We, Kristian Krogh Bang, are the data controller for the processing of the personal data we have received about you.
This privacy policy describes how we, Kristian Krogh Bang, CVR no. 43309641 (“we”, “us”, “our”), collect and process personal data in accordance with the General Data Protection Regulation (“GDPR”).
It sets out the rights you have as a customer and/or business partner in connection with our handling of your personal data.
If your inquiry concerns access, erasure, rectification, restriction, objection, or data portability, you can find your rights as the person whose personal data we collect and process (the “data subject”) in section 12.
This policy forms part of our documentation demonstrating that we, as a company, comply with the applicable GDPR rules and fulfil our duty to provide information under Article 13 of the GDPR.
In various respects, we act as the data controller for your personal data, as well as for the processing and activities associated with it.
The processing activities carried out by us are described in sections 1 and 2. The individual legal bases for processing are set out in section 1.
General inquiries regarding personal data, GDPR in general, or related matters may only be made by contacting us.
Contact Information
Kristian Krogh Bang
Agertoften 10
3660 Stenløse
CVR No.: 43309641
Telephone: (+45) 28 94 16 02
E-mail: [email protected]
We respond to inquiries from data subjects, including you, as quickly as possible and no later than 1 month after we have received the request.
If the request is complex, we have up to 3 months from receipt to respond to the request.
We ensure that requests made pursuant to your rights as a data subject are handled without undue delay.
1. The Purposes of and Legal Basis for the Collection and Processing of Your Personal Data
We process your personal data for the following purposes:
- To perform a contract to which you are a party, or to take steps at your request prior to entering into such a contract with you, including handling your license and customer relation with us.
- To comply with a legal obligation to which we are subject.
- To establish, exercise, or defend a legal claim.
- To carry out processing necessary for us or a third party to pursue a legitimate interest, provided that your interests and rights do not override our or the third party’s legitimate interest. The legitimate interests we pursue are:
- performance of an agreement for the delivery of services
- marketing to which you have consented, or which is otherwise permitted under Danish law
- customer satisfaction and product development.
Our primary purpose for collecting and processing your personal data is to enable us to provide the service ordered by the individual customer and otherwise fulfil our contractual obligations.
The legal basis for our processing of your personal data is derived from:
Regulation (EU) 2016/679 of 27 April 2016 (GDPR):
- Article 6(1)(a) and, where applicable, Article 9(2)(a) (consent).
- Article 6(1)(b), where the processing is necessary for the performance of a contract to which you are a party, or in order to take steps at your request prior to entering into such a contract.
- Article 6(1)(c), where the processing is necessary for compliance with a legal obligation to which we are subject.
- Article 6(1)(f), where the processing is necessary for the purposes of our or a third party’s legitimate interests, unless your interests or fundamental rights and freedoms override those interests.
- Article 9(2)(e), where the processing relates to personal data which you have manifestly made public.
- Article 9(2)(f), where the processing is necessary for the establishment, exercise, or defence of legal claims.
Whether information is necessary for us depends on the purpose for which the personal data is to be used. However, we limit our processing to what is necessary in relation to the purposes for which the personal data is processed, also referred to as data minimisation under Article 5(1)(c) GDPR.
We process only personal data that is adequate, relevant, and limited to what is necessary in relation to the purposes for which the processing takes place.
2. Categories of Personal Data
We only process personal data that is relevant in relation to the purposes listed in section 1. In most cases, this means that we only process information that is relevant to your specific case.
Below you can see which categories of personal data we process about you:
- Name
- Address
- Telephone number
- Email address
- Individual notes relating to the customer relationship
- Information that you send to us via platforms and other digital media
- User ID related to services and platforms used in services
3. Recipients or Categories of Recipients
We disclose or transfer your personal data to the following recipients, where relevant for the purpose of the processing and where we are legally permitted to do so:
- Our data processors
- Public authorities
- The Danish courts, arbitration tribunals, appeal boards, etc.
- Third parties to whom you request that we disclose information
4. Roles and Data Flows: Distinction Between Data Controller and Data Processor
Under data protection law, we act in two distinct roles depending on the processing context, and we ensure that each role is governed by the appropriate legal framework, including our Data Processing Agreement (DPA) where we act as processor.
- When we act as Data Controller (our own customers and business contacts): We are the Data Controller for personal data relating to our own customers and business contacts. This includes, for example, names, email addresses, phone numbers, company details, meeting notes, and payment information about customer contact persons. These data are processed in systems such as HubSpot, Google Sheets, Gmail, Slack, Asana, and Stripe, strictly for purposes described in this policy and on the lawful bases set out herein. Disclosures to our processors in this context are governed by Article 28 GDPR-compliant data processing terms and appropriate safeguards.
