1 Accountability
1.1 Protecting your personal data is one of our top priorities. Consequently, we have adopted this Privacy Policy to inform you how we protect and process your personal data.
2 Company / Controller
2.1 Company and controller with respect to this Privacy Policy is:
Noticket - a part of FRAI Group ApS
Vindegade 146A, 1. tv.
CVR.: 44347431
(“NoTicket”, “we”, “us”, or “ours”).
E-Mail: compliance@noticket.io
Web: www.noticket.io
2.2 This Privacy Policy is available on our website: www.noticket.io/privacy-policy. When relevant we include links to the Privacy Policy in our communication with our customers and others, e.g. in our newsletters.
3 Introduction
3.1 Ensuring the security and confidentiality of your personal information is crucial to us. We follow strict procedures for collecting, storing, updating, disclosing, and deleting personal information to prevent unauthorized access to your personal data and to comply with applicable law.
3.2 When we request your personal data, we will inform you about the types of personal data we process and for what purposes. You will receive this information when we collect the personal data in question.
3.3 This Privacy Policy describes what types of personal data we collect, how we process the personal data and who you can contact if you have any questions or comments with respect to our processing of personal data. This Privacy Policy has been made with reference to the GDPR (General Data Protection Regulation (EU) 2016/679 ("GDPR")) and the Danish Data Protection Act (Act No. 502 of 23/05/2018) ("Data Protection Act").
3.4 In relation to the processing of personal data carried out by NoTicket on behalf of the customer (as the customer's data processor), a data processor agreement is entered into between the customer and NoTicket. Please see section 7.4.
4 Facial Recognition Data
4.1 NoTicket ApS handles facial recognition data with the highest level of care and in line with GDPR regulations.
4.2 Facial recognition data is securely stored and can only be accessed by authorized personnel.
4.3 We retain facial recognition data only for the duration necessary for its intended purpose or as mandated by law. After such a period, the data is securely deleted.
4.4 NoTicket ApS does not share, sell, or distribute facial recognition data to third parties, except when required by law or with the explicit consent of the individual.
5 Categories of personal data and data subjects
5.1 We typically collect and process the following categories of Personal Data:
- General contact information, including name, telephone number, and email
- Company name and CVR-number if you are a business customer (your workplace or your own business)
- Payment details and invoice information
- Information about the products and services you have bought
- Information regarding your use of our website and/or our profile on social media – please also see section 10.1 of this Privacy Policy
(hereinafter collectively referred to as ”Personal Data”)
6 Legal basis for processing of Personal Data
6.1 General
6.1.1 We process personal data primarily based on the consent of the data subject. For processing necessary personal data to provide NoTicket.io services, we rely on the data subject’s consent under GDPR Article 6(1)(a) for non-sensitive personal data. For facial recognition data, which is considered special category data under GDPR, we obtain explicit consent according to GDPR Article 9(2)(a) to use facial biometric data for service provision.
6.1.2 Additionally, we process personal data on the legal grounds of complying with legal obligations or court orders, supported by GDPR Article 6(1)(c), and in the case of legal claims, as per GDPR Article 9(2)(f).
6.1.3 For non-sensitive personal data, we also process data based on our legitimate interests (GDPR Article 6(1)(f)) to provide customer service, troubleshooting, product development, and ensure cybersecurity, provided that such interests are not overridden by the data subject’s rights and freedoms.
6.1.4 These legal bases uphold our commitment to processing personal data lawfully, fairly, and transparently, while always considering the rights and interests of the data subject.
6.2 Processing of Personal Data in relation to marketing
6.2.1 In connection with marketing purposes, the processing of Personal Data is primarily based on GDPR Article 6 (1), point f, and section 6 (1) of the Data Protection Act. We assess from time to time whether it is appropriate to obtain consent, for example, whether it is appropriate to obtain consent in connection with the use of imagery for our website, in newsletters, on social media, etc. If the processing of Personal Data is based on consent, our legal basis in the GDPR is Article 6 (1), point a, and section 6 (1) under the Data Protection Act.
7 Your rights
7.1 You have certain rights with respect to the Personal Data that NoTicket is processing about you. You have the following rights:
- Right to insight is the right to know if your Personal Data is processed and, if so, the right to obtain a copy of the Personal Data.
- Right to data portability is the right to receive Personal Data about yourself that you have given to NoTicket.
- Right to rectification is the right to correct wrong Personal Data.
- Right of deletion / right to be 'forgotten' is the right to have, with certain restrictions, your Personal Data deleted without undue delay.
