Privacy Policy for Clients, Suppliers and Partners

1. Who we are and how to contact us

Data Controller
  • Formalize ApS: Kannikgade 4.1, 8000 Aarhus, Denmark. VAT: DK42045136
  • Formalize Spain S.L: Calle María de Molina 39, 3P, 28006 Madrid, Spain. VAT: ESB70794854

Formalize ApS has subsidiaries in Europe that operate under the headquarters' guidelines. You may consult the full list of our branches and their contact details in our Office Locations.

Contact: gdpr@formalize.com

Data Protection Officer (DPO): Bo Pyskow, email: dpo@sixtus-compliance.dk

2. What personal data we collect and why

Category of data subject: Clients
  • Personal data collected: Identification and contact data, professional data, contractual data, financial and billing data.
  • Purposes of processing: Management of the contractual relationship, provision of services, customer support, billing, and marketing communications.
  • Legal basis: Contract performance (Art. 6.1.b), legal obligation (Art. 6.1.c).
  • Retention period: Duration of the contract + 6 years for legal obligations.

Category of data subject: Suppliers and business partners
  • Personal data collected: Identification and contact data of representatives, contractual and banking data.
  • Purposes of processing: Management of the business relationship, communication, payments, and legal compliance.
  • Legal basis: Contract performance (Art. 6.1.b) and legal obligation (Art. 6.1.c).
  • Retention period: Duration of the business relationship + 10 years or more if legally required.

3. Source of personal data

We primarily collect your personal data directly from you or from the entity you represent (the client, supplier, or business partner) during the initiation and performance of our contractual or commercial relationship.

This includes data gathered through:

  • Direct Interaction: Contracts, service agreements, billing forms, email correspondence, and direct professional communications.
  • Public and Third-Party Sources: Occasionally, we may collect professional data from publicly available sources (e.g., company registers, corporate websites) or from business partners to verify information or establish initial contact, always ensuring a legal basis for processing (e.g., our legitimate interests).

4. How we use your data in our products

Formalize's products are designed to be used by the client as the data controller.

The relationship between Formalize (as processor) and the client (as controller) is governed by a Data Processing Agreement (DPA) that complies with Art. 28 GDPR.

5. Our data protection principles

We process your data based on these fundamental principles:

  • Lawfulness and transparency: All processing has a legal basis and is conducted fairly, with clear information about how we use your data.
  • Purpose limitation: Data is collected for specific, explicit, and legitimate business purposes and is not processed in a way that is incompatible with those purposes.
  • Data minimization: We only process data that is necessary and relevant for the stated purposes.
  • Accuracy: We keep data accurate, complete, and up-to-date, and rely on you to inform us of any changes.
  • Storage limitation: Data is retained only as long as necessary to fulfill processing purposes and comply with legal obligations.
  • Security: We implement appropriate technical and organizational measures to protect your data against unauthorized access, loss, or damage.
  • Accountability: We demonstrate compliance with these principles and maintain records of our processing activities.

6. With whom we share your personal data

We share data with external processors who provide sufficient security guarantees and are bound by data processing agreements in accordance with Article 28 of the GDPR. These processors include providers for:

  • Cloud Hosting & Infrastructure: For secure storage, backup, logging, and maintenance of our systems.
  • Customer Support & Ticketing: To manage customer support requests, ticket resolution, and provide AI-based support chat and help centers.
  • Customer Relationship Management (CRM) & Communication: To manage client relationships, sales call recording, analysis, and send service-related notifications.
  • Security & Monitoring: For error, performance, and security monitoring to ensure the resilience of our platform.
  • Subscription & Payment Processing: To manage recurring billing, subscription management, and payment processing.
  • Data Analytics & Enrichment: For data warehousing, analytics, and B2B contact data enrichment.
  • Professional Advisors: Such as accounting, tax, and legal advisors to comply with statutory obligations.

Transparency and Updates: We maintain a comprehensive and up-to-date list of all authorized sub-processors, including their names, locations, and specific processing activities, as set out in Annex IV of our Data Processing Agreement (DPA). This list is available at any time via the Formalize Trust Center. In accordance with our DPA, we will notify you of any intended changes to this list at least fourteen (14) days in advance, providing you with the opportunity to object.

