Privacy policy


The purpose of this privacy policy (“Policy”) is to explain how, when and why Prduct collects information about individuals, how, for what purposes and on what grounds these ‘personal data’ are subsequently processed, who processes them and what rights the individuals have in connection with their personal data. The Policy also explains Prduct’s practices in using cookies and other technologies for storing information on others’ devices and retrieving information from such devices.

When we refer to “Prduct” or use the word “we”, “our” or “us”, we mean the Prduct entity that acts as the ‘controller’ of the information we hold about you or the ‘processor’ of the information that a customer has entrusted to us, as explained in more detail under the “identifying the data controller” section of this Policy. The phrase “Prduct entity” refers to the following company: Prduct ApS, a Danish private limited company, registered number DK39368226, based in Aarhus, Denmark. The contact details of this entity are set out at the end of this Policy.

By “you” we mean the individual reading this text, i.e., you as a natural person (and not any company or other organisation that you may be associated with).

Some words and phrases in this Policy are in single quotation marks (e.g., ‘controller’, ‘processor’ and ‘data subject’). These are legal terms, having the same meanings as given to them in the EU General Data Protection Regulation, i.e., Regulation (EU) 2016/679 (“GDPR”).

This Policy details our commitment to protecting the privacy of individuals who visit our Websites (defined below) (“Website Visitors”), who register to use the products and services which we market for subscription (available at (the “Service(s)”, or who attend or register to attend sponsored events or other events at which Prduct participates (“Attendees”). For the purposes of this Policy, the term, “Websites”, shall refer collectively to as well as the other websites and applications that Prduct operates and that link to this Policy.

1. Scope

1.1 When this Policy applies

This Policy applies to the data processing that takes place through or in connection with your visiting, or accessing resources that form part of, any Prduct Website or your communication or interaction with Prduct; insofar as the above activities are not subject to another privacy policy or similar document.

Personal Data

When we speak of “Personal Data”, we mean any information about a living individual from which that person can be identified (the proper legal definition of ‘personal data’ is “any information relating to an identified or identifiable natural person”, with the person to whom the information relates being referred to as the ‘data subject’). Personal Data do not include information from which no individual can reasonably be identified, that is to say, anonymous information or personal data rendered anonymous in such a manner that the individual is not, or no longer is, identifiable (de-identified or anonymised information). The Policy does not apply to such information.

1.2 When this Policy does not apply

Third party websites

Our Websites may contain links to other websites. The information practices and the content of such other websites are governed by the privacy statements of such other websites. We encourage you to review the privacy statements of any such other websites to understand their information practices.

Subscription Data

With the exception of Account Information (as defined below) and other information we collect in connection with your registration or authentication into our Services, this Policy does not apply to our security and privacy practices in connection with your access to and use of the products and services which we market for subscription on our Websites (our “Services”). These security and privacy practices, including how we protect, collect, and use electronic data, text, messages, communications or other materials submitted to and stored within the Services by You (“Service Data”), are detailed in and governed by our Master Subscription Agreement, or such other applicable agreement between you and any member of Prduct relating to Your access to and Your use of such Services (collectively referred to as the “Service Agreement”).

Subscribers to our Services are solely responsible for establishing policies for and ensuring compliance with all applicable laws and regulations, as well as any and all privacy policies, agreements or other obligations, relating to the collection of personal information in connection with the use of our Services by individuals (also referred to as “data subjects”) with whom our Subscribers interact. If you are an individual who interacts with a Subscriber using our Services, then you will be directed to contact our Subscriber for assistance with any requests or questions relating to your personal information.

We collect information under the direction of our Subscribers, and have no direct relationship with individuals whose personal information we process in connection with our Subscriber’s use of our Services. If you are an individual who interacts with a Subscriber using our Services (such as a customer of one of our Subscribers) and would either like to amend your contact information or no longer wish to be contacted by one of our Subscribers that use our Services, please contact the Subscriber that you interact with directly.

1.3 The Policy supplements our other terms and policies and is not intended to override them.

2. Identifying the data controller

2.1 We are a technology company and a lot of what we do involves data processing in one way or another. Various data need to be processed in a number of ways in order for us to carry on our business, including to provide, maintain and develop the Service and Websites, and to communicate with you. Information is processed both for us and for our customers, and customers themselves process information through the Service. Not all of this information constitutes Personal Data and much of the processing is controlled by parties other than Prduct.