- Right to object is the right to object to our processing of your Personal Data.
- Right to restrict processing of Personal Data is the right to restrict handling of Personal Data, e.g. if a request for deleting of data cannot be granted.
8 General data processing principles
8.1 Data processing principles
8.1.1 We will process the data subject’s Personal Data lawfully, fairly and in a transparent manner.
8.1.2 Our processing of Personal Data is subject to a purpose limitation, which means that Personal Data must be collected for explicitly stated and legitimate purposes. They may not be further treated in a manner incompatible with those purposes.
8.1.3 We process Personal Data based on a principle of data minimization, which means that it must be sufficient, relevant and limited to what is necessary for the purposes for which it is processed.
8.1.4 Personal Data must be processed based on a principle of accuracy, which means that it must be correct and, if necessary, up to date.
8.1.5 We process Personal Data based on a retention-limit principle, which means that Personal Data must be stored in such a way that it is not possible to identify the data subjects for longer than required for the purposes for which the Personal Data is processed.
8.1.6 Personal Data must be processed based on a principle of integrity and confidentiality, which means that it must be processed in a way that ensures adequate security of the Personal Data, including protection from unauthorized or unlawful processing and from accidental loss, destruction or damage, using appropriate technical or organizational measures.
8.2 Risk analysis
8.2.1 In the course of our case process, we must carry out the technical and organizational measures to ensure a level of security that fits the risks specifically associated with our processing of Personal Data. We have therefore carried out a risk analysis which underlies this Privacy Policy.
8.3 Duty to inform
8.3.1 When relevant, we include references to this Privacy Policy in our correspondence with customers, business partners etc. This Privacy Policy is also available on our website:
www.noticket.io/privacy-policy
8.3.2 NoTicket gladly contributes to the customers’ fulfillment of their information duties towards the customers’ (end) users of the NoTicket system. However, it is the duty of the customers to make sure that their duty to inform the end users is complied with.
8.4 Data Processing Agreements
8.4.1 If we are data controllers and have considered that a data processing structure is available with one of our suppliers, a data processing agreement must be agreed upon. The same applies if NoTicket is processing personal data on behalf of others, e.g. NoTicket’s customers (the fitness centers). In such cases NoTicket will be the data processor, and the customer will be the (data) controller of personal data. It is our assessment, as NoTicket is essentially a software supplier, that NoTicket to a large extent will be processing personal data on behalf of our customers.
8.4.2 The data processing agreement shall comply with the applicable requirements for data processing agreements as referred to in Article 28 (3) of the GDPR. This implies drawing up a contract or other legal document binding on the data processor. It is also a requirement that the data processing agreement be in writing, including electronically.
8.4.3 In addition, the GDPR sets several specific requirements for the content of the data processing agreement. The agreement must include information on the status and duration of the processing, the nature and objectives of the processing, the type of Personal Data, categorization of data subjects and our obligations and rights as controller, as well as the duties of the data processor in relation to performing the task. The requirements are specifically described in GDPR Article 28 (3), points a-h.
9 Transfer of Personal Data to third countries
9.1 NoTicket's processing of Personal Data will predominantly take place within the EU.
9.2 If it is necessary to transfer Personal Data to a third country or international organization located outside the EU/EEA, we shall ensure prior to the transfer of Personal Data to the third country or international organization that the transfer of Personal Data is carried out in a manner that constitutes sufficient guarantee that the Personal Data is protected, including in certain cases the use of the EU Commission's standard data protection contract provisions. We will, prior to any such transfer, assess if the Personal Data is granted a level of protection essentially equivalent to that guaranteed by the GDPR and the EU Charter of Fundamental Rights – if necessary with additional measures to compensate for lack of protection of third country legal systems.
10 Security measures
10.1 We have taken the necessary technical and organizational security measures to protect your Personal Data from accidental or unlawful destruction, loss or change and from unauthorized public disclosure, misuse or other conduct in violation of applicable law.
10.2 Access to Personal Data is limited to persons who have a need for access to Personal Data. Employees who process Personal Data are instructed and trained to know what to do with Personal Data and how to protect Personal Data.
10.3 Passwords are used to access PCs and other electronic devices with Personal Data. Only the persons who need access will have a code and then only for the systems that he or she needs to use. Persons with access codes must not leave the code to others or leave it for others to see. Check-ups on assigned codes will be carried out regularly.
