers, IP, browser/device data, page events | Art. 6(1)(a) GDPR + Art. 129 Belgian Electronic Communications Act — consent |
| Mobile analytics and product telemetry (Firebase Analytics) | Pseudonymous installation ID, app events, device data | Art. 6(1)(a) GDPR + Art. 129 Belgian Electronic Communications Act — consent (read/write to terminal equipment) |
| Crash and error monitoring (Firebase Crashlytics, Sentry) | Stack traces, app/OS version, pseudonymous device ID, optionally user ID if logged in | Art. 6(1)(f) GDPR — legitimate interest in service stability; access to terminal equipment beyond what is strictly necessary requires consent under Art. 129 Belgian Electronic Communications Act |
| Serving non-personalized contextual ads (web and App) | Coarse context (URL, app screen), IP-derived country, ad-request technical data | Art. 6(1)(f) GDPR — legitimate interest in monetization; storage of any ad-related identifier on your device requires consent under Art. 129 Belgian Electronic Communications Act |
| Serving personalized ads (Google AdSense, Google AdMob, AppLovin MAX) | Advertising ID, IP, behavioural data, interest segments | Art. 6(1)(a) GDPR + Art. 129 Belgian Electronic Communications Act — consent |
| "Recharge Boost" rewarded ads — granting in-App rewards in exchange for watching an ad | Advertising ID (if consented), ad-event data, reward fulfilment records | Art. 6(1)(b) GDPR for the contractual reward fulfilment + Art. 6(1)(a) GDPR / Art. 129 Belgian Electronic Communications Act consent for the ad-tech component |
| Marketing pixels (Meta, TikTok, LinkedIn) — measuring campaign performance and retargeting | Pixel/cookie identifiers, hashed email (CAPI), browser/device data | Art. 6(1)(a) GDPR + Art. 129 Belgian Electronic Communications Act — consent |
| Complying with statutory obligations (tax, accounting, responses to authorities) | Contract, billing and contact data | Art. 6(1)(c) GDPR — legal obligation (e.g. Art. 60 of the Belgian VAT Code; Art. III.86 of the Belgian Code of Economic Law) |

Where we rely on consent, you may withdraw it at any time with effect for the future via the consent settings link in the website footer or in the App settings (see Section 5). Withdrawal does not affect the lawfulness of processing carried out before withdrawal.

Where we rely on legitimate interest (Art. 6(1)(f)), you have a right to object under Art. 21 GDPR (see Section 14).

5. Cookies, SDKs and your consent (Consent Management Platform)

When you first open the website or the App, we display a consent banner provided by our Consent Management Platform (CMP). The CMP records your choices and ensures that cookies and SDKs that are not strictly necessary are only activated after you give your consent. You can change or withdraw your choices at any time:

  • Website: click "Privacy settings" in the footer to reopen the consent banner.
  • App: open Settings → Privacy → Consent preferences.

We use the following categories of cookies and tracking technologies:

| Category | Examples | Legal basis | Default state |
| --- | --- | --- | --- |
| Strictly necessary | Session cookies, security/CSRF tokens, consent state, load balancing | Art. 129 §1, 3° Belgian Electronic Communications Act (strictly necessary exemption); Art. 6(1)(b)/(f) GDPR | Always active |
| Analytics | Google Analytics 4 (web), Firebase Analytics (App) | Art. 129 Belgian Electronic Communications Act + Art. 6(1)(a) GDPR — consent | Off by default |
| Crash & performance | Sentry, Firebase Crashlytics | Art. 129 Belgian Electronic Communications Act + Art. 6(1)(a)/(f) GDPR | Off by default beyond what is strictly necessary for diagnostics |
| Advertising | Google AdSense, Google AdMob, AppLovin MAX | Art. 129 Belgian Electronic Communications Act + Art. 6(1)(a) GDPR — consent | Off by default |
| Marketing & retargeting | Meta Pixel, TikTok Pixel, LinkedIn Insight Tag | Art. 129 Belgian Electronic Communications Act + Art. 6(1)(a) GDPR — consent | Off by default |

The CMP also signals your choices to advertising partners via the IAB Transparency & Consent Framework (TCF v2.2) and to Google partners via Google Additional Consent Mode v2 where applicable.

6. Web and mobile analytics

6.1 Google Analytics 4 (web)

If you consent, we use Google Analytics 4, a service operated in the EU/EEA by Google Ireland Limited (Gordon House, Barrow Street, Dublin 4, Ireland) and in third countries by Google LLC (USA). GA4 helps us understand how visitors use the website. We have activated IP anonymization (the IP address is truncated within the EU before being transmitted to Google servers in the US), data sharing with other Google products is disabled by default, and we have concluded a Data Processing Agreement based on Art. 28 GDPR with Google.

