This is an English translation provided for convenience. The Danish version is the legally binding original — Danish text prevails in case of conflict.
Privacy · Cookies · AI · GDPR

Privacy Policy

How we process your personal data when you use our websites, services and collaborate with us.

Version 2.0 · Effective May 1, 2026 · Replaces v1.x (2023)

Section 1

1. Introduction and scope

1.1 At Firma360 ApS ("Firma360", "we", "us" or "our") we process personal data as an inevitable part of delivering our services. We are committed to processing your data responsibly, transparently and in accordance with the General Data Protection Regulation (GDPR), the Danish Data Protection Act, the ePrivacy Directive and — to the extent relevant — the EU Artificial Intelligence Act.

1.2 This privacy policy describes what personal data we collect, how we use it, who we share it with and what rights you have as a data subject.

1.3 The policy applies when you:

  • visit firma360.dk, firmaapps.dk or any of our other websites
  • are a customer, supplier, partner or prospective customer of ours
  • contact us via form, email, phone, chat or social media
  • receive newsletters or marketing from us
  • apply for a job with us
  • use applications or systems we have developed in which we act as data controller

1.4 This policy does not apply to processing in which we act as a data processor on behalf of our customers — for example for hosting, operations, app and web development or marketing carried out on behalf of the customer. Such processing is governed by our Data Processing Agreement (DPA v2.0) and the customer's own privacy policy.

Section 2

2. Data controller and contact

2.1 Firma360 ApS is the data controller for the processing of personal data described in this policy. We are not required to appoint a Data Protection Officer (DPO) under GDPR Article 37, but we have internally designated a contact person for all enquiries regarding personal data.

Data controller
Firma360 ApS
VAT/CVR 39493691
Vandtårnsvej 106B
2860 Søborg
Denmark

Personal-data enquiries
Jim Sandholm, contact person
Email: dba@firma360.dk
Web: firma360.dk
Phone: +45 70 60 50 31

Section 3

3. Personal data we process

3.1 We primarily process ordinary personal data (GDPR Article 6) and only to a limited extent sensitive data. We never process special categories of personal data (Article 9) or data relating to criminal convictions and offences (Article 10), unless this is expressly agreed in writing and has a clear legal basis.

3.2 Overview of categories of personal data

Category of data subjects | Types of personal data
Website visitors | IP address, browser and device information, language, pages visited, click and behavioural data, cookie IDs, referrer URL, visit timestamp
Leads and prospects | Name, company name, email address, phone number, job title, message content, areas of interest, contact source
Customers (contact persons) | Name, job title, company name, VAT/CVR number, email, phone number, billing details, correspondence, agreements and quotes, support cases
Suppliers and partners | Name, company information, contact details, banking details, invoice data, correspondence
Newsletter recipients | Name, email address, proof of consent (timestamp, IP, source), engagement data (opens, clicks), segmentation data
Job applicants | Name, contact details, CV, application, education, work experience, references where applicable, photo (if attached)
Users of our apps/SaaS | Username, email, profile information, login history, usage data, preferences, content generated in the services
Public-sector customers (EAN) | Contact details together with personal identification number (CPR) used as identifier for EAN invoicing (treated as confidential information)

3.3 Sources. We collect personal data directly from you (when you fill in a form, contact us, enter into an agreement with us, apply for a job), automatically via our systems (cookies, server logs, analytics tools) or — in limited cases — from publicly available sources (the Danish Central Business Register, LinkedIn, the company's website) in connection with customer prospecting based on legitimate interests.

Section 4

4. Purposes and legal basis

4.1 We process personal data only for specific, explicitly stated and legitimate purposes, and only to the extent necessary to fulfil that purpose. Below is an overview of the primary processing activities, purposes and legal bases.

