1.1 This privacy notice explains how Baymard Institute ApS ("Baymard", "we", "us", "our") processes personal data in various situations. We provide you with this information as we are required to do so under the General Data Protection Regulation (the "GDPR").
1.2 Below, you will find information on the various situations where we process personal data:
2.1 Baymard Institute ApS, Kastanie Alle 41, 3520 Farum, Denmark, CVR no. 38748890, acts as a data controller for the processing of personal data in connection with the below mentioned purposes.
2.2 If you have any questions about how we process personal data, please contact us at support@baymard.com
3.1 Below, please find the specific purposes for our data processing, the categories of personal data that we process, the legal basis for such processing, and the retention periods that we have decided (in specific situations, we may deviate from our general retention periods in case of e.g., complaints, objections, or other specific situations).
3.2.1 Purpose: To ensure the functionality and security on our website (necessary cookies).
3.2.1 Categories: Preferred language and region, username and password, the use of our website, including traffic on the pages, time, what you click, pages/products visited, browser type, keywords, IP address, information about device type (computer, smartphone, etc.), as well as the features used.
3.2.1 Legal basis: Article 6(1)(f) of the GDPR, as we are pursuing our legitimate interests in ensuring the functionality and security of our website.
3.2.1 Retention: See our cookie declaration.
3.2.2 Purpose: To compile statistics in order to optimize the user experience on our website and the services we offer (statistical cookies).
3.2.2 Categories: Activity on our website, including location, IP-addresses, browser used, time and date of access, operating system, pages visited, web requests etc.
3.2.2 Legal basis: According to the Danish Executive Order on Cookies we are required to obtain your consent to use cookies for statistical purposes. At the same time we obtain your consent to the processing of your personal data, cf. Article 6(1)(a) of the GDPR.
3.2.2 Retention: See our cookie declaration.
3.2.3 Purpose: To personalise the browsing experience by saving information about your preferences (preference cookies).
3.2.3 Categories: Login details and information related to comments.
3.2.3 Legal basis: According to the Danish Executive Order on Cookies we are required to obtain your consent to use preference cookies. At the same time we obtain your consent to the processing of your personal data, cf. Article 6(1)(a) of the GDPR.
3.2.4 Purpose: Tracking website visitors for marketing purposes, including targeted advertising (marketing cookies).
3.2.4 Categories: Activity on our website, including location, IP-addresses, browser used, time and date of access, operating system, pages visited, web requests etc.
3.2.4 Legal basis: According to the Danish Executive Order on Cookies we are required to obtain your consent to use targeting cookies for marketing purposes. At the same time we obtain your consent to the processing of your personal data, cf. Article 6(1)(a) of the GDPR.
3.2.4 Retention: See our cookie declaration.
3.3.1 Purpose: Communicating with you when you represent a customer, supplier or another third party.
3.3.1 Categories: Name and contact information, title, and position. The relationship to the business that you represent.
3.3.1 Legal basis: Article 6(1)(f) of the GDPR, as we are pursuing our legitimate interests in managing business contacts and fulfilling any agreement we may have concluded with the company you represent.
3.3.1 Retention: As long as the business relationship exists and up to 2 years after the end of the financial year in which the company account has been deleted.
3.3.2 Purpose: Handling communication via our website contact form.
3.3.2 Categories: Name, email, enquiry type and any other information that you chose to include in the message/communication.
3.3.2 Legal basis: Article 6(1)(f) of the GDPR, as we are pursuing our legitimate interests in managing communications with you.
3.3.2 Retention: Up to 5 years after the last communication. (Unless a Baymard account is also created by you or your parent organization, then up to 2 years after the company account has been deleted.)
3.3.3 Purpose: Bookkeeping purposes.
3.3.3 Categories: Information stated on invoices such as name and contact details.
3.3.3 Legal basis: Article 6(1)(c) of the GDPR. The legal obligations derive from the Danish bookkeeping legislation.
3.3.3 Retention: Up to 10 years after the end of the financial year to which the invoice, etc. relates.
3.4.1 Purpose: To send out newsletters (direct marketing).
3.4.1 Categories: Name, email address and any preferences you have given in connection with your subscription.
3.4.1 Legal basis: The consent you have given in accordance with article 6(1)(a) of the GDPR and section 10 of the Danish Marketing Practices Act. You can read more about your right to withdraw your consent below.
