Privacy Policy

We care about privacy


Who we are

We are Shape ApS and we design and develop world-class digital products for our clients. Our website is www.shape.dk.

We can be found at Njalsgade 17A, 2. 2300 Copenhagen, Denmark.

We are part of the Framna group of companies which includes companies based in Switzerland, Sweden, the Netherlands, the UK and USA. 

 

Introduction

This privacy notice (“Privacy Notice”) sets out how we use and protect your personal data when we collect it in any of the following ways:

  • when it is collected through our website (e.g. if you complete a contact form, sign up for an event or sign up to our newsletter);
  • when you contact our team through any channel (e.g. by email, LinkedIn message etc);
  • via automated technologies or interactions (e.g. through cookies or similar technologies);
  • when you engage with us on social media;
  • when we collect it from publicly available sources;
  • when your employer contracts with us as a client; or
  • when you attend a Shape event or webinar.

Throughout this Privacy Notice, where we refer to “Data Protection Legislation”, we mean the EU General Data Protection Regulation (EU GDPR). This includes any replacement or amending legislation coming into effect from time to time.

When we use the term “personal data” and “processor” in this Privacy Notice, these terms have the meanings given to them in Article 4 of the EU GDPR.

We are committed to meeting the requirements of the Data Protection Legislation and we have developed this Privacy Notice to ensure that you are aware of:

  • the personal data we collect about you;
  • what we do with your personal data;
  • what we do to keep your personal data secure; and
  • the rights and choices you have in relation to your personal data.

We will only use your personal data in accordance with this Privacy Notice. If we need to use your personal data for any other purpose, we will tell you and we will update this Privacy Notice.

 

The types of personal data we collect

We only collect personal data that we genuinely need and only in accordance with the Data Protection Legislation.

We may collect, use, store and transfer different kinds of personal data about you which we have grouped together as follows:

  • Identity Data includes first name, last name, and title.
  • Contact Data includes company address, company name, job role, company email address, and telephone numbers.
  • Technical Data includes internet protocol (IP) address, your login data, browser type and version, time zone setting and location, browser plug-in types and versions, operating system and platform, device ID and other technology on the devices you use to access this website.
  • Usage Data includes information about how you interact with and use our website, products and services.
  • Marketing and Communications Data includes your preferences in receiving marketing from us and our third parties and your communication preferences.
  • Recruitment Data includes your CV, skills, experience, qualifications, right to work documentation or visa documentation.
  • Social Media includes your user name, demographics and job title.

We also collect, use and share aggregated data such as statistical or demographic data which is not personal data as it does not directly (or indirectly) reveal your identity. For example, we may aggregate individuals' Usage Data to calculate the percentage of users accessing a specific website feature in order to analyse general trends in how users are interacting with our website to help improve the website and our service offering.

The table shown at the end of this Privacy Notice explains how and why we process each type of personal data.

You can access the table here.

 

Legal basis for processing your personal data
We will only ever process your personal data if we have a legal basis to do so. The legal bases we rely on are:

  • Performance of a contract – this is where we process your personal data to fulfil a contractual arrangement we have made with you, or prior to entering into a contractual relationship with you.
  • Consent – this is where we have asked you to provide permission to process your personal data for a particular purpose. Please note, if we are relying on your consent, you can withdraw your consent at any time by contacting us or using the opt out link in any emails that we send to you.
  • Legal obligation – we may use your personal data where it is necessary for compliance with a legal obligation that we are subject to. We will identify the relevant legal obligation when we rely on this legal basis.
  • Legitimate interest – we may use your personal data where it is necessary to conduct our business and pursue our legitimate interests, for example, to prevent fraud and enable us to give you the best and most secure customer experience. We make sure we consider and balance any potential impact on you and your rights (both positive and negative) before we process your personal data for our legitimate interests. We do not use your personal data for activities where our interests are overridden by the impact on you (unless we have your consent or are otherwise required or permitted to by law).

The table shown at the end of this Privacy Notice explains the purpose of our processing and the legal bases that we rely on for each type of personal data which we process.

You can access the table here.


Your rights

You have a number of rights under Data Protection Legislation. If you would like to exercise any of these rights, you can contact us using the contact details in the “Contact Us” section further below.

Your rights under the Data Protection Legislation are:

(a) Right to be informed about our collection and use of your personal data

You have the right to be informed about the collection and use of your personal data. This Privacy Notice gives you this information.

(b) Right to access your personal data

You have the right to access the personal data that we hold about you. This is sometimes called a ‘Subject Access Request’. If we agree that we are obliged to provide personal data to you (or someone else on your behalf), we will provide it to you or them free of charge and will aim to do so within 1 month from the point that we are able to confirm your identity. We will ask for proof of identity and sufficient information about your interactions with us so that we can locate your personal data.

