Privacy Policy – Fenster ApS

Last updated: June 02, 2026

Governing language. This Privacy Policy is written in English. If we provide translations, they are for convenience only. In the event of any discrepancy, the English version prevails.

This Privacy Policy explains how Fenster ApS (“Fenster”, “we”, “us”) processes personal data in connection with our websites and services under *.fenster.dk. It describes when we act as a data controller (e.g., for our business operations, communications, billing and support) and includes a brief explanation of when we act as a data processor on behalf of our customers.

Related documents. This Privacy Policy should be read together with:

• Terms and Conditions (“Terms”) – available at: https://partner.fenster.dk/legal/termsconditions 
• Data Processing Agreement (“DPA”) – available at: https://partner.fenster.dk/legal/dpa 
• Cookie Policy (“Cookie Policy”) - available at: https://partner.fenster.dk/legal/cookiepolicy 

Order of precedence. The Terms form the “Principal Agreement”, and the DPA forms part of the Principal Agreement. Where Fenster processes personal data as a processor on behalf of a customer (i.e., Customer Data), the DPA governs such processing and prevails in case of any conflict.

Definitions. Capitalised terms not defined in this Privacy Policy have the meanings given in the Terms and/or the DPA (as applicable). For example, “Services” refers to Fenster’s SaaS solution made available via www.fenster.dk.

1) Who is the controller and how to contact us

Controller: 

Fenster ApS
Fruebjergvej 3
DK-2100 København Ø
Denmark
CVR: 40021825
Email: support@fenster.dk  

2) Roles: when we are a Controller vs. a Processor

2.1 Fenster as Controller (main scope of this Privacy Policy)

Fenster is the data controller when we process personal data for our own purposes, including:

• Operating and securing our websites and services
• Handling inbound requests, leads, and sales dialogue
• Customer onboarding and administration
• Customer support and communications
• Billing and accounting
• Marketing communications where applicable (e.g., newsletters)
• HR and recruitment
• Managing relationships with business partners

Our handling of personal data where Fenster acts as controller (e.g., account administration, billing, and communications) is described in this Privacy Policy.

2.2 Fenster as Processor (short notice)

When customers use the Services to process Customer Data (including personal data relating to the customer’s own end customers), Fenster processes personal data in Customer Data as a data processor and in accordance with the DPA. We process such personal data only on documented instructions from the customer (controller).

If you are an end customer of one of our customers: The relevant customer is normally the controller. Please contact that business first regarding privacy requests (e.g., access or deletion). If Fenster receives a request from a data subject regarding Customer Data, we will notify the customer and will not respond unless instructed by the customer or required by applicable law.

For details on Fenster’s processor obligations (including security measures, subprocessors, transfers, audits, and deletion/return), please refer to the DPA.

3) What personal data we process (Controller activities)

Depending on your relationship with us, we may process the following categories of personal data:

• A. Website visitors (incl. cookies/analytics)
  IP address, device and browser information, usage data, log data, cookie identifiers, and cookie preferences.
• B. Leads and prospects
  Name, email address, phone number, company, role/title (if provided), and correspondence history.
• C. Customer contacts and account administration (B2B)
  Name, company name, business address, email address, phone number, CVR/registration number (if provided), customer/account references, contract and communication history, and (where applicable) account and access administration data such as user identifiers and role/permission information.
• D. Support and troubleshooting
  Contact details, support requests, and the information you choose to share with us in support tickets, chat conversations, or emails (including related metadata such as timestamps and message history).
• E. Billing and accounting
  Billing contact details, invoices, and transaction-related information. Payments are typically processed by our payment providers; we do not receive or store full payment card details in our own systems in the ordinary course.
• F. Marketing communications (where used)
  Email address, name, communication preferences, and consent status/documentation where consent is required.
• G. HR / recruitment
  Application data and employment-related information; for employees, this may include CPR number and bank details only where required for employment administration and payroll.
• H. Business partners
  Contact details and information related to the cooperation (e.g., agreements and communications).

Sensitive data. We do not intend to collect or require special categories of personal data (e.g., health data) through our websites or routine business communications. Please do not provide such data to us unless it is necessary and we have specifically requested it.

