Privacy Policy
1. Introduction and Purpose of this Privacy Policy
Enduro Genetics ApS (“we”, “us”, “our”) processes personal data as part of our business. This privacy policy is intended to inform you (the “data subject”) about how we collect, process, and protect your personal data. We are committed to processing your personal data in accordance with applicable data protection law, including Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 (the “GDPR”), as well as national legislation. We strive to ensure that your data is processed lawfully, fairly, and transparently.

2. Data Controller
The data controller responsible for the processing of your personal data is:
Name: Enduro Genetics ApS
Address: Ole Maaløes Vej 3, DK-2200 Copenhagen N
CVR (Company Reg. No.): 40960465
E-mail: info@endurogenetics.com
Phone: +45 93935580
Web: enduro.bio
Enduro Genetics ApS is the data controller, which means we determine the purposes and means of processing your personal data.
- Joint controllership (if any): Not applicable.
- EU/EEA representative (if any): Not applicable, as the company is established in the EU.

3. Categories of Personal Data We Process
We process personal data about several categories of data subjects. Below is an overview of these categories and the types of personal data we typically process for each:
Categories of data subjects:
- Customers (prospective and existing)
- Suppliers and partners
- Website and social media users
Types of personal data per category:
- Customers (prospective and existing): name, e-mail, phone number, business address, job title, CVR number, bank account number, notes and communication history (e-mails, call logs), information about sales opportunities.
- Suppliers and partners: contact persons’ names, e-mail, phone number, job title, business address, CVR number, bank account number, communications data.
- Website and social media users: name, e-mail, phone number (if provided via contact form), profile name, interactions and messages.
Sources of data collection:
We primarily collect personal data directly from you. Data may also be generated through your interaction with us and our systems (e.g., communications data, website interactions). In some cases, we may receive information from third parties, such as public authorities (if relevant).

4. Purposes and Legal Bases for Processing Personal Data
We process your personal data for the following overall, specific, explicitly stated and legitimate purposes.
Purposes and indicative legal bases:
- Customer and supplier management (CRM): managing relationships, sales processes, contracts, and communications with prospective and existing customers and suppliers.
  - Legal bases: GDPR Art. 6(1)(b) (contract or pre-contractual steps), Art. 6(1)(f) (legitimate interests in managing customer relationships and sales).
- Finance and accounting: invoicing, bookkeeping, accounting, and audit in accordance with applicable law.
  - Legal bases: GDPR Art. 6(1)(c) (legal obligation, e.g., accounting law).
- Internal and external communications and collaboration: supporting daily operations, communications, document handling, and collaboration within the company and with external parties.
  - Legal bases: GDPR Art. 6(1)(f) (legitimate interests in operating the business efficiently).
- Online presence and branding: managing the company website and professional social media for branding, information, and interaction.
  - Legal bases: GDPR Art. 6(1)(a) (consent—e.g., for non-essential cookies), Art. 6(1)(f) (legitimate interests in marketing the company and interacting with users).

5. Disclosure of Personal Data to Other Recipients
We regularly disclose personal data to the following categories of recipients (primarily data processors) under data processing agreements:
- Audit (customers, suppliers) — relevant financial data (e.g., invoice data, names, business contact details).
- Accounting system (customers, suppliers) — name, business address, e-mail, phone, CVR, bank account, invoice data.
- CRM system (customers/prospects) — name, e-mail, phone number, business address, job title, CVR number, notes and communications history.
- Office & collaboration platform (customers, suppliers, partners) — business contact details, documents, communications data.
- Website platform (website users) — contact details submitted via forms.
- Professional social media (customers, partners, followers) — publicly available profile information (such as name, job title, experience, education, and profile photo) as well as any messages or contact details you choose to share with us through the platform.