2.2 For instance, the user environment delivered via the Organization Service has certain logically defined parts (each, an “Organization” or a “Brand”) where an Organization Service user (“User”) can enter, store, use, disclose and otherwise manipulate various data. The data thus processed are referred to as “Organization Data” and it is usually the User who created the Organization that determines the purposes of, and otherwise controls, the processing of these data. That authority can be assigned to another User, but, at any rate, there is always one particular User, identified in the Organization as the “Organization Owner”, that has legal control over, and is responsible for, Organization Data. That User (the Organization Owner) is also the ‘controller’ of all Personal Data maintained in the Organization. Prduct processes these data on the Organization Owner’s behalf and is thus considered to be the ‘processor’ of the said Personal Data. This means that any enquiry, request, objection or complaint that you as a ‘data subject’ may have in connection with the processing of Personal Data that form part of Organization Data (i.e., where the information concerned relates to you) should be addressed to, and resolved by, the relevant Organization Owner.

2.3 Prduct is the ‘controller’ of the Personal Data that are collected by us or on our behalf through the activities listed in section 1 of this Policy, or which are otherwise processed for the purposes of our business. Specifically, it is Prduct that acts as the ‘controller’ of the said Personal Data. The following sections explain the collection and subsequent processing of these data in more detail.

3. Information that you provide to us

3.1 You may browse Prduct’s websites without submitting Personal Information. However, if you choose to sign up, you will be asked to submit applicable Personal Data so that we can guide you in the best way possible. Read more about this in the following sections.

3.2 Account, Profile and Registration Information

We collect, generate and receive information in a variety of ways. Some of this information constitutes Personal Data and the rest does not. Personal information that we collect about you may include your name, address, phone number, email address, birthdate, gender, profession, education, family size, family role, family civil status, country of residence, language and credit card information, and you may also upload a profile picture. Shopping preference information is also saved for your convenience; some of this information, such as allergies, could be classified as personal information. For every piece of information mentioned, besides email, it is solely your choice whether you want to share it or not. We show an icon with every information input field to inform you whether the information is publicly available at your Profile or is privately kept in your Account. We shall use the word “Information” to designate any and all of the data that are collected, generated or otherwise processed by us or on our behalf. This part of the Policy describes which Information is collected or generated through the activities listed in section 1, and how.

In order to maintain an Organization, i.e., act as an Organization Owner, you need to provide us with your physical address and may give a telephone number at which you can be reached, when you register for an account to access or utilize one or more of our Services (an “Account”). We also ask for and collect personal information such as an email address and a name or alias from any individual that you authorize to log into and utilize our Services in connection with Your Account.

During the sign-up procedure, we may automatically record your internet protocol address (IP address) and an application programming interface token (API token) is automatically generated and stored under your User Account (this is an authentication token that you can use for accessing the Service through other software). For validating human access to the User Account, you will create a user name and a password, which both will be stored in our database along with the API token. You will also be assigned a user identifier (user ID), which is a certain numerical value that we generate, store and can identify you by.

As a User Account, you are not required to enter your credit card information unless and until you decide to continue with a paid subscription to our Services. A third-party intermediary is used to manage credit card processing. This intermediary is not permitted to store, retain, or use your billing information for any purpose except for credit card processing on our behalf.

We refer to any information described above as “Account Information” for the purposes of this Policy. By voluntarily providing us with Account Information, you represent that you are the owner of such personal information or otherwise have the requisite consent to provide it to us.

The Service has a user invitation feature that can be used for inviting you to become a User. If a User elects to invite you, she will give us your email address and the Service will send you an invitation. We store this email address but not as part of your User profile (as you are not yet a User). It will only become such if you obtain a User Account.

3.3 Billing Information

It is completely free to sign up and use Prduct’s basic services as a consumer.

If a User subscribes to a paid Service plan, we ask the User to supply us with the full name of the person or entity that will pay for the Service plan, their physical address and, optionally, email address and VAT number (i.e., the registration number of a “taxable person” as respects value added tax). The payer may or may not be the User subscribing to the Service plan, so it is possible for us to receive the above Information about you from another User.

In the case of a paid Service plan, you will supply a third-party payment service provider (who acts independently from us) with such information as they request from you to facilitate your payments to us. We do not collect any information about your methods or instruments of payment, except that, if you give the payment service provider credit card details, the last four digits of the credit card number are stored in the User Settings or Organization Settings under subscription billing info. This piece of Information forms part of User or Organization Data.