(c) Right to correction of your personal data

If any of the personal data we hold about you is inaccurate, incomplete or out of date, you can ask us to correct it.

(d) Right to restrict processing

You have the right to ask us to restrict the processing of your personal data. For example, this may be because you have issues with the accuracy of the data we hold or the way we have processed your data. This right is not absolute and only applies in certain circumstances.

(e) Right to erasure

You have the right to have personal data erased. This is also known as the ‘right to be forgotten’. This right is not absolute and only applies in certain circumstances.

(f) Right to portability

The right to portability gives you the right to receive personal data you have provided to us in a structured, commonly used and machine-readable format. It also gives you the right to request that we transmit this data directly to a third party.

(g) Right to object

You have the right to object to our processing of some or all of the personal data that we hold about you. This is an absolute right when we use your data for direct marketing but may not apply in other circumstances where we have a compelling reason to do so, e.g., where we have a legal obligation to do so.

You can make a complaint to Datatilsynet (the Danish data protection authority) at any time about the way we use your personal data. However, we hope that you would consider raising any issue or complaint you have with us first. Your satisfaction is extremely important to us, and we will always do our very best to solve any problems you may have.

If you have any feedback about this Privacy Notice or would like to complain about our privacy practices please contact our Data Protection Officer at dpo@shape.dk.

 

How long we retain your personal data 

We will only retain your personal data for as long as reasonably necessary to fulfil the purposes we collected it for, including for the purposes of satisfying any legal, regulatory, tax, accounting or reporting requirements. We may retain your personal data for a longer period in the event of a complaint or if we reasonably believe there is a prospect of litigation in respect to our relationship with you.

To determine the appropriate retention period for personal data, we consider the amount, nature and sensitivity of the personal data, the potential risk of harm from unauthorised use or disclosure of your personal data, the purposes for which we process your personal data and whether we can achieve those purposes through other means, and the applicable legal, regulatory, tax, accounting or other requirements.

The table shown at the end of this Privacy Notice explains how long we retain each type of personal data.

You can access the table here.

 

Who we may share your personal data with

Our group companies

We are part of a group of companies known as the Framna Group. You can find details of each of our group companies here.

We share your personal data between our group companies for the following reasons:

  • so we can provide shared services such as marketing, finance and legal;
  • so we can provide digital product development, and related services, to one another, and to each other’s clients; and
  • to identify cross sell and upsell opportunities.

Where we share data between the group companies we have group information sharing agreements and data processing agreements in place.

External parties

In some circumstances we may need to share your personal data with third parties in order to:

  • provide you with the service that you have asked for
  • send you marketing communications
  • meet our legal obligations
  • run and manage our business
  • carry out audits

We may share your personal data with the following third parties:

  • Law enforcement or other public authorities that require us to release information.
  • Any organisation where it is necessary for us to establish a legal claim or to defend ourselves against such a claim.
  • Our professional advisors including accountants, legal professionals or insurers.
  • Providers of ancillary business support services such as information technology services (as a processor on our behalf).
  • Marketing service providers (as processors on our behalf) including organisations that help us communicate with you.
  • Any organisation in the event of the sale, merger, reorganisation, dissolution or disposal of our business. We will inform you of any such transfer or disclosure as required by law.

In all cases we will:

  • only provide the minimum personal data that each party requires to carry out their duties;
  • only disclose personal data to organisations who we have a contractual relationship with or who have an overriding legal requirement to hold the information;
  • ensure that we have data processing agreements in place with the third parties; and
  • carry out due diligence on the third parties.

International transfers of personal data

In some instances your personal data may be processed outside the European Economic Area (EEA), for example where we use an IT provider based outside the EEA.

If and when this is the case we take steps to ensure there is an appropriate level of security so your personal data is protected in the same way as if it was being processed within the EEA.

Where we need to transfer your data outside the EEA we will use one of the following safeguards: 

  • The use of EU standard contractual clauses in contracts for the transfer of personal data to third countries or Binding Corporate Rules, and we will undertake transfer impact assessments for each transfer to identify any supplementary measures required; or
  • Transfers to a non-EEA country with privacy laws that give the same protection as the EEA (those countries with an adequacy decision, or US companies registered with the EU-U.S. Privacy Framework).

 

Data security

We have put in place appropriate security measures to prevent your personal data from being accidentally lost, used or accessed in an unauthorised way, altered or disclosed. In addition, we limit access to your personal data to those employees, agents, contractors and other third parties who have a business need to know. They will only process your personal data on our instructions and they are subject to a duty of confidentiality.

We have put in place procedures to deal with any suspected personal data breach and will notify you and any applicable regulator of a breach where we are legally required to do so.


How we use cookies

When you first visit our website, you will be asked for your permission for us to use some types of cookies.

