Privacy Policy
Waterheart I/S
This Privacy Policy explains how Waterheart I/S (“we”, “us”, “our”) collects, uses, and protects your personal data when you visit waterheart.eu (the “Site”) or purchase our products. We process personal data in accordance with the EU General Data Protection Regulation (GDPR, Regulation (EU) 2016/679) and the Danish Data Protection Act (Databeskyttelsesloven).
1. Data Controller
The data controller responsible for your personal data is:
- Company: Waterheart I/S
- CVR number: 46370767
- Address: Skørpingevej 21, Skørpinge, 4673 Rødvig Stevns, Denmark
- Email: gdpr@waterheart.eu
- Phone: +45 41 29 02 27
We have appointed a Data Protection Officer (DPO) who can be contacted at gdpr@waterheart.eu.
2. Personal Data We Collect
Depending on how you interact with us, we collect the following categories of personal data:
| Category | Examples | Source |
|---|---|---|
| Identity & contact data | Name, email, phone, billing and shipping address | Provided by you at checkout |
| Order & transaction data | Order number, items purchased, price, payment status, delivery details | Generated when you place an order |
| Payment data | Payment method and last 4 digits of card (full card data is handled by our payment provider) | Payment provider |
| Communication data | Emails, support tickets, chat messages, product reviews | Provided by you |
| Technical data | IP address, browser type, device type, operating system, referring URL | Collected automatically when you visit the Site |
| Usage data | Pages viewed, time on site, clicks, cart activity | Cookies and analytics tools (with your consent) |
| Marketing data | Newsletter subscription status, marketing preferences, email engagement | Provided by you / generated when you interact with our emails |
We do not knowingly collect special categories of personal data (e.g. health, religion, political opinions) or data about children under 16.
3. Purposes and Legal Basis
We process your personal data for the following purposes, each based on a lawful ground under Article 6 GDPR:
| Purpose | Data used | Legal basis |
|---|---|---|
| Processing and delivering your order | Identity, contact, order, payment | Contract performance — Art. 6(1)(b) |
| Customer support and handling complaints | Identity, contact, order, communication | Contract performance — Art. 6(1)(b) |
| Bookkeeping and tax compliance | Order, payment, invoice data | Legal obligation — Art. 6(1)(c) (Bogføringsloven) |
| Handling withdrawal, warranty, and product liability claims | Identity, contact, order, communication | Legal obligation & legitimate interest — Art. 6(1)(c) and (f) |
| Site security, fraud prevention, debugging | Technical, usage | Legitimate interest — Art. 6(1)(f) |
| Analytics and improving the Site | Technical, usage | Consent — Art. 6(1)(a) |
| Newsletters and marketing emails | Contact, marketing preferences | Consent — Art. 6(1)(a) / Markedsføringsloven §10 |
| Defending legal claims | Any relevant data | Legitimate interest — Art. 6(1)(f) |
Where we rely on legitimate interests, we have balanced those interests against your rights and freedoms and concluded that our processing does not override them. You can ask for more information about this balancing at any time.
4. Cookies and Similar Technologies
We use cookies and similar technologies on the Site. Strictly necessary cookies (e.g. session, cart, checkout, security) are used without consent because they are essential to providing the service you request. All other cookies — including analytics, personalisation, and marketing — are set only with your prior consent, which you give through our cookie banner.
You can withdraw or change your consent at any time through the cookie settings link in the footer of the Site. For full details of each cookie, its purpose, provider, and storage period, see our Cookie Policy.
5. Who We Share Your Data With
We share personal data only with parties that need it to support our operations. These include:
- Payment providers — e.g. Stripe, Klarna, MobilePay, Quickpay — to process payments.
- Shipping carriers — e.g. PostNord, GLS, DHL, UPS — to deliver your order.
- Hosting and platform providers — e.g. Hetzner, AWS — to operate the Site.
- Email and marketing services — e.g. Mailchimp, Klaviyo — to send transactional and marketing emails (the latter only with consent).
- Analytics providers — e.g. Plausible, Google Analytics — with consent, to understand how the Site is used.
- Accounting and auditing — external bookkeeper or auditor — to meet our legal record-keeping obligations.
