Categories of data subjects |
Categories of personal data |
Purposes of processing |
Legal basis for collection and processing of personal data |
Customers / customer contact persons / end users of Keepit services |
Non-sensitive categories of personal data:
Special categories of personal data:
|
|
The processing is necessary for the performance of the contract or in order to take steps at the request of the customer prior to entering into a contract cf. Article 6(1)(b) of the GDPR, as well as our legitimate interests in communicating with the customers/contact persons and processing, negotiating, and handling orders, agreements, etc. cf. Article 6(1)(f) of the GDPR.
Additionally we also process personal data to comply with the legal obligations, cf. Article 6(1)(c) of the GDPR, in relation to our compliance with legislation concerning e.g., bookkeeping.
The processing of the system activity logs is based on contractual necessity to deliver Keepit services to our customers cf. Article 6(1)(b) of the GDPR, as well as our legitimate interest for maintaining confidentiality, integrity and availability of Keepit’s services cf. Article 6(1)(f) of the GDPR. |
Business partners / suppliers / contact persons at business partners / suppliers |
Non-sensitive categories of personal data:
Special categories of personal data:
|
|
The processing is necessary for the performance of the contract or in order to take steps at the request of the business partner/supplier prior to entering into a contract cf. Article 6(1)(b) of the GDPR, as well as our legitimate interests in communicating with our business partners/suppliers, and processing, negotiating and handling agreements, collaborations, etc. cf. Article 6(1)(f) of the GDPR.
Additionally we also process personal data to comply with the legal obligations, cf. Article 6(1)(c) of the GDPR, in relation to our compliance with legislation concerning e.g., bookkeeping. |
Potential customers / contact persons at potential customers/ any other Individuals who have agreed to or expressed interest in receiving sales or marketing materials |
Non-sensitive categories of personal data:
Special categories of personal data:
|
|
The processing of personal data is based on your explicit consent, cf. Article 6(1)(a) of the GDPR.
Our processing of the personal data provided by third parties may be also based on our legitimate interest in marketing and selling our services and communicating with interested potential customers, cf. Article 6(1)(f) of the GDPR. |
Website visitors |
Non-sensitive categories of personal data:
Special categories of personal data:
|
|
The processing of personal data for e.g., the purpose of basic functional features is primarily based on our legitimate interests in ensuring the performance, functionality and security of our website, cf. Article 6(1)(f) of the GDPR.
Where the processing of your personal data for marketing purposes requires consent (e.g., if we disclose your personal data to third parties for the purpose of direct marketing), the processing of your personal data will be based on your explicit consent, cf. Article 6(1)(a) of the GDPR.
A prior cookie consent will always be obtained. |
Event attendees (including invitees to events) / contest participants* |
Non-sensitive categories of personal data:
Special categories of personal data:
|
|
The processing of the personal data provided by you (or third parties in case of a third party sponsored events) is based on your explicit consent provided upon event registration/participation or upon enrolling to the contest, cf. Article 6(1)(a) of the GDPR.
We can also process your personal data on the basis of legitimate interest for brand promotion, customer education and engagement activities, cf. Article 6(1)(f) of the GDPR. |
Office visitors / users of Keepit’s IT systems or forums |
Non-sensitive categories of personal data:
Special categories of personal data:
|
|
The processing of personal data provided by you is based on our legitimate interest for ensuring security of our IT systems and forums as well as physical security of our premises, cf. Article 6(1)(f) of the GDPR. |
Privacy Policy
Last updated August 2025
For persons in contact with Keepit A/S, and all of its affiliates, either as customers, potential customers, suppliers, business partners, contact persons, website visitors, event attendees, and office visitors.
Introduction
This Privacy Policy is issued on behalf of Keepit A/S and all its affiliates where Keepit A/S is the data controller (the one responsible and in charge of the personal data) and its affiliates act as data processors. For the purposes of this Privacy Policy by “us”, “we”, and “Keepit”, we refer to Keepit A/S.
In connection with our administration, operation, and provision of services, we collect and process personal data of customers, potential customers, suppliers, business partners, contact persons, website visitors, event attendees, and office visitors.
Job applicants
If you are applying for a position at Keepit, please refer to our separate privacy policy for job applicants that contains detailed information about how we process your personal data collected during the recruitment process.
Our different roles
This Privacy Policy explains how we in our capacity of data controller collect, use and protect your personal data in accordance with applicable law – in particular the General Data Protection Regulation (“GDPR”) - and outlines your privacy rights and the measures we take to safeguard them.