10.4 If sensitive Personal Data or a Social Security number is sent by email over the Internet, such emails must be encrypted. If you send Personal Data to us by email, please be aware that this is not secure if your emails are not encrypted. We advise you to not send us confidential or sensitive Personal Data by email unless this is specifically agreed in advance so that we can ensure the necessary level of security.
10.5 In connection with the repair and service of data equipment containing Personal Data and when data media is to be sold or discarded, we take the necessary measures to ensure that the Personal Data cannot come to the attention of unauthorized persons, for example by using declarations of confidence.
10.6 When using an external data processor to process Personal Data, a written agreement is signed between us and the data processor, which also imposes a duty on the data processor to carry out the necessary technical and organizational security measures to protect your Personal Data.
10.7 NoTicket takes backup of all databases and files on shared drives. Backup is stored on an external server.
10.8 Security measures in NoTicket’s biometric scanning software
10.9 As previously described, this Personal Data Policy primarily concerns NoTicket's processing of personal data as data controller. However, NoTicket would like to contribute to the customers' fulfillment of their obligations towards end users and has therefore in the following section described the security measures used in NoTicket's biometric scanning software (the "Future Recognition Platform").
10.10 In the following sections, we describe the anonymization technique that is part of our standard biometric scanning setup. For the sake of good order, however, we point out that what is described below may vary from the specific solution that the customer has agreed with NoTicket. For example, it may be agreed that NoTicket processes data about only its employees or members, which is not fully in anonymised form. In that case, such processing of personal data takes place only with the data subjects’ express consent.
10.11 Security measures regarding ”input data”
10.11.1 In NoTicket, we have built several complex and advanced security measures into our biometric scanning software.
10.11.2 The system ensures that all input data and output data are anonymised, so that the information collected cannot be used to identify a specific natural person. To ensure anonymity in connection with the collection of information via biometric scanning, we have developed a digital platform ("Future Recognition Platform"). The platform makes it possible to perform biometric scanning etc. in such a short time (between 22 - 150 milliseconds) that no images of individuals can be recognized. Thus, at no time does the platform store personal information on an electronic medium from which identifiable natural persons can be derived.
10.11.3 To protect the transfer of images between the camera and our system, and to best protect the rights of individuals, we use the HTTPS protocol. The HTTPS protocol is a protocol that is used by online banks, debit card and credit card payments via the Internet and / or registration, where the CPR number must be provided.
10.11.4 In connection with the storage of the image in the application memory (but only in the server's RAM, not in the server's hard drive), we deliberately use data fragmentation. The data fragmentation ensures that the image data in the memory is divided into many small pieces, which cannot be collected or recreated in a way so that natural persons can be deduced.
10.12 Security measures regarding “output data”
10.12.1 By output data we mean any result we create with our electronic data processing, which can subsequently be read using our system.
10.12.2 In connection with securing output material, we have implemented the anonymisation technique generalization. The technique must help to ensure that any data set that we present to the user has irrevocably removed the identification of individuals, so that individuals can neither be separated nor deduced from the data set itself or by interconnection with other data sets.
10.12.3 In the results, we have changed the relative order of the data sets that we presented to the user at any given time. In this way, there are several people associated with the same data set, and thus it becomes less likely that individuals can be designated. We generalize within the following classes: gender, age groups, ethnicities, mood and weather status.
11 Retention periods and deletion
11.1 When do we delete your Personal Data?
11.1.1 Upon termination of the contractual relationship with a customer, we will generally delete the Personal Data from the customer relationship as soon as it is no longer necessary to retain the applicable Personal Data.
11.1.2 However, several considerations and special rules mean that Personal Data cannot or should not always be deleted before a certain time has passed.
11.1.3 Therefore, we always carry out a specific evaluation to determine how long Personal Data should be stored before being deleted.
11.1.4 Bookkeeping rules mean that Personal Data related to a payment must be stored for 5 years + the current calendar year after the end of the financial year.
11.1.5 The fact that we may protect your or our interests through possible liability may involve the retention of Personal Data for 3 years (or in exceptional circumstances for a longer period) after the end of our relationship with the customer or supplier. However - to ensure logical synergy with the financial processing of information - the customer’s basic data is stored for up to 5 years after the end of the customer relationship.
11.1.6 If Personal Data is obtained based on your consent, we will in principle delete the Personal Data obtained based on consent immediately after you withdraw your consent. However, we are obliged to keep the documentation, stating that we lawfully asked for your consent, for 2 years from the latest marketing material sent to you. Generally, a recall of consent does not affect our processing of Personal Data, which is based on grounds other than your consent, e.g. if the continued processing of the Personal Data is necessary in order for us to comply with legal obligations, to which NoTicket is subjected.
