Privacy Policy for Formalize ApS

Intro

100% transparency is important to us. It is important to us that you feel comfortable and informed with our data processing, that we safeguard your privacy and you know your rights. At Formalize we comply with the GDPR rules and guidelines as set forth by the European Commission. We are transparent and will inform you what data we process about you in what situations and why. If you have any questions then please reach out to us.

Data processor

Formalize ApS Kannikegade 4 8000 Aarhus Denmark

GDPR - gdpr@formalize.com DPO - dpo@sixtus-compliance.dk Support - contact@formalize.com Phone - +45 71 99 63 83

What is GDPR and how do we document compliance

GDPR (The General Data Protection Regulation2016/679) is the European legislation that is the framework for how companies should operate and protect customers, employees and other physical persons data. Formalize documents its compliance by submitting itself to yearly inspections and revisions in the form of an ISAE 3000 audit and maintaining an ISO 27001 certification. This policy undergoes regular reviews and is an integrated part of our compliance framework and describes how Formalize as a datacontroller treats your data for various purposes and situations.

I am registered in your system

In case you are registered in our system either as a user, a reported person, or a whistleblower then Formalize is not the datacontroller but the dataprocessor. In that case, you need to reach out to the datacontroller who typically is the company that uses the system. The datacontroller can then reach out to Formalize should they have need of assistance. Formalize does not have access to your information as the data is encrypted with an external key that the datacontroller holds. The datacontroller is the owner of the legal basis, but most often it will based on Article 6.1 litra f - Legitimate interest. Formalize cannot know what information and specific datacategories that are stored as it will be dependent on the information you and/or the datacontroller submit. Data categories can be all of non-sensitive, sensitive, information on criminal offenses and confidential information. Data is deleted at the discretion of the datacontroller.

Purpose - As a visitor to our website

Prior to becoming a customer at Formalize and visiting our website, we may collect information about your company and you from various public sources and partners. The purpose of this is to keep track of statistical information, potential customers, and issue tracking.

Legal basis

• Article 6.1 litra f - Legitimate interest

Legal basis

• IP address
• Geolocation

Data source

Your browser and internet provider. For our cookie policy please visit: https://formalize.com/en/cookie-policy

Purpose - As a receiver of our newsletter

When you sign up for our newsletter we will register and process your contact information. You have the option in every e-mail to opt out of our newsletter. Should you choose to opt out we keep a record of your data so we can ensure you receive no further mails from us. The purpose is to keep you and your company up to date on news and products updates related to Formalize.

Legal basis

• Article 6.1 litra b - Fulfillment
• Article 6.1 litra f - Legitimate interest

Legal basis

Formalize will process non-sensitive personal information such as

• Name
• Contact information such as title, e-mail, and phone number

Data source

You as a data subject

Purpose - As a potential customer

Prior to becoming a customer at Formalize there will typically be communication via mail, chat, or phone. The information we gather will besides your contact details be any information you choose to submit to us. The purpose is to ensure you and your company receive the correct product, information, and guidance in using the product.

Legal basis

• Article 6.1 litra b - Fulfillment
• Article 6.1 litra f - Legitimate interest

Legal basis

Formalize will process non-sensitive personal information such as

• Name
• Contact information such as title, address, e-mail, and phone number

Data source

First and foremost we receive the data from you when you engage with us in relation to you and your company potentially becoming a customer. We will also in some cases collect your personal information from publically available data sources, partners, suppliers, newsletter signups, and social media.

Purpose - As a Customer

When becoming a customer at Formalize we will keep your data up to date and engage in conversations via mail, chat, or phone The purpose is to ensure you and your company are kept up to date, receive correct invoicing, and receive support and guidance in the use of the product.

Legal basis

• Article 6.1 litra b - Fulfillment
• Article 6.1 litra f - Legitimate interest
• The accounting and incasso law

Legal basis

Formalize will process non-sensitive personal information such as

• Name
• Contact information such as title, address, e-mail and phone number

Data source

First and foremost we receive the data from you when you engage with us in relation to you and your company being a customer. We will also in some cases collect and maintain your personal information from publically available data sources, partners, suppliers, newsletter signups, and social media.

Recipients of personal information

Internally:

We only pass on your information to employees who have a work relation purpose for seeing your data. This is based on the least access principle. In case of legal dispute we will pass on your data to our lawyers and to public authorities.

Third countries outside the EU:

We will only transfer your data outside countries of the EU in case we have a legitimate, legal and proportional purpose or doing so and only if we can assure the essential same safeguards as you enjoy under the European GDPR legislation.

Your rights

The right of access by the data subject

In accordance with Article 15 of the GDPR and upon request, you have the right to gain insight into what personal data Formalize process about you. In very few cases the information may be restricted for the sake of other peoples privacy, trade secrets and the protection of intellectual property rights.

The right to rectification

In accordance with Article 16 of the GDPR, you have the right to have information about you rectified.

The right to erasure

In accordance with Article 17 of the GDPR you have the right to have data about you, provided that:

• The data is no longer needed for the purpose it was collected.
• There is no legal basis for the processing.
• You object to the processing and there are no legitimate reasons (purpose) for the processing that precede the objection.
• Your data has been processed illegally.
• The data must be deleted in order to fulfill a legal obligation to which Formalize is subject.

The right to restriction of processing

In accordance with Article 18 of the GDPR the datasubject has the right to have processing restricted if one of the following applies:

1. the accuracy of the personal data is contested by the data subject, for a period enabling the controller to verify the accuracy of the personal data;
2. the processing is unlawful and the data subject opposes the erasure of the personal data and requests the restriction of their use instead;
3. the controller no longer needs the personal data for the purposes of the processing, but they are required by the data subject for the establishment, exercise or defence of legal claims;
4. the data subject has objected to processing pursuant to Article 21.1 pending the verification whether the legitimate grounds of the controller override those of the data subject.

The right to data portability

In accordance with Article 20 of the GDPR when our processing of your personal data is based on consent or a contract, and our processing is carried out automatically, you have the right to data portability. Data portability meaning that you have the right to receive the personal data you have provided to us in a structured, commonly used and machine readable format.

The right to object

In accordance with Article 21 of the GDPR you have the right to object to Formalize processing your data relating to your particular situation, provided that the processing is based on Article 6.1. letter f on balancing of interests.

Complains

Should you not be satisfied with our processing of your data then please reach out to us using the information listed at the top of this document so we can try to find common ground. If you, after being in contact with us, still do not agree you have the right to complain to your local authorities or the Danish Data Authorities (Datatilsynet)

Contact The Danish Data Protection Agency

Carl Jacobsens Vej 35 2500 Valby Tlf.: +45 33 19 32 00 Safe e-mail: dt@datatilsynet.dk Webpage: www.datatilsynet.dk

Complain form in English: https://www.datatilsynet.dk/english/file-a-complaint Complaint formular in danish: https://www.datatilsynet.dk/media/7766/klage-til-datatilsynet.pdf

Policy review

This policy has latest been reviewed: 02-10-2023 This policy has been approved: 02-10-2023 Current version: 2 Change log:

• Version 2 - Complete rework of the privacy policy
• Version 1 - Original version