Information on how we process personal data as data processor while providing our services is described in the respective data processing agreements with our customers. Our most recent data processing agreement can be found at Data Processing Agreement. In such cases, we act as a data processor and process data on behalf of and in accordance with instructions given by our customers. This customer will – in their capacity of data controller for your personal data - make sure to inform you about the processing of your personal data. For more information regarding how we process personal data as a data processor, please contact us using the contact information in section 11 of this Privacy Policy.
Local processing
In principle, Keepit A/S acts as the data controller for personal data processed in connection with our administration, operation, and provision of services. However, where suppliers are engaged locally, Keepit A/S may contract through its affiliates. In such circumstances, for specific processing activities including contract formation, payment processing, and related administrative functions, the relevant local Keepit entity shall act as the sole data controller for the personal data processed based on contractual necessity, cf. Article 6(1)(b) of the GDPR. In the situation outlined above where a Keepit A/S affiliate acts as the formal controller for a specific activity, your personal data will continue to be processed in accordance with the principles, safeguards, and data subject rights set forth in this Privacy Policy.
1. Personal data
In this Privacy Policy, “personal data” means information that identifies you as an individual. In our role as data controller we collect and process the following categories of personal data:
* NOTE: Event attendees and contest participants may at the same time be also treated as potential customers and subject to the collection and processing of personal data as described therein.
Your right to withdraw your consent
If you have provided us with your consent to a specific processing activity, you have the right to withdraw such consent at any given time and without any consequences for you. If you withdraw your consent, Keepit will cease to process your personal data unless we are entitled or obliged to continue processing or storing your personal data, including obligation by law. However, the withdrawal of your consent will not affect the lawfulness of any processing based on your consent that has taken place before the withdrawal. If you wish to withdraw your consent, please contact us using the contact information in section 11 of this Privacy Policy.
AI Assistants
We may use AI assistants – e.g., meeting transcription or summarisation tools – to capture audio, generate transcripts and action notes during video or voice meetings and also to assist with drafting and reviewing documents. These tools act as our data processors cf. Article 28 of the GDPR, and are contractually required to apply appropriate technical and organisational measures to protect it. The lawful basis for this kind of processing is our legitimate interest in efficient collaboration and accurate record-keeping, cf. Article 6(1)(f) of the GDPR. No automated decisions are taken with the use of these tools that would produce any legal or similarly significant effects on you.
Personal data relating to children
We do not knowingly collect or solicit information from anyone under the age of 15. If you are under 15 years old, please do not attempt to send any personal data about yourself to us. If we learn that we have collected personal data from a child under 15 years old, we will delete that information to the extent required by applicable laws. If you believe that a child under 15 years old may have provided us with their personal data, please contact us at dpo@keepit.com.
Special categories of personal data
We do not intentionally collect any special categories of personal data about you. This includes details about your race or ethnicity, religious or philosophical beliefs, sex life, sexual orientation, political opinions, trade union membership, information about your health, or genetic information, biometric data for identification purposes, or information about criminal convictions and offences.
2. Sources
We collect personal data from three main sources (i) information you choose to give us, (ii) data we record automatically when you visit our websites or use our services, and (iii) from third parties. The table below shows typical examples of each source and the kinds of personal data involved.
* NOTE: In some cases your personal data such as contact information, account credentials, etc. may be collected from your employer who is our customer, potential customer, service provider, supplier or business partner.
3. Data provided on a voluntary basis
Providing personal data is generally voluntary and you may refuse to do so at any time. However, if certain information is legally, contractually, or operationally indispensable for the purposes set out in this Privacy Policy, we will be unable to perform those purposes, such as supplying a service, entering into or executing a contract, or meeting statutory obligations, unless the personal data are supplied. Withholding information that is not indispensable carries no further consequences.
4. Data sharing
Data processors
We may disclose non-sensitive personal data to third parties that may assist us in performing the purposes as described above. When disclosing your personal data to third parties we maintain procedures and safeguards to make sure every third party that handles personal data on our behalf does so in full alignment with this Privacy Policy.