3.4 Usage Information

If you use the Identity feedback or request feature, then certain Information about you (username, age (if provided), gender (if provided)) and your related preferences can be shared with the receiving Organization. This allows the Organization providing the Identity to support your request in the best way possible. We don’t share sensitive information such as disabilities or allergies without your active acceptance at the time of contact.

If you use the Service feedback feature, then certain Information about you and some technical data concerning your Service release and other software and hardware are automatically sent to us along with the content of your communication. The Information we receive depends on the type of Service (and, respectively, the device) you are using but will usually include some of your Profile Information (name, user ID and email address) as well as information about which Service application and what version you are running and the type and version of your device’s operating system. It may also include the name of your device and information as to your web browser type and version, Service settings and usage history, Organization Service plan, and which Service release/update you have chosen.

3.5 Other Submissions

We receive from you such Information as you provide us when filling in forms (e.g., applications or questionnaires) on a Website or via the Service or when you participate in our Service-related campaigns or programmes, sign up to receive notifications, newsletters or other communications from us, request support for the Service, interact with our social media accounts or correspond or otherwise communicate with Prduct. If you email us or send us a letter or a message, we may retain a record of such communication, including your name and address, email address or telephone number (as applicable), the content of your communication and our response. We may complement these data with other Information.

3.6 Mobile Application

When you download and use our Services, we automatically collect information on the type of device you use, and operating system version.

4. Information That We Collect From You on our Websites

4.1 Cookies and Other Tracking Technologies

We and our authorized partners may use cookies and other information gathering technologies for a variety of purposes. These technologies may provide us with personal information, information about devices and networks you utilize to access our Websites, and other information regarding your interactions with our Websites. For detailed information about the use of cookies on the Websites, please read and review our Cookie Policy.

We partner with third parties to either display advertising on the Websites or to manage our advertising on other sites. Our third-party partners may also use technologies such as cookies to gather information about your activities on our Websites and other sites in order to suggest advertisements based upon your browsing activities and interests. If you wish to not have this information used for the purpose of serving you interest-based ads, you may opt-out by clicking here (or if located in the European Union you may opt into the use of cookies, by clicking here). Please note this does not opt you out of being served ads and you will continue to receive generic, untargeted ads.

Web beacons, tags and scripts may be used on our Websites or in email or other electronic communications we send to you. These assist us in delivering cookies, counting visits to our Websites, understanding usage and campaign effectiveness and determining whether an email has been opened and acted upon. We may receive reports based on the use of these technologies by our third-party service providers on an individual and aggregated basis.

We use Local Storage Objects (“LSOs”) such as HTML5 to store content information and preferences. Various browsers may offer their own management tools for removing HTML5 LSOs. Third parties with whom we partner to provide certain features on our Websites or to display advertising based upon your Web browsing activity use LSOs such as HTML5 and Flash to collect and store information. For further information on how to manage Flash LSOs please click here.

4.2 Logs

As is true with most websites and services delivered over the Internet, we gather certain information and store it in log files when you interact with our Websites and Services. This information includes internet protocol (IP) addresses as well as browser type, internet service provider, URLs of referring/exit pages, operating system, date/time stamp, information you search for, locale and language preferences, identification numbers associated with your devices, your mobile carrier, and system configuration information. Occasionally, we connect personal information to information gathered in our log files as necessary to improve our Websites and Services. In such a case, we would treat the combined information in accordance with this Policy.

4.3 Analytics

We collect analytics information when you use the Websites to help us improve them, including through the use of cookies. We may also share anonymous data about your actions on our Websites with third-party service providers of analytics services.

On a more general level, we collect (or have third parties collect for us) anonymous Information about the use of our Service and customer base. Such data may, e.g., include Information about the number of Users and their distribution (active, passive, paying, non-paying, etc.), Identity activities, Organization team sizes, choices between application types, settings, modes of use and Service plans, Service performance, practices and trends in using specific features or components of the Service, the effectiveness of Service messages, and other Information that is not Personal Data.

Accessing resources on Websites may (depending on the site visited, resource accessed, device used and your hardware and software settings) result in the following Information being collected: your IP address, approximate location, Website entry and exit pages, referral sites and keywords, session time and duration, activities on the Website (e.g., pages viewed, links followed, clicks made), web browser type, version and settings (including, e.g., language preferences), device type, name and settings as well as the type and version of its operating system, and your internet service provider or mobile network operator. Some of this Information is collected by the use of cookies, as described in the Cookie Policy.