- When we act as Data Processor (our customers’ end users): We act as Data Processor for personal data that we process on behalf of our customers about their end users in connection with our services. This processing occurs in environments and tools such as Stape.io, Google Tag Manager and our customers’ websites and platforms. In particular, when we configure Server-Side Tracking, we set up systems that collect and forward end-user events (e.g., page views and purchases) and personal data (e.g., hashed emails, phone numbers, names, and IP addresses) from the customer’s website to advertising platforms strictly on documented instructions. As a rule, these data are not permanently stored by us but are transmitted through servers and configurations we administer for the customer. This processing is governed by the DPA entered into with each customer, which sets out the subject matter, duration, nature, and purpose of processing, the types of personal data and categories of data subjects, security measures, and rules for sub-processing, international transfers, and assistance obligations.
Sub-processors and international transfers Any use of sub-processors when we act as Data Processor is subject to the DPA, including prior authorization and written flow-down obligations under Article 28 GDPR. Where processing involves transfers outside the EEA/UK (including support access), we rely on the European Commission’s Standard Contractual Clauses, conduct transfer impact assessments, and implement supplementary technical and organisational measures. The current list of sub-processors and processors is set out in Section 8 of this policy, which we update as needed.
6. Transfers to Recipients in Third Countries, Including International Organisations
We engage certain processors to support the delivery, operation, and support of our licensed product. All processors act on our documented instructions under Article 28 GDPR and are bound by data processing agreements, confidentiality, and appropriate technical and organisational measures. Where personal data is transferred outside the EEA/UK, we implement the European Commission’s Standard Contractual Clauses (SCCs), conduct transfer impact assessments, and apply supplementary safeguards (including encryption, access controls, and data minimisation). Copies of the relevant SCCs can be requested using the contact details in this policy.
All transfers of personal data to recipients outside the EEA/UK are limited to the sub-processors and data processors listed in Section 9 (Sub-processors and Data Processors). Where any such recipient is located in a third country (including the USA) or provides support from a third country, we implement the European Commission’s Standard Contractual Clauses, conduct transfer impact assessments, and apply appropriate supplementary safeguards (such as encryption, access controls, and data minimisation). Updated information on recipients and transfer safeguards follows the list maintained in Section 8.
6. Retention of Your Personal Data
We retain personal data in accordance with the applicable retention periods under Danish law. For example, we store invoices containing your name and address for 5 years, cf. section 10(1) of the Danish Bookkeeping Act.
Other information about you in our customer records is deleted 24 months after the end of the customer relationship or after inactivity.
Information relating to job applicants is deleted at the earliest of either (i) 3 months after the position has been filled, or (ii) 6 months after the application was received. However, we may retain such information for up to 6 months after the position has been filled if you give us your consent to do so.
Our deletion procedures for employees are communicated in connection with employment.
If we specifically assess that there is no legitimate reason to retain the information, we will delete your personal data at an earlier point in time. In making this assessment, we consider whether legislation grants us a right or imposes an obligation to retain the information, whether you have a reasonable interest in having the information deleted that outweighs our interest in retaining it, and whether the continued storage of the information entails a risk to you as a data subject.
7. Automated Decisions, Including Profiling
We do not use your personal data for automated decision-making or profiling. This means that we do not make decisions based solely on automated processing that may have legal or similarly significant effects on you.
If we change this practice at any time, we will inform you in advance and ensure that this takes place in accordance with Article 22 of the GDPR.
8. Sub-processors and Data Processors
In certain cases, we may use sub-processors and data processors for the performance of contracts entered into with us, as well as where consent has been given or where other legitimate interests justify the processing of personal data in cooperation with our sub-processors and data processors.
8.1. List of Data Processors / Sub-processors:
Google Workspace
Provider: Google LLC
Address: 1600 Amphitheatre Parkway, Mountain View, CA 94043, United States
Service area: Business email, file storage, document management, spreadsheets, shared drives, and collaboration tools
Legal basis: Processing of personal data as a processor pursuant to Article 28 GDPR and the applicable data processing agreement.
Description: Used for email communication, file storage in Drive, CRM-related spreadsheets in Sheets, and document and project collaboration in Docs.
HubSpot
Provider: HubSpot, Inc.
