Privacy Policy
Capra Robotics – data protection policy
I. Introduction
Capra Robotics ApS, as a Danish company, is committed to ensuring compliance with applicable data protection laws. This data protection policy (“Policy”) is based on the principles and requirements of the EU General Data Protection Regulation (“GDPR”). By means of this Policy, we would like to inform you, the data subject, about how and why we collect, process, and use personal data and about your rights as a data subject in relation to the processing of your personal data.
II. Scope and Addendum
This Policy covers all types of processing of personal data. It describes how Capra Robotics collects, uses, and shares personal data obtained directly from the user, customer, supplier, business partner or others, or obtained indirectly from other sources. It applies to the processing of personal data obtained through any communication channel and by any means, including, but not limited to, email, file transfer, provision of personal data to applications and tools, websites or mobile apps, social media, and platforms.
This Policy may be supplemented by specific data protection and privacy notices and statements that relate to specific data processing methods or purposes. Anonymized data (non-personal data), e.g., for statistical evaluations or surveys, is not covered by this policy.
In countries where the data of legal entities is protected to the same extent as personal data, this Policy also applies to data of legal entities.
III. Application of National Law
While the GDPR is applicable throughout the EU, there may be laws and regulations in some countries that specify additional data protection requirements, in particular conditions for lawful data processing. If this is the case, it must be checked on a case-by-case basis whether these laws take precedence.
IV. Glossary and Definitions
A glossary of certain terms and definitions is included in Annex A of this Policy.
V. Personal Data We Process, Purposes and Legal Basis
This section of our Policy describes what personal data we collect and process and for what purposes and on what legal basis. The amount of personal data we process depends on the context and circumstances of your interaction with us.
1. Handling of Orders and Fulfillment of Contractual Obligations
When you place orders to purchase goods or services from us, or if you request information about products and services before placing an order, or if you request support regarding the product or services you have ordered, we will process the personal data necessary to negotiate and perform a contract and fulfill contractual obligations and exercise our rights under the contract. This also includes advisory services under the contract if this is related to the contractual purpose. Prior to the conclusion of a contract, personal data may be processed to prepare bids or tenders or fulfill other requests related to the possible conclusion of a contract.
For this purpose, we process personal data (including name, title, email, telephone, postal address, shipping, and billing address), order and customer data (including ordered and delivered goods and services, instructions regarding the order, customer’s business activities and interests and order history), financial data (including invoice data, preferred payment methods, payment period, bank account and credit card details).
The legal basis for processing personal data for the purpose of processing orders and fulfilling contractual obligations and exercising contractual rights is Article 6(1)(b) GDPR (contractual necessity). The legal basis for processing personal data for the purpose of understanding the customer’s business activities and interests and order history is Article 6(1)(f) GDPR (legitimate interests). The legal basis for processing and storing personal data for the purpose of complying with retention obligations (including commercial auditing standards and tax and financial document retention requirements) is Article 6(1)(c) GDPR (legal obligation).
2. Browsing or Registering on Our Website, Social Media Sites or Platforms
When you browse our website, social media pages or platforms, we may use cookies and other tracking technologies to record and understand how you use our websites, social media pages and platforms.
Not all our websites use cookies and tracking technologies that collect personal data. Depending on the cookies and tracking technologies used, we collect information about your online browsing behavior on our websites, social media site or platform, including information about how you respond to ads and offers. We may also collect information about the device you have used to access our websites, social media pages or platforms (including device model and operating system, browser type, IP address, mobile device identifiers).
Specific information about cookies and tracking technology in use on our respective websites, social media sites and platforms can be found in our Cookie Policy. This includes information on how to disable cookies in your browser and how to prevent tracking of your browsing behavior.
When you register on one of our websites, social media sites or platforms, we also process personal data (including name, title, email, phone) and account information (including username, password, login/logout data), except where registration under an alias or pseudonym is permitted. Unfortunately, if you decide not to provide us with this information, you will not be able to register or use any of our services that require registration.
The legal basis for processing information about online browsing behavior, if it contains personal data, is Article 6(1)(a) of the GDPR (consent), if we ask you to consent to and accept the processing of your personal data. Certain other provisions of laws governing data processing in an online context may also require your consent. In some circumstances, e.g., when we process a limited amount of personal data, which by its type and nature does not substantially affect your rights and freedoms, the legal basis for processing your personal data in connection with your browsing or registration on our websites, social media pages or platforms is Article 6(1)(f) GDPR (legitimate interests).
3. Communication, Marketing, Participation in Campaigns, Events and Feedback
When you contact us with any kind of inquiry or request, we will process your personal data (including name, title, company, or organization you work for, email, phone, other contact details) to the extent necessary to handle your inquiry or request and to respond to it.
When you have purchased goods or services from us, or if you have informed us that you are interested in certain goods or services, we may process your personal data (including name, title, company or organization you work for, email, phone, other contact details) to contact you and send you information about our or our partners’ goods and services, new technological developments, special offers and business opportunities.
When you participate in promotions or events where we host or sponsor, we process your personal data (including name, title, company, or organization you work for, email, phone, other contact details) to manage your participation in the promotion or event, to provide you with information about our or our partners’ goods and services, new technological developments, special offers and business opportunities. We also process your personal data to ask for your feedback about the campaign or event, ask about your satisfaction with our or our partners’ goods or services and performance. We may also ask you for contributions to improve our goods and services and the cooperation with our business partners.