Keepit affiliates
In connection with our administration, operation, and provision of services we may share your personal data with our affiliates listed below:
1. Keepit France SAS, 30 Rue Godot de Mauroy, 75009 Paris, FR67980733521
2. Keepit Poland Sp. z.o.o., 72 Dluga Street, 31-146 Krakow, Poland, KRS: 0000952992
3. Keepit Germany GmbH Maximiliansplatz 22, D-80333 München, Amtsgericht München, HRB 270094,Geschäftsführer: Morten Felsvang
4. Keepit USA Inc., 3232 McKinney Avenue Suite 820, Dallas TX 75204, USA, TIN: 85-358 6335
5. Keepit Technologies UK LTD, 1 St. Katharine's Way, London, E1W 1UN, Company reg. no.: 13785045
6. Keepit Netherlands B.V. Herikerbergweg 88, 1101 CM Amsterdam, Netherlands, KVK: 97908606
Service providers/suppliers/consultants
We may engage with third party service providers, suppliers or consultants to support us with our business activities and in connection with that we may disclose personal data to them. They act as our data processors under the GDPR, and they are handling the information on our behalf based on our instructions. We share only the personal data they need for the agreed tasks and we make sure to bind them to data privacy terms that are in line with this Privacy Policy. Each service provider is assessed before onboarding, to make sure it meets our standards for information security and data protection.
Data controllers
Business partners
We may transfer your personal data, limited to business-contact details (such as your name, work email, job role, and service interests), to our resellers based on our legitimate interest in developing business relationships and facilitating service delivery, or where necessary for the performance of a contract to which you are a party, cf. Article 6(1)(f) of the GDPR and Article 6(1)(b) of the GDPR. These resellers act as independent data controllers, meaning that they determine their own purposes and means of processing and will provide you with their own privacy notice. We work only with business partners that commit to upholding high data protection standards and ensure that any transfers are conducted in accordance with applicable data protection requirements.
Legal authorities (if required)
We may transfer your personal data when we reasonably believe it is required by law, regulation, court order, or a government request, or when necessary to safeguard the security and integrity of our services or protect our own rights. If the law allows, we will notify you before any such disclosure. Legal authorities that might receive your personal data include (i) law enforcement agencies - police, criminal investigation departments, and other law enforcement bodies for prevention, investigation, or prosecution of criminal offences; (ii) regulatory authorities - data protection authorities, financial regulators, and other sector-specific regulatory bodies exercising supervisory powers; (iii) tax and customs authorities - revenue services and customs agencies for fiscal compliance and investigations; (iv) judicial authorities - courts, tribunals, prosecutors, and other judicial bodies in connection with legal proceedings; (v) government authorities - national security services, administrative bodies, and public authorities exercising statutory functions; (vi) International authorities - foreign law enforcement, regulatory, or judicial authorities under mutual legal assistance treaties or international cooperation agreements.
5. International data transfers
Some of our business partners, service providers and suppliers are located in countries outside the EU/EEA. Transfer of personal data to a country outside the EU/EEA (a third country) that is considered to provide an adequate level of protection does not require a specific authorization. Personal data can without further measures be transferred to such third countries.
Transfers to third countries that do not benefit from an adequacy decision may be conducted where appropriate safeguards are implemented to ensure adequate protection of data subjects' rights and freedoms. In such cases, we only transfer personal data in compliance with GDPR chapter V and the European Data Protection Board’s (EDPB) recommendations on supplementary measures. When we transfer personal data to a third country which is not deemed to have an adequate level of security, we enter into the EU standard contractual clauses and, if deemed necessary, apply supplementary measures in accordance with the EDPB’s recommendations.
You may request more information regarding our use of data processors and/or our documentation on our legal basis and legal grounds for any transfers to countries located outside the EU/EEA. To make such request, please contact us using the contact information in section 11 of this Privacy Policy.
6. Storage period
We store personal data for as long as it is necessary to fulfil the purposes set out in this Privacy Policy and to be able to document our right to process the personal data as well as our compliance with data protection legislation and any other relevant laws. After the personal data is no longer needed for these purposes it may be further retained for a limited time due to our purposely determined back-up and deletion routines.
The retention period for different categories of personal data is always specifically assessed and laid down based on how long there is an objective and reasonable purpose to store the personal data in question. Your personal data may, therefore, be subject to different retention policies based on the category of personal data and the purposes for which the personal data was collected:
- When our services agreement is terminated/expires/when our partnership agreement is terminated. Personal data will be retained until all contractual obligations have been fulfilled, outstanding invoices and financial obligations resolved, any ongoing collaborative activities completed, warranty and confidentiality periods expired as specified in the relevant agreement, and applicable statutory limitation periods for contractual claims have elapsed, with deletion occurring thereafter subject to any overriding legal retention requirements or regulatory compliance obligations.
