
Privacy Policy


Last updated: 10 September 2025
Website: https://andreasregnskab.dk


1) Controller

Andreas Regnskab ApS
CVR: 38138502
Address: Kirkebjerg Allé 88, 2., 2605 Brøndby, Denmark
E‑mail: [email protected]

Privacy contact: Andrea Perei (Managing Director), [email protected]
Data Protection Officer (DPO): Not appointed. If we designate a DPO in the future, we will update this notice with their contact details.


2) Scope of this notice

This notice explains how we process personal data of visitors to andreasregnskab.dk and of individuals who contact us via the website (e.g., through our contact form) or book a meeting (Calendly). If you become a client, additional processing will take place under our engagement terms and separate privacy information, which we provide at onboarding.

This policy does not cover websites or services that we merely link to (e.g., social networks). Those services are governed by their own privacy notices.


3) Key concepts (quick glossary)

  • Personal data: information that identifies or can reasonably identify a person (e.g., name, e‑mail, IP address).
  • Processing: any operation on personal data (collection, storage, use, disclosure, deletion, etc.).
  • Controller: the entity that decides why and how personal data are processed (here: Andreas Regnskab ApS).
  • Processor: a service provider that processes data on our behalf according to our instructions (e.g., hosting or scheduling providers).
  • EEA: European Economic Area (EU countries plus Iceland, Liechtenstein and Norway).

4) What data we process, for what purpose and on what legal basis

We process the minimum data required to operate our website and communicate with you. Below is an overview by activity.

4.1 Contact form

  • Data we collect: name, e‑mail address, your message, confirmation of Terms/Policies; technical metadata such as IP address and timestamp may be generated by our systems for security and audit purposes.
  • Purpose: handling enquiries, preparing proposals, following up on prior conversations and ensuring service quality.
  • Legal basis: GDPR Art. 6(1)(f) (our legitimate interests in effective client communication and record‑keeping) and/or Art. 6(1)(b) (steps necessary prior to entering into a contract).

4.2 Appointment scheduling (Calendly)

  • Data we collect: name, e‑mail address, booking details (date/time, time zone), and any notes you choose to provide. Calendly may also process technical data required to deliver the service.
  • Purpose: arranging, confirming and rescheduling consultations; sending calendar invitations and reminders.
  • Legal basis: GDPR Art. 6(1)(b) (pre‑contractual steps) and/or Art. 6(1)(f) (our legitimate interest in managing appointments efficiently).
  • Third‑country processing: see “International data transfers” below.

4.3 Server and security logs

  • Data we collect: IP address, date/time of request, request path/URL, referrer, user‑agent, response/error codes, and similar diagnostic information generated by our hosting environment.
  • Purpose: operating the website, ensuring availability, detecting abuse, preventing fraud and troubleshooting incidents.
  • Legal basis: GDPR Art. 6(1)(f) (our legitimate interests in IT security and service continuity).
  • Retention: 30 days (one.com default), unless a longer period is strictly necessary to investigate a specific incident.

4.4 Cookies and similar technologies

  • Data we collect: identifiers stored on your device (cookies or similar), their lifetimes and categories (strictly necessary; preferences; analytics if enabled).
  • Purpose: to run core site features (strictly necessary cookies) and—if you consent—gather aggregated statistics to improve usability.
  • Legal basis: strictly necessary cookies – Art. 6(1)(f); all other cookies – consent under Art. 6(1)(a), obtained and logged via Cookiebot.
  • Current status: we do not use Google Analytics (GA4) or remarketing cookies at present. If this changes, the cookie banner and this notice will be updated and you will be able to manage your preference per category.

4.5 Media, embeds and downloads

We do not routinely embed third‑party services. Some blog posts may occasionally include images or videos from external platforms. Interacting with embedded content or following outbound links is governed by the respective provider’s privacy policy; those providers may collect technical data (e.g., IP address, browser details) and set cookies.

Fonts: we aim to use locally hosted fonts. If the theme loads fonts from a third‑party CDN (e.g., Google Fonts), your browser connects to that provider to download font files; in that case limited technical data (such as your IP address and requested resources) are processed by the font provider. We are working to ensure local delivery wherever feasible and will update this notice if the delivery method changes.

4.6 Public comments

Public commenting is not enabled on our website.


5) Our legitimate interests and how we balance them

Where we rely on Art. 6(1)(f) GDPR, our interests generally include: ensuring the security and availability of our systems; communicating efficiently with prospective and current clients; and maintaining records necessary to operate a professional services business. We assess potential impact on individuals and implement safeguards such as access controls, limited retention, and transparency via this notice. You have the right to object to processing based on legitimate interests (see “Your rights” below).


6) Recipients and processors

We share data only as necessary for the purposes above or when required by law (e.g., by a court or supervisory authority). We carefully select our processors and maintain appropriate contracts.

