Raptor Services A/S

Privacy Policy

1. Privacy Policy at Raptor Services A/S

At Raptor Services A/S (“Raptor”, “we”, “us”, “our”), we are committed to protecting the personal data of our clients, suppliers, website visitors, applicants, and other individuals. This Privacy Policy outlines how we collect, use, store, and disclose personal data in accordance with the General Data Protection Regulation (GDPR) and the ePrivacy Directive. 

We process personal data lawfully, fairly, and transparently, with respect for individual privacy and in line with applicable data protection regulations. 

2. Data Controller

Raptor Services A/S is the data controller responsible for processing your personal data. We ensure that all processing is compliant with applicable data protection laws. 

Contact Information: 
Raptor Services A/S 
VAT-ID: 35 05 59 75 
Åboulevarden 37, 4th floor 
DK – 8000 Aarhus C. 

Compliance Officer: 
Kirsten Düsterdich  
E-mail: [email protected] 
Phone: +45 2040 8020 

3. Purpose and Legal Bases of processing 

We process personal data for the following purposes: 

Purpose of Processing 

Legal Basis (GDPR Article 6) 

To deliver requested products and services 

Art. 6(1)(b) – Performance of a contract 

To respond to inquiries or requests 

Art. 6(1)(f) – Legitimate interest, balanced against your privacy rights. 

To process and manage supplier and partner relationships 

Art. 6(1)(b) – Performance of a contract 

To improve our website, services, and user experience 

Art. 6(1)(f) – Legitimate interest, balanced against your privacy rights. 

To manage subscriptions to newsletters and marketing communications 

Art. 6(1)(a) – Consent 

To organize and promote events, including use of event images or recordings 

Art. 6(1)(a) – Consent 

To recruit candidates and evaluate applications 

Art. 6(1)(b) – Steps prior to entering a contract 

Art. 6(1)(a) – Consent (for extended retention) 

To comply with legal obligations (e.g., tax, accounting, AML regulations) 

Art. 6(1)(c) – Compliance with a legal obligation 

To secure IT systems and prevent misuse or fraud 

Art. 6(1)(f) – Legitimate interest, balanced against your privacy rights. 

4. Data Retention Periods and Types of Personal Data

Personal data is retained: 

  • As long as necessary to fulfill contractual obligations; 
  • For up to 5 years after a customer/supplier relationship ends, in compliance with bookkeeping and anti-money laundering legislation; 
  • Until you withdraw consent, for marketing or potential leads. 

Overview of which personal data is used for which purposes and how long: 

Types of Personal Data 

Purpose of Processing 

Legal Basis (GDPR) 

Retention Period 

Name, email, company name, phone number 

– Managing customer/supplier relationships  
– Sending newsletters and marketing materials 

Art. 6(1)(b) – Contract  
 
Art. 6(1)(a) – Consent 

While the business relationship is active  
 
Or until consent is withdrawn 

Job title, company affiliation 

– Processing contact/lead forms  
– Personalizing communication and services 

Art. 6(1)(b) – Contract  
 
Art. 6(1)(f) – Legitimate interest 

While the business relationship is active or until request for deletion 

IP address, browser data (via cookies) 

– Website optimization  
– Statistical analysis 

Art. 6(1)(a) – Consent  
 
Art. 6(1)(f) – Legitimate interest 

Until the data is anonymized or deleted by user request; dependent on cookie duration 

Login credentials (cookies) 

– Providing secure access to customer areas 

Art. 6(1)(f) – Legitimate interest 

Session-based or as per cookie consent settings 

Images, videos from events 

– Promoting events  
– Marketing and communications 

Art. 6(1)(a) – Consent 

Until consent is withdrawn or deemed no longer relevant 

Resume, cover letter, application details 

– Recruitment  
– Future employment consideration 

Art. 6(1)(b) – Contract Art. 6(1)(a) – Consent (extended storage) 

6 months (standard) Up to 12 months if consent is given 

Consent status, consent ID, timestamp 

– Demonstrating compliance with consent requirements 

Art. 6(1)(c) – Legal obligation 

Retained as long as necessary to demonstrate lawful processing 

Customer website usage data (as processor) 

– Delivering services to customers 

Art. 6(1)(b) – Contract (processor role) 

As specified in Data Processing Agreement (DPA) with customer 

Technical identifiers (e.g., CRM user IDs) 

