Privacy Policy

We operate as a controller for visitor analytics preferences, mailing-list style correspondence, and consulting contracts where you engage us directly. When we host worksheets on behalf of a corporate client under strict written instructions, we may act as a processor for that limited dataset only; the client privacy notice then supplements this document.

Trading name

Elbowsnatureel

Postal address

Hovedvejen 101, 2600 Glostrup, Denmark

Telephone

+45 43 96 00 20

Email

online@elbowsnatureel.world

Mark messages with “Privacy” in the subject when you exercise GDPR rights so they are not delayed behind general publishing traffic.

Depending on how you interact with us, we may process:

• Identity and contact fields submitted through forms or invoices.
• Message bodies, attachments, and internal tags staff add for routing.
• Payment references, partial card metadata from payment providers, and settlement reports.
• Technical identifiers such as truncated IP addresses, user-agent strings, and consent tokens.
• Calendar metadata you share while preparing consulting sessions.

The public website targets adults making planning decisions for themselves or teams. We do not knowingly collect data from children below the age where parental consent is mandated in Denmark for information society services. If you believe a minor submitted data without authority, contact us and we will delete it when verification completes.

Vetted vendors may process personal data on documented terms: hosting, transactional email, customer relationship tools, webinar platforms, analytics when you opt in, and payment gateways. Staff access follows least-privilege rules; contractors sign confidentiality clauses and use company-approved devices.

Primary storage targets the European Economic Area. When a supplier processes data in the United Kingdom, United States, or elsewhere, we rely on Article 46 mechanisms such as the European Commission’s Standard Contractual Clauses, supplemented where required by transfer impact assessments.

Marketing consent logs

Until withdrawal plus six months for audit evidence.

Contact archives

Twenty-four months after last substantive reply unless litigation holds apply.

Accounting records

Five Danish financial years from closure, unless longer retention is mandatory.

Server security logs

Typically ninety days rolling, unless incident review extends a slice.

We combine TLS on public endpoints, segmented networks for production data, encrypted offline backups, multi-factor authentication on privileged accounts, and vendor due diligence reviews at least annually. These measures reduce risk but cannot eliminate every threat scenario.

You may request access, rectification, erasure, processing restriction, objection to certain legitimate-interest processing, and portability for structured data you supplied. Withdraw consent at any time for processing that relies upon it. You may lodge a complaint with Datatilsynet without giving up other remedies.

We do not make decisions that produce legal or similarly significant effects using solely automated means. Lightweight audience bucketing for optional email may occur, but humans approve content sends.

When a breach likely risks your rights, we notify the supervisory authority within statutory windows and communicate with affected individuals when required, describing nature, consequences, and measures taken.

Material updates receive a new review stamp at the top of this page and, where practical, a short notice in the site footer or email to active clients. Continued use after the effective date means you acknowledge the revised notice, subject to mandatory consumer protections.

Use the contact details in section 02 for rights requests. We may ask proportionate proof of identity before disclosing records. If you disagree with our response, escalation paths include Datatilsynet Mediemøllen 29, 8000 Aarhus C, Denmark.