| Category of Data Subject | Personal data collected | Purposes of processing | Legal basis | Retention period |
|---|---|---|---|---|
| Website users and potential customers | Essential technical data (IP address for security, session management) | Website operation, security, fraud prevention | Legitimate interest (Art. 6.1.f) | Max. 14 months |
| Website users and potential customers | Analytics and non-essential tracking: Analytics cookies, marketing cookies, preference cookies | Performance analysis, personalization, marketing optimization | Consent (Art. 6.1.a). | Browsing data: max. 14 months. Forms: 12 months |
| Marketing contacts | Identification and contact data, professional information, preferences, and interaction history | Sending commercial communications, event invitations, webinars, and promotions | Explicit consent (Art. 6.1.a) | Until consent is withdrawn. Max. 24 or 36 months without commercial interaction |
When we process data based on legitimate interest, our legitimate interests include: - Platform Operations: Ensuring website security and fraud prevention. - Webinar Follow-up: If you have registered for and attended one of our webinars, we have a legitimate interest in contacting you to provide additional materials related to the session, gather feedback, and discuss how our services may meet the professional needs identified during the event. This is based on the reasonable expectation that an attendee has an interest in the topic discussed. - Content Engagement:** If you request access to "Gated Content" (such as whitepapers, templates, or reports), we have a legitimate interest in contacting you to ensure you received the material and to provide further insights or product information directly related to the subject of that content. - Inquiry Follow-up: When you contact us via our Website Chat, we have a legitimate interest in using your provided contact details to resolve your query and to follow up on your interest in our services (e.g., SDR outreach or trial-related emails). We consider that providing a helpful response and exploring a potential business relationship is a reasonable expectation of someone initiating a chat. - Trial Management: Communications related specifically to your Trial/Demo (such as setup guidance, usage tips, and follow-up regarding your experience) are processed under our legitimate interest to ensure you get the most out of the trial and to determine if a commercial relationship can be established.
Legal Basis for Marketing Communications
Consent-based marketing (Art. 6.1.a):
When you are not an existing customer or when you subscribe to our marketing communications (newsletters, promotional emails, event invitations), we rely on your explicit consent. This consent is:
All marketing communications, regardless of legal basis, include clear and easy unsubscribe mechanisms as detailed in section 4.
After the retention periods indicated, we will either:
We use cookies for functionality, performance, and analytics. For more details, please see our separate Cookie Policy.
All marketing communications include clear and easily accessible opt-out mechanisms. Data subjects can withdraw consent or object to marketing processing at any time through:
We process your data based on these fundamental principles:
We may share your data with the following categories of recipients:
All external processors are subject to data processing agreements that ensure GDPR-compliant handling of personal data. We maintain a list of all authorized sub-processors, available upon request at: gdpr@formalize.com
We do not sell your personal data to third parties.
Formalize may transfer personal data between Group entities within the European Economic Area (Denmark, Spain, Italy) under appropriate intra-group agreements.
For transfers outside the EEA, we ensure your data remains protected. These transfers are exceptional and are subject to the safeguards required by the GDPR, such as Standard Contractual Clauses (SCCs) or an adequacy decision from the European Commission.
You have the following rights regarding your personal data under the General Data Protection Regulation (GDPR), which you may exercise at any time using this link:
When our processing is based on your consent, you have the right to withdraw it at any time. This withdrawal will not affect the lawfulness of processing that occurred before you withdrew your consent.
Please note that we respond to data rights requests within one month, extendable to three months for complex requests. dpo@sixtus-compliance.dk. We respond to requests within one month, extendable to three months for complex requests
We maintain coordinated incident response procedures. Breaches are assessed for risk and, where required, reported to supervisory authorities within 72 hours and to affected individuals without undue delay.
This policy was approved by Formalize’s senior management the 1st of December 2025 and may be updated to reflect legal changes or operational improvements. If we intend to process your personal data for a purpose other than that for which it was collected, we will provide you with information about that new purpose and any other relevant information before carrying out such processing, as required by Article 13(3) GDPR.
Updates are communicated through our website and appropriate channels.
You can lodge complaints with a supervisory authority in your country of residence, place of work, or where you believe an infringement occurred.
We maintain ISAE 3000 certification for assurance engagements related to data privacy and control environments, providing independent verification of our protection measures. Additionally, we are ISO 27001 certified, a global standard for information security management.
To uphold these commitments, we have implemented robust protection measures, including data encryption in transit and at rest, strict access controls based on the principle of least privilege, and periodic security audits. We are committed to a proactive approach to risk management and continuous improvement in data protection.