Privacy Policy
This document explains what personal information BrandingNarrative ApS collects when you use brandingnarrative.com, what we do with it, and the rights you have over your own data under the EU General Data Protection Regulation (GDPR).
1. Who we are
BrandingNarrative ApS is a Danish private limited company registered at Nørresundbyvej 12, 8940 Randers, Denmark, CVR 41 88 26 09. For the purposes of GDPR Article 4(7), we are the data controller for the personal data we process about you in connection with this website and our services. You can reach us at any time at support@brandingnarrative.com or by post at the address above.
2. What data we collect
We collect personal data in three contexts: when you contact us, when you place an order, and through limited analytics on the website itself.
Contact form. When you write to us through the form on the contact page, we collect your first name, last name, email address, the optional company name and phone number you choose to provide, the project topic you select, and the message you write. This information is sent to support@brandingnarrative.com and stored in our internal email and project-management systems.
Checkout and orders. When you place an order, we collect first name, last name, email address, phone number, and country at the pre-checkout step. Payment itself is handled by Stripe Payments Europe Ltd. (Ireland); we do not see, transmit, or store your card details or full billing address. Stripe returns to us a transaction reference, the amount paid, and your email — which we use to issue invoices and to start the project.
Analytics. The site uses a single first-party analytics cookie that records the pages you visit, the approximate region you are visiting from (derived from a truncated IP address), and the device class. We do not share this data with advertising networks. The analytics cookie is only set if you accept cookies on the cookie banner.
3. Why we use your data — and on what legal basis
We process your contact-form data on the basis of our legitimate interest in answering enquiries about our services (Article 6(1)(f) GDPR). We process your checkout data on the basis of contract performance (Article 6(1)(b)) and, for invoicing and tax records, on the basis of legal obligation (Article 6(1)(c)) under Danish bookkeeping law. We process analytics data on the basis of consent (Article 6(1)(a)), which you give or withhold via the cookie banner.
4. How long we keep your data
Contact-form messages are kept for 24 months unless they become part of an active project, in which case they are kept for the lifetime of the engagement plus seven years (the retention period required by Danish bookkeeping law). Order and invoice data is kept for seven years from the end of the financial year in which the transaction occurred. Analytics data is kept for thirteen months in aggregated form, and longer in anonymised form for trend analysis.
5. Who we share your data with
We share your personal data only with the suppliers we need to deliver our service. Specifically: Stripe (payments), Google Workspace (email and document storage, hosted in the EU), Asana (project management, hosted in the EU and US under SCCs), Slack (where applicable for active client engagements), and our Danish bookkeeping firm. We do not sell or rent personal data to anyone, ever, under any circumstances.
6. International transfers
Some of our processors are based in the United States. Where this is the case, transfers are governed by the EU Standard Contractual Clauses and supplementary technical measures. We do not transfer data outside the EEA to jurisdictions without an adequacy decision unless one of the safeguards in Articles 46–49 of the GDPR is in place.
7. Your rights
You have the right to access, rectify, erase, restrict, or object to our processing of your personal data, and the right to data portability where applicable. To exercise any of these rights, write to support@brandingnarrative.com. We will respond within thirty days. You also have the right to lodge a complaint with the Danish Data Protection Authority (Datatilsynet) at any time; we would, however, appreciate the chance to put it right first.
8. Security
We use industry-standard security measures — encrypted connections (TLS), least-privilege access controls, separated production and development environments, and regular security reviews. No website can guarantee absolute security; if a breach affects your data, we will notify you and the supervisory authority within seventy-two hours, as required by Article 33 of the GDPR.
9. Changes to this policy
If we materially change this policy, we will update the "last updated" date at the top of the page and, for active clients, write to you directly. We do not change policies retroactively in ways that disadvantage users.