Who controls your personal data
The data controller for personal data collected through https://phrixxenxak.world/ and related studio services is Phrixxenxak, with its registered business address at Kalvebod Brygge 59, 1560 København V, Denmark. You can reach our data protection contact at ask@phrixxenxak.world or by telephone on +45 33 31 55 55. We respond to rights requests and general privacy questions through these channels.
Where we act as a processor on behalf of a client organisation, that organisation is typically the controller for employee or end-user data, and we process such data strictly under contract. This notice focuses on situations where we are the controller for visitors, prospects, and direct clients of the studio.
Summary in short lines
- We collect only what we need to operate the website, answer enquiries, deliver services, invoice, and meet legal duties.
- We rely on consent for optional analytics and marketing cookies; other processing rests on contract steps, legitimate interests, or legal obligation as described below.
- We keep data for defined periods, then delete or anonymise it unless a longer period is required by law or an active dispute.
- You may access, correct, delete, restrict, object, and port data where applicable, and withdraw consent without affecting prior lawful processing.
- We do not sell personal data. We use vetted service providers under data processing terms.
This summary is a convenience. The sections that follow are authoritative for legal detail.
Categories of personal data
Website and communications
When you use the contact form, we collect your name, email address, the text of your message, and the time of submission. Our systems may also record technical metadata such as browser type, approximate location derived from IP at regional level, and a truncated or hashed identifier where needed for abuse prevention.
Client and workshop records
If you purchase facilitation, documentation packs, or related services, we process billing details, purchase history, delivery email addresses, attendance lists you supply, and correspondence about scope. We avoid collecting sensitive categories unless you voluntarily include them in a message; in that case we minimise retention and suggest secure channels if content is highly confidential.
Cookies and similar technologies
Strictly necessary storage keeps consent state and security tokens. If you opt in, analytics tools may assign a pseudonymous identifier; marketing tools may store campaign parameters. See the cookie policy for granular categories and lifetimes.
Server and security logs
Our hosting environment logs IP addresses, timestamps, requested URLs, HTTP status codes, and error traces. These logs support incident response and capacity planning.
Purposes and legal bases
Under the GDPR we must identify a legal basis for each purpose. The following table maps common processing activities to Articles 6 and, where relevant, Article 9. Article 9 applies only if you send us special-category data without solicitation; we discourage that and delete such content when feasible.
- Responding to enquiries — Article 6(1)(b) steps prior to contract, or 6(1)(f) legitimate interest in communicating with people who contact us. Balancing test: limited data, clear opt-out by ceasing contact, no profiling.
- Delivering purchased services — Article 6(1)(b) performance of contract.
- Invoicing, accounting, tax — Article 6(1)(c) legal obligation under Danish bookkeeping and tax rules.
- Operating and securing the Site — Article 6(1)(f) legitimate interests in availability, fraud prevention, and debugging, with minimised logging.
- Optional analytics and marketing — Article 6(1)(a) consent obtained through the cookie interface.
- Establishing or defending legal claims — Article 6(1)(f) where processing is necessary and proportionate.
Recipients and subprocessors
We share personal data only with service providers that help us run the business, and only on written terms that require GDPR-compliant handling. Categories include: hosting and content delivery, email delivery, calendar scheduling where you book a call, payment processors for card transactions, and professional advisers bound by confidentiality. We publish or provide on request an up-to-date list of material subprocessors for client engagements.
We may disclose information if required by court order, competent regulatory demand, or to protect the vital interests of a person. We challenge demands that appear overbroad where law permits.
Advertising and landing-page measurement
If we purchase online advertising, platforms may process technical data such as clicks, impressions, and coarse location as described in their policies. Where the law requires consent, we rely on the cookie and consent tools on this Site. Paid ads are intended to direct users to pages on this domain that describe the same categories of services and limitations as stated on this website and in our terms of use.
International transfers
Data is primarily processed within the European Economic Area. If a subprocessor stores data in a country not subject to an adequacy decision, we implement Standard Contractual Clauses approved by the European Commission, supplemented by technical measures such as encryption in transit, and organisational measures including transfer impact assessments where appropriate. You may request a redacted copy of relevant safeguards.
Retention periods
Retention follows a default schedule, subject to override when law or litigation requires longer storage:
- Contact form messages: up to twenty-four months after the last substantive reply, unless the thread becomes a client relationship governed by project retention.
- Client contracts and deliverables: life of the agreement plus seven years where accounting rules apply, unless a shorter period is agreed in writing and permitted by law.
- Server logs: typically ninety days, extendable for active security investigations.
- Consent records: stored in your browser’s local storage until cleared; we keep internal change logs of policy versions for three years.
- Marketing lists: until you unsubscribe or object, then suppressed identifiers may be kept solely to honour the objection.
Security measures
We implement access control with individual accounts, principle of least privilege, password policies for staff devices, disk encryption on portable hardware where used, malware protection on endpoints, and HTTPS across public endpoints. Backups are encrypted and rotated. We vet vendors for security posture and include confidentiality clauses in agreements.
No online service is risk-free. If we become aware of a personal data breach likely to affect your rights, we will notify the supervisory authority and, when required, affected individuals without undue delay, describing impact and remedial steps.
Your rights
Subject to conditions in the GDPR, you may:
- Request access to personal data we hold about you.
- Request rectification of inaccurate data.
- Request erasure where applicable, for example when data is no longer needed or consent is withdrawn and no other basis applies.
- Request restriction of processing in specific cases such as contested accuracy.
- Object to processing based on legitimate interests, including profiling that produces legal or similarly significant effects, where such profiling exists.
- Request data portability for data you provided that we process by automated means under contract or consent.
- Withdraw consent at any time for processing that relies on consent, without affecting the lawfulness of processing before withdrawal.
- Lodge a complaint with Datatilsynet in Denmark or another EU supervisory authority where you live or work.
We may need to verify your identity before fulfilling requests. We respond within one month, extendable by two further months where complex, and we explain any refusal with reference to legal grounds.
Children, automation, and updates
The Site is directed at adults in professional contexts. We do not knowingly collect data from children below digital consent ages without parental authority. If you believe we received a child’s data in error, contact us for prompt deletion.
We do not use solely automated decision-making that produces legal effects on visitors in the GDPR Article 22 sense. If that changes, we will update this notice and provide meaningful information about logic and consequences.
We may revise this policy to reflect new features, regulators’ guidance, or corporate structure changes. Material updates will be posted on this page with an updated reference timeline. Continued use after notice where consent is not required constitutes acknowledgement; where consent is required, we will seek it explicitly.
For privacy requests: ask@phrixxenxak.world · Kalvebod Brygge 59, 1560 København V, Denmark · +45 33 31 55 55