Purpose | Example of processing | Legal basis (GDPR)
Operation of website | Content delivery, security, performance, troubleshooting | Article 6(1)(f) — legitimate interest
Statistics and analysis | User behaviour, content optimisation | Article 6(1)(a) — consent (via Cookiebot)
Marketing and advertising | Retargeting, social media, tracking | Article 6(1)(a) — consent
Newsletters | Distribution of relevant content and offers | Article 6(1)(a) — consent (Marketing Practices Act §10)
Lead and customer dialogue | Responding to enquiries, preparing proposals | Article 6(1)(b) — contract or pre-contractual measures
Contract conclusion and delivery | Project management, support, invoicing | Article 6(1)(b) — contract
Bookkeeping and accounting | Invoices, chart of accounts, vouchers | Article 6(1)(c) — legal obligation (Danish Bookkeeping Act)
Credit assessment | Assessment for large orders or prepayment | Article 6(1)(f) — legitimate interest
Job applications | Recruitment, candidate evaluation | Article 6(1)(b) — pre-contractual measures
Security and IT operations | Logging, protection against misuse, troubleshooting | Article 6(1)(f) — legitimate interest
Legal claims and disputes | Defence of claims, documentation | Article 6(1)(f) — legitimate interest / 6(1)(c)

Section 5

5. Cookies and similar technologies

5.1 We use cookies and similar tracking technologies on our websites to ensure proper functionality, measure usage, improve content and — subject to consent — display targeted marketing. Cookies are small text files stored on your device.

5.2 We use four categories of cookies:

  1. Necessary cookies — required for the basic functionality of the website. Used without consent (Danish Cookie Order §3(2)).
  2. Preferences — remember language, region and your choices.
  3. Statistics — anonymous/pseudonymous measurement of visits and behaviour.
  4. Marketing — targeted advertising, retargeting and cross-site tracking.

Cookies in categories 2–4 are set only if you have given active consent via our cookie banner.

5.3 Consent and withdrawal. Your consent is managed via Cookiebot, our Consent Management Platform (CMP). You can change or withdraw your consent at any time by clicking "Cookie settings" at the bottom of the website, or by deleting cookies in your browser.

Cookie declaration

The list below is updated automatically by Cookiebot and reflects the current scan of our website. You can also open your preferences via the link in the footer.

Section 6

6. Recipients and disclosure

6.1 We do not disclose your personal data to third parties unless this is necessary to deliver our services, perform an agreement with you, comply with legislation or pursue a legitimate interest that overrides your rights.

6.2 We may disclose personal data to the following categories of recipients:

  • Sub-processors acting on our instructions — see section 7.
  • Bank, auditor and advisors — in connection with invoicing, accounting and legal advice, where necessary.
  • Public authorities — the Danish Tax Agency, the Danish DPA, police etc., where we are legally obliged.
  • Acquired or divested business units — in case of merger, acquisition or divestment, cf. section 18 of our Terms of Service.

6.3 We do not sell your personal data to third parties, nor do we use it for purposes you have not been informed about.

Section 7

7. Sub-processors

7.1 We use a number of suppliers for hosting, operations, automation, communication, analytics and AI services. They act as sub-processors for us when we act as data processor for customers — and as data processors for us when we process data for our own purposes (for example our own CRM, email system and newsletter).

7.2 The complete and up-to-date list of sub-processors is set out in Appendix B of our Data Processing Agreement. The list is publicly available at firma360.dk/databehandleraftale.

7.3 Selected key data processors

Supplier | Function | Location
Simply.com | Web hosting | DK
Hetzner Online GmbH | Servers / hosting | DE
Vercel Inc. | Web app hosting / deployment | US (SCC)
Supabase | Database & backend | US (SCC)
Google (Workspace, Ads, Analytics) | Email, advertising, analytics, AI | US (DPF/SCC)
Microsoft (365, Azure, Bing) | Files, email, advertising | US (DPF/SCC)
Meta Platforms | Advertising on Facebook/Instagram | US (DPF/SCC)
HubSpot | CRM, email marketing | US (DPF/SCC)
Anthropic (Claude API) | AI-assisted content production | US (SCC)
OpenAI (ChatGPT API) | AI-assisted content production | US (SCC)
Dinero | Accounting and invoicing | DK
Stripe, Quickpay, Clearhaus, Flatpay | Payment gateways/acquirers | DK/US

DPF = EU-U.S. Data Privacy Framework · SCC = EU Standard Contractual Clauses. The complete list — including third-country status and transfer basis — is set out in DPA Appendix B.

