Skip to content
THINGMARK
Legal · Privacy

Privacy policy

This policy describes how Thingmark processes personal data when you use thingmark.dk, contact us via the form, or use the admin area. We describe only what we actually do in code — not aspirational promises.

Last updated: 15 May 2026

1. Data controller

The data controller is Thingmark v/Teis Thinggaard. You can reach us at hej@thingmark.dk or +45 81 94 43 01. We do not have a dedicated DPO — contact Teis Thinggaard directly at the same address.

  • Name: Thingmark
  • CVR (VAT): DK41466472
  • Registered in: Middelfart, Denmark
  • Email: hej@thingmark.dk
  • Phone: +45 81 94 43 01

2. What we process

We process only the data needed to run the site and respond to enquiries:

  • Contact form: name, email address, free-text message, and the language (da/en) you wrote from. These fields are required so we can reply to you.
  • IP address: your IP is held briefly in an in-memory rate-limit store (up to one hour) and included in the email we receive — solely to deter spam and abuse.
  • Cookies: we set two strictly necessary cookies — tm_locale (language preference) and tm_admin (only if you log in to /admin). See the cookie policy for details.
  • We do not load Google Analytics, Meta Pixel or any third-party tracking on this site.

3. Purpose and legal basis

We use your data to answer your enquiry, run the site, and prevent abuse. The legal basis is:

  • GDPR Art. 6(1)(b) (pre-contractual steps) — to respond to messages submitted through the contact form.
  • GDPR Art. 6(1)(f) (legitimate interest) — for IP logging and rate-limiting to prevent abuse of the contact form, and to maintain owner admin access.

4. Retention

We keep data no longer than necessary:

  • Contact messages: kept in the hej@thingmark.dk inbox for up to 24 months unless the enquiry becomes a customer relationship (then the customer agreement governs retention).
  • IP addresses in the rate-limit store: at most 1 hour, in memory only — cleared on server restart.
  • Admin cookie (tm_admin): expires automatically after 7 days.
  • Locale cookie (tm_locale): expires automatically after 1 year.

5. Sub-processors and transfers outside the EU/EEA

We use the following sub-processors. Some are based in the United States; transfer takes place under the European Commission Standard Contractual Clauses (SCCs) and the providers’ own compliance mechanisms.

ProviderPurposeLocationAgreement
Vercel Inc.Site hosting + Blob storage for editable contentUSA (SCCs)vercel.com/legal/dpa
ResendDelivering email from the contact formUSA (SCCs)resend.com/legal/dpa
CalendlyExternal booking link (you leave the site to book)USAcalendly.com/dpa

6. Your rights

Under the GDPR you have the right to:

  • Access the data we hold about you (Art. 15)
  • Have inaccurate data corrected (Art. 16)
  • Erasure (Art. 17)
  • Restriction of processing (Art. 18)
  • Data portability (Art. 20)
  • Object to processing based on legitimate interest (Art. 21)
  • Send requests to hej@thingmark.dk — we will respond within one month.
  • You can lodge a complaint with the Danish Data Protection Agency (datatilsynet.dk) if you believe we process your data incorrectly.

7. Security

The site is served exclusively over HTTPS with HSTS enabled. We set a Content-Security-Policy, X-Frame-Options: DENY, and a strict Referrer-Policy. The contact form is rate-limited (5 requests per IP per hour). The admin cookie is HttpOnly + SameSite=strict and sent only over HTTPS in production.

8. Changes

We update this policy when we change what we process or which sub-processors we use. Check the date at the top for the latest version.