Address: 25 First Street, 2nd Floor, Cambridge, MA 02141, United States
Service area: CRM, lead management, sales pipeline management, contact and company records, and deal administration
Legal basis: Processing of personal data as a processor pursuant to Article 28 GDPR and the applicable data processing agreement.
Description: CRM system used for handling leads, contacts, companies, and deals.
Asana
Provider: Asana, Inc.
Address: 633 Folsom Street, Suite 100, San Francisco, CA 94107, United States
Service area: Project management, task management, workflow planning, and internal collaboration
Legal basis: Processing of personal data as a processor pursuant to Article 28 GDPR and the applicable data processing agreement.
Description: Project and task management system containing customer names, task details, comments, and access-related information.
Slack
Provider: Slack Technologies Limited
Address: Salesforce Tower, 60 R801, North Dock, Dublin, Ireland
Service area: Internal and external messaging, file sharing, team collaboration, and workspace communication
Legal basis: Processing of personal data as a processor pursuant to Article 28 GDPR and the applicable data processing agreement.
Description: Used for internal communication and communication with customers and business partners.
Zoom
Provider: Zoom Communications, Inc.
Address: 55 Almaden Boulevard, 6th Floor, San Jose, CA 95113, United States
Service area: Video meetings, webinars, calls, recordings, transcripts, and meeting collaboration
Legal basis: Processing of personal data as a processor pursuant to Article 28 GDPR and the applicable data processing agreement.
Description: Used for video meetings and related communication, including recordings and transcripts where enabled.
Fathom AI
Provider: Fathom Video Inc.
Address: 2261 Market Street #4156, San Francisco, CA 94114, United States
Service area: AI meeting assistant, meeting recording, transcription, summaries, and meeting intelligence
Legal basis: Processing of personal data as a processor pursuant to Article 28 GDPR and the applicable data processing agreement.
Description: Used for AI-generated meeting notes, summaries, transcripts, and follow-up materials.
Stripe
Provider: Stripe Technology Company Limited
Address: One Wilton Park, Wilton Place, Dublin 2, D02 FX04, Ireland
Service area: Billing, invoicing, payment processing, and related financial administration
Legal basis: Processing of personal data as a processor or sub-processor pursuant to Article 28 GDPR and the applicable data processing agreement.
Description: Used for invoicing and payment handling.
Make (formerly Integromat)
Provider: Make s.r.o.
Address: Senovazne namesti 978/23, 110 00 Praha 1, Czech Republic.
Service area: Workflow automation and data exchange between applications and systems
Legal basis: Processing of personal data as a processor pursuant to Article 28 GDPR and the applicable data processing agreement.
Description: Used for automation of workflows and data synchronisation across systems.
Stape.io
Provider: Stape, Inc.
Address: 8 The Green, Suite #12892, Dover, DE 19901, United States
Service area: Hosting of server-side Google Tag Manager (sGTM), tagging infrastructure, and server-side event forwarding
Legal basis: Processing of personal data as a processor or sub-processor pursuant to Article 28 GDPR and the applicable data processing agreement.
Description: Used as hosting provider for server-side GTM, through which browser and conversion-related request data may pass.
Google Tag Manager & Google Analytics 4
Provider: Google LLC
Address: 1600 Amphitheatre Parkway, Mountain View, CA 94043, United States
Service area: Tag deployment, analytics, traffic measurement, reporting, and conversion tracking
Legal basis: Processing of personal data as a processor pursuant to Article 28 GDPR and the applicable data processing agreement, where applicable to the relevant service configuration.
Description: Used for tracking infrastructure and website analytics.
Cookiebot (Usercentrics)
Provider: Usercentrics A/S
Address: Havnegade 39, 1058 Copenhagen, Denmark
Service area: Consent management, cookie scanning, consent storage, and implementation of Consent Mode
Legal basis: Processing of personal data as a processor pursuant to Article 28 GDPR and the applicable data processing agreement.
Description: Used for management of cookie consent and implementation of Consent Mode.
Cloudflare, Inc.
Address: 101 Townsend Street, San Francisco, CA 94107, USA
Service area: CDN, DNS, website security, and secure data storage
Legal basis: Processing of personal data as a processor pursuant to Article 28 GDPR and the applicable data processing agreement.
Description: Used for website hosting (Cloudflare Pages), content delivery, DNS management, DDoS protection, and secure storage of configuration data including API tokens and third-party service credentials. Network traffic, including IP addresses and request metadata, passes through Cloudflare's infrastructure.