Transfers to third countries (outside the EU/EEA):
We use various systems and services. As a rule, we aim to ensure that all processing occurs within the EU/EEA to maintain a high level of data protection. In certain cases, transfers to countries or international organizations outside the EU/EEA (“third countries”) may be necessary. Such transfers are carried out in accordance with GDPR Chapter V to ensure that the protection afforded to individuals within the EU is not undermined.
Situations where third-country transfers may occur, and the applicable transfer mechanisms, include:
- Cloud-based productivity tools and data management systems: data is generally stored within the EU. Transfers to the USA may occur for support and maintenance. The transfer mechanism is EU-U.S. Data Privacy Framework certification, recognized by the European Commission as providing an adequate level of protection.
- Professional networking platforms: in some cases, data is processed globally. Transfers outside the EU/EEA are based on the EU Commission’s Standard Contractual Clauses (SCCs) combined with a third-country assessment and any supplementary technical measures to ensure a level of protection essentially equivalent to that within the EU/EEA.
- Other business systems and services: for most of our other business systems and services (e.g., web hosting, advisory services, and financial management), processing primarily takes place within the EU/EEA. No regular third-country transfers have been identified for these services.
You may contact us at any time for further information on the specific transfer mechanisms and safeguards, including how to obtain a copy of the SCCs or other relevant documents.

6. Storage and Deletion of Personal Data
We retain your personal data for as long as necessary to fulfill the purposes for which it was collected, or for as long as required by applicable law.

Retention periods/criteria:
- Accounting materials (e.g., invoices, payroll vouchers): deleted 5 years after the end of the financial year to which the material relates, cf. the Danish Bookkeeping Act §10.
- Customers: deleted 5 years after end of business/financial year (per bookkeeping law) or when no longer needed for the purpose. CRM lead contact details are deleted 2 years after the last relevant dialogue.
- Suppliers and partners: deleted 5 years after end of business/financial year (per bookkeeping law).
Your personal data will be deleted or anonymized when it is no longer necessary for the purposes for which it was collected and processed, and when we are no longer legally obliged to retain it.

7. Security Measures
We take the protection of your personal data seriously and have implemented a range of technical and organizational measures to ensure an appropriate level of security, including:
- Access management: access to systems and data is limited on a need-to-know basis and via role-based access control (RBAC). User IDs and complex passwords are used.
- Authentication: two-factor authentication (2FA) is implemented across critical systems.
- Encryption: data is encrypted in transit (HTTPS/TLS) and at rest on our processors’ servers where technically possible.
- Policies and procedures: an overarching IT security policy, employee instructions, and an incident response plan for handling security breaches are in place.
- Awareness: employees receive continuous information and training in GDPR and proper handling of personal data.
- Monitoring and follow-up: regular risk assessments and checks of security measures and processors’ compliance with agreements.
- Data processing agreements (DPAs): concluded with all relevant vendors, specifying processing parameters and ensuring GDPR compliance.
- Physical security: physical materials are stored securely; our vendors’ data centers are subject to strict physical security measures.
- Network security: firewalls, IDS/IPS, and antivirus software are used to protect networks and systems.

8. Your Rights
You have a number of rights under the GDPR, which we respect and will help you exercise. These include the rights of access, rectification, erasure, restriction of processing, data portability, objection, the right not to be subject to automated individual decision-making, the right to withdraw consent, and the right to lodge a complaint with the Danish Data Protection Agency (Datatilsynet).

Exercising your rights:
If you wish to exercise your rights, please contact us using the details in Section 2 (Data Controller) or our Data Protection Officer (DPO) listed in Section 9. We will process your request as quickly as possible and in accordance with applicable law.
Exceptions:
Please note that exceptions may apply. We will always make a case-by-case assessment of whether a request can be fulfilled.

9. Data Protection Officer (DPO)
Contact details:
Name: gdprconsult.dk (Contact: Niels Madsen)
Address: Finsensvej 45b, 4th, 2000 Frederiksberg
CVR: 25077830
E-mail: niels@gdprconsult.dk
Phone: +45 91 97 78 77
Web: gdprconsult.dk

10. Changes to this Privacy Policy
This privacy policy may be updated from time to time. The latest version will always be available on our website (enduro.bio).
Notice of material changes: If we make material changes, we will inform you via our website or by direct notification where appropriate.

11. Complaints
You have the right to lodge a complaint with the Danish Data Protection Agency if you believe our processing of your personal data violates applicable data protection law.
Danish Data Protection Agency (Datatilsynet)
Address: Carl Jacobsens Vej 35, 2500 Valby
E-mail: dt@datatilsynet.dk
Phone: +45 33 19 32 00
Web: www.datatilsynet.dk