7.4 Notice of changes. We give at least 30 days' notice before adding or replacing a sub-processor that processes personal data on behalf of a customer, cf. DPA Clause 7.3.

Section 8

8. Transfer to third countries

8.1 Some of our sub-processors are established outside the EU/EEA — primarily in the United States. Whenever personal data is transferred to a third country, it always takes place on a lawful transfer basis under GDPR Chapter V:

  • EU-U.S. Data Privacy Framework (DPF) — for US companies certified under the framework (Commission decision of 10 July 2023).
  • EU Standard Contractual Clauses (SCC) — for suppliers without DPF certification, supplemented with appropriate technical and organisational measures.

8.2 Where relevant, we carry out a Transfer Impact Assessment (TIA) to assess whether the level of protection in the third country is equivalent to the European one, and we implement supplementary measures (encryption, pseudonymisation, data minimisation) where necessary.

8.3 You may obtain a copy of the transfer basis for a specific sub-processor by contacting dba@firma360.dk.

Section 9

9. Artificial intelligence (AI)

9.1 We use AI-based tools as an integral part of our work — including for content production, code generation, analysis, translation and customer dialogue. The primary tools are Claude (Anthropic), ChatGPT (OpenAI) and Gemini (Google), which we access via APIs or business versions with a signed data processing agreement.

9.2 In accordance with the EU AI Act (Regulation 2024/1689) we disclose the following:

  • The AI systems we use are classified as "general-purpose AI systems" (GPAI) — not as high-risk systems under Article 6 of the Regulation.
  • We do not use AI for purposes prohibited under Article 5 — e.g. social scoring, manipulative techniques, biometric remote identification or exploitation of vulnerabilities.
  • We do not use AI to make decisions that produce legal effects or similarly significantly affect you (cf. GDPR Article 22).

9.3 Transparency. Where AI plays a significant role in content, communication or deliverables (e.g. AI-generated text, translations or suggestions), we work on the principle of human oversight and review (human-in-the-loop). Final approval is always given by an employee before content is published or used towards customers.

9.4 Data sent to AI services. We actively minimise the data we send to AI services. As a rule, we do not send:

  • Special categories of personal data (Article 9 data, health data etc.)
  • Personal identification numbers (CPR) or other national identifiers
  • Login credentials, codes, financial details
  • Customer data from data-processor tasks where the customer has not given explicit consent

When we do send data, it takes place via paid APIs or business plans where the provider has signed a data processing agreement and does not use data for training their models (Anthropic, OpenAI and Google all offer this as standard for their enterprise products).

9.5 Labelling of AI-generated content. When we publish AI-generated content on our own platforms — e.g. blog articles, marketing material or visualisations — we will, in accordance with Article 50 of the AI Act, label the content where relevant and be transparent about its use.

Section 10

10. Retention periods

10.1 We retain personal data for as long as necessary to fulfil the purpose, or for as long as required by law. We then delete or anonymise the data.

Category | Period | Reason
Log data (server, security) | Up to 12 months | IT security, troubleshooting
Cookie consent | 12 months or until withdrawn | Consent documentation
Leads and unfinished contacts | Up to 24 months | Legitimate interest in follow-up
Active customer relationships | Duration of agreement | Performance of agreement
Bookkeeping material (invoices etc.) | 5 years + current financial year | Danish Bookkeeping Act §10
Post-completion correspondence | Up to 3 years after last activity | Dispute and documentation purposes
Newsletter (consent) | Until unsubscribe + 2 years (documentation) | Marketing Practices Act §10
Job applications (rejected) | 6 months | Complaint and documentation period
Unsolicited applications | Up to 12 months | Relevance for future positions
Backup (technical copies) | Up to 90 days | Standard backup cycle, cf. DPA C.2.5

Section 11

11. Security measures

11.1 We implement appropriate technical and organisational measures to protect personal data against unauthorised or unlawful processing, accidental loss, destruction or damage — in accordance with GDPR Article 32 and DPA Appendix C.

