CPHML An applied AI and Machine Learning Company
Data protection

Privacy Policy

This Privacy Policy explains how Copenhagen Machine Learning I/S processes personal data when you use our website, contact us, or work with us on machine learning projects involving customer data.

Last updated: 4 July 2026 GDPR information notice

1. Data Controller

For our website, contact forms, direct communication, and general business administration, Copenhagen Machine Learning I/S is the data controller.

Copenhagen Machine Learning I/S
CVR no. 46412508
Jernbane Allé 72 B, 3. th
2720 Vanløse, Denmark
Email: info@cphml.dk

For customer projects, our role may vary. In many cases, we expect to act as a data processor on behalf of the customer, who remains the data controller. The exact role, processing instructions, and responsibilities should be documented in a data processing agreement before personal data is transferred.

2. Why We Process Personal Data

We process personal data for the following purposes:

  • To respond to enquiries and communicate with potential customers, partners, and suppliers.
  • To scope, deliver, support, and improve machine learning projects and related services.
  • To operate a secure and functional website.
  • To manage contracts, invoicing, accounting, and legal compliance.
  • To document project decisions, data handling procedures, and customer instructions.

3. Categories of Personal Data

Depending on the context, we may process contact details such as name, email address, phone number, organisation, job title, message content, and other information you choose to provide.

In customer projects, personal data may include pseudonymous or identifiable customer, donor, member, lead, or campaign records provided by the customer. The exact categories may include identifiers, contact history, transaction history, campaign activity, response outcomes, segmentation attributes, and other variables required for modelling or analysis.

Placeholder for customer data specifics: The final policy should describe the exact data categories, sources, processing steps, model outputs, temporary storage locations, access controls, deletion routines, and customer instructions once the production process has been fully defined.

5. Customer Data and Temporary Storage

Our services may require access to personal data supplied by customers in order to prepare datasets, train or evaluate models, generate predictions, produce reports, and deliver campaign or targeting recommendations.

Customer data should only be processed for the agreed project purpose and according to written customer instructions. We expect to use temporary storage for data preparation, modelling, quality assurance, and secure delivery of project outputs.

Placeholder for operational details: The final version should specify the approved storage systems, hosting locations, encryption measures, retention windows, deletion verification process, subprocessors, access logging, incident procedure, and whether any anonymised or aggregated outputs are retained after project completion.

6. Sharing Personal Data

We do not sell personal data. We may share personal data with service providers that process data on our behalf, such as hosting, email, form handling, security, backup, accounting, and collaboration tools.

We may also disclose personal data where required by law, to protect legal claims, or as necessary to perform an agreement with a customer. Customer project data is shared only according to the applicable agreement and documented instructions.

7. Retention and Deletion

We keep personal data only for as long as necessary for the purpose for which it was collected, unless a longer retention period is required by law.

  • Contact enquiries are retained for as long as needed to handle the enquiry and maintain relevant business records.
  • Accounting and contractual records may be retained for the period required under Danish bookkeeping rules.
  • Customer project data should be deleted or returned according to the relevant data processing agreement and project instructions.

Placeholder for retention schedule: Add exact retention periods for contact form messages, project files, raw datasets, transformed datasets, model artefacts, predictions, logs, backups, and reports.

8. Security

We apply technical and organisational measures designed to protect personal data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure, or access. Measures may include access limitation, encryption, secure transfer methods, authentication controls, backups, and internal procedures for handling customer data.

Security measures for customer projects should be adapted to the sensitivity, scope, and risks of the specific dataset.

9. Transfers Outside the EU/EEA

If personal data is transferred outside the EU/EEA, we will ensure that an appropriate transfer mechanism is in place, such as an adequacy decision by the European Commission or the European Commission's Standard Contractual Clauses, where required.

Placeholder for transfer mapping: Confirm whether any hosting, analytics, form processing, collaboration, AI, or infrastructure providers involve transfers outside the EU/EEA.

10. Website, Cookies, and Contact Forms

Our website may process technical information such as IP address, browser information, device information, pages visited, and timestamps to keep the site secure and functional. If optional cookies or analytics are introduced, the cookie setup and consent mechanism should be documented separately.

When you submit a contact form, we process the information you provide so we can respond to your enquiry.

11. Your Rights

You have the following rights under the GDPR, subject to the conditions and limitations in the law:

  • Right of access to the personal data we process about you.
  • Right to rectification of inaccurate or incomplete personal data.
  • Right to erasure in certain circumstances.
  • Right to restriction of processing in certain circumstances.
  • Right to object when processing is based on legitimate interests.
  • Right to data portability when processing is based on consent or contract and carried out by automated means.
  • Right to withdraw consent at any time when processing is based on consent.

To exercise your rights, contact us at info@cphml.dk. If your request relates to customer project data where we act as a data processor, we may need to forward or refer your request to the relevant customer.

12. Complaints

You have the right to lodge a complaint with the Danish Data Protection Agency, Datatilsynet, if you are dissatisfied with how we process your personal data. You can find more information at www.datatilsynet.dk.