Privacy Policy

1. Privacy Policy for Raptor Control Panel at Raptor Services A/S
At Raptor Services A/S (“Raptor”, “we”, “us”, “our”), we are committed to protecting the personal data of our clients, suppliers, website visitors, applicants, and other individuals. This Privacy Policy outlines how we collect, use, store, and disclose personal data in accordance with the General Data Protection Regulation (GDPR) and the ePrivacy Directive. We process personal data lawfully, fairly, and transparently, with respect for individual privacy and in line with applicable data protection regulations. This Privacy Policy pertains only to the Raptor Control Panel and actions taken and events initiated in the Control Panel, ie. the online interface for the Raptor services for users of Raptor customers. It is to ensure compliance with the information obligations in GDPR and is directed to users of the Control Panel. For general information on how Raptor processes data, please see the Raptor. Privacy Policy available on Raptor’s general website.

2. Data Controller
Raptor Services A/S is the data controller responsible for processing your personal data. We ensure that all processing is compliant with applicable data protection laws.

Contact Information:
Raptor Services A / S
VAT-ID: 35 05 59 75
Åboulevarden 37, 4th floor
8000 Aarhus C

Compliance Officer:
Kirsten Düsterdich
E-mail: kmd@raptor.dk
Phone: +45 2040 8020

3. Purpose and Legal Bases of processing
We process personal data for the following purposes:

Purpose of Processing	Legal Basis (GDPR Article 6)
To respond to legal inquiries or requests	Art. 6(1)(f) – Compliance with a legal obligation
To improve our service and user experience	Art. 6(1)(f) – Legitimate interest, balanced against your privacy rights
To secure IT systems and prevent misuse or fraud	Art. 6(1)(f) – Legitimate interest, balanced against your privacy rights

4. Data Retention Periods and Types of Personal Data
Personal data is retained:

For up to 13 months after a given event or action taken in the Control Panel by customers use;
For a longer period in case there is a specific and justified reason for it, where the affected data subject will be notified individually on a case-by-case basis;
For as long as a data subject keeps their user in the Control Panel.

Overview of which personal data is used for which purposes and how long:

Types of Personal Data	Purpose of Processing	Legal Basis (GDPR)	Retention Period
Name, email, company name, phone number,	- Managing customer/supplier relationships - Sending newsletters and marketing materials	Art. 6(1)(f) – Legitimate Interest	As long as a person remains an active user in the Control Panel
Username, email address, job title, company affiliation	- User creation and idenfitication - Login to Control Panel	Art. 6(1)(f) – Legitimate interest	As long as a person remains an active user in the Control Panel
IP address, browser data (via cookies)	- Service optimization - Statistical analysis	Art. 6(1)(f) – Legitimate interest	13 months (as a general rule)
Login credentials (cookies)	- Providing secure access to customer areas - Fraud prevention	Art. 6(1)(f) – Legitimate interest	Session-based (until session closes or cookie data is deleted)
Events and actions of Control Panel usage (user behavior and usage data) with time stamps	- Audit logging - Prevention and combat of misuse - Security	Art. 6(1)(f) – Legitimate Interest	13 months (as a general rule)
Technical identifiers (e.g., user IDs)	- User tracking	Art. 6(1)(f) – Legitimate interest	As long as a person remains an active user in the Control Panel

5. Cookies Data in relation to visits on the website www.raptorservices.com

When visiting Raptor’s Control Panel, cookies are used. Cookies are small text files that are stored through your browser on your device, used by websites to make a user’s experience more efficient. The data is used to optimize the website in relation to the visitors’ needs. The login to the customer area on the website requires cookies to remember your choices. Selected employees at Raptor Services A/S have access to the collected data. The data is used for and disclosed in the form of statistics, etc., without specifying individual IP addresses. The purpose of processing statistics obtained from cookies is to provide a better website. This site uses different types of cookies. Some cookies are placed by third party services that appear on the Control Panel. If you want to learn more about what cookies we use, you can check out our cookie information.

