Privacy

Privacy Policy — how we honour careful data practice

This Policy describes the personal data processed when you visit https://organmobility.world, purchase informational materials, or correspond with Organmobility from Denmark. We write in plain language because transparency supports trust, but the legal standards of the EU General Data Protection Regulation (GDPR) and supplemental Danish rules remain the governing framework.

The website publishes general educational content on functional body training. Nothing here is clinical care; we do not use health data for automated diagnostic profiling.

Introduction and layered notices

We layer information so you can read a short overview in the cookie banner, a technical annex in the Cookie Policy, and this fuller statement for accountability questions. If a separate contract governs a paid informational service, that contract may add processor details, but it will not reduce the baseline rights described here unless the law explicitly allows a narrower scope.

Plain summary

We collect limited personal data to operate the site, answer messages, invoice where applicable, and improve aggregated understanding of readership when you opt in to analytics. We avoid collecting sensitive categories such as medical diagnoses through general contact forms.

Who is covered and which operations are included

This Policy applies to visitors, prospective clients, current clients of informational products, and professionals who email the studio from any country. Establishing the controller in Denmark does not restrict GDPR rights for data subjects elsewhere in the European Economic Area (EEA); it simply identifies which organisation answers primary regulatory correspondence.

Operations include static website delivery, optional client portals if deployed later, email threads, telephony notes taken during return calls, and accounting records associated with purchases. Training attendance sheets that you complete voluntarily are stored as contractual artefacts, not medical records.

Categories of personal data

Depending on your path through the services, we may process:

  • Identity and contact data such as name, email address, phone number, and country of residence.
  • Commercial information including purchase titles, amounts, VAT identifiers for business buyers, and delivery channels for digital downloads.
  • Communication content contained in messages, attachments you choose to send, and internal notes required to coordinate replies.
  • Technical identifiers such as IP address, browser type, operating system, referring URL, device screen category, and approximate region derived at city or regional granularity through analytics tools when enabled.
  • Cookie and local storage identifiers when you interact with the preference centre.
  • Aggregated statistics derived from the above, for example heatmaps of scroll depth, without attempting to infer medical conditions.

Category          Examples
Account-related   Name, email, locale preference if accounts launch later.
Transactional     Order ID, payment status from payment processors.
Technical         Log timestamps, HTTP status codes, bot detection scores.

Sources of data

Most records come directly from you when you complete forms, check out, or speak with staff. We may receive updated contact details from payment service providers when you change billing addresses. Occasionally a referrer forwards introduction emails; in that case the lawful basis for the introduction rests with the party who first collected your address.

Purposes of processing

  1. Website delivery. Serving HTML, styles, scripts, fonts, and linked documents with integrity checks and rate limits.
  2. Responding to inquiries. Clarifying suitability for informational coaching, sharing syllabus outlines, and pointing to policy pages.
  3. Contract administration. Issuing receipts, managing access to purchased downloads, and handling refund requests described in the Refund Policy.
  4. Security monitoring. Investigating suspected abuse, spam, or credential attacks with proportionate logging.
  5. Optional measurement. Evaluating which articles attract readers when analytics cookies receive consent.
  6. Compliance. Fulfilling tax, accounting, or lawful authority obligations after a narrowly scoped review.

Legal bases under Articles 6 and 9 GDPR

Article 6 GDPR typically applies as follows:

  • Consent (6(1)(a)) for optional cookies, marketing communications where you opt in, and some newsletter experiments.
  • Contract (6(1)(b)) for delivering downloads, scheduling paid guidance blocks, and pre-contractual steps you request.
  • Legal obligation (6(1)(c)) for bookkeeping and responding to court orders.
  • Legitimate interests (6(1)(f)) for securing infrastructure, internal analytics in aggregated form, and follow-up on incomplete payment attempts, balanced against your expectations.

Article 9 GDPR covers special categories of data. We do not intentionally collect health data through marketing forms. If you voluntarily disclose health context, we treat it as incidental correspondence, restrict access, and offer deletion where no statutory retention applies.

Retention schedule and erasure

Retention follows necessity rather than indefinite archiving. General contact threads are kept up to twenty-four months after the last substantive message unless litigation or accounting extends the horizon. Invoice data may persist for up to seven years to satisfy Danish bookkeeping law. Security logs typically roll off hosting infrastructure within ninety days unless an investigation freezes a subset.

Cookie consent records stay until you clear site storage or withdraw consent, after which we re-prompt in line with ePrivacy guidance. Marketing suppression lists may outlive other records so we do not accidentally message someone who objected.

Recipients and processor instructions

We share data only with service providers bound by written agreements: hosting platforms, email transport, payment gateways, customer relationship tooling, and consultants under confidentiality. Each processor receives the minimum data needed for its task and may not reuse information for independent purposes.

If ownership of the studio changes, personal data may transfer to a successor under terms that respect existing commitments; you would receive notice where required.

International transfers outside the EEA

When a subcontractor processes data in a country without an adequacy decision, we implement Standard Contractual Clauses adopted by the European Commission, supplemented by technical measures such as TLS in transit and access logging. Copies of transfer impact assessments may be summarised for serious inquiries.

Security measures and breach response

Controls include role-based administration, multi-factor authentication where supported, encrypted backups when vendors provide them, periodic password rotation guidance for staff devices, and vendor due diligence questionnaires before onboarding new tooling.

Should a personal data breach occur, we evaluate risk to individuals, notify Datatilsynet within seventy-two hours when feasible, and communicate with affected users when the breach is likely to adversely impact their rights.

Your GDPR rights

You may exercise the following rights subject to legal limitations:

  • Access to confirm processing and receive a copy of personal data.
  • Rectification of inaccurate or incomplete records.
  • Erasure when processing is no longer necessary or consent was withdrawn without overriding grounds.
  • Restriction while disputes are verified.
  • Data portability for structured data you provided under contract or consent.
  • Objection to legitimate-interest processing based on your particular situation, including direct marketing at any time.

We may ask proportionate verification questions before fulfilling requests to prevent disclosure to impersonators. Responses ordinarily arrive within one calendar month and may be extended by two further months for complex cases with explanation.

Supervisory authority contact

You may lodge a complaint with Datatilsynet (Carl Jacobsens Vej 35, DK-2500 Valby, Denmark) or another EU supervisory authority where you reside or work. Providing informational movement education does not create a therapeutic relationship; clinical questions belong with licensed providers.

Automated decision-making and profiling

We do not make legally significant decisions about you based solely on automated processing. Analytics may segment readership patterns, but segments are not used to deny services or adjust pricing in a hidden way.

Children

Commercial informational products target adults capable of independent consent in their jurisdiction. If you believe a child submitted personal data without parental authority, alert us immediately so we can delete non-essential records.

Changes to this Policy

Material updates appear on this page and, when practical, are echoed through the site footer or email for active clients. Continued use after the effective date constitutes acknowledgment of reasonable changes, while substantial new processing always requires fresh consent or another valid basis.