  • Hosting / server: one.com (EU/EEA).
  • E‑mail: one.com and Google Workspace (Google Ireland Ltd.). Google operates a global infrastructure; appropriate safeguards (including SCCs and internal policies) apply. Emails are also managed in a self‑hosted EspoCRM instance on AWS eu‑north‑1 (Stockholm).
  • Appointment scheduling: Calendly, LLC (USA) – EU Standard Contractual Clauses (SCCs) apply.
  • CRM: self‑hosted EspoCRM on AWS eu‑north‑1 (Stockholm).
  • File storage / backups: Google Drive (as part of Google Workspace) and Amazon Web Services (EU).
  • Cookie consent management: Cookiebot / Cybot A/S (Denmark).

We do not sell personal data and we do not disclose it to third parties for their independent marketing purposes.


7) International data transfers

Some providers are headquartered outside the EEA or use non‑EEA infrastructure (e.g., Calendly in the USA or certain Google operations). Where such transfers occur, we rely on SCCs and, where appropriate, additional technical and organisational measures. Where a provider participates in a recognised adequacy mechanism (e.g., an EU‑approved framework), we may rely on that mechanism as the legal basis for transfer.

Our CRM and primary hosting are located in the EU (AWS Stockholm, one.com). We endeavour to keep processing within the EEA whenever this is practical and offers equivalent functionality and security.


8) Retention periods and criteria

We retain personal data only for as long as needed for the purposes outlined above, and then delete or irreversibly anonymise it.

  • Contact‑form messages & related correspondence: 24 months, unless specific threads must be retained for the establishment, exercise or defence of legal claims, or because they form part of an active client relationship.
  • Calendly bookings: 24 months to support rescheduling history and quality assurance.
  • Web server/security logs: 30 days (one.com default), extendable for incident investigation strictly on a need‑to‑retain basis.
  • Business and accounting records: retained in line with legal obligations (typically at least 5 years under Danish bookkeeping rules).

Retention criteria: statutory limitation periods; contractual obligations; dispute resolution needs; and technical constraints (e.g., system backups). If deletion is not immediately feasible (e.g., because the data are in encrypted backups), we will securely isolate the data from further use until deletion is possible.


9) Your rights and how to exercise them

Under the GDPR, you have the right to:

  • Access your personal data (Art. 15);
  • Rectification of inaccurate or incomplete data (Art. 16);
  • Erasure (“right to be forgotten”) in the circumstances set out in Art. 17;
  • Restriction of processing (Art. 18);
  • Data portability for data you provided to us, where processing is based on consent or contract and carried out by automated means (Art. 20);
  • Object to processing based on our legitimate interests (Art. 21).

How to make a request: please e‑mail [email protected] and clearly describe your request. We may ask you to verify your identity. We respond within one month of receipt; this may be extended by up to two further months for complex or multiple requests, in which case we will notify you of the extension and the reasons for it.

You can withdraw or change your cookie consent at any time via the Cookiebot widget on our site. Withdrawing consent does not affect the lawfulness of processing carried out before the withdrawal.


10) Security measures

We implement appropriate technical and organisational measures, including:

  • HTTPS/TLS for data in transit;
  • role‑based access control and least‑privilege principles;
  • strong authentication (e.g., 2FA) for administrative systems;
  • logging and monitoring;
  • regular software updates and vulnerability remediation;
  • secure configuration and backups;
  • encryption where feasible and proportionate.

Incident response and breach notification: if we become aware of a personal data breach that is likely to result in a risk to your rights and freedoms, we will assess the impact and, where required, notify the Danish Data Protection Agency (Datatilsynet) within 72 hours and inform affected individuals without undue delay.


11) Children’s data

Our services are not directed to children, and we do not knowingly target individuals under 13 years of age. Please do not submit personal data of children through our website. If you believe a child has provided personal data to us, contact [email protected] so we can take appropriate steps.


12) Data obtained from third parties

We do not purchase marketing lists and we do not enrich profiles using third‑party data. If you contact us using a third‑party service (e.g., LinkedIn), we may receive your profile name and contact details according to that service’s settings. Such data are processed solely to respond to your enquiry.


13) Social media and external links

Our website may contain links to our official pages on platforms such as LinkedIn or Facebook. Your interactions on those platforms are governed by their own terms and privacy policies. We do not control how those platforms collect or use your data.


14) Automated decision‑making and profiling

We do not carry out profiling or automated decision‑making that produces legal or similarly significant effects (GDPR Art. 22). If this changes, we will provide meaningful information about the logic involved and the envisaged consequences, and offer you the right to obtain human intervention.


15) Complaints and contact

If you have questions or concerns about how we handle your data, please contact us first at [email protected]—we will do our best to resolve the issue.
You can also lodge a complaint with the Danish Data Protection Agency (Datatilsynet):
Web: https://www.datatilsynet.dk/ | Tel.: +45 33 19 32 00.


16) Changes to this notice

We may update this notice from time to time—for example, if we start using new processors, change our cookie setup, or adopt new security measures. Material changes will be highlighted on this page with an updated “Last updated” date and, where appropriate, communicated via a notice on the site.