1. Data Controller
For our website, contact forms, direct communication, and general business administration, Copenhagen Machine Learning I/S is the data controller.
Copenhagen Machine Learning I/S
CVR no. 46412508
Jernbane Allé 72 B, 3. th
2720 Vanløse, Denmark
Email: info@cphml.dk
For customer projects, our role may vary. In many cases, we expect to act as a data processor on behalf of the customer, who remains the data controller. The exact role, processing instructions, and responsibilities should be documented in a data processing agreement before personal data is transferred.
2. Why We Process Personal Data
We process personal data for the following purposes:
- To respond to enquiries and communicate with potential customers, partners, and suppliers.
- To scope, deliver, support, and improve machine learning projects and related services.
- To operate a secure and functional website.
- To manage contracts, invoicing, accounting, and legal compliance.
- To document project decisions, data handling procedures, and customer instructions.
3. Categories of Personal Data
Depending on the context, we may process contact details such as name, email address, phone number, organisation, job title, message content, and other information you choose to provide.
In customer projects, personal data may include pseudonymous or identifiable customer, donor, member, lead, or campaign records provided by the customer. The exact categories may include identifiers, contact history, transaction history, campaign activity, response outcomes, segmentation attributes, and other variables required for modelling or analysis.
Placeholder for customer data specifics: The final policy should describe the exact data categories, sources, processing steps, model outputs, temporary storage locations, access controls, deletion routines, and customer instructions once the production process has been fully defined.
4. Legal Basis
We process personal data under the GDPR using one or more of the following legal bases:
- Article 6(1)(b), when processing is necessary to enter into or perform a contract.
- Article 6(1)(c), when processing is necessary to comply with legal obligations.
- Article 6(1)(f), when processing is necessary for legitimate interests, such as running our business, securing our services, and responding to enquiries.
- Article 6(1)(a), when you have given consent, for example for optional communications or cookie categories where relevant.
Where we act as a data processor for a customer, the customer is responsible for identifying the legal basis for its own processing and for issuing documented instructions to us.
5. Customer Data and Temporary Storage
Our services may require access to personal data supplied by customers in order to prepare datasets, train or evaluate models, generate predictions, produce reports, and deliver campaign or targeting recommendations.
Customer data should only be processed for the agreed project purpose and according to written customer instructions. We expect to use temporary storage for data preparation, modelling, quality assurance, and secure delivery of project outputs.
Placeholder for operational details: The final version should specify the approved storage systems, hosting locations, encryption measures, retention windows, deletion verification process, subprocessors, access logging, incident procedure, and whether any anonymised or aggregated outputs are retained after project completion.
7. Retention and Deletion
We keep personal data only for as long as necessary for the purpose for which it was collected, unless a longer retention period is required by law.
- Contact enquiries are retained for as long as needed to handle the enquiry and maintain relevant business records.
- Accounting and contractual records may be retained for the period required under Danish bookkeeping rules.
- Customer project data should be deleted or returned according to the relevant data processing agreement and project instructions.
Placeholder for retention schedule: Add exact retention periods for contact form messages, project files, raw datasets, transformed datasets, model artefacts, predictions, logs, backups, and reports.
8. Security
We apply technical and organisational measures designed to protect personal data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure, or access. Measures may include access limitation, encryption, secure transfer methods, authentication controls, backups, and internal procedures for handling customer data.
Security measures for customer projects should be adapted to the sensitivity, scope, and risks of the specific dataset.
9. Transfers Outside the EU/EEA
If personal data is transferred outside the EU/EEA, we will ensure that an appropriate transfer mechanism is in place, such as an adequacy decision by the European Commission or the European Commission's Standard Contractual Clauses, where required.
Placeholder for transfer mapping: Confirm whether any hosting, analytics, form processing, collaboration, AI, or infrastructure providers involve transfers outside the EU/EEA.
11. Your Rights
You have the following rights under the GDPR, subject to the conditions and limitations in the law:
- Right of access to the personal data we process about you.
- Right to rectification of inaccurate or incomplete personal data.
- Right to erasure in certain circumstances.
- Right to restriction of processing in certain circumstances.
- Right to object when processing is based on legitimate interests.
- Right to data portability when processing is based on consent or contract and carried out by automated means.
- Right to withdraw consent at any time when processing is based on consent.
To exercise your rights, contact us at info@cphml.dk. If your request relates to customer project data where we act as a data processor, we may need to forward or refer your request to the relevant customer.
12. Complaints
You have the right to lodge a complaint with the Danish Data Protection Agency, Datatilsynet, if you are dissatisfied with how we process your personal data. You can find more information at www.datatilsynet.dk.