How ErgoDenta handles your personal data

1 Who is the data controller

The data controller responsible for processing your personal data is:

• ErgoDenta ApS
• CVR no. 43850032 · VAT no. DK43850032
• Hørskætten 14 · 2630 Taastrup · Denmark
• Phone: +45 5524 1100
• Email: info@ergodenta.dk

For all privacy-related queries — including requests to exercise your rights — please use the email above and reference "GDPR request" in the subject line.

2 What personal data we collect

Identity & account data

• First name and last name
• Job title or professional role (e.g. dentist, hygienist, distributor manager)
• Company / clinic / institution name
• Professional licence number where required for verification

Contact data

• Business email address
• Business phone number
• Billing and shipping addresses
• Country of operation

Transaction & financial data

• VAT/tax registration number
• Order history, invoice records, payment status
• Bank account details (for refunds and supplier payments only)
• Credit-card data is processed by our payment-service provider — we do not store full card numbers on our servers.

Technical data

• IP address (anonymised after collection where applicable)
• Browser type and version, device type, operating system
• Pages visited, time on page, referral source, click-stream data
• Cookie identifiers (see clause 9 below)

Communication data

• Records of email correspondence with our customer service team
• Notes from sales and support conversations
• Newsletter subscription status and engagement (open/click events)

We do not knowingly collect special categories of personal data (health, religious belief, political opinion, etc.). We do not knowingly process data of children under 18.

3 How we collect it

• Directly from you — when you create an account, place an order, request a quotation, subscribe to our newsletter, contact our customer service team, or visit our trade-show stand;
• Automatically — through cookies, server logs and analytics tools when you visit our website;
• From third parties — including our distributors who refer you, public business registries (CVR.dk, EU VIES VAT validation), and credit-reference agencies for credit-control checks where credit terms are requested.

4 The legal basis for processing

We rely on the following GDPR legal bases:

• Performance of a contract (Art. 6(1)(b)) — to process your orders, deliver products, provide warranty service, manage payment, and fulfil our distributor and reseller agreements.
• Compliance with a legal obligation (Art. 6(1)(c)) — to keep accounting, VAT and tax records as required by Danish law (typically 5 years), and to fulfil EU-MDR vigilance obligations.
• Legitimate interests (Art. 6(1)(f)) — to operate and improve the website, prevent fraud, communicate with B2B customers about products and offers relevant to their professional activity, manage business relationships, and enforce our rights.
• Consent (Art. 6(1)(a)) — for non-essential cookies, optional analytics tracking, and any marketing communications where consent is required by law.

5 How we use your data

• To create and manage your customer or distributor account;
• To process orders, issue invoices, arrange shipment and provide post-sale support;
• To verify your professional eligibility under our B2B-only sales policy;
• To communicate with you about your orders, account, warranty claims, and after-sales service;
• To send technical and product-safety notifications, including any required vigilance or recall communications;
• To send commercial communications (newsletters, product launches, trade-show invitations) where you have subscribed or have an existing business relationship;
• To analyse website usage, improve the website experience, and develop new products and services;
• To prevent fraud, enforce our Terms, manage credit risk, and protect our rights, property and business;
• To comply with applicable law, regulatory requirements and lawful requests from public authorities.

6 Data we share with third parties

We share personal data only where necessary, on a need-to-know basis, with carefully selected service providers who act as our data processors under written GDPR-compliant data-processing agreements:

• Hosting & e-commerce — Odoo S.A., Belgium / EU;
• Payment processing — credit card and bank-transfer processing handled by regulated PSPs (e.g. Stripe, Adyen, our acquiring bank);
• Shipping carriers — UPS, FedEx, DHL, GLS receive recipient name, address, phone and email to deliver your order and provide tracking;
• Email and productivity — Google Workspace (Google Ireland Ltd);
• Analytics — Google Analytics 4 with IP anonymisation enabled;
• Customer support tools — internal CRM and ticketing tools operated by ErgoDenta;
• Accounting & tax advisers — our external accountant and tax adviser for statutory financial record-keeping;
• Professional advisers — lawyers, auditors, insurance providers, where required for the protection of legal rights;
• Public authorities — where required by law (tax authority, customs, supervisory authorities), or for EU-MDR vigilance reporting.

