Updated 25th of February 2025
Introduction
At Ebbefos Energy, we protect your data. We process your personal data responsibly, respecting your privacy and in full compliance with the General Data Protection Regulation (GDPR), the Danish Data Protection Act, and other applicable legislation. This privacy policy describes what personal data we process and how we process it.
Data controller and Contact information
The data controller for the processing of personal data under this privacy policy is:
Ebbefos Holding A/S
CVR No: 42895458
Havnegade 23
1058 Copenhagen K, Denmark
The person responsible for data protection can be contacted at: support@xolta.com.
Alternatively, you can send a letter marked ‘Data Protection’ to Ebbefos Holding A/S at the above address.
Definition of ‘Personal data’ and ‘Processing’
‘Personal data’ refers to any information about an identified or identifiable human. This includes, for example, name, address, telephone number, and email address. ‘Processing’ covers any form of handling personal data, such as collection, storage, disclosure, and deletion.
Purpose of Processing, Legal basis, and Retention periods
The table below outlines the processing of your personal data for different activities, including the purpose, legal basis, and retention period. It also specifies any recipients of the data and whether personal data is transferred to third countries. We only store your personal data if we have a legal basis to do so, and we do not process data longer than necessary to fulfill the purpose for which it was collected unless legally required.
Information security
We implement sufficient technical and organizational security measures to ensure that your personal data is not accessed by unauthorized third parties. All personal data we receive are stored on secure servers. Our employees are trained in compliance with data protection regulations, including our internal policies and procedures for handling personal data. Only authorized personnel have access to personal data when necessary to perform their job. Additionally, we ensure that all data processors we collaborate with have implemented adequate security measures to protect your personal data.
Disclosure of Personal data
We only disclose personal data to other data controllers when legally permitted and when necessary. Personal data under this privacy policy may be disclosed to the following categories of recipients:
– Public institutions and authorities, including municipalities and the police
– Service partners/technicians
– Insurance companies
– Subsidiaries and companies within Ebbefos Holding A/S
– Relevant business partners
Transfer of Personal data to Data processors in third countries
We only transfer personal data to data processors in third countries (countries outside the EU or EEA) if we have ensured adequate guarantees that the protection level in the recipient country is sufficient according to the GDPR. If we use data processors from third countries, this will be specified in the table below.
We only collect personal data from third parties if we have a legal basis to do so and if the collection is relevant for the specific processing activity.
Rights as a Data Subject
When we process personal data, you have the following rights under the GDPR, subject to limitations:
– The right to access the information we have recorded
– The right to have incorrect or unnecessary information corrected or deleted
– The right to withdraw consent if the processing is based on consent
– The right to restrict the processing of your personal data
– The right to receive your data in a structured, commonly used, and machine-readable format
– The right to object to the processing of your data, including the right not to be subject to automated decisions and profiling
To exercise these rights, you should contact the data protection officer at the contact details mentioned above. You also have the right to file a complaint with a supervisory authority. Complaints to the Danish Data Protection Agency can be submitted via: https://www.datatilsynet.dk/borger/klage/saadan-klager-du
Activity | Purpose | Personal data | Legal basis | Source of Collection | Recipients | Third-country transfer | Retention period |
General Inquiries | When contacting us via our contact forms, app, email, telephone, Facebook, or by letter, we collect and process the information you provide to us. The processing is carried out to handle and respond to your inquiry. | Name, contact details (phone/email), inquiry content. | GDPR, Article 6(1)(f) (the legitimate interest rule), where our legitimate interest is to respond to your inquiry. | Directly from data subject | N/A | No | Up to 3 years from the inquiry date. |
Newsletter Subscription | When signing up for our newsletter, we collect and process the information you provide during registration. Additionally, we continuously collect data on newsletter reading and interaction to tailor our marketing efforts. | Name, address (optional), birthdate (optional), contact details (phone/email), interaction tracking. | GDPR Art. 6(1)(a) (consent). | Directly from data subject via sign-up form | N/A | No | Up to 3 months after unsubscription. |
Customer Service Inquiries | When contacting us via our contact forms, email, telephone, or letter, we collect and process the information you provide to us. The processing is carried out to handle and respond to your inquiry. | Name, contact details (phone/email), inquiry content. | GDPR, Article 6(1)(f) (the legitimate interest rule), where our legitimate interest is to respond to your inquiry. | Directly from data subject | N/A | No | Up to 3 years from the inquiry date. |
Call Recordings (Customer Service) | Contacting our customer service center by phone may be recorded with prior consent for internal employee training purposes. | Audio recording, phone number, call timestamp. | GDPR Art. 6(1)(a) (consent). | Phone calls to customer service. | N/A | No | Up to 3 months after call. |
CRM Customer Management | Processing in the CRM system aims to provide an overview of our network, identify marketing and sales opportunities, and customize and plan events. | Customer name, contact person, address, phone, email. | GDPR, Article 6(1)(f) (the legitimate interest rule), where our legitimate interest is to manage and strengthen customer relationships as well as develop our business and services. | Public sources (e.g., cvr.dk, LinkedIn, websites). | N/A | No | As long as data is necessary or until deletion request. |
Battery Monitoring | Ensuring battery functionality, service intervals, and updates. | Customer name, address, phone, email, battery ID, location. | GDPR, Article 6(1)(b) (performance of a contract) GDPR, Article 6(1)(f) (the legitimate interest rule), where our legitimate interest is to ensure the continuous operation of the battery. | Directly from data subject or partner/ Distributor. | Service partners/ technicians.
| No | Up to 12 months after battery removal. |
Supplier Management | Optimizing procurement of goods and services. | Supplier name, contact person, address, phone, email, account details, delivery terms, quality measures etc. | GDPR, Article 6(1)(b) (performance of a contract) GDPR, Article 6(1)(f) (the legitimate interest rule), where our legitimate interest is to evaluate the business relationship. | Directly from data subject. | N/A | No | As long as the data is necessary for the stated purposes or until the data subject requests its deletion. |
Debt Collection | If a debt arises with us, we process all necessary information to establish the claim and collect the debt. | Name, contact details, details of debt, court rulings (if applicable). | GDPR, Article 6(1)(f) (the legitimate interest rule), where our legitimate interest is to ensure the settlement of the debt. GDPR, Article 9(2)(f) (the legal claim rule). | Directly from data subject. | Authorities (police, courts), collection agencies. | No | Until debt is paid or statute of limitations expires. |
Recruitment | Review of your job application and other documents. Possible criminal record checks when relevant for the position you are applying for. | Name, address, phone, email, application, CV, photo on CV, contact details of and statements from references, diplomas and certificates, other information included in your application and accompanying documents. | GDPR, Article 6(1)(f) (legitimate interests), where our legitimate interest is to hire the best candidate for the advertised position. | Directly from data subject. | N/A | No | Up to 6 months after job posting closure unless consent for longer retention. |
© 2025 XOLTA