Information on Google's data handling: policies.google.com/privacy. Opt-out via the consent banner or browser add-on: tools.google.com/dlpage/gaoptout.

6.2 Firebase Analytics & Crashlytics (App)

In the App we use Firebase Analytics and Firebase Crashlytics, provided by Google Ireland Limited / Google LLC. These SDKs collect pseudonymous event data, installation identifiers and, if a crash occurs, stack traces and device state. We collect this data based on your in-App consent (analytics) and our legitimate interest in keeping the App stable (Crashlytics — with consent where required for non-essential identifiers). Information: firebase.google.com/support/privacy.

7. Advertising and "Recharge Boost" rewarded ads

7.1 Why we show ads

ARFA is partly funded by advertising. We display ads on the website (via Google AdSense) and inside the App (via Google AdMob, mediated by AppLovin MAX). Showing personalized ads, or storing/reading any ad-tech identifier on your device, requires your prior consent under Art. 129 Belgian Electronic Communications Act and Art. 6(1)(a) GDPR.

7.2 Google AdSense (website)

Provider: Google Ireland Limited / Google LLC. AdSense uses cookies and similar technologies to serve and measure ads. With your consent we share information such as your IP address, ad-interaction data and browsing context with Google for the purposes of ad delivery, frequency capping and measurement. More information: policies.google.com/technologies/ads.

7.3 Google AdMob (App)

Provider: Google Ireland Limited / Google LLC. AdMob uses your advertising identifier (IDFA on iOS, GAID on Android) and ad-request data to serve ads in the App. On iOS, AdMob may only use the IDFA if you grant permission via Apple's App Tracking Transparency (ATT) dialog. On Android, ad personalization requires consent through our CMP.

7.4 AppLovin MAX (App, ad mediation)

Provider: AppLovin Corporation, 1100 Page Mill Road, Palo Alto, CA 94304, USA. AppLovin MAX is a mediation layer that decides which ad network fills a given ad slot. With your consent, AppLovin and its participating ad networks may process your advertising identifier, IP address and ad-event data to deliver and measure ads. More information: applovin.com/privacy.

7.5 "Recharge Boost" — rewarded ads

"Recharge Boost" is a feature where you can choose to watch a video ad in exchange for an in-App reward (e.g. additional credits or a feature unlock). Participation is always voluntary; you can use ARFA without ever using Recharge Boost.

When you start a rewarded ad we process:

  • your decision to start the rewarded ad (used to record the contractual reward entitlement);
  • ad-tech data described in 7.3 / 7.4 (only if you have consented to advertising);
  • a server-side confirmation that the ad was completed, so we can credit the reward to your account.

Legal bases: Art. 6(1)(b) GDPR (delivering the reward you requested) combined with Art. 6(1)(a) GDPR / Art. 129 Belgian Electronic Communications Act for the underlying ad-tech.

8. Marketing pixels (Meta, TikTok, LinkedIn)

On the website we use marketing pixels to measure the performance of our campaigns and, if you have consented, to retarget visitors. The pixels run only after you give consent through the CMP.

  • Meta Pixel — Meta Platforms Ireland Limited, 4 Grand Canal Square, Dublin 2, Ireland. We act as joint controllers with Meta for the collection and transmission of pixel data under Art. 26 GDPR; the essential terms of our joint-controller arrangement are available here: facebook.com/legal/controller_addendum. Meta's privacy policy: facebook.com/privacy/policy.
  • TikTok Pixel — TikTok Technology Limited, 10 Earlsfort Terrace, Dublin 2, Ireland. Privacy info: tiktok.com/legal/privacy-policy-eea.
  • LinkedIn Insight Tag — LinkedIn Ireland Unlimited Company, Wilton Place, Dublin 2, Ireland. Privacy info: linkedin.com/legal/privacy-policy.

9. Error monitoring (Sentry)

We use Sentry (Functional Software, Inc. dba Sentry, 45 Fremont Street, 8th Floor, San Francisco, CA 94105, USA) to capture errors and exceptions from the website and App. Sentry typically receives stack traces, browser/OS information, request metadata and — depending on the error — a pseudonymous user identifier. We have concluded a Data Processing Agreement with Sentry and rely on EU Standard Contractual Clauses for the transfer of personal data to the US. Legal basis: Art. 6(1)(f) GDPR for the legitimate interest in service stability; access to terminal-equipment information beyond what is strictly necessary takes place only after consent under Art. 129 of the Belgian Electronic Communications Act.

10. Recipients of your data

We share personal data only with the following categories of recipients and only to the extent necessary:

  • IT and hosting providers acting as our processors under Art. 28 GDPR (cloud hosting, email infrastructure, backups);
  • Analytics, error-monitoring and advertising providers as described in sections 6–9;
  • Payment service providers (where relevant for paid features);
  • Professional advisors (lawyers, tax advisors, auditors) where required;
  • Public authorities if we are legally required to disclose data;
  • Acquirers in the context of a merger, asset sale or restructuring, subject to the requirements of the GDPR.