11.2 Key measures

Area | Measure
Access control | Access restricted to employees with a work-related need (least privilege). Multi-factor authentication (MFA) required for all administrative systems.
Encryption | TLS 1.2 or higher for all data transmission. Encrypted storage of sensitive data in databases and backups.
Logging | Activity and security events are logged. Log data is retained for a minimum of 12 months.
Backup | Regular, encrypted backup separated from primary operations. Overwritten after 90 days.
Patching and updates | Security updates rolled out in a timely manner; ongoing vulnerability scans.
Network | Firewalls, intrusion detection, segmented network, antivirus.
Employees | Confidentiality obligations, ongoing GDPR training, documented information security policy.
Testing and development | Test and development environments separated from production. Personal data in test environments is always pseudonymised or anonymised.
Incident response | Documented incident-handling procedures. Notification of data controllers within 48 hours of a security breach.

Section 12

12. Your rights

12.1 As a data subject you have a number of rights under GDPR. You may exercise these rights at any time by contacting us at dba@firma360.dk. We will respond to your request without undue delay — and at the latest within one month.

Right of access

You can obtain information about which personal data we process about you, the purpose of the processing and a copy of the data (Article 15).

Right to rectification

You can have inaccurate data about you corrected or incomplete data completed (Article 16).

Right to erasure

In certain cases you can have your data erased (the "right to be forgotten") — for example if the processing is no longer necessary (Article 17).

Right to restriction

In certain cases you can have our processing of your data restricted so it may only be stored (Article 18).

Right to data portability

You can receive the data you have provided to us in a structured, commonly used format — and have it transferred to another data controller (Article 20).

Right to object

You can object to processing based on legitimate interest — and at any time to direct marketing (Article 21).

Withdrawal of consent

If processing is based on consent, you may withdraw it at any time. Withdrawal does not affect the lawfulness of prior processing.

No automated decisions

You have the right not to be subject to decisions based solely on automated processing, including profiling, with legal effect for you (Article 22).

12.2 Identification. In connection with your request we may ask for documentation that confirms your identity, to ensure that we do not disclose information to unauthorised persons.

12.3 Limitations on rights. Some rights may be limited, e.g. for reasons of statutory retention requirements (the Danish Bookkeeping Act), defence of legal claims or the rights of other persons. If we cannot accommodate a request, we will explain why.

Section 13

13. Complaints to the Danish Data Protection Agency

13.1 If you are dissatisfied with our processing of your personal data, we encourage you to contact us first at dba@firma360.dk, so we have the opportunity to investigate and resolve the matter.

13.2 You also have the right to lodge a complaint with the Danish Data Protection Agency (Datatilsynet):

Danish Data Protection Agency
Carl Jacobsens Vej 35
2500 Valby
Denmark

Contact the Danish DPA
Phone: +45 33 19 32 00
Email: dt@datatilsynet.dk
Web: datatilsynet.dk

Section 14

14. Changes and versioning

14.1 We reserve the right to update this privacy policy to reflect changes in our practices, new technology, case law or legislation. The version in force at any given time is available at firma360.dk/privatlivspolitik.

14.2 Material changes — e.g. new purposes for processing or changed legal bases — are notified directly to the affected data subjects by email or by a visible notification on our websites with at least 30 days' notice before the changes take effect.

14.3 Version history.

  • v2.0 — May 1, 2026 · Full revision. Added the AI Act, updated sub-processor list, integration with Cookiebot, alignment with DPA v2.0 and Terms of Service v2.0.
  • v1.x — 2023 · Previous version of privacy and cookie policy.
Firma360 ApS · VAT/CVR 39493691 · v2.0 · Last updated May 1, 2026
