Information on the Processing of Personal Data
Privacy Policy for Flak
We, Flak, are the data controller for the processing of the personal data we have received about you.
This privacy policy describes how we, Flak, CVR no. 46260171 (“we”, “us”, “our”), collect and process personal data in accordance with the General Data Protection Regulation (“GDPR”).
It sets out the rights you have as a customer and/or business partner in connection with our handling of your personal data.
If your inquiry concerns access, erasure, rectification, restriction, objection, or data portability, you can find your rights as the person whose personal data we collect and process (the “data subject”) in section 12.
This policy forms part of our documentation demonstrating that we, as a company, comply with the applicable GDPR rules and fulfil our duty to provide information under Article 13 of the GDPR.
In various respects, we act as the data controller for your personal data, as well as for the processing and activities associated with it.
The processing activities carried out by us are described in sections 1 and 2. The individual legal bases for processing are set out in section 1.
General inquiries regarding personal data, GDPR in general, or related matters may only be made by contacting us.
Contact Information
Flak
Gøprupvej 414
9690 Fjerritslev
CVR no..: 46260171
Telephone: (+45) 93886104
E-mail: [email protected]
We respond to inquiries from data subjects, including you, as quickly as possible and no later than 1 month after we have received the request.
If the request is complex, we have up to 3 months from receipt to respond to the request.
We ensure that requests made pursuant to your rights as a data subject are handled without undue delay.
1. The Purposes of and Legal Basis for the Collection and Processing of Your Personal Data
We process your personal data for the following purposes:
- To perform a contract to which you are a party, or to take steps at your request prior to entering into such a contract with you, including handling your license and customer relation with us.
- To comply with a legal obligation to which we are subject.
- To establish, exercise, or defend a legal claim.
- To carry out processing necessary for us or a third party to pursue a legitimate interest, provided that your interests and rights do not override our or the third party’s legitimate interest. The legitimate interests we pursue are:
- performance of an agreement for the delivery of services
- marketing to which you have consented, or which is otherwise permitted under Danish law
- customer satisfaction and product development.
Our primary purpose for collecting and processing your personal data is to enable us to provide the service ordered by the individual customer and otherwise fulfil our contractual obligations.
The legal basis for our processing of your personal data is derived from:
Regulation (EU) 2016/679 of 27 April 2016 (GDPR):
- Article 6(1)(a) and Article 9(2)(a), where you have given your consent.
- Article 6(1)(b), where the processing is necessary for the performance of a contract to which you are a party, or in order to take steps at your request prior to entering into such a contract.
- Article 6(1)(c), where the processing is necessary for compliance with a legal obligation to which Flak is subject.
- Article 6(1)(f), where the processing is necessary for the purposes of the legitimate interests pursued by us or by a third party, unless your interests or fundamental rights and freedoms override those interests.
- Article 9(2)(e), where the processing relates to personal data which you have manifestly made public.
- Article 9(2)(f), where the processing is necessary for the establishment, exercise, or defense of legal claims.
Whether information is necessary for us depends on the purpose for which the personal data is to be used. However, we limit our processing to what is necessary in relation to the purposes for which the personal data is processed, also referred to as data minimisation under Article 5(1)(c) GDPR.
We process only personal data that is adequate, relevant, and limited to what is necessary in relation to the purposes for which the processing takes place.
2. Categories of Personal Data
We only process personal data that is relevant in relation to the purposes listed in section 1. In most cases, this means that we only process information that is relevant to your specific case.
Below you can see which categories of personal data we process about you:
- Name
- Address
- Telephone number
- Email address
- Individual notes relating to the customer relationship
- Information that you send to us via platforms and other digital media
3. Recipients or Categories of Recipients
- We disclose or transfer your personal data to the following recipients, where relevant for the purpose of the processing and where we are legally permitted to do so:
- Our data processors
- Public authorities
- The Danish courts, arbitration tribunals, appeal boards, etc.
- Third parties to whom you request that we disclose information
4. Special GDPR Considerations When Using Flak’s Software/Code
When a customer uses a license to software or code provided by us, the customer is, as a general rule, the data controller in respect of any personal data that the customer enters, uploads, integrates, processes, or otherwise uses in connection with the software or code.
We do not determine the purposes or means of the customer’s own processing of such personal data and is therefore, as a general rule, neither the data controller nor the data processor in relation to that processing.
The customer is accordingly solely responsible for ensuring that any processing of personal data in the customer’s own systems, environments, integrations, and use of the software complies with applicable data protection law.