11. International data transfers

Some of our processors and joint controllers are based outside the EU/EEA, in particular in the United States (Google LLC, AppLovin Corporation, Sentry, Meta, TikTok, LinkedIn — to the extent that they process data on US servers).

For these transfers we rely on the following safeguards under Chapter V GDPR:

  • the EU–U.S. Data Privacy Framework (Commission adequacy decision of 10 July 2023) where the recipient is certified — this applies to Google LLC, Meta Platforms, Inc. and (where certified) AppLovin and Sentry;
  • the EU Standard Contractual Clauses (Commission Implementing Decision (EU) 2021/914) combined with additional technical and organisational measures, for recipients that are not (or not yet) DPF-certified;
  • your explicit consent under Art. 49(1)(a) GDPR where neither of the above is available and you have been clearly informed of the risks.

We can provide a copy of the relevant transfer mechanism on request to legal@arfa-studio.eu.

12. Retention periods

| Data | Retention |
| --- | --- |
| Account data | For the duration of your account; deleted within 30 days after account closure, unless retention is required by law. |
| Communication data (support emails) | Up to 3 years after the last contact for evidentiary purposes, in line with the limitation periods set by the Belgian Civil Code (Art. 2262bis old Civil Code / Book 5, Title 9 new Civil Code). |
| Web server log data | Up to 14 days, then automatically deleted or anonymized. |
| Analytics data (GA4, Firebase) | GA4 default of 14 months; Firebase event data up to 14 months. |
| Crash & error data (Crashlytics, Sentry) | Up to 90 days. |
| Advertising / consent-mode data | Up to 13 months (technical lifetime of the cookies/identifiers). |
| Consent records (CMP log) | Up to 3 years to demonstrate compliance with Art. 7(1) GDPR. |
| Invoices, contracts, tax-relevant records | 10 years from the close of the financial year, under Art. 60 §4 of the Belgian VAT Code and Art. III.86 of the Belgian Code of Economic Law. |

13. Security

We implement appropriate technical and organisational measures under Art. 32 GDPR — including TLS encryption in transit, encrypted backups, access controls, principle-of-least-privilege for staff and third-party processors, and regular review of these measures. No method of transmission over the internet is 100% secure; we therefore cannot guarantee absolute security but we work to maintain a level of protection appropriate to the risk.

14. Your rights under the GDPR

Subject to the conditions set by the GDPR, you have the right to:

  • Access the personal data we hold about you (Art. 15 GDPR);
  • Request rectification of inaccurate data (Art. 16);
  • Request erasure ("right to be forgotten") (Art. 17);
  • Request restriction of processing (Art. 18);
  • Receive your data in a portable, machine-readable format (data portability) (Art. 20);
  • Object to processing based on legitimate interest, including profiling (Art. 21) — in particular, you can object to direct marketing at any time and without giving reasons;
  • Withdraw consent at any time with effect for the future (Art. 7(3));
  • Lodge a complaint with a data protection supervisory authority (Art. 77). The competent authority for ARFA is the Belgian Data Protection Authority (Gegevensbeschermingsautoriteit / Autorité de protection des données), Rue de la Presse 35 / Drukpersstraat 35, 1000 Brussels, Belgium — dataprotectionauthority.be — email contact@apd-gba.be. You can also contact the supervisory authority of your habitual residence or place of the alleged infringement.

To exercise any of these rights, write to legal@arfa-studio.eu. We may ask for information to verify your identity. We will respond within one month of receiving your request (Art. 12(3) GDPR), with a possible extension of two further months for complex requests.

15. Minors

ARFA is not directed at children. The App and websites are intended for users aged 13 and over, which corresponds to the age of digital consent set by Article 7 of the Belgian Act of 30 July 2018 in conjunction with Art. 8 GDPR for information-society services in Belgium. If you are under 13, please do not use the service or provide personal data without the consent of a holder of parental responsibility. If we become aware that we have collected personal data from a child under 13 without such consent, we will delete it without undue delay.

16. Automated decision-making

We do not use automated decision-making, including profiling, that produces legal effects concerning you or similarly significantly affects you within the meaning of Art. 22 GDPR. Ad personalization (where consented) is based on automated processing but does not produce legal or similarly significant effects.

17. Changes to this policy

We may update this Privacy Policy from time to time, for example to reflect changes in our services, in the providers we use, or in applicable law. The current version always carries the "Last updated" date at the top of this page. For material changes we will inform you in the App or by email before the changes take effect.


© 2026 ARFA. Assembled Realities For All.