– CRM tracking  
– Lead management and support 

Art. 6(1)(f) – Legitimate interest 

While business relationship is active or upon deletion request 

Financial and transactional data 

– Invoicing and regulatory compliance (e.g., accounting, AML) 

Art. 6(1)(c) – Legal obligation 

5 years after the end of the customer/supplier relationship (per accounting/AML laws) 

 

5. Cookie Data in relation to visits on the website www.raptorservices.com

When visiting www.raptorservices.com, cookies are used. Cookies are small text files that are stored through your browser on your device, used by websites to make a user’s experience more efficient. The data is used to optimize the website in relation to the visitors’ needs. 

The login to the customer area on the website requires cookies to remember your choices. 

Selected employees at Raptor Services A/S have access to the collected data. The data is used for and disclosed in the form of statistics, etc., without specifying individual IP addresses. The purpose of processing statistics obtained from cookies is to provide a better website. 

This site uses different types of cookies. Some cookies are placed by third party services that appear on our pages. 

You can at any time change or withdraw your consent from the Cookie Declaration right here.  

Please state your consent ID and date when you contact us regarding your consent. 

If you want to learn more about what cookies we use, you can check out our cookie information. 

6. Data Access and Disclosure

Access to personal data is restricted to employees and subcontractors who require it to perform specific tasks, based on the principle of least privilege. All third-party processors operate under legally binding Data Processing Agreements. 

Our primary hosting and data storage provider is Microsoft, with additional services from: 

  • Adobe Creative Suite 
  • Arcade* 
  • Arrows.to* 
  • Asana 
  • Codetwo 
  • Contractbook* 
  • Cookiebot 
  • Copilot (Microsoft)* 
  • Crossbeam 
  • Demio 
  • E-conomic 
  • Meta (Facebook/Instagram) (note: shared data controllership)* 
  • Figma* 
  • Google Ads* 
  • Google Analytics* 
  • HubSpot* 
  • Klaviyo* 
  • LinkedIn* 
  • Loom* 
  • Medium* 
  • Microsoft Business Premium 
  • Notion* 
  • Plecto* 
  • SQL Server* 
  • Shopify* 
  • Slack* 
  • Sleeknote* 
  • Zapier*  

Certain data transfers may occur to processors based in the United States, under mechanisms such as the Data Privacy Framework (DPF) and/or Standard Contractual Clauses or other lawful transfer tools compliant with Chapter V of the GDPR. 

For a full list of data processors, contact our Compliance Officer. 

* Note that these third-party processors offer AI services in their main services. We therefore refer to the Annex I to this Privacy Policy, “AI-Enabled Service Providers and Compliance Measures”.  

7. Data Security

We maintain appropriate technical and organizational measures (TOMs) to protect personal data, including: 

  • Encryption (in transit and at rest) 
  • Role-based access controls 
  • Regular data backups 
  • Employee confidentiality protocols 

In the event of a data breach likely to result in high risk to individuals, we will notify affected parties and supervisory authorities without undue delay, as required by GDPR Art. 33 and 34. 

8. Your rights under the GDPR

You have the right to: 

  • Access your personal data (Art. 15) 
  • Rectify inaccurate data (Art. 16) 
  • Erase data (aka “right to be forgotten”, Art. 17) 
  • Restrict processing (Art. 18) 
  • Data portability (Art. 20) 
  • Object to processing (Art. 21) 
  • Withdraw consent at any time (Art. 7(3)) 

To exercise your rights, contact our Compliance Officer (see Section 2). We will respond within one month, or within two months for complex requests. Unfounded or excessive requests may be refused or subject to a fee. 

Note that due to the nature of our services, some of the above-mentioned rights are either irrelevant or impossible. For those cases, we have relevant measures to ensure that your rights are respected to the greatest possible extent. 

9. Complaints

You may send a complaint to the Danish Data Protection Authority (Datatilsynet): 

Email: [email protected] 

Website: www.datatilsynet.dk 

Address: Carl Jacobsens Vej 35, 2500 Valby, Denmark 

Phone: +45 33 19 32 00 

10. Change of privacy policy

This Privacy Policy may be updated to reflect legal or operational changes. Significant changes will be communicated through our website or by email. The current version is always available at www.raptorservices.com/privacy-policy

Annex I

Annex I to Raptor Services’ Privacy Policy: AI-Enabled Service Providers and Compliance Measures 

This annex provides detailed information regarding the AI-powered services used by Raptor Services A/S, including their functions, data handling practices, and the safeguards in place to ensure compliance with the General Data Protection Regulation (GDPR), ePrivacy Directive, and the EU Artificial Intelligence Act (AI Act). 