4) Purposes and legal bases (Controller activities)

When we act as a data controller, we process personal data for the following purposes and legal bases under GDPR:

• To provide and operate our Services and manage our customer relationship (controller activities) (e.g., account creation and administration, customer communications and service messages, customer support, security and fraud prevention): Contract and/or Legitimate interests
• To bill you and meet accounting requirements (e.g., invoices, payments, bookkeeping): Contract (to perform our agreement with you) and Legal obligation (to comply with applicable accounting and bookkeeping rules)
• To manage sales activities and lead management: Legitimate interests (you may object to this processing as described in Section “Your rights”)
• To send newsletters and marketing emails (where used): Consent (you can withdraw your consent at any time)
• To run analytics and marketing cookies on our website: Consent (collected via our cookie banner/CMP)
• For HR and employment administration (incl. payroll): Legal obligation and/or Contract and/or Legitimate interests (depending on the situation)

5) Cookies and similar technologies

We use cookies and similar technologies on *.fenster.dk. We operate a cookie banner / consent management platform (CMP) for non-essential cookies (e.g., analytics and marketing).

Details about cookie categories, vendors, retention (where applicable), and how to withdraw consent are provided in our separate Cookie Policy. 

6) Sharing and recipients

We may share personal data with:

• Processors (service providers) that help us operate the business (e.g., hosting, analytics, communication tools, CRM, support tooling, billing/payment providers).
• Independent controllers where applicable (e.g., authorities where required by law).

We require appropriate contractual and security measures with our processors.

7) International transfers (outside EU/EEA)

Some of our suppliers may be located outside the EU/EEA (e.g., in the United States). Where this involves a transfer of personal data, we use appropriate transfer mechanisms under applicable data protection laws (including, where applicable, the EU Standard Contractual Clauses) and implement supplementary measures where required.

Where Fenster processes personal data as a processor on behalf of a customer (Customer Data), details on cross-border transfers and subprocessors (including the Subprocessor List and related notifications) are governed by and set out in the DPA.

8) Retention (how long we keep data)

We keep personal data only as long as necessary for the purposes described above and to comply with legal obligations. Typical retention periods include:

• Customer contacts / customer administration / support: Up to 5 years after the end of the customer relationship (subject to necessity and documentation needs)
• Accounting records (invoices, bookkeeping documentation): Up to 10 years after the end of the relevant financial year (or as required by law)
• Leads/prospects: Up to 5 years after last contact (unless you object earlier)
• Website-related data: Typically shorter periods depending on configuration and cookie choices (see Cookie Policy)

9) Security

We implement and maintain appropriate technical and organisational measures designed to protect personal data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to personal data. The measures we apply are designed taking into account the state of the art, implementation costs, and the nature, scope, context and purposes of processing, as well as the risks to individuals’ rights and freedoms.

Our security measures include, where appropriate:

• Access control and confidentiality: Access to systems and personal data is restricted to authorised personnel on a need-to-know basis and subject to confidentiality obligations.
• Role-based access / least privilege: Logical access controls are applied, including role-based permissions and least-privilege principles where applicable.
• Encryption in transit: Personal data is protected in transit using industry-standard encryption.
• Monitoring and logging: Systems are monitored for availability and security events; relevant logs are collected and retained for a limited period.
• Account security: We use security features such as multi-factor authentication where relevant.

Where Fenster processes personal data on behalf of customers as a processor, additional details on our technical and organisational measures are set out in our DPA (including the Security Measures schedule).

10) Your rights

Subject to the GDPR and applicable limitations, you may have rights to access, rectify, erase, restrict processing of, or object to our processing of your personal data, and to data portability; where we rely on consent, you can withdraw it at any time.

To exercise your rights, contact us at support@fenster.dk.

If your request relates to Customer Data processed by Fenster on behalf of a customer, the customer is the controller; we will notify the customer and will not respond directly unless instructed by the customer or required by law.

You may lodge a complaint with the Danish Data Protection Agency (Datatilsynet).

11) Changes to this Privacy Policy

We may update this Privacy Policy from time to time. The latest version will always be available on our website.