Our sub-processors and data processors may change over time as a result of changes in suppliers and/or cooperation agreements with third parties. We will always inform data subjects accordingly, and we continuously update this policy.
This privacy policy will be updated in the event that we engage sub-processors or data processors. Any disclosure or sharing with sub-processors and data processors will always take place in accordance with the applicable provisions of Article 6 of the GDPR.
9. The Right to Withdraw Consent
You have the right to withdraw your consent at any time. You may do so by contacting us using the contact details set out above in the introduction of this privacy policy.
If you choose to withdraw your consent, this will not affect the lawfulness of our processing of your personal data based on your consent before its withdrawal.
Accordingly, if you withdraw your consent, it will only have effect from that time onwards.
10. Your Right As Data Subject
Under the General Data Protection Regulation, you have a number of rights in relation to our processing of your personal data. If you wish to exercise your rights, please contact us.
Right of access
You have the right to obtain access to the personal data we process about you, as well as a range of additional information.
Right to rectification
You have the right to have inaccurate personal data about yourself corrected. You also have the right to have incomplete personal data completed.
As data controller, we always ensure that personal data is corrected if we become aware that it is inaccurate. We also ensure that we process personal data that is complete and up to date.
Right to erasure
In certain circumstances, you have the right to have personal data about you erased before the time at which our general deletion procedures would otherwise apply.
The right to erasure applies if you withdraw your consent or otherwise invoke this right against us. This may not apply if we have another legal basis for continuing to process your personal data in whole or in part. You will be informed accordingly if a lawful exception applies.
Right to restriction of processing
In certain circumstances, you have the right to obtain restriction of the processing of your personal data. If you are entitled to restriction of processing, we may in the future only process the data - apart from storage - with your consent, or for the establishment, exercise, or defense of legal claims, or for the protection of a person or important public interests.
Right to object
In certain circumstances, you have the right to object to our otherwise lawful processing of your personal data. You also have the right to object to the processing of your data for direct marketing purposes.
Upon receipt of such an objection, we will weigh the objection against the legitimate interests, contractual relationship, and other relevant considerations applicable to your personal data.
Right to data portability
In certain circumstances, you have the right to receive your personal data in a structured, commonly used, and machine-readable format and to have those personal data transmitted from one controller to another without hindrance.
You can read more about your rights in the guidance issued by the Danish Data Protection Agency, available on its website: www.datatilsynet.dk.
11. Handling of Requests
We respond to inquiries from you, as the data subject, as quickly as possible and no later than 1 month after we have received the request.
If the request is complex, we have up to 3 months from receipt to respond to the request.
We ensure that requests made pursuant to your rights as a data subject are handled without undue delay.
12. Security Measures
We ensure an appropriate level of data security for the collection, processing, storage, and disclosure of personal data in accordance with Article 24 of the GDPR.
We have implemented technical and organisational measures to prevent your personal data from being accidentally or unlawfully deleted, disclosed, lost, degraded, accessed by unauthorised persons, misused, or otherwise processed in violation of applicable law.
In the event of a personal data breach, all affected registered users will be contacted within 72 hours and informed of which data has been lost, together with guidance on what they should do in response. In such a situation, our first priority is to close the security gap in order to minimise data loss for users.
We have implemented both privacy by default and privacy by design in our systems. This means, among other things, that we have configured our IT systems to protect personal data as a default setting within the system itself.
We have several technical and organisational security measures in place designed to protect personal data against accidental or unlawful destruction, loss, alteration, degradation, misuse, irresponsible processing, or any other processing contrary to data protection legislation.
Our employees are instructed on how to process personal data responsibly and in accordance with applicable law.
At all times, we ensure that our employees and business partners process personal data lawfully and on the basis of our internal policies, recommendations, and guidelines for proper data processing.
13. Complaint to the Danish Data Protection Agency
You have the right to lodge a complaint with the Danish Data Protection Agency if you are dissatisfied with the way in which we process your personal data.
If you wish to do so, we encourage you to contact us first in order to seek a resolution to any issue.
Complaints regarding our processing of your personal data may be submitted to the Danish Data Protection Agency:
Email: [email protected]
Complaint form: https://www.datatilsynet.dk/generelt-om-databeskyttelse/klage-til-datatilsynet/
You can read more about your rights in the guidance issued by the Danish Data Protection Agency concerning the rights of data subjects, which is available at www.datatilsynet.dk
This Privacy Policy was last updated on 6 April 2026.
This Privacy Policy has been drafted by Skafsgaard Law ApS.
© 2026 Kristian Krogh Bang