Privacy Policy
This Privacy Policy describes how Veriflied ApS ("Veriflied", "we", "us", or "our") collects, uses, and protects personal data in connection with the operation of this website (veriflied.dk) and the provision of our services. We are committed to protecting your personal data and processing it in accordance with the General Data Protection Regulation (Regulation (EU) 2016/679, "GDPR") and the Danish Data Protection Act (databeskyttelsesloven).
1. Who We Are
Veriflied ApS is a private limited company incorporated under the laws of the Kingdom of Denmark.
| Legal Name | Veriflied ApS |
| Company Registration Number (CVR) | 46424999 |
| Country of Establishment | Denmark |
| Privacy Contact | contact@veriflied.dk |
| Lead Supervisory Authority | Datatilsynet (Danish Data Protection Agency) |
For questions about this Privacy Policy or our processing of your personal data, please contact us at contact@veriflied.dk.
2. Scope of This Privacy Policy
This Privacy Policy applies to:
- ·Visitors to our website at veriflied.dk
- ·Individuals who submit information through forms on our website
- ·Business contacts at customer organisations and prospective customers
- ·Authorised users of the Veriflied platform (including the VeriFly and Vantage services)
This Privacy Policy does not govern our processing of customer data submitted to the VeriFly or Vantage services. Such processing is governed by our Data Processing Agreement (DPA) with the relevant customer organisation, under which Veriflied acts as a data processor on behalf of the customer.
3. Personal Data We Process
3.1 Information You Provide Directly
When you submit a contact form, request a demo, or otherwise communicate with us, we collect:
- ·Your name
- ·Your business email address
- ·Your business telephone number (if provided)
- ·Your job title and employer
- ·The content of your enquiry
- ·Any additional information you choose to provide
3.2 Authorised User Account Data
If you become an authorised user of the Veriflied platform, we collect:
- ·Your name
- ·Your business email address
- ·A hashed version of your password (we never store your password in plain text)
- ·Multi-factor authentication enrolment data (if you enable MFA)
- ·Login timestamps and IP addresses (for security purposes)
- ·Records of administrative actions performed in your account
3.3 Information Collected Automatically
When you visit veriflied.dk, we automatically collect limited technical information through standard server logs:
- ·Your IP address (truncated for privacy)
- ·Your browser type and version
- ·The pages you visit on our website
- ·The time and date of your visit
- ·The referring website (if any)
This information is collected to operate the website, monitor security, and prevent abuse. We do not use this information to identify you personally, and it is not associated with any other personal data we hold about you.
4. Cookies
We use only cookies that are strictly necessary for the operation of our website. We do not use analytics cookies, advertising cookies, or tracking cookies of any kind. We do not use Google Analytics, Meta Pixel, or any similar tracking technology on veriflied.dk.
For full details of the cookies we use, please see our Cookie Policy.
5. How We Use Your Personal Data
We process your personal data for the following purposes:
| Purpose | Lawful Basis (GDPR Article 6) |
|---|---|
| Responding to your enquiries and providing requested information | Article 6(1)(b) — Performance of pre-contractual measures at your request |
| Negotiating, executing, and administering commercial agreements | Article 6(1)(b) — Performance of contract |
| Authenticating authorised users and providing access to the Veriflied platform | Article 6(1)(b) — Performance of contract |
| Operating, securing, and monitoring our website | Article 6(1)(f) — Legitimate interest in operating a secure website |
| Preventing fraud, abuse, and unauthorised access to our systems | Article 6(1)(f) — Legitimate interest in security |
| Complying with legal obligations (including accounting and tax law) | Article 6(1)(c) — Legal obligation |
We do not engage in automated decision-making producing legal effects or similarly significantly affecting you within the meaning of Article 22 GDPR.
6. How We Share Your Personal Data
We share your personal data only with the following categories of recipients, and only to the extent necessary for the purposes set out above:
6.1 Service Providers (Sub-Processors)
We engage carefully selected service providers to operate our website and platform. Each service provider is bound by a written data processing agreement and operates under appropriate data transfer safeguards.
| Service Provider | Service | Location |
|---|---|---|
| Vercel Inc. | Website hosting and content delivery | Frankfurt and Dublin (EU function regions) |
| Supabase Pte. Ltd. | Authentication and metadata database | Ireland (eu-west-1) |
| Google LLC | Cloud infrastructure for Veriflied platform | Frankfurt (europe-west4) |
| Microsoft Corporation | Email correspondence | EU Data Boundary |
| PandaDoc Inc. | Electronic signature for agreements | Multi-region (signing party location) |
A complete and current list of our sub-processors is maintained in our internal Records of Processing Activities and is available to customers upon request.
6.2 Public Authorities
We may disclose your personal data to public authorities (such as Datatilsynet, SKAT, or law enforcement) where required by law or in response to a valid legal request.
