Privacy Policy

Data controller and contact information

Ento Labs ApS, CVR number: 40184120, Jægergårdsgade 97, st., 8000 Aarhus C, Denmark is considered the data controller in accordance with the GDPR (in the following: "we" or "us").

If you have any questions or wish to exercise your individual rights as described below, you can contact us by e-mail at dpo@ento.ai or by phone at +45 39 39 31 18.

Processing activities

In the following, you will find information on the categories of personal data we process, the purpose of the processing, the legal basis of the processing and when data are erased.

 

Customer and supplier relationships

Categories of personal data | Legal basis for processing (only relates to personal data on EU and EEA citizens) | Storage period | Recipients and potential transfers to third countries (transfers to third countries only relating to personal data on EU, EEA and Swiss citizens)

Contact information, payment information (only with respect to sole proprietorships and small partnerships), signatures and job title.

Ordinary personal data is processed because it is necessary to enter into and fulfill the contract with the customer or supplier, cf. Article 6(1)(b) of the GDPR.

 

Personal data of potential customers and business partners (leads) is processed on the basis of our legitimate interest in being able to contact them, cf. Article 6(1)(f) of the GDPR.

Information is deleted 3 years after the end of the business relationship, unless longer storage is required, for example in accordance with the rules of the Danish Accounting Act (5 years storage of accounting material), or if the information is necessary for a claim or guarantee that extends beyond the 3 years.

Information regarding potential leads and partners will be deleted after 24 months.
In some instances, your personal data is passed on to third-party service providers when we believe it is necessary for the operation of our business, or when it follows from a legal obligation arising from our role as data controller.

We pass on your personal information in a number of different situations:

 

Information that is included in our accounting material, or in documentation for a specific agreement, is passed on to the relevant authorities when, for example, we are obliged to do so in accordance with the law. For example, accounting material is passed on to SKAT. In addition, payment information will be passed on to Visma e-conomic A/S and Corpay by One ApS, which are providers of our invoicing systems, E-conomic and Corepay. We also share payment information with Scaleup Finance Denmark ApS, which does our bookkeeping.

 

HubSpot is our customer management system. Your contact information is managed through this system and is in that connection shared with HubSpot, Inc.  

 

We use Google Workspace as our email software and Postmark as our email notification system for your app. In this connection, your information is entrusted to Google Ireland Limited and Wildbit LLC, respectively. There are no transfers to third countries, as we only use servers located in the EU. In addition, we use Amazon Web Services, Google Cloud and Hetzner. In this connection, your information is shared with Amazon Web Services EMEA SARL, Google Ireland Limited and Hetzner Online GmbH, respectively. There are no transfers to third countries, as we only use servers located in the EU.

 

In addition, we use various process management tools to organize and improve our services and platform, namely Notion, Mixpanel and Typeform. In this connection, your personal data may be transferred outside the EU and the EEA, including insecure third countries such as the US.

 

Finally, we use Leadfeeder’s lead generation software. In some cases, your data is transferred to countries outside the EU and the EEA. As a rule, personal data are only transferred to countries that the European Commission has assessed to be secure. In some cases, however, transfers may occur to insecure third countries, including the United States.

 

In the event that your information is transferred to insecure third countries, such as the US, the European Commission’s standard clauses will always be entered into between our data processor and the recipient. In addition, our data processors have implemented additional technical and organizational measures to ensure a high level of data security.

 

Website, including analysis of traffic

Categories of personal data | Legal basis for processing (only relates to personal data on EU and EEA citizens) | Storage period | Recipients and potential transfers to third countries (transfers to third countries only relating to personal data on EU, EEA and Swiss citizens)

Identification data, including unique IDs, IP addresses, data on the device and browser used to access the website and data on behavior on the website.

 

Personal data are processed based on our legitimate interests in accordance with article 6(1)(f) of the GDPR.

 

It is our assessment that our legitimate interest takes precedence over that of the visitors, as the information is not directly personally identifiable, is general, is not of a private or intrusive nature, and is only passed on to third parties to a limited and/or encrypted extent.

 

To the extent that you have given consent to cookies, we process personal information collected through this for the purposes for which you have given consent, e.g., statistics or marketing, cf. Article 6(1)(a) of the GDPR. You can withdraw your consent in your browser at any time, delete your cookies by following the instructions in our cookie policy or by contacting us.

Personal data contained in cookies are deleted when the cookie expires or is deleted by the user (see our cookie policy).

We use Google Analytics 4, and data at user and event level are anonymized according to the strictest possible settings, i.e., currently two months.

Other than that, analysis data in personally identifiable form are stored only to a limited extent and for a limited time only, as the data are automatically aggregated (anonymized) when statistics are generated.

Certain analysis data will be disclosed to Google, Facebook and LinkedIn if you have consented to statistics and marketing cookies. This is also stated in the cookie banner that appeared when you first visited our website and is also described in our cookie policy.