11.1.7 Contact information in our CRM-system is deleted and updated on an ongoing basis. However, emails which may be relevant to the determination of a legal claim are stored for up to 3 years and then deleted unless there is an obvious risk that a legal claim will be filed against or is considered being filed by NoTicket.
12 Cookies and use of our website
12.1 We collect various pieces of information about you in connection with the operation of our website: We collect information about you and your use of our website through the so-called “cookies”.
12.2 What are “cookies”?
12.2.1 Cookies are small bits of information that NoTicket places on your computer's hard drive, on your tablet or on your smartphone. Cookies contain information that NoTicket uses to streamline communication between you and your web browser.
12.2.2 There are two types of cookies - session cookies and persistent cookies. Session cookies are bits of information that are erased when you close your web browser. Persistent cookies are bits of information that are stored on your computer until they are erased. Persistent cookies erase themselves after a certain period of time but are renewed each time you visit NoTicket. NoTicket uses both temporary and persistent cookies.
12.3 Consent to our use of cookies on NoTicket’s website
12.3.1 When visiting our website for the first time, you will receive information on our use of cookies and be asked whether you wish to consent to the use of cookies on our website. If you have provided your consent, you can always withdraw your consent and delete the cookies already saved on your device via the settings in your web browser.
12.4 What type of cookies do we use and for what purposes?
12.4.1 We use cookies:
- for necessary purposes: some cookies are necessary for the website to work at all. Necessary cookies can e.g. help enable the website to navigate and maintain selected settings as long as you use the website. Necessary cookies are typically session cookies that are deleted when you close your browser.
- to enhance functionality: improve the functionality and optimize your experience of NoTicket and help you remember your username and password so you do not have to log in again when you return to NoTicket.
- for statistics, i.e.: measuring traffic on NoTicket, including the number of visits to NoTicket, what domains visitors come from, what pages they look at on NoTicket and what general geographic area the user is in.
12.4.2 NoTicket provides access for its third-party suppliers to inspect the contents of the cookies that are set by NoTicket. This information shall be used exclusively on behalf of NoTicket and must not be used for the third party's own purposes.
12.5 How to delete cookies
12.5.1 You always have the option to erase cookies stored on your computer. You can erase cookies from your hard drive, block all cookies or receive a warning before a cookie is stored via your browser settings. You must be aware that in such case services and features cannot be used by you because they require cookies to remember choices you make. We hope that you will allow the cookies we set as they help us improve NoTicket’s website.
12.5.2 You can always delete cookies that you have accepted when you wish. If you have a computer with a newer browser, you can quickly do so by using the shortcut keys CTRL + SHIFT + Delete.
12.5.3 On the website you can see how to delete cookies depending on which browser you use.
12.5.4 In order to erase cookies from Google Analytics you can use the link: [Link to instructions].
12.6 Your use of the NoTicket website
12.6.1 Our primary purpose of the website is to show and tell about the services that NoTicket offers.
12.6.2 Via the website, NoTicket can be contacted and customers can get general information about NoTicket. Attempts are made to update the website as changes occur.
12.6.3 It is voluntary to use the website. Copying of text and images from the website may in no case be done without the consent of NoTicket. You may only link to the website and text from the website may only be quoted with indication of source reference and by prior agreement with NoTicket.
12.6.4 NoTicket's website may contain links to other websites on the Internet. NoTicket does not take responsibility for these websites, including the website providers' use of cookies and / or the processing of personal data. The websites of such third parties may thus use cookies and process personal data in a different way than that described in this Privacy Policy. If you click on a link to access these pages, it is at your own risk. NoTicket does not endorse any products or information offered on websites to which you are redirected from this website.
13 Changes to this Privacy Policy
13.1 NoTicket may change this Privacy Policy at any time and without notice and with future effect. In the event of such changes, our users are informed on our website.
14 Contact information
14.1 If you have any questions about this Privacy Policy, our processing of Personal Data, rectification or your relationship with us in any other way, you may contact us at the following email address: compliance@noticket.io and via the contact form on our website.
15 Data Protection Agency
15.1 You can complain to the Danish Data Protection Agency (in Danish: “Datatilsynet”) regarding NoTicket's processing of your Personal Data. Please refer to the website of the Danish Data Protection Agency: www.noticket.io.