Privacy Policy
Last updated: 29 March 2026
1. Introduction
This privacy policy explains how Alliance42 ApS collects, uses, and protects your personal data when you use our website alliance42.eu and our services.
We are committed to protecting your privacy and processing your data in accordance with the General Data Protection Regulation (EU) 2016/679 (GDPR) and the Danish Data Protection Act (Databeskyttelsesloven).
2. Data Controller
The data controller responsible for your personal data is:
Alliance42 ApS
CVR: 46047109
Denmark
Email: contact@alliance42.eu
Phone: +45 42 80 25 42
Alliance42 is not required to appoint a Data Protection Officer (DPO) under Article 37 of the GDPR. For all data protection inquiries, please contact us at contact@alliance42.eu.
3. What Personal Data We Collect
We collect personal data only when you actively provide it to us through our website. We do not collect data passively or without your knowledge.
Contact form
Name, email address, company name, phone number, and your message.
Security and NaaS estimator tools
Company name, CVR number, contact name, email address, phone number, number of employees, number of servers, number of locations, and billing preference.
Live chat (Crisp, only after cookie consent)
Chat messages, browser type, screen size, and pages visited.
Automatically collected
IP address (used temporarily in server memory for rate limiting only, not stored permanently).
4. Purposes and Legal Basis
We process your personal data for the following purposes, each linked to a specific legal basis under GDPR Article 6(1):
| Data | Purpose | Legal basis |
|---|---|---|
| Name, email, company, phone, message | Respond to your inquiry and prepare an offer | Consent - Art. 6(1)(a) |
| Company, CVR, contact details, infrastructure details | Generate a security or network estimate | Consent - Art. 6(1)(a) |
| Chat messages, browser info | Provide live chat support | Consent - Art. 6(1)(a) |
| IP address | Rate limiting to protect against abuse | Legitimate interest - Art. 6(1)(f) |
| Cookie consent choice | Record your consent preference | Legal obligation - ePrivacy Directive |
Name, email, company, phone, message
Purpose: Respond to your inquiry and prepare an offer
Legal basis: Consent - Art. 6(1)(a)
Company, CVR, contact details, infrastructure details
Purpose: Generate a security or network estimate
Legal basis: Consent - Art. 6(1)(a)
Chat messages, browser info
Purpose: Provide live chat support
Legal basis: Consent - Art. 6(1)(a)
IP address
Purpose: Rate limiting to protect against abuse
Legal basis: Legitimate interest - Art. 6(1)(f)
Cookie consent choice
Purpose: Record your consent preference
Legal basis: Legal obligation - ePrivacy Directive
5. Recipients and Processors
We use the following data processors to deliver our services. All processors are bound by data processing agreements (DPAs) and process data exclusively on our behalf.
| Processor | Service | Location | Data processed |
|---|---|---|---|
| Hetzner Online GmbH | Server hosting and infrastructure | Falkenstein, Germany (EU) | All website data, database, files |
| Supabase (self-hosted on Hetzner) | Database | Hetzner, Germany (EU) | Contact submissions, estimates, CRM data |
| Proton Technologies AG | Email (SMTP) | Geneva, Switzerland (adequacy decision) | Email addresses, names, message content |
| Crisp IM SAS | Live chat widget | France (EU) | Chat messages, browser info (only after consent) |
| n8n (self-hosted on Hetzner) | Workflow automation | Hetzner, Germany (EU) | Contact and estimate data for email notifications |
| Plausible Insights OÜ | Cookieless website analytics | Estonia (hosted on Hetzner Germany) | None · Plausible processes no personal data and sets no cookies |
Hetzner Online GmbH
Service: Server hosting and infrastructure
Location: Falkenstein, Germany (EU)
Data processed: All website data, database, files
Supabase (self-hosted on Hetzner)
Service: Database
Location: Hetzner, Germany (EU)
Data processed: Contact submissions, estimates, CRM data
Proton Technologies AG
Service: Email (SMTP)
Location: Geneva, Switzerland (adequacy decision)
Data processed: Email addresses, names, message content
Crisp IM SAS
Service: Live chat widget
Location: France (EU)
Data processed: Chat messages, browser info (only after consent)
n8n (self-hosted on Hetzner)
Service: Workflow automation
Location: Hetzner, Germany (EU)
Data processed: Contact and estimate data for email notifications
Plausible Insights OÜ
Service: Cookieless website analytics
Location: Estonia (hosted on Hetzner Germany)
Data processed: None · Plausible processes no personal data and sets no cookies
We do not share your personal data with third parties for marketing purposes. We do not sell your data.
