Privacy Policy
Information on processing of personal data
Introduction
This document sets out how CAP TechCo ApS ("CAP", "we", "us") collects and processes personal data about external persons as part of the operation of our business and the activities described in Section 3 below.
Data Controller
Unless otherwise specifically stated, the data controller is:
CAP TechCo ApS
CVR-no.: 44099578
Dronningens Tværgade 26
1302 København K
E-mail: [email protected]Processing activities
Delivery of services and management of customer relations
We process personal information about (contact persons) customers in order to deliver our services and manage the customer relations.
Categories of personal data
- Name
- Information on the company you work for
- (Business) Email address
- (Business) Telephone number
- Payment details
- Payment card details
- Username
- Passwords
- System activities (log files)
Legal basis
If you are using our product as the owner of a personally owned business, the legal basis of our processing of personal data is Article 6(1)(b) of the GDPR, as the processing is necessary for the performance of a contract with you.
Otherwise, the legal basis is Article 6(1)(f) of the GDPR, as the processing is necessary for us to pursue our legitimate interests in delivering our services and managing our customer relationships.
Recipients of personal data
Data is made available to our IT suppliers (data processors), who store the data for us and process the data in accordance with our instructions.
In connection with the processing, the personal data may be transferred to countries outside the EU/EEA (third countries). These countries include Canada, UK, USA and other countries where Google has sub processors. Our data processor in Canada is subject to the PIPED Act and our data processors in the USA are subject to the EU/US Data Privacy Framework, while the UK is generally recognized by the EU Commission as a country offering an adequate level of protection of personal data. Therefore, transfers of personal data to these recipients are based on Article 45 of the GDPR. Other transfers are based on standard contracts approved by the European Commission cf. Article 46(2), para (c), of the GDPR. For a copy of these standard contracts, please contact us (see Section 2 above).
Retention
We retain the personal data throughout the duration of the customer relationship and for five years from the end of the year, where the customer relationship ended.
We may store the information for a longer period if this is required to comply with a legal obligation or to establish, exercise or defend a legal claim.
Marketing, including our profiles on social media
With your consent, we may use personal information about you, including pictures, for marketing purposes. Furthermore, we collect information about interactions with our profiles on social media in order to better understand our stakeholders and keep our profiles updated and relevant.
Categories of personal data
- Name
- Email address
- Information on the company you work for
- Images and videos
- Information about interaction with our profiles on social media
Legal basis
As far as processing of images of you in connection with our marketing activities, the legal basis is your consent as set out in Article 6(1)(a) of the GDPR.
Otherwise, the legal basis for our processing of personal data is Article 6(1)(f) of the GDPR, as the processing is necessary to pursue our legitimate interests in understanding our stakeholders and communicating effectively with them for marketing purposes.
Recipients of personal data
Data is made available to our IT suppliers (data processors), who store the data for us and process the data in accordance with our instructions.
When you visit our profile on LinkedIn, LinkedIn collects personal information about you. This information is made available to us as anonymized statistical information. As far as this processing is concerned, we are joint controllers with LinkedIn. Further information is available on LinkedIn Pages Joint Controller Addendum.
In connection with the processing, the personal data may be transferred to countries outside the EU/EEA (third countries). These countries include the USA. The recipients are subject to the EU/US Data Privacy Framework, and therefore, the transfers are based on article 45 of the GDPR.
Retention
We retain the information until 2 years after the end of the customer relationship, unless you withdraw your consent at an earlier time.
We may store the information for a longer period if this is required to comply with a legal obligation or to establish, exercise or defend a legal claim.
Suppliers and business partners
We process personal information about (contact persons at) our suppliers and business partners in order to be able to manage our business relationship with them.
Categories of personal data
- Name
- Business email address
- Business telephone number
- Business address
- Information on the specific relationship, including information on historic purchases and other agreements.