5. Transfers to Recipients in Third Countries, Including International Organisations
International transfers and third‑country processors We engage certain processors to support the delivery, operation, and support of our licensed product. All processors act on our documented instructions under Article 28 GDPR and are bound by data processing agreements, confidentiality, and appropriate technical and organisational measures. Where personal data is transferred outside the EEA/UK, we implement the European Commission’s Standard Contractual Clauses (SCCs), conduct transfer impact assessments, and apply supplementary safeguards (including encryption, access controls, and data minimisation). Copies of the relevant SCCs can be requested using the contact details in this policy.
1. Amazon Web Services EMEA SARL / AWS
Amazon Web Services EMEA SARL, 38 Avenue John F. Kennedy, L‑1855 Luxembourg
Service area: Cloud infrastructure, hosting, server operations, storage, and related services
Role and legal basis: Processor/sub‑processor under Article 28 GDPR and the applicable DPA
Transfer posture: Primary processing is in the EEA when EEA regions are selected. To the extent support or ancillary access involves third‑country transfers, SCCs and supplementary safeguards apply.
2. MongoDB, Inc.
MongoDB, Inc., 1633 Broadway, 38th Floor, New York, NY 10019, USA – USA (third country)
Service area: Database services and data storage
Role and legal basis: Processor/sub‑processor under Article 28 GDPR and the applicable DPA
Transfer safeguard: SCCs (EU Commission 2021 SCCs) with transfer impact assessment and supplementary measures (e.g., encryption-at-rest/in-transit, access controls, logging).
3. Microsoft Ireland Operations Limited / Microsoft
Microsoft Ireland Operations Limited, One Microsoft Place, South County Business Park, Leopardstown, Dublin 18, D18 P521, Ireland (with possible support access from third countries)
Service area: Cloud and online services (e.g., Microsoft 365, Outlook)
Role and legal basis: Processor/sub‑processor under Article 28 GDPR and the applicable DPA
Transfer posture: Data is primarily hosted in the EEA/UK where configured. Where support or global service operations entail third‑country access, SCCs and supplementary safeguards apply.
4. Functional Software, Inc. d/b/a Sentry
Functional Software, Inc. d/b/a Sentry, 45 Fremont Street, 8th Floor, San Francisco, CA 94105– USA (third country)
Service area: Error monitoring, logging, debugging, and related technical support
Role and legal basis: Processor/sub‑processor under Article 28 GDPR and the applicable DPA
Transfer safeguard: SCCs with transfer impact assessment and supplementary measures. Personal data in error reports/logs is minimised and subject to retention limits.
5. Heroku / Salesforce, Inc.
Salesforce, Inc. (Heroku), Salesforce Tower, 415 Mission Street, 3rd Floor, San Francisco, CA 94105, USA – USA (third country) Name:
Service area: Platform‑as‑a‑Service, application hosting, cloud platform operations
Role and legal basis: Processor/sub‑processor under Article 28 GDPR and the applicable DPA
Transfer safeguard: SCCs with transfer impact assessment and supplementary measures; regional hosting is applied where available and appropriate.
6. Stripe Payments Europe, Ltd.
Stripe Payments Europe, Ltd. 1 Grand Canal Street Lower, Grand Canal Dock, Dublin, Ireland, and Stripe, Inc., 354 Oyster Point Boulevard, South San Francisco, CA 94080, USA – Ireland / USA (third country, where applicable)
Service area: Payment processing and payment infrastructure.
Role and legal basis: Processor/sub-processor under Article 28 GDPR and the applicable Stripe Data Processing Agreement. Stripe may also act as an independent controller for certain payment, fraud prevention, compliance and regulatory purposes.
Transfer safeguard: SCCs, EU-U.S. Data Privacy Framework where applicable, transfer impact assessment and supplementary measures, including encryption, access controls, logging and security monitoring.
6. Where Your Personal Data Comes From
The personal data we process about you mainly consists of information that we have received from you in connection with a customer relationship. In certain cases, however, we may obtain additional information about you from other sources.
The other sources we use to obtain information about you generally include:
- Information that you have provided yourself to us, by email, in person, or by telephone.
7. Retention of Your Personal Data
We retain personal data in accordance with the applicable retention periods under Danish law. For example, we store invoices containing your name and address for 5 years, cf. section 10(1) of the Danish Bookkeeping Act.
Other information about you in our customer records is deleted 24 months after the end of the customer relationship or after inactivity.
Information relating to job applicants is deleted at the earliest of either (i) 3 months after the position has been filled, or (ii) 6 months after the application was received. However, we may retain such information for up to 6 months after the position has been filled if you give us your consent to do so.
Our deletion procedures for employees are communicated in connection with employment.