 

Finally, we use Leadfeeder. In some cases, your data is transferred to countries outside the EU and the EEA. As a rule, personal data are only transferred to countries that the European Commission has assessed to be secure. In some cases, however, transfers may occur to insecure third countries, including the United States.

 

In the event that your information is transferred to insecure third countries, such as the US, the European Commission’s standard clauses will always be entered into between our data processor and the recipient. In addition, our data processors have implemented additional technical and organizational measures to ensure a high level of data security.

Recruitment and processing of applications

Categories of personal data | Legal basis for processing (only relates to personal data on EU and EEA citizens) | Storage period | Recipients and potential transfers to third countries (transfers to third countries only relating to personal data on EU, EEA and Swiss citizens)

Identification and contact information, information provided in applications, CVs and related documents, e.g., diplomas, and other personal data relevant to the assessment of an applicant. 


We may perform personality tests on our applicants. In this regard a snapshot picture will be taken of the applicant while taking the personality test.


Furthermore, we collect publicly available information via the candidate’s social media, particularly Facebook and LinkedIn.

Personal data are processed based on our legitimate interests in accordance with article 6(1)(f) of the GDPR. Our legitimate interest consists in the fact that the applicant has independently chosen to apply for the position, and it is necessary for us to process the data in order to consider the applicant for the position.

Unsolicited job applications and accompanying material will be deleted after they have been read or no later than 3 months from receipt, unless consent is obtained from the applicant for longer storage, e.g., in connection with future positions.

 

Requested applications and accompanying material will be deleted after the recruitment round is completed or no later than 3 months after, unless consent is obtained for longer storage, e.g., in connection with future positions. 

 

It may be necessary to keep the information longer than 3 months if, based on the job interview, the correspondence with the applicant or other circumstances, there is a concrete or imminent risk that we will be met with a claim as a result of the application process, e.g., if an applicant might think that he or she has been rejected due to his or her age or health. 

 

Personality tests are deleted after the recruitment process unless the applicant is hired. In that case, the personality test will be stored for the duration of the employment.

Your personal information is entrusted to our data processors when necessary for the recruitment process:

 

We use Google Workspace as our email software. In this connection, your information is entrusted to Google Ireland Limited. There are no transfers to third countries, as we only use servers located in the EU.

 

Amazon Web Services, Google Cloud and Hetzner are used for file storage and management. In this connection, your information is entrusted to Amazon Web Services EMEA SARL and Google Ireland Limited, respectively. There are no transfers to third countries, as we only use servers located in the EU.

 

Moreover, we use the job portals LinkedIn and the Hub.

 

In the event that your information is transferred to insecure third countries, such as the US, the European Commission’s standard clauses will always be entered into between our data processor and the recipient. In addition, our data processors have implemented additional technical and organizational measures to ensure a high level of data security.

 

Your individual rights

You have the rights described below, which you can exercise by contacting us using the above contact information. Your request will be answered free of charge, as soon as possible and no later than one month after receipt, or up to two months if necessary due to the complexity or number of requests. In the event of unfounded or excessive requests, we have the right to reject them or charge a reasonable fee for answering them.

  • Withdraw consent. To the extent processing is based on your consent, you may at any time withdraw your consent by contacting us at the above information or as otherwise explained when you provided your consent. This will not affect the lawfulness of the processing before its withdrawal.
  • Access. You have the right to access the personal data that we process about you, as well as certain information about how the processing takes place. No access is granted to information which must remain confidential because of public or private interests, including your own interests.
  • Rectification. You have the right to have incorrect personal data corrected or to have incomplete personal data about you completed.
  • Erasure. You have the right to have personal data about you deleted in the circumstances specified in Article 17 of the GDPR. This may be the case, for example, if the information is no longer necessary for the fulfilment of our obligations and exercising of our rights or if the information is processed on the basis of your consent which has been withdrawn.
  • Restriction. In the circumstances mentioned in Article 18 of the GDPR, you have the right to have the processing of your personal data restricted, e.g. if the accuracy of the data is disputed, in the period until we have had the opportunity to determine whether the personal data is correct, or if we no longer need the personal data for the processing but they are necessary to establish, exercise or defend a legal claim.
  • Object. You have the right to object to the processing of personal data which we process on the basis of Article 6(1)(f) of the GDPR (the legal basis for processing in our legitimate interest) and always if the processing is for the purpose of direct marketing.
  • Data portability. If the processing is based on your consent or contract, you have the right to receive the information in a plain and readable format and to transmit the information to another data controller. If you wish and if technically possible, we will transmit the information directly to this data controller. 
  • Automatic decisions. You have the right not to be the subject of an automatic decision that has legal effect or similarly significantly affects you, which is based solely on automatic processing, including profiling.
  • Lodge a complaint. You may at any time complain about the processing of your personal data by contacting us. In addition, you can always lodge a complaint to the Danish Data Protection Agency (http://datatilsynet.dk, dt@datatilsynet.dk, +45 33 19 32 00), or to the supervisory authority in the country where you reside or in the country where you believe the violation of the GDPR has taken place.