7. International Data Transfers and Processing Location

Formalize primarily processes and stores personal data within the European Economic Area (EEA).

  • Primary Location: Our main hosting and storage are located in Frankfurt, Germany (AWS region).
  • Intra-Group Transfers: Personal Data may be transferred between Formalize entities (Denmark, Spain) under agreements ensuring an adequate level of protection.
  • Transfers Outside the EEA: Certain auxiliary services (such as automation or data enrichment) may involve processing in countries outside the EEA, such as the United States. In such cases, we ensure that appropriate legal safeguards are in place, such as the EU's Standard Contractual Clauses (SCCs) or where the recipient country is subject to an adequacy decision by the European Commission.

8. Your data protection rights

You have the right to control your personal data. We ensure you can exercise the following rights at any time, using this link:

  • Right to Access and Rectification: You can ask us for a copy of your personal data and request that we correct any inaccurate information.
  • Right to Erasure ('Right to be Forgotten'): You can request the deletion of your data. We will fulfill this request unless there is a legal obligation to retain it.
  • Right to Object and Restriction of Processing: You can object to us processing your data or ask us to temporarily limit its use. You have the right to object at any time to us processing your personal data for direct marketing purposes.
  • Right to Data Portability: You can request a copy of your data in a structured, commonly used, and machine-readable format.
  • Right not to be subject to automated decision-making (including profiling): You may request human intervention, contest decisions made solely by automated means, and obtain information on the logic involved.

When our processing is based on your consent, you have the right to withdraw it at any time. This withdrawal will not affect the lawfulness of processing that occurred before you withdrew your consent.

9. Data breach management

We maintain coordinated incident response procedures. In the event of a personal data breach, we will notify the affected parties (including Clients, Suppliers, or Partners) without undue delay, and no later than 48 hours after becoming aware of the incident.

The notification will describe the nature of the breach, its likely consequences, and the measures taken to mitigate any adverse effects. When required by law, we will also notify the relevant supervisory authorities within 72 hours.

10. Policy updates

This policy may be updated to reflect legal changes or operational improvements. If we intend to process your personal data for a purpose other than that for which it was collected, we will provide you with information about that new purpose and any other relevant information before carrying out such processing, as required by Article 13(3) GDPR.

Updates are communicated through our website and appropriate channels.

11. Complaints and Supervisory Authorities

You can lodge complaints with a supervisory authority in your country of residence, place of work, or where you believe an infringement occurred.

The relevant supervisory authorities for Formalize Group legal entities are:

For Spain: Agencia Española de Protección de Datos (AEPD)
  • Address: C/ Jorge Juan, 6, 28001 Madrid, Spain
  • Tel: +34 912 66 35 17
  • Email: internacional@aepd.es
  • Website: https://www.aepd.es/

For Denmark: Datatilsynet
  • Address: Carl Jacobsens Vej 35, DK-2500 Valby, Denmark
  • Tel: +45 33 19 32 00
  • Email: dt@datatilsynet.dk
  • Website: http://www.datatilsynet.dk/

12. Our Commitment to Security

We maintain ISAE 3000 certification for assurance engagements related to data privacy and control environments, providing independent verification of our protection measures. Additionally, we are ISO 27001 certified, a global standard for information security management.

To uphold these commitments, we have implemented robust protection measures, including data encryption in transit and at rest; strict access controls based on the principle of least privilege and work-related need; periodic security audits, including an annual Application Resilience Assessment (yearly penetration test); and annually reviewed information security policies approved by management.

We are committed to a proactive approach to risk management and continuous improvement in data protection.

13. Approval and Review

This policy was last reviewed: 16-04-2026

This policy has been approved: 16-04-2026

Current version: 4

Change log:

  • Version 4 - Updated DPA alignment, sub-processor transparency via Trust Center, and adjusted breach notification window.
  • Version 3 - New policies per data subject
  • Version 2 - Complete rework of the privacy policy
  • Version 1 - Original version