If we specifically assess that there is no legitimate reason to retain the information, we will delete your personal data at an earlier point in time. In making this assessment, we take into account whether legislation grants us a right or imposes an obligation to retain the information, whether you have a reasonable interest in having the information deleted that outweighs our interest in retaining it, and whether the continued storage of the information entails a risk to you as a data subject.
8. Automated Decisions, Including Profiling
We do not use your personal data for automated decision-making or profiling. This means that we do not make decisions based solely on automated processing that may have legal or similarly significant effects on you.
If we change this practice at any time, we will inform you in advance and ensure that this takes place in accordance with Article 22 of the GDPR.
9. Sub-processors and Data Processors
In certain cases, we may use sub-processors and data processors for the performance of contracts entered into with us, as well as where consent has been given or where other legitimate interests justify the processing of personal data in cooperation with our sub-processors and data processors.
List of Data Processors / Sub-processors:
1. Amazon Web Services EMEA SARL / AWS
Name: Amazon Web Services EMEA SARL
Address: 38 Avenue John F. Kennedy, L-1855 Luxembourg
Service area: Cloud infrastructure, hosting, server operations, storage, and related infrastructure services
Legal basis: Processing of personal data as a processor or sub-processor pursuant to Article 28 GDPR and the applicable data processing agreement
Description: AWS will typically act as a sub-processor where the licensed product is hosted on AWS or where customer personal data is stored or otherwise processed in AWS environments.
2. MongoDB, Inc.
Name: MongoDB, Inc.
Address: 1633 Broadway, 38th Floor, New York, NY 10019, USA
Service area: Database services and data storage
Legal basis: Processing of personal data as a processor or sub-processor pursuant to Article 28 GDPR and the applicable data processing agreement
Description: MongoDB will typically act as a sub-processor where personal data is stored in the database as part of the delivery and operation of the licensed product.
3. Functional Software, Inc. d/b/a Sentry
Name: Functional Software, Inc. d/b/a Sentry
Address: 45 Fremont Street, 8th Floor, San Francisco, CA 94105, USA
Service area: Error monitoring, logging, debugging, and related technical support services
Legal basis: Processing of personal data as a processor or sub-processor pursuant to Article 28 GDPR and the applicable data processing agreement
Description: Sentry will typically act as a sub-processor where error reports, logs, or stack traces may contain personal data relating to the customer’s users, systems, or environment.
4. Heroku / Salesforce, Inc.
Name: Heroku / Salesforce, Inc.
Address: Salesforce Tower, 415 Mission Street, 3rd Floor, San Francisco, CA 94105, USA
Service area: Platform-as-a-Service, application hosting, cloud platform operations, and related services
Legal basis: Processing of personal data as a processor or sub-processor pursuant to Article 28 GDPR and the applicable data processing agreement
Description: Heroku will typically act as a sub-processor where the application or parts of the licensed product are hosted, deployed, or operated on the Heroku platform.
5. Microsoft Ireland Operations Limited / Microsoft
Name: Microsoft Ireland Operations Limited
Address: One Microsoft Place, South County Business Park, Leopardstown, Dublin 18, D18 P521, Ireland
Service area: Cloud services and online services, including Microsoft 365, Outlook, and related services
Legal basis: Processing of personal data as a processor or sub-processor pursuant to Article 28 GDPR and the applicable data processing agreement
Description: Microsoft will typically act as a sub-processor where customer personal data is processed through Outlook, Microsoft 365, or other Microsoft online services as part of the delivery, support, or operation of the licensed product.
6. Visma e-conomic A/S
Name: Visma e-conomic A/S
Address: Gærtorvet 3, 1799 Copenhagen V, Denmark
Service area: Accounting software, bookkeeping systems, invoicing, and related financial administration services
Legal basis: Processing of personal data as a processor pursuant to Article 28 GDPR and the applicable data processing agreement
Description: e-conomic will typically act as a processor in relation to personal data included in accounting, bookkeeping, invoicing, and other financial administration data.
7. Stripe Payments Europe, Ltd. / Stripe, Inc.
Name: Stripe Payments Europe, Ltd. / Stripe, Inc. / Stripe, LLC
Address: 1 Grand Canal Street Lower, Grand Canal Dock, Dublin, Ireland, and 354 Oyster Point Boulevard, South San Francisco, CA 94080, USA.
Service area: Payment processing, payment infrastructure, transaction handling, and related payment services
Legal basis: Processing of personal data as a processor pursuant to Article 28 GDPR and the applicable data processing agreement
Description: Stripe will typically act as a processor in relation to personal data processed for payment transactions, including name, contact details, payment and transaction data. Stripe may also act as an independent controller for certain fraud prevention, compliance, regulatory, and payment network purposes.