3.4.1 Retention: Personal data pertaining to our distribution of electronic newsletters will be deleted 2 years after our last newsletter has been distributed to document that we comply with the Danish Marketing Practices Act, unless you have withdrawn your consent (i.e., unsubscribed) before such time.
3.4.2 If personal data are processed for the purpose of direct marketing, you have the right at any time to object to the processing of your personal data for such marketing, including to object to profiling in so far as it relates to direct marketing. If you object to processing for the purpose of direct marketing, the personal data may no longer be processed for this purpose. Please find our contact information in section 2 above.
3.5.1 Purpose: Managing Baymard accounts.
3.5.1 Categories: Name, work email, password, company information.
3.5.1 Legal basis: The legal basis for our processing is article 6(1)(f) of the GDPR, as we pursue our legitimate interest in ensuring that you are able to log on to your account as agreed with the company you represent.
3.5.1 Retention: Personal data pertaining to accounts will as a starting point be deleted 2 years after the end of the financial year in which the company account has been deleted.
3.6.1 Purpose: To provide you with recommendations on content specifically relevant to you and to provide relevant updates, along with ensuring that the security features of the account and the fair usage Terms are met.
3.6.1 Categories: Activity in the application, including information on e.g., content and pages visited, features used, duration on each page.
3.6.1 Legal basis: Article 6(1)(f) of the GDPR, as we are pursuing our legitimate interests in managing our application and providing you with relevant content.
3.6.1 Retention: Personal data pertaining to accounts will as a starting point be deleted 2 years after the end of the financial year in which the company account has been deleted.
3.6.2 Purpose: Managing our chatbot function and commentary/note section.
3.6.2 Categories: Account information and other information that you chose to include.
3.6.2 Legal basis: Article 6(1)(f) of the GDPR, as we are pursuing our legitimate interests in managing our application.
3.6.3 Purpose: Upload images to the application.
3.6.3 Categories: Images you choose to upload.
3.6.3 Legal basis: Article 6(1)(f) of the GDPR, as we are pursuing our legitimate interests in managing our application.
3.6.3 Retention: Images uploaded to the account are managed by the account itself (not the person uploading), and are deleted 2 years after the end of the financial year in which the company account has been deleted.
4.1 We may process and share your personal data with external partners who process personal data on our behalf (data processors). Such external partners include e.g. providers of hosting services, IT systems and technical assistance with regard to our IT.
4.2 Further, we may share your personal data with suppliers or subcontractors, if relevant in their work, insofar as reasonably necessary for the purposes set out in this privacy notice.
4.3 If necessary, e.g., in relation to any disputes or when we otherwise need external advice, we may disclose information to our advisors, such as auditors and lawyers.
4.4 Additionally, we may share personal data with public authorities such as the police, if necessary in relation to a specific case or dispute or if necessary to comply with our legal obligation.
5.1 We transfer your personal data to countries outside the EU/EEA, when making data available to our processors, including the United States.
5.2 Further, some of our processors may use sub-processors located in other countries outside the EU/EEA. You can find lists of such sub-processors via the links below:
5.3 Unless the country in question has been approved by the European Commission as having a sufficient level of protection (including companies located in the United States that are covered by the EU-US Data Privacy Framework), the basis for the transfer is the European Commission's Standard Contractual Clauses.
5.4 If you want additional information about our transfer of personal data to third countries, you may make a request for such additional information by contacting us (see above).
6.1 As a starting point and depending on the specific situations, you have the following rights:
6.2 You can read more about your rights in the Danish Data Protection Agency's guidelines on data subjects' rights, which are available at datatilsynet.dk (in Danish) and at datatilsynet.dk (in English). Please contact us if you wish to exercise any of your rights. The relevant contact details are stated above.
7.1 If you want to lodge a complaint with a supervisory authority about our processing of your personal data, you can do so by contacting the Danish Data Protection Agency via their website, www.datatilsynet.dk