This policy explains what personal data Decree ApS (hereafter Decree, we, us) processes about you, why we do it, how long we keep it, and what rights you have under the General Data Protection Regulation (GDPR). The policy covers our website decree.dk, our contact form, and the customer relationships that arise from an inquiry.
01
Data controller
The data controller for the processing of your personal data is:
Decree is not required to appoint a Data Protection Officer (DPO) under GDPR Art. 37, as we are not a public authority and our core activities involve neither systematic monitoring nor processing of special categories on a large scale. Questions about this policy or about our processing of personal data can be directed to the address above.
02
What information we process
We only collect the information necessary for the specific purpose. Depending on your contact with us, this may include the following categories:
Website visits
- IP address (logged by our hosting provider in server logs)
- Browser type and version, operating system, language setting
- Visited paths on the website, time, and HTTP status code
- Referring page if you click through from an external link
Contact form and email
- Name
- Phone number (optional)
- Company name (optional)
- The content of your message, including which solutions you have marked
Customer relationship
When an inquiry leads to a customer relationship, we additionally process:
- Job title and role with the customer
- Billing details and CVR for the customer's company
- Correspondence, meeting notes, and contractual documents (DPA, master agreement, addenda)
- Operational logs from the services we deliver (separately regulated in the DPA)
We do not collect special categories of personal data (GDPR Art. 9) such as health information, religious beliefs, or trade-union membership through the website or contact form. Nor do we collect data concerning criminal offences (GDPR Art. 10).
03
Purposes and legal basis
We only process personal data when we have a lawful basis under GDPR Art. 6. Below is an overview of each purpose and the associated legal basis.
Operation and security of the website
Purpose: Deliver the website, ensure uptime, detect and avert attacks, troubleshoot operational issues.
Legal basis: Our legitimate interest in operating a secure and stable website, cf. GDPR Art. 6(1)(f). The balancing of interests has been performed, and we conclude that the data subject's interests do not weigh more heavily, as only technical information is logged for a short period.
Responding to inquiries
Purpose: Read your message, respond with answers or proposals, conduct the initial dialogue leading up to a possible agreement.
Legal basis: Measures taken at your request prior to entering into a contract, cf. GDPR Art. 6(1)(b). If you contact us on behalf of a company that is not (yet) a customer, we process your data on the basis of our legitimate interest in answering the inquiry, cf. GDPR Art. 6(1)(f).
Performance of customer agreements
Purpose: Deliver the agreed services, handle support, billing, and ongoing dialogue with contacts at the customer.
Legal basis: Performance of the contract with the customer, cf. GDPR Art. 6(1)(b). As regards the customer data we process as data processor on behalf of the customer, processing is based on our Data Processing Agreement (DPA), cf. GDPR Art. 28.
Accounting and statutory retention
Purpose: Comply with accounting obligations, tax law, and anti-money-laundering rules.
Legal basis: Legal obligation, cf. GDPR Art. 6(1)(c), combined with the Danish Accounting Act § 12 (5-year retention).
04
Recipients and data processors
We do not share your personal data with third parties for marketing or commercial purposes. We use a limited number of data processors that assist with operating the website, mail service, and customer services. The data processors are bound by a Data Processing Agreement (GDPR Art. 28) and may only process the data on our instructions.
Data processors for the website
- Scaleway SAS (France). Hosting of the website and server logs. Data centre in Paris. French company, no US parent company, no transfer outside the EU.
Subprocessor list
The full and up-to-date list of Decree's subprocessors is provided at the start of an engagement or on request. See the subprocessor page for the current description.
Third-country transfers
We do not transfer personal data to countries outside the EU/EEA. Our infrastructure is located in France, and we do not use vendors that fall under the US CLOUD Act or equivalent extraterritorial legislation for processing customer data. Should we later need a vendor outside the EU/EEA, we will ensure a lawful transfer basis (e.g. the EU Commission's Standard Contractual Clauses) and update this policy as well as the subprocessor list.
Public authorities
We only disclose information to public authorities if we are legally required to do so (e.g. under a court order from a Danish court or a directive from the Danish Tax Agency in accounting matters).