5. Information Collected From Other Sources

5.1 Social Media Widgets

The Websites include social media features, such as the Facebook Like button, and widgets, such as the Share This button or interactive mini-programs that run on our Websites. These features may collect your Internet protocol address, which page you are visiting on the Websites, and may set a cookie to enable the feature to function properly. Social media features and widgets are either hosted by a third party or hosted directly on the Websites. Your interactions with these features are governed by the privacy statement of the companies that provide them.

5.2 Information From Third Party Services

We may also obtain other information, including personal information, from third parties and combine that with information we collect through our Websites. For example, we may have access to certain information from a third-party social media or authentication service if you log into our Services through such a service or otherwise provide us with access to information from the service. Any access that we may have to such information from a third-party social media or authentication service is in accordance with the authorization procedures determined by that service. If you authorize us to connect with a third-party service, we will access and store your name, email address(es), current city, profile picture URL, and other personal information that the third-party service makes available to us, and use and disclose it in accordance with this Policy. You should check your privacy settings on these third-party services to understand and change the information sent to us through these services. For example, you can log in to the Services using single sign-on services such as Facebook Connect or an OpenID provider.

These single sign-on services will authenticate your identity, provide you with the option to share certain personal information (such as your name and email address) with us, and pre-populate our sign up form. Services like Facebook Connect give you the option to post information about your activities in the Services to your profile page to share with others within your network.

6. How We Use Information That We Collect

6.1 The purposes for which Information is processed and the legal grounds for such processing are varied and depend on the nature of the Information. If Information is anonymous or de-identified, we may collect, use, disclose and otherwise process it for any purpose. Our processing of Personal Data, however, is limited to the purposes set out in this Policy.

6.2 Most commonly, we will process your Personal Data in the following circumstances: (a) if we need to perform an agreement you have with us or it is necessary to take pre-contractual steps at your request before entering into such an agreement (we shall refer to these grounds as “Contractual”); (b) where we need to comply with a legal obligation, e.g., one arising from a law or regulation concerning taxation, accounting, financial reporting, prevention of terrorism or money laundering, or judicial or administrative process (this would be a “Legal” ground); (c) if it is warranted by our legitimate interests or those of a third party and such interests are not overridden by yours or your fundamental rights and freedoms (here, the processing would be based on “Interest”); (d) where we have your unambiguous consent before processing your Personal Data in that specific situation (thus allowing us to process these data on the grounds of “Consent”).

6.3 Each of the categories of Information described under sections 3 – 5 may include your Personal Data but not all those categories may apply to you (e.g., if you are not a User, it is unlikely for us to hold much Personal Information on you and most of the other categories of Information would also be irrelevant). The table below sets out the purposes for which your Personal Data in the specified category of Information will or may be stored, used, disclosed or otherwise processed, and which of the above grounds we rely on when doing so. Where the processing is based on Interest, we have also identified what the legitimate interest in that particular case is. Please note that we may be processing the same pieces of your Personal Data for several purposes simultaneously and, respectively, on more than one legal ground (e.g., on a Contractual basis as well as based on Interest, and perhaps also on a Legal ground). Contact us if you need details about the specific legal ground we are relying on to process your Personal Data where more than one ground has been listed. Note also that not each piece of Personal Data in a particular category of Information is processed for all the purposes specified in connection with that category (and on the grounds corresponding to those purposes). Contact us if you wish to know which of the said purposes precisely and in what circumstances applies to the processing of a specific piece of your Personal Data. Our contact details are provided at the end of this Policy.

Account Information

| Purpose | Grounds |
|---|---|
| Providing tailored content to you based on your Demographic information, including age, preferences, gender, educational degrees, interests, and diabetes specific information. | Interest (performing our agreements with the Users) |
| Keeping our records updated | Legal |
| Negotiating, preparing, concluding, performing, amending and enforcing our agreements with you (incl. particularly agreements concerning the Service) and exercising our rights under such agreements. | Contractual, Legal, Interest (recovering debts due to us, enjoying and defending our rights, negotiating new terms or amending existing ones to reflect changes in circumstances or to better suit our interests and/or yours). |
| Contacting you on matters relating to the Service or your agreements with us or in connection with matters that may affect you, and replying to your communications | Contractual, Legal |
| Delivering messages to you from Users, incl. invitations to become a User | Interest (performing our agreements with the Users) |
| Sending you communications you have subscribed or otherwise agreed to receive | Interest (providing you with information we find relevant and reasonably believe is of interest to you) |
| Investigating Service-related illegal conduct, violations of contract and (actual or suspected) infringements of legal rights or freedoms (yours, ours or those of third parties) | Legal, Interest (enjoying and enforcing our rights and freedoms) |
| Disclosing if and as required by law | Legal |