Our sub-processors and data processors may change over time as a result of changes in suppliers and/or cooperation agreements with third parties. We will always inform data subjects accordingly, and we continuously update this policy.
This privacy policy will be updated in the event that we engage sub-processors or data processors. Any disclosure or sharing with sub-processors and data processors will always take place in accordance with the applicable provisions of Article 6 of the GDPR.
10. The Right to Withdraw Consent
You have the right to withdraw your consent at any time. You may do so by contacting us using the contact details set out above in the introduction of this privacy policy.
If you choose to withdraw your consent, this will not affect the lawfulness of our processing of your personal data based on your consent before its withdrawal.
Accordingly, if you withdraw your consent, it will only have effect from that time onwards.
11. Your Right As Data Subject
Under the General Data Protection Regulation, you have a number of rights in relation to our processing of your personal data. If you wish to exercise your rights, please contact us.
Right of access
You have the right to obtain access to the personal data we process about you, as well as a range of additional information.
Right to rectification
You have the right to have inaccurate personal data about yourself corrected. You also have the right to have incomplete personal data completed.
As data controller, we always ensure that personal data is corrected if we become aware that it is inaccurate. We also ensure that we process personal data that is complete and up to date.
Right to erasure
In certain circumstances, you have the right to have personal data about you erased before the time at which our general deletion procedures would otherwise apply.
The right to erasure applies if you withdraw your consent or otherwise invoke this right against us. This may not apply if we have another legal basis for continuing to process your personal data in whole or in part. You will be informed accordingly if a lawful exception applies.
Right to restriction of processing
In certain circumstances, you have the right to obtain restriction of the processing of your personal data. If you are entitled to restriction of processing, we may in the future only process the data — apart from storage — with your consent, or for the establishment, exercise, or defense of legal claims, or for the protection of a person or important public interests.
Right to object
In certain circumstances, you have the right to object to our otherwise lawful processing of your personal data. You also have the right to object to the processing of your data for direct marketing purposes.
Upon receipt of such an objection, we will weigh the objection against the legitimate interests, contractual relationship, and other relevant considerations applicable to your personal data.
Right to data portability
In certain circumstances, you have the right to receive your personal data in a structured, commonly used, and machine-readable format and to have those personal data transmitted from one controller to another without hindrance.
You can read more about your rights in the guidance issued by the Danish Data Protection Agency, available on its website: www.datatilsynet.dk.
12. Handling of Requests
We respond to inquiries from you, as the data subject, as quickly as possible and no later than 1 month after we have received the request.
If the request is complex, we have up to 3 months from receipt to respond to the request.
We ensure that requests made pursuant to your rights as a data subject are handled without undue delay.
13. Security Measures
We ensure an appropriate level of data security for the collection, processing, storage, and disclosure of personal data in accordance with Article 24 of the GDPR.
We have implemented technical and organisational measures to prevent your personal data from being accidentally or unlawfully deleted, disclosed, lost, degraded, accessed by unauthorised persons, misused, or otherwise processed in violation of applicable law.
In the event of a personal data breach, all affected registered users will be contacted within 72 hours and informed of which data has been lost, together with guidance on what they should do in response. In such a situation, our first priority is to close the security gap in order to minimise data loss for users.
We have implemented both privacy by default and privacy by design in our systems. This means, among other things, that we have configured our IT systems to protect personal data as a default setting within the system itself.
We have several technical and organisational security measures in place designed to protect personal data against accidental or unlawful destruction, loss, alteration, degradation, misuse, irresponsible processing, or any other processing contrary to data protection legislation.
Our employees are instructed on how to process personal data responsibly and in accordance with applicable law.
At all times, we ensure that our employees and business partners process personal data lawfully and on the basis of our internal policies, recommendations, and guidelines for proper data processing.
14. Complaint to the Danish Data Protection Agency
You have the right to lodge a complaint with the Danish Data Protection Agency if you are dissatisfied with the way in which we process your personal data.
If you wish to do so, we encourage you to contact us first in order to seek a resolution to any issue.
Complaints regarding our processing of your personal data may be submitted to the Danish Data Protection Agency:
Email: [email protected]
You can read more about your rights in the guidance issued by the Danish Data Protection Agency concerning the rights of data subjects, which is available at www.datatilsynet.dk
This Privacy Policy was last updated on 9 of May 2026.
This Privacy Policy have been drafted by Skafsgaard Law ApS.
© 2026 Flak, CVR no. 46260171
