Privacy policy
Data controller: The Shepherdess and the Chimney Sweep, operating the brand Detoxificationty.ddd, Mageløs 12, 2 th, 5000 Odense, Denmark. CVR: 38974947 (verifiable at datacvr.virk.dk). Contact: message@detoxificationty.world, phone +45 22 37 66 63. We have not appointed a Data Protection Officer (DPO); for privacy matters, contact the controller at the email above.
Last updated: 13 May 2026. This notice is provided pursuant to Articles 13–14 of Regulation (EU) 2016/679 (General Data Protection Regulation, “GDPR”) and the supplementary Danish rules in the Act on supplementary provisions to the regulation on protection of natural persons with regard to the processing of personal data and on the free movement of such data (databeskyttelsesloven), as consolidated and amended from time to time.
Applicable law and supervisory authority
Processing is governed by the GDPR as it applies in Denmark and by the Danish Data Protection Act. You have the right to lodge a complaint with the Danish Data Protection Agency (Datatilsynet): Carl Jacobsens Vej 35, 2500 Valby, Denmark; telephone +45 33 19 32 00; e-mail dt@datatilsynet.dk; website datatilsynet.dk. Lodging a complaint is without prejudice to your right to seek an administrative or judicial remedy.
Scope and legal bases (Article 6 GDPR)
Depending on the relationship, we rely on the following legal bases:
- Contract (Article 6(1)(b)): processing necessary to register you for paid classes, issue invoices, and deliver agreed services.
- Legal obligation (Article 6(1)(c)): processing required by Danish bookkeeping, tax, and accounting rules (e.g. retention of accounting records under the Danish Bookkeeping Act (bogføringsloven) and related administrative orders).
- Legitimate interests (Article 6(1)(f)): operating and securing the website, answering unsolicited enquiries, limited safety attendance lists, internal statistics that do not override your interests or fundamental rights, and (where permitted) documenting commercial correspondence. We perform a balancing test before relying on this basis for new processing.
- Consent (Article 6(1)(a)): optional analytics or marketing cookies, optional marketing emails when you tick a separate sign-up box (e.g. studio news on the home page), electronic marketing beyond existing customers where consent is required under Danish law, and any other processing we expressly ask you to opt in to. You may withdraw consent at any time with effect for the future; withdrawal does not affect the lawfulness of processing before withdrawal.
Special categories of data (Article 9 GDPR)
We do not ask you to submit health data through the website. If you voluntarily disclose health-related information in a free-text message, we will treat it as special category data where applicable and only process it with your explicit consent or another Article 9 ground, and we will limit access and retention strictly to what is necessary to respond or to meet a legal obligation. Where possible, please avoid sending sensitive health details by email; use a channel agreed with us if you need to share such information.
Categories of personal data
We may process: identification and contact data (name, email, telephone); communication content; optional flags for marketing email consent from website forms; booking and payment-related data processed by our payment/booking providers; limited attendance data (name and session date) for safety; technical and usage data (IP address, user agent, referrer, timestamps); and cookie or similar identifiers where you have consented.
Purposes
- Responding to contact forms and email requests.
- Scheduling, delivering, and invoicing classes and workshops.
- Compliance with accounting, tax, and other statutory duties in Denmark.
- Website security, abuse prevention, and error diagnosis.
- Optional marketing emails (dates, studio news) where you have ticked a separate consent field on the website.
- Optional analytics or marketing where you have given consent via the cookie banner or separate marketing consent. Where Google tags are used, choices are reflected through Google Consent Mode v2 as described in the cookie policy.
Electronic communications and Danish marketing rules
Unsolicited electronic marketing to natural persons as consumers is regulated by the Danish Marketing Practices Act (markedsføringsloven), Denmark’s rules implementing the ePrivacy Directive (cookies and similar), and the GDPR. We do not buy email lists for cold outreach. Where we rely on consent, we keep evidence of the opt-in context (e.g. form used, policy version) in line with Datatilsynet guidance on documentation.
Recipients, processors, and disclosure
We use processors (e.g. hosting, email, payment, calendar, or analytics providers) who process personal data on our instructions under Article 28 GDPR and a written data processing agreement where required. A current list of categories of processors is available on request. We do not sell personal data. Data may be disclosed to public authorities when Danish or EU law obliges us (e.g. tax authorities, courts, or law enforcement with a lawful basis).
Transfers outside the EU/EEA
Where data is transferred to countries outside the EU/EEA, we ensure a lawful transfer mechanism under Chapter V GDPR (e.g. adequacy decision, Standard Contractual Clauses approved by the European Commission, supplemented measures where required). You may request a copy of relevant safeguards by contacting us.
Retention
General correspondence: up to 24 months after the last contact unless a dispute, warranty, or legal claim requires longer retention. Accounting source documents and invoices: at least five years from the end of the financial year to which they relate, in line with the Danish Bookkeeping Act (longer retention may apply for certain tax-relevant material as prescribed by Danish tax law). Safety attendance logs: up to 24 months unless a specific incident investigation requires a longer period. Cookie preference logs on our systems (if any): according to the cookie policy. Local storage of cookie choices in your browser: until you clear site data.
Your rights under the GDPR
Subject to conditions in the GDPR and Danish Data Protection Act, you have the right of access, rectification, erasure (“right to be forgotten”), restriction of processing, data portability (for processing based on consent or contract, where technically feasible), and object to processing based on legitimate interests (including profiling, where applicable). Where processing is based on consent, you may withdraw consent at any time. To exercise your rights, contact the controller at the email above. We will respond without undue delay and in any event within one month, which may be extended by two further months where necessary (Article 12 GDPR).
Automated decision-making
We do not use automated decision-making, including profiling, which produces legal effects concerning you or similarly significantly affects you within the meaning of Article 22 GDPR.
Security and breach notification
We implement appropriate technical and organisational measures (Article 32 GDPR), including access limitation, staff instructions, and transport encryption where supported. In the event of a personal data breach likely to result in a risk to your rights and freedoms, we will notify Datatilsynet without undue delay and, where required, communicate with affected data subjects in accordance with Articles 33–34 GDPR.
Children
Our services are not directed at children without parental involvement. For participants under 15, we require a parent or guardian to provide consent and contact details. Parents or guardians may exercise rights on behalf of minors.
Marketing and consumer oversight (Denmark)
Commercial practices and certain marketing rules are supervised by the Danish Consumer Ombudsman (Forbrugerombudsmanden) where relevant. Unsolicited electronic marketing to consumers is subject to the Danish Marketing Practices Act (markedsføringsloven) and related executive orders; we obtain consent when required.
Updates
We will update this policy when our processing changes and revise the “last updated” date. Material changes that require a new consent will be collected through an appropriate consent mechanism.
Legal notice: This policy describes our intended compliance with Danish and EU data protection law. It is not a substitute for independent legal advice, especially where processing scales or new technologies are introduced.