Billing Information

| Purpose | Grounds |
|---|---|
| Preparing, performing, amending and enforcing our agreements with you | Contractual, Legal, Interest (recovering debts due to us and defending our rights) |
| Informing you about matters concerning your Service plan and payments to us | Contractual, Interest (keeping you current as to our relationship) |
| Managing and executing our sales to you | Interest (operating our business) |
| Financial and tax accounting | Legal |
| Disclosing if and as required by law | Legal |

Usage Information

| Purpose | Grounds |
|---|---|
| Providing the Service | Contractual |
| Ensuring an appropriate level of security as respects the Service and Websites, incl. particularly in terms of data processing | Contractual, Legal, Interest (keeping our products and services competitive) |
| Customising the content, layout and other properties of the Service and Websites for you | Contractual, Interest (keeping our products and services relevant and enjoyable) |
| Improving your Service user experience | Interest (keeping the Service enjoyable) |
| Gaining a better understanding of how you interact with the Service or a Website | Interest (keeping our products and services competitive) |
| Investigating and preventing Service- or Website-related errors, defects, performance and security issues, illegal conduct, violations of contract and (actual or suspected) infringements of legal rights or freedoms (yours, ours or those of third parties) | Contractual, Legal, Interest (enjoying and enforcing our rights and freedoms) |
| Maintaining, improving, otherwise developing and protecting the Service and Websites | Contractual, Interest (furthering our business, enjoying our rights and freedoms) |
| Creating new products and services | Interest (growing our business) |
| Making our communications to you more relevant | Interest (being relevant to you, thereby contributing to the success of our business) |
| Measuring the effectiveness of the messages we address to you | Interest (making our marketing more effective) |
| Learning where our customers come from and where to focus our marketing efforts | Interest (informing and shaping our business decisions) |
| Having our messages delivered across the internet | Interest (being visible and remembered) |
| Disclosing if and as required by law | Legal |

Cookie Information

| Purpose | Grounds |
|---|---|
| Same as for Usage Information | Same as for Usage Information |

Third-Party Information

| Purpose | Grounds |
|---|---|
| Providing the Service | Contractual |
| Performing our agreements with the third parties concerned | Interest (adhering to contracts) |
| Disclosing if and as required by law | Legal |

Other Information

| Purpose | Grounds |
|---|---|
| Providing the Service | Contractual |
| Keeping our records updated | Legal |
| Responding to your requests, comments and questions | Contractual, Legal, Interest (being responsive) |
| Sending you communications you have subscribed or otherwise agreed to receive | Interest (providing you with information we find relevant and reasonably believe is of interest to you) |
| Offering you the Service or other products or services | Interest (growing our business) |
| Improving or otherwise developing the Service, our other products and services and Websites | Interest (keeping our products and services competitive) |
| Creating new products and services | Interest (growing our business) |
| Improving customer relationships and experiences | Interest (growing our business) |
| Disclosing if and as required by law | Legal |

6.4 The communications that we initiate with you can broadly be classified as:

Service-related technical, administrative, business, legal and subscribed-to promotional messages that we address to Users and which you only receive if you are one (“Service Messages”); and messages about products, services, events and other matters you have shown interest in or which we believe may be of interest to you (“Marketing Messages”).

6.5 You can unsubscribe from certain Service Messages by adjusting your User Account settings and from others by following the instructions provided in the message. There are, however, some Service Messages that form part of the Service and which you cannot opt out of receiving unless you unsubscribe from the Service. As for Marketing Messages, you can always opt out of receiving these, but the variety of procedures for doing so may depend on the nature of the message and whether you have a User Account. If you do, try adjusting your User Account settings, and whether you have an account or not, there should always be opt-out instructions in the message itself. If you have trouble unsubscribing, contact us and we shall opt you out. Our details, as noted, are at the end of this Policy.

7. Failure to provide Information

7.1 Generally, no one is obliged to give us her Personal Data but failure to do so may, or, depending on the circumstances, will or is likely to, result in our not being able to achieve the data processing purpose(s) specified for the occasion in question (as listed in the table under section 6.3) and the particular ‘data subject’ may, or, respectively, will or is likely to, miss the benefits corresponding to that purpose (or those purposes).