We have separated our cookies into four categories:

Strictly Necessary Cookies

These cookies will always be placed.

Strictly necessary cookies are necessary for our website to operate as some cannot be switched off. The cookies include those that ensure our site is secure, operates as you would expect and remembers your privacy preferences.

Performance Cookies

With your permission we use performance cookies to measure and improve the performance of our site. These cookies help us analyse data about web page traffic and to tailor it to customer needs. All information these cookies collect is aggregated and therefore anonymous. If you do not allow these cookies we will not know when you have visited our website and will not be able to monitor its performance.

Functional Cookies

With your permission we use functional cookies that enable our website to provide enhanced functionality and personalisation. They may be set by us or by third party providers whose services we have added to our pages. If you do not allow these cookies then some or all of these services may not function properly.

Targeting and Advertising Cookies

With your permission we utilise third party marketing and advertising cookies – these cookies are placed by third party marketing companies (such as Google) or social media companies (such as Facebook) and are used to understand the pages that you have visited so relevant advertisements can be shown to you on these platforms and on other websites.

These cookies do not directly store your personal data but can uniquely identify your browser and device. If you do not allow these cookies, you will see less targeted adverts from us. You may however see generic advertisements from or about us on social media or around the web.

Cookies help us provide you with a better experience, by enabling us to monitor which pages you find useful and those which you do not. A cookie in no way gives us access to your computer or any information about you, other than the data you choose to share with us.

 

Changes to this Privacy Notice

We keep this Privacy Notice under regular review.

We may change this Privacy Notice from time to time (for example, if the law changes). If the changes are material, we will take steps to inform you.

 

Third-party links

This website may include links to third-party websites, plug-ins and applications. Clicking on those links or enabling those connections may allow third parties to collect or share data about you. We do not control these third-party websites and are not responsible for their privacy statements. When you leave our website, we encourage you to read the privacy policy of every website you visit.

 

How to contact us

If you would like to:

  • exercise one of your rights as set out above;
  • ask a question or raise a complaint about this Privacy Notice; or
  • ask a question or raise a complaint about the way your personal data is processed,

you can contact us by clicking here or by emailing our Data Protection Officer at dpo@shape.dk.

 

Summary of processing activities
 

| Purpose / Use | Type of Data | Retention Period | Legal Basis |
| --- | --- | --- | --- |
| To respond to any question or enquiries that you make to us. | Identity; Contact; Social Media | For prospects and leads - 2 years from last contact. For clients - 6 years from last contact or end of contract (if later) | Legitimate interest (to develop our business and respond to enquiries) |
| To manage our contractual relationship with you / your employer, this includes: Registering you / your employer as a new customer; Managing payments, fees and charges; Delivering our services; Notifying you about changes to our terms or privacy policy; Dealing with your requests, complaints and queries | Identity; Contact; Marketing and Communications | 6 years from end of contract | Performance of a contract with you |
| Collect and recover money owed to us | Identity; Contact | 5 years after end of relevant financial year | Legitimate interest (debt recovery) |
| Manage and improve our business interactions with you, this includes: Analysing & understanding our clients, prospects & leads and how they use and interact with our website and applications; Understanding the effectiveness of our marketing campaigns; Developing our products and services; Market research | Identity; Contact; Technical Data; Usage | 2 years | Legitimate interest (to develop and improve our business, website marketing campaigns and services) |
| To promote our services, this includes: Running and promoting our events and webinars; Our newsletter, surveys, blogs and white papers, prize draws and competitions; Email marketing campaigns | Identity; Contact; Marketing and Communications; Social Media | 2 years from last contact | Consent |
| Business development, this includes: Monitoring open source data such as LinkedIn and other professional, corporate and government sources to identify potential leads; Buying in data | Identity; Contact; Social Media | 2 years | Legitimate interest (to expand and develop our business) |
| To recruit the best talent within our sector | Identity; Contact; Recruitment | 6 months | Necessary prior to entering into a contract with you |
| To administer and protect our business and website (including troubleshooting, testing, system maintenance, support, reporting and hosting of data, investigating and responding to service or security issues) | Identity; Contact; Technical; Usage | For systems monitoring (for example, to detect and prevent failures, vulnerabilities and external threats) - current year plus 1 year. Where externally developed IT infrastructure, software and systems are used - 7 years from decommissioning of the infrastructure, software or system. For technical information relating to client user accounts - 1 year from account closure. | Legitimate interests (for running our business, provision of administration and IT services and network security) |
| To deliver relevant website content and online advertisements to you and to measure or understand the effectiveness of the advertising we serve to you | Identity; Contact; Usage; Marketing and Communications; Technical | 2 years | Legitimate interests (to study how you use our products and services, to develop them, to grow our business and to inform our marketing strategy) |

Privacy Notice last updated on 6 August 2024