Privacy policy

auditchecklists.org processes the minimum personal data needed to deliver the audit checklist you buy and to meet Danish bookkeeping law. This document explains exactly what we collect, why, on what legal basis, how long we keep it, and how you exercise your rights under GDPR.

Last updated: 22 May 2026. We post material changes here; the page preserves the date of last update so you can verify currency.

1. The data controller

auditchecklists.org is a brand operated by Contenza K/S, CVR 43349023, Denmark. Contenza K/S is the data controller for the personal data processed via this website and the auditchecklists.org catalogue.

Contact for data matters: use the privacy contact form. We respond within 30 days, sooner where reasonable.

2. What we collect, why, and on what legal basis

Data	Why	Lawful basis (Art. 6 GDPR)	Retention
Email address (purchase)	Deliver the artefacts. Send regulatory amendment notifications during the 12-month update period. Send the T-30 renewal email.	Art. 6(1)(b) performance of contract; Art. 6(1)(f) legitimate interest (amendment notices to existing buyers).	5 years from purchase (Danish bookkeeping law), then anonymised.
Cardholder name + billing address + country	Process payment, issue VAT-compliant invoice.	Art. 6(1)(b); Art. 6(1)(c) legal obligation (invoicing).	5 years from purchase, then anonymised on our side. Stripe retains per its own policy.
Organisation name (licensee)	Stamp the licence on every artefact. Address the invoice. Identify licence transfers.	Art. 6(1)(b); Art. 6(1)(f) anti-redistribution evidence.	5 years from purchase; the stamp on already-issued PDFs cannot be retracted (documented in the licence terms).
VAT ID (optional)	EU B2B reverse-charge handling.	Art. 6(1)(c) tax law.	5 years from purchase.
Contact-form submissions	Reply to your enquiry.	Art. 6(1)(b) pre-contractual measures at your request.	2 years from the last contact, or shorter on request.
Server logs (IP address, request path, timestamp)	Security, abuse detection, debugging.	Art. 6(1)(f) legitimate interest.	90 days, then rotated out.

3. What we do NOT collect

No analytics tracking. No Google Analytics, no Meta Pixel, no Plausible, nothing comparable.
No third-party cookies on this site. The only cookies are strictly-necessary session cookies set by the storefront app itself.
No card data. Stripe handles all card details; they never touch our servers.
No marketing list. You don't opt in to anything when you buy.

4. Sub-processors

We use a small set of well-known sub-processors. Each carries its own Data Processing Agreement with Contenza K/S.

Stripe Payments Europe Ltd (Ireland; payments and invoicing). Stripe is the payment processor and stores card data. Stripe sub-processes in the US under the EU-US Data Privacy Framework (DPF). stripe.com/privacy.
Resend, Inc. (US; transactional email delivery only). Resend transmits the delivery emails from ordersATauditchecklists.org to you. Resend is DPF-certified for EU data transfers. resend.com/legal/privacy-policy.
Hetzner Online GmbH (Germany; hosting). The application server, database and object storage run on a Hetzner VPS in Falkenstein. Hetzner does not access your data; they provide the infrastructure. hetzner.com/legal/privacy-policy.
MinIO (self-hosted on the Hetzner VPS; object storage). MinIO is open-source software we operate ourselves; there is no third-party data flow.

No personal data is shared beyond these processors. We never sell or rent personal data.

5. International transfers

The application and database run in the EU (Germany). Two processors (Stripe and Resend) involve transfers to the United States; both rely on the EU-US Data Privacy Framework adequacy decision (10 July 2023) as the lawful basis for the transfer. Each processor publishes its own Standard Contractual Clauses fallback in case the DPF lapses.

6. Your rights under GDPR

Use the privacy contact form to exercise any of the following. We respond within 30 days at the latest.

Access (Art. 15). A copy of everything we hold about you.
Rectification (Art. 16). Correction of inaccurate data.
Erasure (Art. 17). Deletion of your personal data, subject to the 5-year bookkeeping retention; invoice data we are required to keep is anonymised on our side. The licence stamp on PDFs already in your possession cannot be retracted (documented in the licence terms).
Restriction (Art. 18). Restriction of further processing.
Portability (Art. 20). Your data in a structured, common, machine-readable format.
Objection (Art. 21). Objection to processing based on legitimate interest, including the amendment-notice emails sent under Art. 6(1)(f) — though doing so will mean you stop receiving regulatory updates you may need.

7. Complaints

If you believe we have processed your personal data unlawfully and you are not satisfied with our response, you have the right to complain to the Danish data protection authority:

Datatilsynet · Carl Jacobsens Vej 35, 2500 Valby, Denmark · datatilsynet.dk · +45 33 19 32 00.

You may also complain to the supervisory authority in your country of habitual residence.

8. Changes to this policy

If we materially change how we process personal data, we update this page and rev the "Last updated" date at the top. We do not silently change the policy.