7.2 Where we need to collect your Personal Data by law or under the terms of a contract we have with you, or in order to enter into such a contract, and you fail to provide those data when requested, we may not be able to perform or enter into the relevant contract (which may be a contract for the provision of the Service or some other benefit). Should that be the case, we may have to cancel a product or service you have with us, but we shall let you know at the time if that applies.

7.3 If you limit the ability of a Service application or Website to set cookies, you may, and in some cases most definitely will, prevent yourself from using that application or site or certain of its features, or may worsen your user experience as the item in question will not be personalised to you. It may also stop you from saving customised settings and you may need to validate your access to the Service or the Website more frequently during your browsing session.

8. Duration of Personal Data storage

8.1 We only store your Personal Data for as long as necessary in the light of, or compatible with, the purposes for which the data were collected (e.g., enjoying our rights and performing our obligations under the contract you have with us, if that was the sole purpose) and such additional period as may be required by law.

For Subscribers who want to delete their account, we have collected information about data deletion in our Data Deletion Policy.

8.2 Legal retention periods vary depending on the type of Information concerned, and they can be quite long. For instance, Personal Data relevant to our accounting or taxation (which is likely to be the case for some of the Personal Data under the Profile Information and Billing Information categories, and may also apply to some other Personal Data) must be retained for at least seven years after the primary purpose for their processing ceases to apply (e.g., seven years following the financial year when our business relationship with you terminated and the last transaction between us occurred).

9. Disclosure of Personal Data

9.1 This part of the Policy describes the circumstances in which we may disclose or transmit your Personal Data to third parties. Please note that the sections below only address the disclosures and transmissions of Personal Data and not, for example, anonymous or de-identified Information (which we may transmit and disclose at any time to anyone anywhere, in any manner and for any purpose). Nor does this part deal with the transmission or disclosure of Organization Data, which is at the discretion and responsibility of the Organization Owner.

9.2 If you invite another User to your Organization or join someone else’s Organization, you are instructing us to display certain of your Profile Information (which may include your name, address, email address, profile picture, country of residence, time zone) and, if applicable, Billing Information (including your name, billing address, billing email address, VAT number and the last four digits of your credit card number) in the Organization such that other Users may or will have access to them (depending on their User privileges).

9.3 If you use the Service invitation feature to invite someone to become a User, we shall let the invitee know who you are by including some of your Profile Information (name, email address and perhaps your profile picture) in the invitation.

9.4 When you share Organization Data or other content from your User Account by distributing links to such data (e.g., to allow someone without a User Account to view something you have created with the Service), certain of your Profile Information (e.g., name, email address and/or profile picture) is likely to be disclosed to the addressee(s) along with the material you share (and you may also be disclosing other Users’ Personal Data).

9.5 Your Profile Information and possibly Billing Information or certain of these data may also be shared when integrating third-party services with your User Account, Organization or Service application and when using such third-party services in conjunction with the Service. You can control which data are shared when enabling and/or while enjoying the integration (depending on the third-party service). At any rate, do check your privacy settings for both the Service as well as the third-party service prior to integration as well as during to determine which data may be shared. And please note that we are not responsible for the privacy practices (or other acts or omissions) of such third-party service providers, so it would be advisable for you to make sure, before the integration, that you trust the service and the provider in question and are satisfied with the provider’s policies.

9.6 We have engaged and will continue to use third-party service providers to assist us in providing, maintaining, developing, protecting and promoting the Service and Websites. We may, for example, use such parties for hosting the Service or a Website, sending out Service Messages or Marketing Messages, providing or hosting customer support services, performing analyses related to the Service or a Website, or for processing payments. We may also store Personal Data in locations outside our direct control, e.g., on third-party cloud infrastructure or platforms (IaaS/PaaS) or cloud infrastructure whose operation we have entrusted to other parties. These service providers may have access to your Personal Data for the limited purpose of providing the service we have engaged them to provide. Importantly for you as a ‘data subject’, our use of such service providers may involve transmitting your Personal Data to jurisdictions other than the one you reside in. Where this is the case, section 9.2 will apply.

9.7 We may share your Personal Data with our corporate affiliates and outside accountants, legal counsels and auditors.

9.8 If we engage in or are subject to a merger, acquisition, division, transformation, public offering of our securities, obtaining financing, divestiture of all or substantially all of our assets or a significant part of such assets, transfer of the enterprise or a part of the enterprise to which your agreement with us pertains, or a similar transaction or proceeding, or if we take steps in contemplation of such activities (e.g., submit to due diligence), your Personal Data may, subject to standard confidentiality arrangements, be shared with, or transferred to, our counterparties or other relevant participants in the respective transaction or proceeding.