05
Retention period
We only retain personal data for as long as necessary for the purpose for which it was collected, or for as long as we are required to do so by law.
| Category | Retention period |
|---|---|
| Server logs (IP, browser, path) | 30 days at Scaleway, then automatic deletion |
| Inquiries without subsequent customer relationship | Up to 12 months, then deletion |
| Active customer relationships | For the duration of the customer relationship |
| Customer correspondence after termination | Up to 3 years after termination, to handle any claims |
| Accounting records (invoices, contracts) | 5 years after the end of the financial year (Accounting Act § 12) |
When the purpose has been fulfilled and any statutory retention period has expired, the data is deleted or anonymised so it can no longer be linked to a natural person.
06
Your rights
As a data subject you have a number of rights under GDPR Art. 15 to 22. You can always contact us at info@decree.dk to exercise them. We will respond to the request without undue delay and at the latest within one month, cf. GDPR Art. 12(3).
Access (Art. 15)
You have the right to be told whether we process personal data about you, and if so, to receive a copy of the data together with information on purposes, categories, recipients, and retention period.
Rectification (Art. 16)
You have the right to have inaccurate data about you corrected, and the right to have incomplete data completed.
Erasure (Art. 17)
You have the right in certain cases to have data about you erased before the time we would otherwise have deleted it. The right to erasure does not apply if we have a legal obligation to retain the data (e.g. accounting records).
Restriction of processing (Art. 18)
You have the right in certain cases to have the processing of your data restricted, so that we may only store the data but not use it.
Data portability (Art. 20)
You have the right in certain cases to receive the data you have provided to us in a structured, commonly used, machine-readable format, and to have the data transferred to another data controller.
Objection (Art. 21)
You have the right to object to our processing of your personal data when the processing is based on our legitimate interest (GDPR Art. 6(1)(f)). If we cannot demonstrate compelling legitimate grounds that override your interests, we may no longer process the data.
Withdrawal of consent
If our processing is based on your consent (GDPR Art. 6(1)(a)), you may withdraw the consent at any time. Withdrawal does not affect the lawfulness of processing carried out prior to the withdrawal.
07
Security
We have taken appropriate technical and organisational measures (GDPR Art. 32) to protect your personal data against unauthorised access, alteration, disclosure, or deletion. The measures include, among others:
- Encryption of data in transit (TLS 1.2 or newer) and at rest
- Access control based on the least-privilege principle, with MFA on all administrative accounts
- Logging of access to production systems
- Hosting in an ISO 27001-certified data centre (Scaleway, Paris)
- Continuous security updates and vulnerability management
- Backups with geographic separation within the EU
Read more about our general approach on the security page. In the event of a personal-data breach that poses a risk to the rights of data subjects, we report it to the Danish Data Protection Agency within 72 hours (GDPR Art. 33) and notify the affected data subjects if the breach is likely to involve a high risk (GDPR Art. 34).
08
Cookies and analytics
Decree's website currently uses no consent-requiring cookies, no analytics cookies, and no third-party trackers. We only set strictly necessary cookies, which are exempt from the consent requirement under § 3(3) of the Danish Executive Order on requirements for information and consent for storing or accessing information on end-user terminal equipment (the cookie order).
If we later enable analytics tools or other consent-requiring cookies, we will obtain your prior, free, and informed consent in a consent banner and update our cookie policy and this policy accordingly.
09
Complaint to the Danish Data Protection Agency
You have the right to lodge a complaint with the Danish Data Protection Agency if you are dissatisfied with the way we process your personal data (GDPR Art. 77). We encourage you to contact us first so that we have an opportunity to clarify the matter and correct any error.
Datatilsynet
Carl Jacobsens Vej 35
2500 Valby
Phone: +45 33 19 32 00
Email: dt@datatilsynet.dk
Web: www.datatilsynet.dk
10
Changes to the policy
We may update this privacy policy from time to time to reflect changes in our processing of personal data or in legislation. The current version is published at decree.dk/privacy-policy. The date of the most recent update is shown at the top of the page.
We announce material changes that affect existing customers or recipients of a newsletter (if and when we have one) by email before they take effect.