6.3 Professional Advisers
We may share your personal data with our professional advisers (lawyers, accountants, auditors) where necessary for the conduct of our business, under equivalent confidentiality obligations.
7. International Transfers of Personal Data
All processing of personal data in connection with the Veriflied platform takes place within the European Union/European Economic Area, specifically in the Frankfurt (europe-west4) region of Google Cloud Platform.
To the extent that any of our service providers (such as Vercel, Supabase, or Google) have parent entities in third countries (typically the United States), we rely on the following transfer safeguards:
- ·The EU-US Data Privacy Framework, where the relevant entity is certified
- ·Standard Contractual Clauses (Modules 1, 2, and 3 as applicable, EU Commission Implementing Decision 2021/914) as a layered fallback
- ·The UK International Data Transfer Addendum where UK-relevant transfers occur
We have conducted Transfer Impact Assessments in respect of these safeguards and have determined that they provide appropriate protection for your personal data in light of the relevant Schrems II considerations.
8. How Long We Keep Your Personal Data
We retain your personal data only for as long as necessary for the purposes for which it was collected, subject to applicable legal retention obligations:
| Data Category | Retention Period |
|---|---|
| Contact form submissions | 24 months from receipt |
| Server access logs | 30 days |
| Authorised user account data | Duration of authorisation by customer organisation, plus 30 days |
| Customer relationship data | Duration of relationship plus 5 years (Bogføringsloven) |
| Email correspondence | 5 years from last commercial communication |
| Accounting records | 5 years from end of financial year (Bogføringsloven §10) |
9. Data Security
We implement appropriate technical and organisational measures to protect your personal data against unauthorised access, accidental loss, alteration, or disclosure. Our key security measures include:
- ·TLS 1.3 encryption for all data in transit
- ·AES-256 encryption for all data at rest
- ·Multi-factor authentication available for all authorised users
- ·Bcrypt password hashing
- ·Access controls and the principle of least privilege
- ·Regular security reviews of our infrastructure and code base
- ·Incident response procedures aligned with the GDPR's 72-hour notification requirement
We do not store passwords in plain text. We do not write the content of customer-submitted documents or images to persistent storage at any point in our processing pipeline.
10. Your Rights Under the GDPR
You have the following rights in respect of the personal data we hold about you:
10.1 Right of Access (Article 15)
You may request a copy of the personal data we hold about you, together with information about how and why we process it.
10.2 Right to Rectification (Article 16)
You may request that we correct any inaccurate or incomplete personal data we hold about you.
10.3 Right to Erasure (Article 17)
You may request that we delete your personal data, subject to applicable legal retention obligations.
10.4 Right to Restriction of Processing (Article 18)
You may request that we suspend the processing of your personal data in certain circumstances.
10.5 Right to Data Portability (Article 20)
You may request that we provide your personal data to you (or transmit it to another controller) in a structured, commonly used, machine-readable format.
10.6 Right to Object (Article 21)
You may object to processing of your personal data carried out on the basis of legitimate interests (Article 6(1)(f)).
10.7 Right to Withdraw Consent (Article 7(3))
Where we rely on your consent to process personal data, you may withdraw that consent at any time. Withdrawal of consent does not affect the lawfulness of processing carried out before the withdrawal.
10.8 How to Exercise Your Rights
To exercise any of these rights, please contact us at contact@veriflied.dk. We will respond to your request within 30 days, or notify you within that period if an extension is required (up to 60 additional days for complex requests, in accordance with Article 12(3) GDPR).
We may need to verify your identity before processing your request to ensure that we do not disclose personal data to an unauthorised person.
10.9 Right to Lodge a Complaint
You have the right to lodge a complaint with a supervisory authority if you believe that our processing of your personal data infringes the GDPR. The lead supervisory authority for Veriflied is Datatilsynet:
Carl Jacobsens Vej 35
2500 Valby, Denmark
Telephone: +45 33 19 32 00
Email: dt@datatilsynet.dk
Website: www.datatilsynet.dk
11. Children's Data
Veriflied's services and website are not directed at children under the age of 16, and we do not knowingly collect personal data from children. If you believe that we have collected personal data from a child without appropriate consent, please contact us at contact@veriflied.dk and we will delete the data without undue delay.
12. Changes to This Privacy Policy
We may update this Privacy Policy from time to time to reflect changes in our processing activities, changes in applicable law, or other operational reasons. The "Last Updated" date at the top of this Privacy Policy indicates when it was most recently revised.
Where the changes are material, we will notify you by email (where we have your email address on file) or by prominent notice on our website prior to the changes taking effect.
13. Contact Us
For any questions, concerns, or requests in connection with this Privacy Policy or our processing of your personal data, please contact us:
We aim to respond to all enquiries within 5 business days and to formal data subject rights requests within the timelines required by the GDPR.
This Privacy Policy is provided in English. A Danish translation is available upon request.