Privacy Policy for Website Users, Potential Customers, and Marketing

1. Who we are and how to contact us

• Data Controller: Formalize ApS.
• Address: Kannikgade 4.1, 8000 Aarhus, Denmark.
• Contact: gdpr@formalize.com
• Data Protection Officer (DPO): Bo Pyskow, email: dpo@sixtus-compliance.dk

2. What personal data we collect and why

When we process data based on legitimate interest, our legitimate interests include website security and fraud prevention.

Legal Basis for Marketing Communications

Consent-based marketing (Art. 6.1.a):

When you are not an existing customer or when you subscribe to our marketing communications (newsletters, promotional emails, event invitations), we rely on your explicit consent. This consent is:

• Freely given through clear affirmative action (opt-in checkbox, subscription form)
• Specific to the type of communication you will receive
• Withdrawable at any time through unsubscribe links or contacting us

All marketing communications, regardless of legal basis, include clear and easy unsubscribe mechanisms as detailed in section 3.4.

After the retention periods indicated, we will either:

• Request renewal of your consent, or
• Permanently delete your data from our marketing systems

3. Use of cookies and other tracking technologies

We use cookies for functionality, performance, and analytics. For more details, please see our separate Cookie Policy.

4. Marketing Consent and Opt-out Mechanisms

All marketing communications include clear and easily accessible opt-out mechanisms. Data subjects can withdraw consent or object to marketing processing at any time through:

• Email communications: You can manage email communication preferences in every marketing email
• Direct contact: gdpr@formalize.com
• Account management: Updating preferences through customer account settings where available
• Postal communications: Written requests to company addresses listed in Who we are section.

5. Our data protection principles

We process your data based on these fundamental principles:

• Lawfulness and transparency: All processing has a legal basis and is conducted fairly, with clear information about how we use your data.
• Purpose limitation: Data is collected for specific, explicit, and legitimate business purposes and is not processed in a way that is incompatible with those purposes.
• Data minimization: We only process data that is necessary and relevant for the stated purposes.
• Accuracy: We keep data accurate, complete, and up-to-date, and rely on you to inform us of any changes.
• Storage limitation: Data is retained only as long as necessary to fulfill processing purposes and comply with legal obligations.
• Security: We implement appropriate technical and organizational measures to protect your data against unauthorized access, loss, or damage.
• Accountability: We demonstrate compliance with these principles and maintain records of our processing activities.

6. With whom we share your personal data

We may share your data with the following categories of recipients:

• Analytics service providers (e.g., Google Analytics, website performance tools)
• Marketing automation platforms (for email campaigns and CRM)
• Customer support tools and chatbot providers
• Content delivery networks (CDN) for website performance
• Partners with whom we organize events or webinars

All external processors are subject to data processing agreements that ensure GDPR-compliant handling of personal data. We maintain a list of all authorized sub-processors, available upon request at: gdpr@formalize.com

We do not sell your personal data to third parties.

7. EEA data transfers

Formalize may transfer personal data between Group entities within the European Economic Area (Denmark, Spain, Italy) under appropriate intra-group agreements.

For transfers outside the EEA, we ensure your data remains protected. These transfers are exceptional and are subject to the safeguards required by the GDPR, such as Standard Contractual Clauses (SCCs) or an adequacy decision from the European Commission.

8. Your data protection rights

You have the following rights regarding your personal data under the General Data Protection Regulation (GDPR), which you may exercise at any time using this link:

• Right of Access: You may request a copy of your personal information processed by us.
• Right to Rectification: You may request the correction of inaccurate or incomplete data.
• Right to Erasure (‘Right to be Forgotten’): You may request the deletion of your data under certain circumstances, unless we are legally obliged to retain it.
• Right to Restriction of Processing: You may ask us to temporarily limit how we use your data in specific cases.
• Right to Object: You may object to certain types of processing, such as direct marketing or processing based on our legitimate interests.
• Right to Data Portability: You may request your data in a structured, commonly used, and machine-readable format, and have the right to transmit it to another controller.
• Right not to be subject to automated decision-making (including profiling): You may request human intervention, contest decisions made solely by automated means, and obtain information on the logic involved.

When our processing is based on your consent, you have the right to withdraw it at any time. This withdrawal will not affect the lawfulness of processing that occurred before you withdrew your consent.

To exercise your rights, please contact our DPO at dpo@sixtus-compliance.dk. We respond to requests within one month, extendable to three months for complex requests

9. Data breach management

We maintain coordinated incident response procedures. Breaches are assessed for risk and, where required, reported to supervisory authorities within 72 hours and to affected individuals without undue delay.

10. Policy approval and updates

This policy was approved by Formalize’s senior management the 1st of December 2025 and may be updated to reflect legal changes or operational improvements. If we intend to process your personal data for a purpose other than that for which it was collected, we will provide you with information about that new purpose and any other relevant information before carrying out such processing, as required by Article 13(3) GDPR.

Updates are communicated through our website and appropriate channels.

11. Complaints

You can lodge complaints with a supervisory authority in your country of residence, place of work, or where you believe an infringement occurred.

12. Our Commitment to Security

We maintain ISAE 3000 certification for assurance engagements related to data privacy and control environments, providing independent verification of our protection measures. Additionally, we are ISO 27001 certified, a global standard for information security management.

To uphold these commitments, we have implemented robust protection measures, including data encryption in transit and at rest, strict access controls based on the principle of least privilege, and periodic security audits. We are committed to a proactive approach to risk management and continuous improvement in data protection.