9.9 We may find ourselves in a situation where we are legally obliged to disclose some or all of your Personal Data or where we reasonably believe that we are so obliged. This may be the case if we receive an Information request from an authority or there is a law or regulation that requires us to make a disclosure without specific request (e.g., to comply with national or international measures against terrorism or money laundering). We may also be compelled to disclose your Personal Data by a judicial, arbitral, administrative or otherwise mandatory order or judgment. Where any of the foregoing applies, we shall make the disclosure, and we may not be permitted to tell you that your Personal Data have been disclosed.

9.10 There may also be situations where we find the disclosure of your Personal Data to be necessary in order to exercise, enforce or defend our rights, freedoms or legitimate interests or to protect the rights, freedoms or legitimate interests of a third party (e.g., a ‘data subject’ or an intellectual property owner).

9.11 We shall disclose your Personal Data at your request (unless legally prohibited, impracticable or involving unreasonable effort or expense) or may do so upon your Consent.

10. International transfers of Personal Data

10.1 We may transfer your Personal Data to jurisdictions other than the one you reside in, subject to section 10.2.

10.2 We shall not transfer your Personal Data from countries participating in the European Economic Area (“EEA”) to those which do not, or from the EEA to international organisations, unless the recipient country or the particular person or entity receiving the data ensures an adequate level of protection for the data received, or, if it does not, then without applying such safeguards as legally required and/or without the transfer being subject to such other conditions as the law provides for these kinds of transfers. For instance, if we are to transfer your Personal Data from the EEA to a recipient in the United States (which is likely to occur in our use of some of the service providers mentioned under section 9.6), we shall make sure that the recipient participates in the EU-U.S. Privacy Shield Framework, having thus self-certified itself as ensuring a level of protection of Personal Data that is essentially equivalent to the one guaranteed under the GDPR.

11. Personal Data Security

11.1 We shall maintain adequate technical and organisational measures to ensure such level of security in our processing of Personal Data as appropriate in the given circumstances. Upon assessing whether a measure is adequate and which level of security is appropriate we consider the nature of the Personal Data we are processing and the nature of the processing operations we perform, the risks to which you are exposed by our processing of your Personal Data, the state of the art, the costs of implementation and such other matters as may be relevant in the particular circumstances.

11.2 The measures referenced in the preceding section particularly address the following: the protection of Personal Data against unauthorised or unlawful processing and against accidental loss, alteration or destruction; the integrity and confidentiality of Personal Data; the availability and resilience of the Service features pertinent to the processing of Personal Data; and our ability to restore the availability and access to Personal Data in a timely manner after a Service failure.

11.3 However, please be aware that no security measure is perfect. Our efforts notwithstanding, we cannot guarantee that your Personal Data, during transmission over the internet or while stored in our systems or those of our service providers or while otherwise in our care, will be absolutely safe from unauthorised or unlawful processing or accidental loss, alteration or destruction, or that they will indeed be intact and confidential at all times or shortly available after any Service incident. Note also that we cannot control, and are not responsible for, the actions of other parties with whom you share (or instruct us to share) your Personal Data. Read more in our Data Protection Policy and Responsible Disclosure Policy.

12. Your rights as a Data subject

12.1 ‘Data subjects’ in the EEA have certain statutory rights under the GDPR concerning the Personal Data that we have on them. This part of the Policy aims to give you a general understanding of these rights and we encourage you to deepen this understanding by studying the GDPR yourself. To facilitate this, we have, in relation to each of the rights noted below, provided a reference to the specific provision of the GDPR from which that right arises.

Specifically then, and subject to such statutory exceptions as may apply in your particular case, your ‘data subject’ rights include the following:

12.2 Right of access / GDPR Article 15

You have the right to enquire and get a confirmation from us as to whether or not we process any of your Personal Data. Where we do, you may request access to those data and have us give you a copy of them. A User can access most of the Personal Data we have about the person by logging in to the User Account and going to the settings (we have what you see there), and it may well be that these are the only Personal Data we maintain on her. If you wish to be certain or have no User Account, please use the contact details at the end of this Policy to exercise your ‘right of access’.

