Skip to content
DevFlowCollective Engineering · Hadsund · DK
Book a sprint →

Updated · May 11, 2026

Privacy notice

This notice describes how DevFlowCollective ApS handles personal data under the EU General Data Protection Regulation (Regulation (EU) 2016/679) and the Danish Data Protection Act (Databeskyttelsesloven, 2018). It is written to be read once and understood — not skimmed under duress.

1. Data controller

DevFlowCollective ApS · CVR 44 81 26 73 · Østergade 47B, 9560 Hadsund, Denmark. For any question relating to your data, write to support@devflowcollective.com.

2. What we collect

  • Brief intake form: first and last name, email address, phone number (optional), company (optional), country, engagement type, indicative budget, free-text brief.
  • Checkout: first and last name, email address, phone number, country. Card details never reach our servers — they are entered directly into Stripe's hosted checkout.
  • Strictly necessary cookies: PHP session identifier (DFCSESSID); cookie banner choice stored in your browser's localStorage as dfc_cookie_consent.
  • Server logs: IP address, user-agent string, and the requested URL, retained for fourteen days for abuse detection.

3. Lawful bases and purposes

  • Performance of a contract (Art. 6(1)(b) GDPR): processing your order, invoicing, and delivering the service.
  • Legal obligation (Art. 6(1)(c) GDPR): five-year accounting retention under the Danish Bookkeeping Act (Bogføringsloven), and invoice issuance under Danish VAT regulations.
  • Legitimate interest (Art. 6(1)(f) GDPR): securing the website, preventing fraud, and replying to your brief before any contract is signed.
  • Consent (Art. 6(1)(a) GDPR): when you submit the brief intake form after ticking the consent box. Consent can be withdrawn at any time.

4. Retention

Invoices and the underlying checkout data: five years from the end of the financial year in which the transaction occurred, as required by the Danish Bookkeeping Act. Briefs that did not convert into an engagement: twenty-four months from last contact, unless you ask us to delete sooner. Server logs: fourteen days.

5. Processors

We share data only with the providers strictly necessary to operate the service:

  • Stripe Payments Europe Ltd (Ireland) — payment processing. Card data does not reach our servers.
  • Hetzner Online GmbH (Germany) — website hosting.
  • Postmark or an equivalent transactional email provider (USA, under Standard Contractual Clauses) — for transactional email delivery.
  • Google Fonts — for web font delivery. When a font is served from Google's CDN, the CDN may log your browser's IP address.

6. International transfers

Where a processor handles data outside the European Economic Area, the transfer is covered by an adequacy decision under Art. 45 GDPR or, where one does not exist, by Standard Contractual Clauses approved by the European Commission, supplemented with additional technical measures where required.

7. Your rights

Under the GDPR you may, at any time, request access to your data, rectification of inaccurate data, erasure, restriction of processing, objection to processing, and data portability. Write to support@devflowcollective.com and we will reply within thirty days. If you believe we have mishandled your request, you may lodge a complaint with the Danish Data Protection Agency (datatilsynet.dk), the supervisory authority for data protection in Denmark.

8. Changes

If we update this notice materially, we record the date at the top of this page. When a change introduces new purposes, we will email you before applying it to data we already hold.