Privacy Policy
Effective date: [INSERT DATE] — Version 1.0
This policy applies to PennaSystems and all products under the platform (PennaPay, PennaBook, PennaConnect, PennaShare, PennaVentory). It explains what data we collect, why, and your rights under the GDPR.
1. Who we are
PennaSystems is operated by [YOUR FULL LEGAL NAME], a sole trader (enkeltmandsvirksomhed / PMV) based in Denmark. References to "we", "us", or "PennaSystems" in this policy refer to [YOUR FULL LEGAL NAME].
Contact: [YOUR EMAIL ADDRESS] — [YOUR MAILING ADDRESS, DENMARK]
2. What data we collect and why
Account data (you, the freelancer who signs up):
- Name, email address, password hash — to create and secure your account.
- Business name, logo, billing address — to populate invoices you send to your clients.
- Payment method — handled entirely by Stripe. We never see or store your card number.
Client data (data about your clients, entered by you):
- Client name, email, address, phone — to create invoices and messages.
- Invoice history, file uploads, messages — to provide the core service.
- You are the data controller for your clients' data. We process it as your data processor, on your instructions, in accordance with GDPR Article 28.
Usage data (automatically collected):
- Log data: IP address, browser type, pages visited, timestamps — for security monitoring and debugging.
- Session tokens — to keep you logged in.
3. Legal basis for processing (GDPR Article 6)
- Contract performance (Art. 6(1)(b)): We process your account data and client data to deliver the service you signed up for.
- Legitimate interests (Art. 6(1)(f)): We process log and security data to protect the platform from abuse.
- Legal obligation (Art. 6(1)(c)): We retain certain financial records as required by Danish accounting law (Bogføringsloven).
- Consent (Art. 6(1)(a)): We use consent for non-essential cookies and any optional marketing communications.
4. Who we share your data with
We do not sell your data. We share it only with the following sub-processors, each bound by a Data Processing Agreement:
- Stripe, Inc. (USA) — payment processing. Stripe is certified under the EU–US Data Privacy Framework.
- Resend, Inc. (USA) — transactional email delivery. Standard Contractual Clauses apply.
- Railway Corp. (USA) — cloud hosting and database. Standard Contractual Clauses apply.
- Cloudflare, Inc. (USA) — file storage (R2) and CDN. Standard Contractual Clauses apply.
We will notify you at least 30 days before adding any new sub-processor.
5. Data retention
- Account data: retained while your account is active, then soft-deleted for 30 days (restorable), then permanently erased.
- Invoice and payment records: retained for 5 years after the financial year of the transaction, as required by Danish Bogføringsloven § 10.
- Log data: retained for 90 days, then automatically deleted.
- Client data you upload: deleted within 30 days of your account deletion request.
6. Your rights (GDPR Chapter 3)
As a data subject, you have the right to:
- Access — request a copy of all personal data we hold about you.
- Rectification — correct inaccurate data.
- Erasure — request deletion of your account and data (subject to legal retention obligations).
- Portability — receive your data in a machine-readable format (JSON).
- Restriction — ask us to pause processing while a dispute is resolved.
- Objection — object to processing based on legitimate interests.
To exercise any right, email us at [YOUR EMAIL ADDRESS]. We will respond within 30 days. If you are unsatisfied, you may lodge a complaint with Datatilsynet (datatilsynet.dk), the Danish supervisory authority.
7. Cookies
We use only essential cookies necessary for the platform to function (session management). We do not use advertising or tracking cookies. You will be asked to consent before any non-essential cookies are set.
8. Security
We implement appropriate technical and organisational measures, including TLS encryption in transit, hashed passwords (bcrypt), HTTP-only session cookies, role-based access controls, and rate limiting on authentication endpoints. In the event of a personal data breach, we will notify affected users and Datatilsynet within 72 hours where required by law.
9. Children
PennaSystems is a business tool intended for users aged 18 and over. We do not knowingly collect data from minors.
10. Changes to this policy
We will notify you by email at least 14 days before making material changes to this policy. Continued use of the platform after that date constitutes acceptance of the updated policy. The current version is always available at pennapay.com/privacy.html.
11. Contact
[YOUR FULL LEGAL NAME]
[YOUR EMAIL ADDRESS]
[YOUR MAILING ADDRESS]
Denmark