- After you visit our website. For collected cookies and similar tracking technologies, specific retention periods are detailed in our Cookie Policy, which governs the duration for which different types of cookies are stored on your device. Personal data collected through website forms or other interactions will be retained until the purpose for collection has been satisfied, unless consent has been provided for marketing purposes which extends the retention period accordingly.
- After you attend the event. Attendee information will be retained until completion of post-event follow-up activities, processing of any feedback or surveys, resolution of event-related administrative matters, and expiry of periods during which related legal claims might arise (if applicable). If before or during the event you provided your consent for marketing purposes it will extend the retention period accordingly.
- When you no longer require access to IT systems/forums. User profiles will be switched to inactive, archived, disabled or otherwise marked as dormant when there is no longer a business need for the profile to remain active, such as when you are no longer a customer, partner, or authorised user. Personal data associated with inactive profiles will be retained in archived form and, where applicable, will be subject to automated deletion periods.
- After you visit our office. Visitor records will be deleted once security and administrative purposes have been satisfied.
Active Deletion on Request
You may exercise your right to be forgotten (see Section 7 below) by requesting earlier deletion, which will be assessed considering ongoing legal obligations and technical feasibility, with deletion occurring promptly where legally permissible and practically possible.
7. Your rights
You have the right to access the personal data we process about you, subject to certain statutory exceptions. You also have the right to object to the processing of your personal data (more information can be found in the table below) and request that its processing is restricted. In addition, you have the right to request rectification, including completion if necessary or that your personal data is deleted subject to certain exceptions (right to be forgotten).
In certain situations, you may also request that we provide you with a copy of your personal data in a structured, commonly used, and machine-readable format and request us to transmit such personal data which you have provided us with to another data controller.
Any consent that you may have provided us with may be withdrawn at any time. The withdrawal of your consent will affect the future processing of your personal data but will not affect the lawfulness of processing based on consent before its withdrawal. If you wish to withdraw a consent, you may contact us as stated below.
The right to object
You have the right to object – on grounds relating to your particular situation – to processing of personal data where the legal basis for our processing is legitimate interests, as stated above. If you exercise your right to object, we may no longer process your personal data unless we demonstrate compelling legitimate grounds for the processing which override your interests, rights and freedoms, or the processing is necessary for the establishment, exercise or defense of legal claims.
You also have the right at any time to object to the processing of your personal data for marketing purposes, which includes the right to object to profiling in so far as it relates to direct marketing. If you object to our processing for the purpose of direct marketing, your personal data may no longer be processed for this purpose.
You also have a right to submit a complaint to the competent supervisory authority, for Denmark the Danish Data Protection Agency. You will find the contact information of the Danish Data Protection Agency on www.datatilsynet.dk. You can also read more about your rights on www.datatilsynet.dk.
8. Data security
Keepit applies appropriate physical, technical and organisational safeguards – selected in line with the sensitivity of the personal data we hold – and reviews them regularly to keep them effective, cf. Article 32 of GDPR. These measures protect personal data against loss, theft and unauthorised access, disclosure, alteration or destruction. Every third-party service provider that processes personal data for us is contractually obliged to maintain security measures suitable for the data it handles. If a personal-data breach that requires notification occurs, we will inform you without undue delay by e-mail, letter, phone or another permitted channel, unless we are legally prevented from doing so, cf. Article 34 of the GDPR.
9. Cookies
For details on how we deploy cookies and similar tracking technologies on our websites, please see our standalone Cookie Policy. That policy describes the cookie types, purposes, storage periods and your options for granting or withdrawing consent for the use of cookies.
10. Whistleblowing policy
For details on how we handle personal data reported through our whistleblower channel please refer to our separate Whistleblowing Policy, available under the following link: Keepit's Whistleblowing Policy. For Poland-specific information please refer to Keepit's Poland Whistleblowing Policy.
11. Contact
Please contact our data protection officer if you have any questions about the processing of your personal data or how to exercise your rights. Please include your name and country to which your inquiry relates.
Contact details:
Att: DPO
Keepit A/S
Per Henrik Lings Allé 4, 7. Sal
2100 Copenhagen
Denmark
CVR No.: 30806883
Email address: DPO@keepit.com
Tel.: (+45) 88704070
12. Changes to the Privacy Policy
Any substantial updates or modifications to this Privacy Policy will be communicated to data subjects through appropriate channels. Such communications may include posting updated information on our website or other suitable means of notification that ensure data subjects are adequately informed of material changes to how their personal data is processed. Minor administrative or technical updates that do not affect the substance of data processing activities may be implemented without direct notification. Data subjects are encouraged to review this Privacy Policy periodically to stay informed of any updates.