Legal basis
If you interact with CAP as a private person or as the owner of a personally owned business, the legal basis of our processing of non-sensitive personal data is Article 6(1)(b) of the GDPR, as the processing is necessary for the conclusion or performance of a contract with you.
Otherwise, the legal basis of our processing is Article 6(1)(f), of the GDPR, as the processing is necessary for us to pursue our legitimate interest in managing our business and business relationships.
Under any circumstances, the legal basis of our processing is also Article 6(1)(c) of the GDPR, as the processing is necessary for us to comply with our legal obligations, primarily the obligations arising from the Danish Bookkeeping Act.
Recipients of personal data
Data is made available to our IT suppliers (data processors), who store the data for us and process the data in accordance with our instructions.
In connection with the processing, the personal data may be transferred to countries outside the EU/EEA (third countries). These countries include Canada, UK, USA and other countries where Google has sub processors. Our data processor in Canada is subject to the PIPED Act and our data processors in the USA are subject to the EU/US Data Privacy Framework, while the UK is generally recognized by the EU Commission as a country offering an adequate level of protection of personal data. Therefore, transfers of personal data to these recipients are based on Article 45 of the GDPR. Other transfers are based on standard contracts approved by the European Commission cf. Article 46(2), para (c), of the GDPR. For a copy of these standard contracts, please contact us (see Section 2 above).
Retention
We retain the information throughout the duration of our business relationship and five years from it has ended.
We may store the information for a longer period if this is required to comply with a legal obligation or to establish, exercise or defend a legal claim.
Recruitment
We process personal data about job candidates for positions with us in order to identify the candidate we assess as the best fit for the position in question.
Categories of personal data
- Name
- Contact information
- Information on educational background, including diplomas
- Information on current and prior occupation, including appraisals and other statements from prior employers
- Information on specific competencies, e.g. languages spoken, certifications, etc.
- Results from tests taken during the recruitment (personality and skills tests)
- Information available on the publicly available parts of your profiles on social media
- References that you allow us to contact
- Any other information provided by you
For certain positions, we may also require a copy of your criminal record (straffeattest).
Except for references, we will obtain the information directly from you or from publicly available sources.
Legal basis
The legal bases of our processing of non-sensitive personal data are:
- Your consent where this is required, for example to obtain information from references you allow us to contact. This legal basis is set out in Article 6(1)(a) of the GDPR.
- Conclusion of a contract with you or performance of a contract, which you have concluded. This legal basis is set out in Article 6(1)(b) of the GDPR.
- Article 6(1)(f) of the GDPR, as the processing is necessary for us to pursue our legitimate interest in selecting the candidate, we assess to be the best fit for the position in question.
Recipients of personal data
We may disclose your personal data to professional advisors supporting us in the recruitment process, e.g., external recruiters and law firms.
Furthermore, data is made available to our IT suppliers (data processors), who store the data for us and process the data in accordance with our instructions.
In connection with the processing, the personal data may be transferred to countries outside the EU/EEA (third countries). These countries include the USA. The recipients are subject to the EU/US Data Privacy Framework, and therefore, the transfers are based on article 45 of the GDPR.
Retention
Where the recruitment process leads to the candidate being employed by CAP, the information is transferred to the personnel file and stored in accordance with the retention rules described in the privacy notice for current and prior employees.
For other candidates, the information is deleted within 6 months from the end of the month, where the relevant recruitment process was concluded, unless we ask for the candidate’s consent to keep the information for longer, in which case we store the information in accordance with the consent provided by the candidate.
Unsolicited applications are stored for 12 months from the end of the month they are received, unless we ask for the candidate's consent to keep the information for longer, in which case we store the information in accordance with the consent provided by the candidate.
We may store the information for a longer period if this is required to comply with a legal obligation or to establish, exercise or defend a legal claim.
General business administration
In order to handle queries and other interactions with other persons than the categories covered in sections 3.1 –3.4 above, we process personal data about such other persons.
Categories of personal data
- Name
- Email address
- Telephone number
- Address
- The reason for CAP to interact with the person (e.g., a query from the person) and any information relevant to this interaction such as communication between the parties.