We do not sell, rent or trade personal data to third parties for their own marketing purposes.

7 International data transfers

Some of our service providers (notably Google, Stripe, and certain shipping carriers) operate or process data outside the European Economic Area, primarily in the United States and the United Kingdom. Where personal data is transferred outside the EEA, we rely on:

• The European Commission's adequacy decisions (e.g. EU-U.S. Data Privacy Framework, UK adequacy decision); or
• Standard Contractual Clauses approved by the European Commission, supplemented where necessary by additional technical and organisational safeguards.

8 How long we keep your data

• Account & transaction data — for the duration of the business relationship plus 5 years thereafter, to satisfy Danish accounting and tax record-keeping requirements (Bogføringsloven);
• Warranty & product-safety records — for the working life of the product plus 10 years, to enable post-market surveillance and traceability under EU-MDR;
• Newsletter & marketing data — until you unsubscribe, plus a short suppression window to honour opt-out;
• Website analytics & cookie data — typically 14 months (Google Analytics default), with IP address anonymised on collection;
• Communications & support records — typically 3 years from the last interaction;
• Data we are required to retain by law — for the period specified by the relevant law.

9 Cookies & analytics

Our website uses cookies and similar technologies. Essential cookies are required for the website to function (session management, basket, security). Analytical cookies (Google Analytics 4) help us understand how the site is used, with IP anonymisation enabled. We do not currently use third-party advertising or behavioural-tracking cookies.

You may accept or decline non-essential cookies via the cookie banner shown on first visit, and you may withdraw consent at any time by clearing your cookies and revisiting the site, or by adjusting your browser settings to block cookies.

10 Marketing communications

Where you are an existing business customer or you have subscribed to our newsletter, we may send you periodic communications about new products, technical guides, trade-show appearances and similar topics relevant to your professional activity. Every email contains a one-click unsubscribe link. You may also opt out at any time by emailing info@ergodenta.dk.

11 Data security

We apply appropriate technical and organisational measures to protect personal data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure or access. Measures include encryption in transit (HTTPS/TLS), encryption of stored payment card data at the PSP, role-based access controls within ErgoDenta, secure password practices, and periodic review of supplier-side security postures. No information system is impregnable; you should also adopt good practice on your side (strong passwords, secure devices, prompt notification of any suspected breach).

12 Your GDPR rights

Subject to the conditions and exceptions set out in the GDPR, you have the right to:

• Access a copy of the personal data we hold about you;
• Rectification — to correct inaccurate or incomplete data;
• Erasure ("right to be forgotten") — where we no longer have a lawful basis to keep the data;
• Restriction of processing — to limit how we use the data while a query is investigated;
• Data portability — to receive your data in a structured, machine-readable format and have it transferred to another controller where technically feasible;
• Object to processing carried out on the basis of legitimate interests, including direct marketing;
• Withdraw consent at any time where processing is based on consent (without affecting the lawfulness of prior processing);
• Not be subject to a decision based solely on automated processing that produces legal effects on you. We do not currently make any automated decisions of this kind.

13 How to exercise your rights

Send a written request to info@ergodenta.dk with the subject line "GDPR request" and a brief description of the right you wish to exercise. We will respond within one calendar month. We may need to verify your identity before disclosing or acting on personal data. The service is free of charge except where requests are manifestly unfounded or excessive, in which case a reasonable fee may be charged or the request may be refused with reasons.

14 Complaints to the supervisory authority

If you believe we have not handled your personal data in accordance with GDPR, you have the right to lodge a complaint with the Danish Data Protection Agency (Datatilsynet):

• Datatilsynet, Carl Jacobsens Vej 35, 2500 Valby, Denmark
• Phone: +45 33 19 32 00 · Email: dt@datatilsynet.dk
• Web: datatilsynet.dk

15 Changes to this policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements or business operations. Material changes will be highlighted in the website footer or by direct notification. The version published at this URL on a given date is the version that applies to processing on that date.