6. International Transfers
All personal data is stored and processed within the EU/EEA. Our infrastructure is hosted by Hetzner in Germany.
The only data processed outside the EU is email, handled by Proton Technologies AG in Switzerland. Switzerland has an adequacy decision from the European Commission, meaning it provides an adequate level of data protection equivalent to the EU.
We do not transfer personal data to the United States or any other third country without an adequacy decision or appropriate safeguards.
7. Retention Periods
We retain your personal data only for as long as necessary for the purposes described above:
- Contact form submissions and estimates: 24 months, or until you request deletion.
- Live chat messages (Crisp): Maximum 12 months, per Crisp's retention policy.
- Cookie consent choice: 12 months.
- IP addresses for rate limiting: Not stored permanently. Used in server memory only during the active session.
- DPA submissions · IP address and user agent: 12 months from submission, after which those fields are automatically deleted. The DPA document content (company name, CVR, signatory) is retained for up to 24 months for audit purposes.
After the retention period expires, data is deleted or anonymized.
When you submit a Data Processing Agreement via our DPA generator, in addition to the form fields we also log your IP address and user agent. The purpose is abuse prevention and an audit trail for the signed agreement. The legal basis is legitimate interest under Art. 6(1)(f) GDPR. The IP address and user agent are automatically deleted 12 months after submission. You can request deletion at any time by writing to contact@alliance42.eu.
8. Your Rights
Under GDPR, you have the following rights regarding your personal data:
- Right of access (Art. 15) - You can request a copy of the personal data we hold about you.
- Right to rectification (Art. 16) - You can request correction of inaccurate or incomplete data.
- Right to erasure (Art. 17) - You can request deletion of your personal data ("right to be forgotten").
- Right to restriction of processing (Art. 18) - You can request that we limit how we use your data.
- Right to data portability (Art. 20) - You can request your data in a structured, machine-readable format.
- Right to object (Art. 21) - You can object to processing based on legitimate interest.
- Right to withdraw consent (Art. 7(3)) - You can withdraw your consent at any time, without affecting the lawfulness of processing that occurred before the withdrawal.
9. How to Exercise Your Rights
To exercise any of the above rights, please contact us at:
contact@alliance42.eu
We will respond to your request within 30 days, as required by Article 12(3) of the GDPR. This service is provided free of charge, in accordance with Article 12(5).
We may ask you to verify your identity before processing your request.
10. Complaint to Supervisory Authority
If you believe that our processing of your personal data violates the GDPR, you have the right to lodge a complaint with the Danish Data Protection Agency:
Datatilsynet
Carl Jacobsens Vej 35, 2500 Valby
dt@datatilsynet.dk
+45 33 19 32 00
www.datatilsynet.dk
11. Automated Decision-Making
We do not use automated decision-making or profiling as defined under Article 22 of the GDPR.
Our estimator tools provide non-binding, indicative estimates for informational purposes. They do not constitute automated decisions with legal or similarly significant effects.
12. Data Security
We take the protection of your personal data seriously. Our security measures include:
- Encryption of data in transit (TLS/HTTPS)
- EU-hosted infrastructure with no third-country data transfers
- Access controls limiting who can access personal data
- Regular review and improvement of security measures
13. Compliance and Certifications
Alliance42 builds its infrastructure and services on the NIS2 directive framework.
We are actively working towards ISO 27001 certification.
All infrastructure and data processing is designed with GDPR compliance as a foundational requirement.
We continuously evaluate and improve our security posture in line with recognized European standards.
References to compliance frameworks reflect our active commitment and roadmap, not necessarily completed certifications unless explicitly stated.
14. Changes to This Policy
We may update this privacy policy from time to time to reflect changes in our practices or legal requirements.
Material changes will be communicated through a notice on our website. We encourage you to review this policy periodically.
The date at the top of this page indicates when the policy was last updated.