This privacy policy explains how neexo ApS (CVR no.: 46273125) ("we", "us" or "our") collects, processes, stores and protects your personal data in accordance with applicable data protection legislation, including the EU General Data Protection Regulation (GDPR) 2016/679.
1. Data Controller
neexo ApS is the data controller for the processing of your personal data. If you have questions, wish to exercise your rights or have other inquiries regarding this policy, you can contact us at:
Contact details
- neexo ApS
- CVR no.: 46273125
- Address: Lykkegårdsvej 35, 5210 Odense NV, Denmark
- Email: hello@neexo.dk
- Phone: +45 3165 5460
Data Protection Officer (DPO)
We have not appointed a Data Protection Officer (DPO) as we are not required to do so under GDPR Article 37.
2. Personal Data We Collect
We only collect and process personal data that is necessary to deliver our services and comply with legal requirements. This includes:
Employees and job applicants
- Name, national ID number, date of birth, citizenship
- Address, phone number, email address
- Bank details (account number for salary payments), tax information
- CV and application (for job applicants), educational background and qualifications, employment contract and terms, working hours registration
Customers and business partners (B2B)
- Contact person name, email address, phone number, company name, CVR number, billing address
- Invoice details, transaction history, payment information
- Email correspondence, meeting notes, support inquiries
3. Purpose and Legal Basis for Processing
We process your personal data for the following purposes with the stated legal basis:
Processing purposes
- Employment administration: Contract performance (Article 6(1)(b))
- Legal compliance: Legal obligation (Article 6(1)(c))
- Recruitment: Contract performance (Article 6(1)(b)) and legitimate interest (Article 6(1)(f))
- Delivery of consulting services: Contract performance (Article 6(1)(b))
- Customer service and support: Contract performance (Article 6(1)(b)) or legitimate interest (Article 6(1)(f))
- Accounting and invoicing: Legal obligation (Article 6(1)(c)) and contract performance (Article 6(1)(b))
- Security and IT operations: Legitimate interest (Article 6(1)(f))
Consequences and automated decisions
If you do not provide the necessary personal data (e.g. name, contact details, national ID for employees, bank details for salary payments), we cannot enter into or fulfil employment relationships, deliver our services or comply with our legal obligations. We do not make automated individual decisions or profile our users.
4. Sharing of Personal Data
We only share your personal data when necessary and in accordance with applicable legislation:
With service providers (data processors)
- IT hosting and cloud services: For secure storage of business data and documents
- Email and communication services: For email communication and collaboration tools
- Accounting and payroll systems: For bookkeeping, invoicing and salary payments
- IT support and maintenance: For operation and maintenance of our IT systems
Other recipients
All our data processors are subject to data processing agreements that ensure appropriate protection of your personal data in accordance with GDPR Article 28. When required by law, we may share your data with relevant authorities (e.g. tax authorities, data protection agencies, police or other relevant supervisory authorities). In case of a merger, acquisition or sale of the company, your personal data may be transferred to the new owner. We do not sell your personal data to third parties for marketing purposes.
5. Retention Periods
We only retain your personal data for as long as necessary to fulfil the purposes described in this policy, or to comply with legal obligations:
Retention periods by data type
- Employee data (national ID, address, bank details): Duration of employment + 5 years (Bookkeeping Act and tax legislation)
- Job applications (rejected applicants): 6 months after conclusion of the recruitment process
- Customer data and contract data: Duration of the customer relationship + 5 years (Bookkeeping Act)
- Invoices and transaction data: Minimum 5 years from the end of the financial year (Bookkeeping Act)
- Email correspondence and support inquiries: Duration of the customer relationship + 12 months
- System logs and security logs: 12 months
Deletion
After the retention period, data is securely deleted or anonymised in accordance with our data deletion guidelines.
6. Data Transfers to Third Countries
We primarily store and process data within the EU/EEA. In certain cases, data may be transferred to third countries outside the EU/EEA in connection with the use of IT service providers.
Safeguards for transfers
- Standard Contractual Clauses (SCC) approved by the European Commission
- Adequacy decisions by the European Commission for the relevant country (e.g. United Kingdom, Switzerland)
- Other appropriate safeguards in accordance with GDPR Chapter V
7. Your Rights Under GDPR
As a data subject, you have the following rights:
Your rights
- Right of access (Article 15): Obtain confirmation of whether we process your personal data and receive a copy
- Right to rectification (Article 16): Have inaccurate personal data corrected and incomplete data completed
- Right to erasure (Article 17): Request deletion of your personal data, unless we are legally obliged to retain it
- Right to restriction of processing (Article 18): Request restriction of processing under certain circumstances
- Right to data portability (Article 20): Receive your data in a structured, machine-readable format
- Right to object (Article 21): Object to processing based on legitimate interests
- Right to withdraw consent (Article 7): Withdraw consent at any time
- Right not to be subject to automated decision-making (Article 22)
Exercising your rights and complaints
Contact us at hello@neexo.dk or send a letter to our address. We will respond to your request within 30 days (which may be extended to 90 days for complex or numerous requests). We may request additional information to verify your identity before processing your request. You have the right to lodge a complaint with the Danish Data Protection Agency (Datatilsynet, Carl Jacobsens Vej 35, 2500 Valby, Phone: 33 19 32 00, Email: dt@datatilsynet.dk, Website: www.datatilsynet.dk).
8. Data Security
We implement appropriate technical and organizational measures to protect your personal data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure or access.
Technical measures
- Encryption of data in transit (TLS/SSL) and at rest
- Firewall and antivirus protection
- Regular security updates of systems and software
- Logging and monitoring of security events
- Secure password policy and multi-factor authentication where relevant
- Backup solutions to protect against data loss
Organizational measures
- Access control: Only authorized personnel have access to personal data
- Confidentiality agreements with employees
- Regular staff training in data security and GDPR
- Clear procedures for handling data breaches
- Regular risk assessments in accordance with GDPR Article 32
- Data processing agreements with all external suppliers
- Clear desk and clear screen policies for employees
Data breaches
No system is completely secure, and we encourage users to take precautions when handling sensitive information (e.g. using strong passwords, careful handling of login credentials, and reporting suspicious activities). If we discover a data breach that is likely to result in a high risk to your rights and freedoms, we will notify you without undue delay in accordance with GDPR Article 34.