6. Data Access and Disclosure
Access to personal data is restricted to employees and subcontractors who require it to perform specific tasks, based on the principle of least privilege. All third-party processors operate under legally binding Data Processing Agreements.

Our primary hosting and data storage provider is Microsoft, with additional services from:

Sentry.io
Note that data transferred to Sentry.io is limited to IP-addresses and user-agent-ID's, which for Sentry.io does not constitute personal data, as they do not have the means likely to be used to identify the data subject.

Certain data transfers may occur to processors based in the United States, under mechanisms such as the Data Privacy Framework (DPF) and/or Standard Contractual Clauses or other lawful transfer tools compliant with Chapter V of the GDPR.
For a full list of data processors, contact our Compliance Officer.

* Note that these third-party processors offer AI services in their main services. We therefore refer to the table below in this Privacy Policy, “AI-Enabled Service Providers and Compliance Measures”.

7. Data Security
We maintain appropriate technical and organizational measures (TOMs) to protect personal data, including:

Encryption (in transit and at rest)
Role-based access controls
Regular data backups
Employee confidentiality protocols

In the event of a data breach likely to result in high risk to individuals, we will notify affected parties and supervisory authorities without undue delay, as required by GDPR Art. 33 and 34.

8. Your rights under the GDPR
You have the right to:

Access your personal data (Art. 15)
Rectify inaccurate data (Art. 16)
Erase data (aka “right to be forgotten”, Art. 17)
Restrict processing (Art. 18)
Data portability (Art. 20)
Object to processing (Art. 21)

To exercise your rights, contact our Compliance Officer (see Section 2). We will respond within one month, or within two months for complex requests. Unfounded or excessive requests may be refused or subject to a fee. Note that due to the nature of our services, some of the above-mentioned rights are either irrelevant or impossible. For those cases, we have relevant measures to ensure that your rights are respected to the greatest possible extent. This may entail deletion of your user, if your request for using your data subject rights is valid and reasonable under GDPR.

9. Complaints
You may send a complaint to the Danish Data Protection Authority (Datatilsynet):
Email: dt@datatilsynet.dk
Website: www.datatilsynet.dk
Address: Carl Jacobsens Vej 35, 2500 Valby
Phone: +45 33 19 32 00

10. Change of Privacy Policy
This Privacy Policy may be updated to reflect legal or operational changes. Significant changes will be communicated through our website or by email. The current version is always available at www.raptorservices.com/privacy-policy.

11. AI-Enabled Service Providers and Compliance Measures
This annex provides detailed information regarding the AI-powered services used by Raptor Services A/S, including their functions, data handling practices, and the safeguards in place to ensure compliance with the General Data Protection Regulation (GDPR), ePrivacy Directive, and the EU Artificial Intelligence Act (AI Act).

Overview of AI-Enabled Vendors
There are no AI-enabled vendors relevant for the processing of data on the Control Panel.

Risk Classification Under the EU AI Act
Not relevant

Data Protection and AI Governance Measures
The following controls have been implemented to ensure compliant use of AI
services:

Transparency and Accountability

AI involvement is clearly disclosed in relevant interactions (e.g., newsletters
or auto-generated content).
Human oversight is maintained over all automated outputs.
Users can request explanations about automated processing and decisions.

Data Minimization and Purpose Limitation

Only personal data necessary for the AI system’s defined purpose is processed.
AI tools are restricted contractually from training on client data for generalized model improvement.

Data Processing Agreements and Safeguards

Signed Data Processing Agreements (DPAs) with both HubSpot and Contractbook.
Data Privacy Framework is the transfer tool for transfers to third countries.
Internal DPIAs are conducted when AI use introduces higher risks to data subjects.

Security and Integrity

AI models used by processors are secured against unauthorized access and model drift.
Logging and audit trails are maintained to monitor AI decisions and system performance.