12.3 Right to rectification / GDPR Article 16

If the Personal Data we have about you is incorrect, you have the right to request that we correct those data, and, in some circumstances, you may have the right to require that your incomplete Personal Data be completed (but in each of these cases we may need to verify the accuracy of the information you provide to us). As with the ‘right of access’, Users can and are encouraged to update the Personal Data under their User Accounts themselves.

12.4 Right to erasure (right to be forgotten) / GDPR Article 17

You have the right to request that we delete or remove the Personal Data we have on you where there is no good reason for us continuing to process them. Please note that we may not always be able to comply with your request as there may be specific legal reasons which warrant the processing. Should this be the case, we shall inform you accordingly at the time of your request. For subscribers, the Data Deletion Policy applies.

12.5 Right to object / GDPR Article 21

You have the right to object to our processing of your Personal Data where the processing is based on Interest and there is something about your particular situation that makes you want to object to processing on this ground as you feel it impacts your interests or fundamental rights and freedoms. There may, however, be occasions where we demonstrate that we have compelling legitimate grounds to process your Personal Data (i.e., that our legitimate interests or those of a third party override yours and your fundamental rights and freedoms) and thus dismiss your objection. In case we are processing your Personal Data for direct marketing purposes, you may object to that processing at any time and we shall no longer process your Personal Data for such purposes.

12.6 Right to restriction of processing / GDPR Article 18

You have the right to request that we suspend the processing of your Personal Data where any of the following applies:

you have contested the accuracy of the data and the same needs to be verified;

the processing is unlawful but you do not want us to erase the data that we are processing;

you need us to maintain the data even though we no longer require them as they are necessary for your establishment, exercise or defence of legal claims; or

you have objected to processing as described under section 12.5 but we need to verify whether we have overriding legitimate grounds for processing.

12.7 Right to data portability / GDPR Article 20

If our processing of your Personal Data which you have provided us is based on a Contractual ground or on Consent and the processing is carried out by automated means, you are entitled to have us make those data available to you in a structured, commonly used and machine-readable format so that you could transmit them to someone else (another ‘controller’). You may also ask us to transmit these data to that other ‘controller’ directly, and we shall do so, if technically feasible.

12.8 Right to withdraw consent / GDPR subsection 13(2)(c)

If we are processing your Personal Data based on Consent, you may withdraw that consent at any time (but this will not affect the lawfulness of any processing activities carried out based on your consent before its withdrawal).

12.9 As noted above, you can exercise some of your ‘data subject’ rights (such as the ‘right of access’ and the ‘right to rectification’) through your User Account. If you are unable to do so, particularly if you have no User Account, or if the right in question cannot be thus exercised, then please use the contact details at the end of this Policy to get in touch with us and we shall do what we reasonably can to facilitate the exercise of your rights.

12.10 We aim to respond to any legitimate request within a month of its receipt but it may take us longer if your request is particularly complex or you have made several requests. If that is the case, we shall let you know and keep you updated.

12.11 We shall not charge you any fee for exercising the above rights unless your requests are clearly unfounded or excessive (e.g., because of their repetitive character), in which case we may charge a reasonable fee. Alternatively, we may decline your request in such circumstances.

13. Right to lodge a complaint with a supervisory authority

13.1 In case you believe that we are processing your Personal Data in violation of the GDPR, you have the right to lodge a complaint with the ‘supervisory authority’ located in the EEA country where you reside or work or where the alleged infringement took place or you can lodge the complaint with our ‘supervisory authority’ whose details are below.

Danish Data Protection Inspectorate (Datatilsynet)
Borgergade 28, 5
Tel. +45 33 1932 00
Fax +45 33 19 32 18
email: [email protected]
Website:

14. Changes to this Policy

14.1 We may revise this Policy from time to time to reflect changes to the Service, Websites, applicable laws, regulations or standards or other changes that may occur in our business. We shall post the revised Policy (or, as the case may be, our new privacy policy) on the same webpage where we published this Policy or on such other webpage as we then may habitually use for publishing materials such as the Policy. We may also use the Service, email or other means for notifying Users of such policy changes. The revised Policy (or, as applicable, the new one) will be effective when posted as described unless the document itself specifies a later time for its entry into force.

15. Contact details

15.1 Feel free to get in touch with us if you have any questions about this Policy or our data processing practices or if you would like to exercise any of your ‘data subject’ rights with respect to the Personal Data we maintain on you.

Email us: [email protected]
Call us: +45 5020 8844
Visit us: Universitetsbyen 7, Aarhus C, DK8000