  1. Overview of AI-Enabled Vendors

Note that those third-party vendors take the role of processors.  

 

Service Provider   Function  Type of AI  Categories of Data Processed  Legal Basis (GDPR Art. 6(1)  Location 
Arcade  Interactive training tool – user data  Generative-product creation AI  PII (name, email, IP), usage data, screenshots, screen recordings  (a) Consent; (b) Contract; (f) Legitimate interests; (c) Legal obligation  USA (SCCs) 
Arrows.to  Customer onboarding tool – typical personal data  NLP (workflow insights)  PII, employer/company info, user settings, usage metadata  (b) Contract; (f) Legitimate interests; (a) Consent (marketing)  EU/EEA 
Contractbook AI Import  AI-assisted document import and classification of legal contracts  NLP, supervised learning  Contract metadata, party names, contract terms  (b) Contract; (f) Legitimate interests  Denmark/EU 
Copilot (Microsoft)  AI-based assistant in Microsoft environment  NLP + Code generation (LLM, supervised)  Code, telemetry, usage data, possible PII from IDE logs  (a) Consent; (b) Contract; (f) Legitimate interests  Global (US/EU) 
Facebook (META)  Advertising and remarketing  Predictive analytics + NLP  PII, sensitive interest data, social graph, images, video, text  (a) Consent; (f) Legitimate interests; (c) Legal obligation  Global (US/EU) 
Figma  Design platform owned by Adobe – collaboration data  Generative AI (design suggestions)  Design content, uploaded assets, project metadata  (b) Contract; (f) Legitimate interests; (a) Consent  USA (SCCs) 
Google Ads  Ad data, visitor data, lead tracking  Predictive analytics + Reinforcement learning  PII (IP, cookie IDs), browsing data, conversion metrics  (a) Consent; (f) Legitimate interests; (b) Contract  Global (US/EU) 
Google Analytics  Visitor data, even if IP anonymisation is enabled  Predictive analytics  Anonymized PII (IP), behavior, device/browser details  (a) Consent; (f) Legitimate interests  Global (US/EU) 
HubSpot Breeze AI  Marketing automation, email personalization, lead scoring  Predictive analytics / NLP  Name, email, behavior data, marketing interactions  (b) Contract; (f) Legitimate interests; (a) Consent  USA (SCCs) 
Klaviyo  Email marketing – consents, leads, customer data  Predictive analytics + NLP (marketing)  PII, purchase history, interaction and email usage metrics  (a) Consent; (b) Contract; (f) Legitimate interests  USA (SCCs) 
LinkedIn  Advertising and lead forms  Predictive analytics + NLP  PII, profile info, interaction data  (a) Consent; (b) Contract; (f) Legitimate interests  USA (SCCs/DPF) 
Loom  Video recordings may include personal data  NLP (transcription) + Audio/Video AI  Screen recordings, voice/video, transcripts (PII)  (a) Consent; (b) Contract; (f) Legitimate interests  USA (SCCs) 
Medium  Content platform, depends on usage  NLP (transcription) + Audio/Video AI  User profile, reading behavior, text metadata  (a) Consent; (f) Legitimate interests  USA (SCCs) 
Notion  Work and knowledge platform – team data  NLP + Summarization + Semantic search  Notes (could include PII), usage data  (a) Consent; (b) Contract; (f) Legitimate interests  USA (SCCs) 
Plecto  Danish dashboard platform – sales data, users  Predictive analytics  Performance data, metrics, user account info  (b) Contract; (f) Legitimate interests  Denmark (EU) 
Shopify  Webshop and customer data  Predictive analytics (product suggestions, fraud detection)  Store data, customer PII, purchase data  (b) Contract; (f) Legitimate interests; (a) Consent  Canada/US (SCCs/DPF) 
Slack  Communication platform – metadata, possible AI analysis  NLP (message summary, search, automation)  Messages (PII), attachments, usage logs  (b) Contract; (f) Legitimate interests  USA (SCCs/DPF) 
Sleeknote  Pop-up on website  Predictive analytics  PII, device/browser data, behavior analytics  (a) Consent; (f) Legitimate interests  Denmark (EU) 
SQL Server  Databases – local or cloud-hosted, depends on setup  ML platform (customizable; no native AI)  User-defined: potentially PII, business data  (b) Contract; (f) Legitimate interests  Onprem / Azure region (EU) 
Zapier  Integrations – relay personal data between systems  NLP + Predictive (task automation)  PII, app data from user workflows  (a) Consent; (b) Contract; (f) Legitimate interests  USA (SCCs) 
  1. Risk Classification Under the EU AI Act

