Effective date: 10 August 2025
Controller: Fullybookedneuroclinic Skillbuddy Aps, CVR: DK43554638
Registered address: Gammel klausdalsbrovej 482, 2730 Herlev, Denmark
Contact (privacy): [email protected]
We are a marketing agency that helps clients, including neurofeedback clinics, with advertising, websites, analytics and CRM workflows. We do not provide healthcare treatment and we do not intentionally process patients’ health records. When our clients share audience lists with us, we process them strictly under contract and written instructions.
1) Scope
This policy covers our website, contact forms, email/SMS marketing (if you opt in), analytics and ads on our site, and our agency services. It explains how we act as data controller for our own marketing/website and as data processor when we handle data that clients share with us for campaigns. GDPR applies alongside Danish rules; you can always complain to Datatilsynet (Carl Jacobsens Vej 35, 2500 Valby; [email protected]; +45 33 19 32 00).
2) What we collect
A. Website & marketing contacts (controller role)
Name, email, phone, company, role, preferences, communications, subscription/consent status, technical data (IP, device, pages viewed), cookie/pixel events (if you consent to non‑essential cookies). We do not request CPR numbers. Where we use analytics/ads, non‑essential cookies/pixels only run with prior consent under Danish rules (erhvervsstyrelsen.dk).
B. Lists provided by clients (processor role)
Business contact details (e.g., leads or customers) supplied by a client for campaigns. Our contracts prohibit sharing health records or special‑category data. If truly necessary, clients must pseudonymise/minimise data and we will process only on documented instructions in a data processing agreement (DPA) per GDPR Article 28 (GDPR).
C. Job applicants / suppliers
CV, contact details and related information you share with us.
Children
For online services based on consent, Denmark’s digital consent age is 15; below 15, a holder of parental responsibility must consent.
3) Why we use your data (legal bases)
To respond and communicate (enquiries, proposals, contracts): GDPR Art. 6(1)(b) (contract) and/or 6(1)(f) (legitimate interests).
To run and secure our site/services (hosting, fraud prevention, security logs): Art. 6(1)(f).
Direct marketing (email/SMS) to you: only with prior consent (and easy opt‑out at any time). Denmark’s Marketing Practices Act §10 restricts unsolicited electronic marketing; “soft opt‑in” is only allowed on strict conditions.
Analytics/advertising cookies & pixels: only with prior consent (you can withdraw it any time).
Legal obligations (e.g., bookkeeping): we keep accounting records for five years from the end of the financial year (erhvervsstyrelsen.dk).
You can withdraw consent at any time; withdrawal doesn’t affect processing that already happened lawfully.
4) Cookies & similar technologies (general notice)
We use:
Essential cookies to make the site work (e.g., load balancing, security, consent logging). These do not require consent.
Analytics cookies (e.g., to understand page performance) and advertising cookies/pixels (e.g., to measure ads). These only run after you click “Accept” in our cookie banner, as Danish rules require informed prior consent for non‑essential cookies. You can change or withdraw your cookie choices anytime via Cookie settings on our site.
5) Sharing & recipients
We do not sell personal data. We share only when necessary with:
Processors who host, store, send or analyse data for us (e.g., web host/CDN, email/SMS, CRM, analytics, ad platforms, form tools, cloud storage). All processors are bound by DPAs and may only act on our instructions (or on our client’s instructions when we are processor) (GDPR).
Clients (when we act as processor) to report campaign performance.
Authorities if required by law or to protect legal rights.
6) International transfers
If non‑EU vendors are used, we rely on approved mechanisms:
EU‑US Data Privacy Framework for certified US vendors, and/or
Standard Contractual Clauses plus transfer risk assessments if needed (European Commission).
7) Retention
Prospect/lead data: kept only as long as needed for the purpose or to comply with law (and to document consent/opt‑outs where required by marketing rules), then deleted or anonymised (Forbrugerombudsmanden).
Accounting/contract data: five years from end of financial year (plus the current year) under Danish bookkeeping rules (erhvervsstyrelsen.dk).
Client‑provided lists (processor role): we keep only for the campaign/contract term and delete or return data at the client’s instruction, per the DPA (GDPR).
8) Your rights
You can request access, rectification, erasure, restriction, portability, and objection (including an anytime right to object to direct marketing). If we process based on consent, you can withdraw it at any time. You also have the right to complain to Datatilsynet (see address above) (Datatilsynet).
9) Our roles explained
Controller (our own data): We decide how to process website visitors’ and our prospects’ data.
Processor (client data): When a client sends us audience lists or connects their CRM/ads, we process only on their documented instructions under a written DPA (Art. 28 GDPR). We instruct clients not to send special‑category data (e.g., health records) and to minimise/pseudonymise wherever possible (GDPR).
10) Security
We use reasonable technical and organisational measures (e.g., access controls, MFA, encryption in transit, least‑privilege access, backups, secure deletion). We also carry out vendor reviews of our processors and keep records of processing.
11) Updates
We may update this policy to reflect legal/technical changes. We will post the new effective date above and, where appropriate, notify you of material changes.
Contact: [email protected]