- Production partners — e.g. 3D printing service bureau — where needed to fulfil your order.
- Public authorities — where required by law (e.g. tax authorities, courts).
Service providers that process data on our behalf act as data processors and are bound by a data processing agreement under Article 28 GDPR. They may only use your data for the purposes we instruct.
6. International Transfers
Some of our service providers are based outside the European Economic Area (EEA). When we transfer personal data outside the EEA, we ensure an adequate level of protection by relying on one of the following safeguards:
- An adequacy decision by the European Commission (e.g. UK, Switzerland, or providers certified under the EU–US Data Privacy Framework);
- Standard Contractual Clauses (SCCs) approved by the European Commission, together with supplementary measures where necessary;
- Another valid transfer mechanism under Chapter V of the GDPR.
You can request a copy of the safeguards in place by contacting us at gdpr@waterheart.eu.
7. How Long We Keep Your Data
We keep personal data only as long as needed for the purpose for which it was collected:
| Data type | Retention period |
|---|---|
| Accounting and transaction records (invoices, order data) | 5 years from the end of the financial year (Bogføringsloven §12) |
| Order and customer account data (beyond bookkeeping) | Up to 3 years after the last order, for warranty and complaints |
| Product liability documentation | Up to 10 years, to defend potential claims |
| Customer support communications | Up to 2 years after the case is closed |
| Newsletter subscription data | Until you unsubscribe, plus up to 2 years for documentation |
| Cookie-based analytics and marketing data | As stated in the Cookie Policy; typically up to 14 months |
| Server logs | Up to 6 months, for security and debugging |
After the retention period, data is deleted or anonymised. Where deletion is not technically feasible (e.g. backups), we isolate the data and stop active use until it is overwritten in the ordinary course.
8. Security
We take appropriate technical and organisational measures to protect your personal data against unauthorised access, loss, alteration, or disclosure. These include encryption in transit (TLS), access controls, regular backups, logging, and vendor due diligence. No system is perfectly secure; if a personal data breach occurs that is likely to result in a risk to your rights, we will notify the Danish Data Protection Agency (Datatilsynet) within 72 hours and, where required, inform you directly.
9. Your Rights Under GDPR
You have the following rights in relation to your personal data:
- Right of access (Art. 15) — obtain confirmation of whether we process your data and receive a copy.
- Right to rectification (Art. 16) — have inaccurate or incomplete data corrected.
- Right to erasure (Art. 17) — have your data deleted where one of the grounds applies (the “right to be forgotten”).
- Right to restriction (Art. 18) — have processing limited in certain circumstances.
- Right to data portability (Art. 20) — receive data you provided to us in a structured, machine-readable format.
- Right to object (Art. 21) — object to processing based on legitimate interests, including profiling, and to direct marketing at any time.
- Right to withdraw consent (Art. 7(3)) — withdraw consent at any time, without affecting the lawfulness of prior processing.
- Right not to be subject to automated decision-making (Art. 22) — we do not use automated decision-making that produces legal or similarly significant effects on you.
To exercise any of these rights, contact us at gdpr@waterheart.eu. We will respond within one month. Exercising your rights is free of charge, unless requests are manifestly unfounded or excessive.
10. Right to Lodge a Complaint
If you believe we have handled your personal data in breach of GDPR, you have the right to lodge a complaint with the Danish Data Protection Agency:
- Datatilsynet — Carl Jacobsens Vej 35, 2500 Valby, Denmark
- Phone: +45 33 19 32 00
- Website: datatilsynet.dk
You may also complain to the supervisory authority in your country of residence or place of work.
11. Children
The Site is intended for users aged 18 or over. We do not knowingly process personal data of children under 16. If you believe a child has provided us with personal data, please contact gdpr@waterheart.eu and we will delete it.
12. Changes to This Policy
We may update this Privacy Policy to reflect changes in our practices or legal requirements. The “Last updated” date at the top shows when the latest version took effect. Material changes will be communicated through the Site or, where appropriate, by email.
13. Contact Us
Questions, requests, or concerns about this Privacy Policy or your personal data? Contact us at:
- Email: gdpr@waterheart.eu
- Post: Waterheart I/S, Skørpingevej 21, Skørpinge, 4673 Rødvig Stevns, Denmark