In line with the AI Act risk categorization: 

Supplier / Tool 

AI Risk Level 

Justification 

Arcade 

Nohighrisk 

Generative demo creation for marketing. Does not fall in any Annex III highrisk domain (employment, credit, critical infrastructure, etc.). 

Arrows.to 

Nohighrisk 

Workflow/helpdesk assistance; does not make legally or economically significant decisions about individuals. 

Contractbook AI Import 

Nohighrisk 

Pure document parsing; supports lawyers but does not decide legal outcomes or access to justice. 

Copilot (Microsoft) 

Nohighrisk 

Codegeneration assistant; not used in any Annex III critical sector. 

Facebook Ads / META 

Nohighrisk 

General adtargeting is outside Annex III. (Politicalcampaign microtargeting could be highrisk/prohibited, but the core advertising AI is not automatically so.) 

Figma 

Nohighrisk 

Designassist AI; creative support only. 

Google Ads 

Nohighrisk 

Marketing optimisation—outside the AI Act’s listed highrisk areas. 

Google Analytics 

Nohighrisk 

Analytics/insights; does not autonomously decide on people’s rights. 

HubSpot Breeze AI 

Nohighrisk 

CRM/email drafting; no sensitive, highimpact decisionmaking. 

Klaviyo 

Nohighrisk 

Ecommerce marketing predictions; does not make highrisk decisions. 

LinkedIn (advertising and leads) 

No-highrisk 

AI is not used for filtering candidates and therefore doesn’t fall Annex III(4) “employment, worker management & access to selfemployment,”.  

Loom 

Nohighrisk 

Transcription & video summarisation; no decisionmaking impact. 

Medium 

Nohighrisk 

Content recommendation; limited effect on fundamental rights. 

Notion AI 

Nohighrisk 

Writing aid/summariser; not in a regulated highrisk domain. 

Plecto 

Nohighrisk 

Dashboards & KPIs; advisory analytics only. 

Shopify AI 

Nohighrisk 

Product suggestions & fraud rules; commerce, but not creditscoring or safetycritical. 

Slack AI 

Nohighrisk 

Message summarisation & search—auxiliary, no Annex III category. 

Sleeknote 

Nohighrisk 

Onsite engagement popups; marketing context only. 

SQL Server (platform) 

Nohighrisk 

Infrastructure; risk depends on user’s application, not the DBMS itself. 

Zapier AI 

Nohighrisk 

Workflow automation suggestions; no direct highrisk decision authority. 

 

  1. Data Protection and AI Governance Measures

The following controls have been implemented to ensure compliant use of AI services: 

Transparency and Accountability 

  • AI involvement is clearly disclosed in relevant interactions (e.g., newsletters or auto-generated content). 
  • Human oversight is maintained over all automated outputs. 
  • Users can request explanations about automated processing and decisions. 

    Data Minimization and Purpose Limitation 

    • Only personal data necessary for the AI system’s defined purpose is processed. 
    • AI tools are restricted contractually from training on client data for generalized model improvement.

       

    Data Processing Agreements and Safeguards 

    • Signed Data Processing Agreements (DPAs) with all relevant data processors. 
    • Data Privacy Framework or entered in EU Standard Contractual Clauses supported by Transfer Impact Assessments and supplemental security measures, if relevant, is the transfer tool for transfers to third countries. 
    • Internal DPIAs are conducted when AI use introduces higher risks to data subjects.

       

    Security and Integrity

    • AI models used by processors are secured against unauthorized access and model drift. 
    • Logging and audit trails are maintained to monitor AI decisions and system performance. 

      Feel free to contact us

      Any Questions?

      Call on phone: +45 20 40 80 20 or find alternative contact details below.

      Contact