Privacy Policy
Introduction
Fortiv ApS ("Fortiv", "we", "us", "our") is committed to protecting your personal data and respecting your privacy. This Privacy Policy explains what personal data we collect, why we collect it, how we use it, and your rights in relation to it.

Fortiv is a Danish company and your data controller under the General Data Protection Regulation (EU) 2016/679 ("GDPR"). Our lead supervisory authority is Datatilsynet, the Danish Data Protection Authority.

If you have any questions about this policy or how we handle your personal data, please contact us at privacy@fortiv.io.
1. Who This Policy Applies To
This policy applies to:
- Platform users — individuals who use the Fortiv BCMS platform on behalf of a customer organization
- Website visitors — individuals who visit www.fortiv.io
- Prospective customers — individuals whose contact details we hold for sales or marketing purposes.
If you are using the Fortiv platform on behalf of your employer or organization, your organization is the data controller for the content you upload and manage within the platform. This policy describes how Fortiv processes your personal data as a data processor on your organization's behalf, as well as in our own capacity as a data controller (e.g. for account management and support).
2. Personal Data We Collect
2.1 Platform users
When you use the Fortiv platform, we process the following data:
| Data Type | Examples | Purpose |
|---|---|---|
| Account information | Name, work email address, job title | Account creation and management |
| Authentication data | Hashed passwords, MFA tokens, session data | Secure access to the platform |
| Usage data | Actions taken in the platform, access logs, timestamps | Security monitoring, audit trails, product improvement |
| Content you create | Business continuity plans, risk assessments, incident records, uploaded documents | Providing the service |
| Support communications | Messages sent to our support team | Resolving your support requests |
2.2 Website visitors
When you visit our website, we may collect:
| Data Type | Examples | Purpose |
|---|---|---|
| Analytics data | Pages visited, time on page, browser type, approximate location | Understanding how our website is used |
| Contact form submissions | Name, work email, company, message | Responding to your enquiry |
| Cookie data | Session identifiers, preference cookies | Website functionality and analytics |
| Visitor identification data | When you visit our website, cookies and similar technologies may be used by our online data partners or vendors to associate these activities with other personal information they or others have about you, including by association with your email | Identifying potential business customers for outbound sales and marketing |
2.3 Prospective customers
If you have expressed interest in Fortiv or been identified as a potential customer, we may hold:
| Data Type | Examples | Purpose |
|---|---|---|
| Contact details | Name, work email, job title, company name | Sales and marketing communications |
| Engagement history | Emails opened, demos attended, conversations | Managing our sales relationship |
3. Legal bases for processing
We process your personal data on the following legal bases:
| Processing Activity | Legal Basis |
|---|---|
| Providing the platform and managing your account | Performance of a contract (Article 6(1)(b)) |
| Responding to support requests | Performance of a contract (Article 6(1)(b)) |
| Security monitoring and audit logging | Legitimate interests — protecting our systems and customers (Article 6(1)(f)) |
| Sending marketing communications to existing customers | Legitimate interests (Article 6(1)(f)) |
| Sending marketing communications to prospective customers | Legitimate interests (Article 6(1)(f)) |
| Website visitor identification for outbound sales | Legitimate interests — identifying potential B2B customers (Article 6(1)(f)) |
| Website analytics | Legitimate interests (Article 6(1)(f)) |
| Compliance with legal obligations (e.g. financial records) | Legal obligation (Article 6(1)(c)) |
| Processing based on your consent (e.g. marketing opt-in) | Consent (Article 6(1)(a)) |
Where we rely on legitimate interests, you have the right to object to that processing. See Section 7 for details.
4. How we use your data
We use personal data to:
- Provide, maintain, and improve the Fortiv platform
- Manage your account and authenticate your access
- Respond to support requests and enquiries
- Send you product updates, security notifications, and service-related communications
- Send you marketing communications about Fortiv products and services (where permitted)
- Monitor security and investigate incidents
- Meet our legal and regulatory obligations
- Understand how our website and product are used
- Identify potential business customers who visit our website and reach out with relevant sales communications
We do not sell your personal data to third parties. We do not use your data for automated decision-making that produces legal or similarly significant effects.
