Brinvik

GDPR rights

Last updated 2026-05-19.

Under the EU General Data Protection Regulation, you have specific rights over the personal data we hold about you. This page summarises those rights, the legal basis for our processing, and exactly how to exercise each right. For the full picture, read the Privacy policy.

1. Who is the controller

Brinvik, operated by Kim Olsen, Brøndbytoften 11, 2605 Brøndby, Denmark. Privacy contact: [email protected]. Brinvik is currently a sole trader business; an ApS registration is in progress and the CVR number will be added here when issued. There is no Data Protection Officer because Brinvik is below the GDPR threshold that requires one. The privacy contact above is the responsible person.

2. What personal data we collect

  • Chat gate: first name, work email, company URL, a short description of what you are shipping, browser user agent, and a SHA256 hash of your IP address (with a server side salt) for rate limiting.
  • Sign in with Google or LinkedIn: email, first name, display name, and the provider issued user identifier.
  • Chat conversation: the messages you send to the agent and the messages the agent sends back, along with timestamps.
  • Meeting booking: first name, email, and the selected slot are sent to HubSpot to create the meeting.
  • Cookies: brv-locale, sb-*, brv_cc, and Cloudflare Turnstile cookies, plus the Google Analytics _ga cookie if you accept the analytics category. See Privacy Policy section 2.5.

We do not collect raw IP addresses or build advertising profiles. Google Analytics, listed in section 4, is a third party analytics tool; we run it in Google Consent Mode v2 with advertising features off. Before you consent it sends only an anonymous cookieless ping. Full tracking starts after you accept.

3. Why we process it and the legal basis

  • Form intake: legitimate interest under Article 6(1)(f) (qualifying business inquiries) and pre contractual steps under Article 6(1)(b) when the conversation leads to a discussion of an engagement.
  • SSO sign in: consent under Article 6(1)(a), given when you click the sign in button.
  • Chat conversation: legitimate interest and pre contractual steps, same as above.
  • Meeting booking: consent under Article 6(1)(a) and pre contractual steps under Article 6(1)(b).
  • Rate limiting (IP hash): legitimate interest under Article 6(1)(f) for fraud prevention.
  • Analytics cookie category: consent under Article 6(1)(a). Full tracking is off until you accept; an anonymous cookieless tag-presence signal runs from the first visit (no cookies, no individual identifiers).

4. Who processes your data

Brinvik uses these processors. Each has either an EU presence, the EU US Data Privacy Framework certification, or Standard Contractual Clauses in place.

  • Vercel (US, EU US DPF) — hosting, edge serving, server routes.
  • Google Analytics (Google Ireland Limited, US sub processor under the EU US Data Privacy Framework) — pageview and usage measurement in Google Consent Mode v2. Anonymous cookieless ping before consent, full tracking after. Advertising features disabled.
  • Supabase (Singapore company, EU project region eu west 2 London) — primary database for intakes, sessions, and messages.
  • Cloudflare Turnstile (US, EU US DPF) — bot protection on the chat gate.
  • Google and LinkedIn (US, EU US DPF) — identity providers for SSO.
  • Anthropic (US, EU US DPF and DPA) — Claude API for the chat agent. EU endpoint where available.
  • HubSpot (US, EU US DPF with EU residency activated, eu1 region) — CRM, meeting scheduler, and confirmation emails.
  • Make.com (Celonis, Czech Republic, EU) — internal automation between HubSpot and Supabase.
  • Slack (US, EU US DPF) — internal alerting surface for Kim. Receives only first name, company domain, session ID, locale, source method, and timestamps. Does not receive chat transcript bodies.

5. How long we keep your data

  • Chat sessions, intakes, and message bodies: 30 days from creation, then deleted by an automated retention sweep in Supabase.
  • HubSpot Contact and Meeting: retained until manually deleted by Brinvik. If the conversation does not lead to an engagement, Kim deletes the records on a recurring monthly housekeeping pass. If it does, the records are kept for the duration of the engagement and up to 5 years after under Danish bookkeeping law.
  • Rate limit log: 24 hours, then deleted by a daily cron.
  • Cookie consent record (brv_cc): 6 months, then the banner reappears.
  • Vercel server logs: 30 days, Vercel default.

6. Your rights

You have the following rights under GDPR Articles 15 to 22.

  • Access (Article 15): request a copy of the data we hold about you.
  • Rectification (Article 16): correct anything that is inaccurate or incomplete.
  • Erasure (Article 17): the right to be forgotten. We will delete your records unless a legal obligation requires us to keep them.
  • Restriction (Article 18): limit how we process your data while a dispute is resolved.
  • Portability (Article 20): receive your submitted data in a structured, machine readable format.
  • Objection (Article 21): object to processing based on legitimate interest. We will stop unless we can demonstrate compelling grounds.
  • Withdraw consent (Article 7): withdraw consent at any time where consent is the legal basis. Withdrawal does not affect lawfulness of processing before withdrawal.
  • No automated decision making with legal effect (Article 22): the agent's qualification is advisory only. The booking is initiated by you when you click a slot. Disqualification by the agent does not prevent you from contacting Kim directly at [email protected].

7. How to exercise a right

Email [email protected] with the subject line "GDPR request: [right you want to exercise]". Include enough information to identify your records, typically the email address you used to submit the chat gate or sign in. We respond within 30 days as required by Article 12. There is no charge for reasonable requests. If we cannot identify you from the information provided, we may ask for additional verification before acting.

8. Right to complain

You can complain to the Danish Data Protection Authority, Datatilsynet, if you believe we have mishandled your personal data. Datatilsynet is at datatilsynet.dk. You can also complain to the supervisory authority in your habitual residence or place of work within the EU. Brinvik would prefer that you write to [email protected] first so we have a chance to fix the issue, but you are not required to.

9. International transfers

All processors have either an EU presence or are certified under the EU US Data Privacy Framework, supplemented by Standard Contractual Clauses where the framework is contested. No personal data is transferred outside the EU/EEA without one of these mechanisms in place. Supabase keeps stored personal data in eu west 2 (London). Make.com runs entirely in the EU. HubSpot is on its EU data residency tier. Anthropic uses EU API endpoints where available.

10. Children

Brinvik is a B2B service. We do not market to or knowingly collect data from anyone under 16. If you believe a minor has submitted data, write to [email protected] and we will delete it.

11. Changes to this page

We update this page when our processing or rights handling changes. The last updated date at the top of this page reflects the most recent version.