Legal basis for the processing
The legal basis of our processing of non-sensitive personal data depends on the specific reason for the interaction and may be:
- Conclusion of a contract with you or performance of a contract, which you have concluded. This legal basis is set out in Article 6(1)(b) of the GDPR.
- Article 6(1)(f), of the GDPR, as the processing is necessary for a proper and professional handling of queries and other interactions with stakeholders and others, with whom we may be interacting.
Recipients of personal data
Depending on the reason for the interaction, we may disclose information to other third parties where necessary for proper handling of the matter. This could include insurance companies, external advisors or public authorities as appropriate.
Furthermore, data is made available to our IT suppliers (data processors), who store the data for us and process the data in accordance with our instructions.
In connection with the processing, the personal data may be transferred to countries outside the EU/EEA (third countries). These countries include the USA. The recipients are subject to the EU/US Data Privacy Framework, and therefore, the transfers are based on article 45 of the GDPR.
Retention
If the relationship involves financial transactions, we will retain the information for five years from the end of the year of the latest transaction.
For other situations, we will retain the information for three years from the end of the year of the latest interaction.
We may store the information for a longer period if this is required to comply with a legal obligation or to establish, exercise or defend a legal claim.
Your rights
When we process personal data about you, you have the following rights:
- Withdrawal of consent: Where the processing is based on your consent, pursuant to Article 6(1)(a) or Article 9(2)(a) of GDPR, you have the right to withdraw your consent at any time. You may do so by contacting us, using the contact information in section 2. Please note that withdrawal of consent will not affect the lawfulness of any processing carried out prior to the point in time of withdrawal.
- Access: You have the right to receive a confirmation as to whether we process personal data about you. If we do, you also have the right to receive a copy of the data we process about you along with other information about the processing.
- Rectification: You have the right to have incorrect or incomplete personal data about you rectified or completed.
- Erasure: In special circumstances, you have the right to have personal data about you erased, before the time for our ordinary erasure.
- Restriction: In certain cases, you have the right to restriction of processing of your personal data. If the right applies, we may then only process the data – except for retention – with your consent or for the establishment, exercise or defence of legal claims or for the protection of the rights of another person or for reasons of important public interest.
- Data portability: In certain cases, you have the right to receive a copy of the personal data you have provided in a structured commonly used and machine-readable format.
- Object to the processing: Where the processing is based on article 6(1)(f), of the GDPR (our legitimate interest), you have the right to object to the processing at any time on grounds relating to your particular situation. In particular, you have an unconditional right to object to the processing of your personal data for the purposes of direct marketing.
If you wish to exercise your rights, please contact us at the email address provided in section 2.
Please be aware that certain conditions and/or restrictions may apply for some of the rights; it depends on the specific circumstances relating to the processing activities. Therefore, we might not be obliged or able to fulfil your request.
Your request will be processed in accordance with the legislation in force at the given time. To the extent necessary, we will contact you and ask for additional information required to handle your request correctly.
If you would like to learn more about your rights, please visit the website of the Danish Data Protection Agency, www.datatilsynet.dk
Making a complaint
Further to the rights described above, you always have the right to file a complaint with the relevant supervisory authority, if you believe that our processing of personal data is infringing your rights.
In Denmark, the relevant supervisory authority is the Danish Data Protection Agency, Carl Jacobsens Vej 35, DK-2500 Valby. A complaint may be filed by email to [email protected] or through the website of the Danish Data Protection Agency www.datatilsynet.dk.
We do, however, recommend that you contact us before filing a complaint with the Danish Data Protection Agency. Our contact information can be found in section 2.
Updating our privacy policy
CAP may update this privacy policy on an ongoing basis when this is necessary to provide a fair description of our processing of personal data.
In the event of material changes to our processing of your personal data already in our possession, you will be notified directly of the update (e.g. by email).
This privacy policy was last updated in October 2024.