5. Data sharing and sub-processors
We share personal data only where necessary to deliver our services. The following third parties process personal data on our behalf:
| Sub-processor | Purpose | Data location |
|---|---|---|
| Amazon Web Services | Cloud infrastructure hosting all platform data | EU (Frankfurt, Germany) |
| ElevenLabs | Voice synthesis for platform features | EU |
| Logfire (Pydantic) | Application observability and monitoring | EU |
| Intercom | Customer support communications | EU (Ireland) |
| Google Workspace | Internal email and document management | Global (Standard Contractual Clauses) |
| Attio | CRM — contact and sales management | Global (Standard Contractual Clauses) |
| RB2B (Retention.com / GetEmails, LLC) | Website visitor identification for marketing purposes | US (Standard Contractual Clauses) |
All sub-processors are bound by data processing agreements and meet our security requirements. A full and current list of sub-processors is available upon request at privacy@fortiv.io.
We notify customers at least 30 days before engaging any new sub-processor that processes customer data.
Opting Out of Website Visitor Identification
If you do not wish to have your website visit associated with your personal information by our data partners, you may opt out at any time:
- General opt-out: https://app.retention.com/optout
- GDPR opt-out: https://www.rb2b.com/rb2b-gdpr-opt-out
International Transfers
All customer product data is stored within the European Union. Where sub-processors operate globally (e.g. Google Workspace, Attio), transfers outside the EEA are protected by Standard Contractual Clauses (SCCs) approved by the European Commission.
6. Data retention
We retain personal data only for as long as necessary for the purposes described in this policy:
| Data Type | Retention Period |
|---|---|
| Platform account and content data | Duration of your organization's contract + 30-day export window |
| Backups of platform data | 90 days from creation |
| Security and audit logs | 12 months |
| Application logs | 12 months |
| Support communications | 6 months after resolution |
| Marketing contact data | Until you unsubscribe or request deletion, or 2 years of inactivity |
| Financial and contractual records | 5 years (Danish Bookkeeping Act) |
When a customer contract ends, your organization has 30 days to export all data. After this period, all data is permanently deleted within a further 30 days, including backups within 90 days.
7. Your rights
| Right | Description |
|---|---|
| Access | Request a copy of the personal data we hold about you |
| Rectification | Ask us to correct inaccurate or incomplete data |
| Erasure | Ask us to delete your personal data where there is no legitimate reason to continue processing it |
| Portability | Receive your data in a structured, machine-readable format (JSON or CSV) |
| Restriction | Ask us to pause processing of your data in certain circumstances |
| Objection | Object to processing based on legitimate interests or for direct marketing |
| Withdraw consent | Where processing is based on consent, withdraw it at any time |
To exercise any of these rights, contact us at privacy@fortiv.io. We will respond within 30 days. We may need to verify your identity before acting on your request.
If you believe we have not handled your personal data correctly, you have the right to lodge a complaint with our lead supervisory authority:
Datatilsynet (Danish Data Protection Authority)
Carl Jacobsens Vej 35, 2500 Valby, Denmark
dt@datatilsynet.dk | +45 33 19 32 00
www.datatilsynet.dk
8. Security
We implement appropriate technical and organizational measures to protect your personal data, including:
- Encryption of all data at rest (AES-256) and in transit (TLS 1.2+)
- Multi-factor authentication for all administrative access
- Role-based access controls on a need-to-know basis
- Continuous security monitoring and intrusion detection
- Annual third-party penetration testing
- ISO 27001:2022 certification (audit ready, pending); SOC 2 (in progress)
In the event of a personal data breach that poses a risk to your rights and freedoms, we will notify Datatilsynet within 72 hours and affected individuals without undue delay.
9. Changes to this policy
We may update this Privacy Policy from time to time. When we make material changes, we will notify platform users by email or in-app notification, and update the "Last Updated" date at the top of this page. We encourage you to review this policy periodically.
10. Contact us
For any questions, requests, or concerns regarding this Privacy Policy or your personal data:
Fortiv ApS
Email: privacy@fortiv.io
Website: www.fortiv.io/legal/privacy