The legal basis for processing personal data for the purpose of communicating with you and responding to any inquiry or request is Article 6(1)(b) GDPR (contractual necessity), insofar as this is done in connection with the preparation or organization of the conclusion of a contract or in response to inquiries and requests in connection with a contract. The legal basis for processing personal data for the purpose of communicating with you on other topics is Article 6(1)(f) GDPR (legitimate interests).
When we process personal data to contact you and send you information about our or our business partners’ goods and services, new technological developments, special offers and business opportunities, the legal basis is Article 6(1)(a) GDPR (consent) if we ask you to give consent and to agree to the processing of your personal data for that purpose. In some circumstances, e.g. when we process a limited amount of personal data, which by its type and nature does not substantially affect your rights and freedoms, the legal basis for processing your personal data to contact you and send you information about similar goods and services, new technological developments, special offers and business opportunities is Article 6(1)(f) GDPR (legitimate interests).
When we process personal data to manage your participation in a promotion or event, or to send you information about our or our partners’ goods and services, new technological developments, special offers and business opportunities, or to ask for your feedback or contributions, the legal basis is Article 6(1)(a) GDPR (consent) if we ask you to give consent and to agree to the processing of your personal data for that purpose. In some circumstances, e.g. when we process a limited amount of personal data, which by its type and nature does not substantially affect your rights and freedoms, the legal basis for processing your personal data is Article 6(1)(f) GDPR (legitimate interests).
4. Legal Obligations and Compliance
As a company operating globally, we are subject to various laws and regulations that impose legal obligations on us. Some of these laws and regulations may require the collection and processing of personal data (e.g. tax laws, trade laws, trade and export regulations, customs regulations, anti-money laundering legislation). Where such legal obligations are based on EU law or the law of EU member states, the legal basis for processing personal data is Article 6(1)(c) of the GDPR. Where such legal obligations are based on laws and regulations of third (non-EU) countries, compliance with these legal obligations may constitute a legitimate interest. If so, the legal basis for processing personal data is Article 6(1)(f) GDPR. The latter also applies to the processing of personal data for the purpose of ensuring compliance with our policies, codes of conduct and regulations.
5. Recruitment and Applications
When we recruit employees, we process the personal data you provide as part of your application. Data processing for the purpose of recruitment and completion of the application process will generally include personal data (including name, title, email, telephone, postal address) and CV and qualification data (including degrees, university education, training certificates, credentials and skills). After the end of an application process, we may continue to process (store) personal data of applicants for a certain period of time where necessary to ensure that we are able to exercise rights or defend against claims in connection with the employment process.
The legal basis for processing personal data for the purpose of recruitment and handling applications is Article 6(1)(b) GDPR (contractual necessity), insofar as the processing is necessary to review and assess applications, select applicants and execute an employment contract and to exercise rights or defend against claims in connection with the application process.
When applying for a position at Capra Robotics ApS via a career website, recruitment platform or job portal, or when responding to a job posting, the applicant must also read the specific privacy information that may be made available on the career website, recruitment platform, job portal or in the job advertisement.
VI. Children’s Personal Data
Capra Robotics’ business is focused on business-to-business (B2B). Therefore, we do not knowingly seek to collect personal data from children or send them requests for personal data. Although users of all ages can navigate our websites, social media pages or platforms, they are for B2B purposes only and are not targeted at children. If we notice, after being notified by a parent or guardian, or after becoming otherwise aware, that a child under the age of 16 has been registered on any of our websites, social media sites or platforms, we will delete the account and registration and delete the child’s personal data from our records.
VII. Sharing of Personal Data with Service Providers and Third Parties
Not all processing of your personal data will be carried out by Capra Robotics itself. Sometimes we will use service providers and suppliers (“processors”) who process personal data for us, on our behalf and according to our instructions. Such processors may be external companies or affiliated Capra Robotics companies (group companies). Any such outsourcing of data processing will follow a monitoring and due diligence protocol for the service provider/vendor and will be governed by a data processing agreement.
To the extent we use service providers and suppliers as data processors to process personal data on our behalf, your personal data may be shared with the following categories of recipients:
IT service providers, application service providers, internet service providers, platform and web hosting service providers, data mining companies, marketing agencies, market research agencies, advertising partners, order and account management providers, payment service providers, logistics providers, customer care service providers.
Apart from sharing personal data with service providers and suppliers, it may be necessary to share your personal data with third parties because there is a legal obligation to do so or because there is a legitimate interest to ensure compliance with policies and regulations, or to facilitate business cooperation and collaboration. In such cases, your personal data may be shared with the following categories of recipients:
Public and administrative authorities, law enforcement and anti-fraud agencies, courts, lawyers, lawyers, tax advisors, accounting and auditing firms, credit reference agencies, payment card issuers and insurers, manufacturers and distributors, and retailers.
If you use our websites, social media sites or platforms and if you choose to link your social media accounts to us or if you are logged into your social media account, your personal data may be shared with the operators of those social media sites and platforms.
If we sell or buy any business or assets or transfer any part of our business to a new owner, we will disclose your personal data to the prospective seller or buyer of such business or assets or any third party that acquires our assets or to whom the business is transferred.
We may share information with affiliated or unaffiliated third parties on an anonymous, aggregated basis. Although this information does not identify you personally because it does not contain personal data, in some cases these third parties may combine this aggregated information with other data they have about you or that they have collected from you or received from third parties in a way that allows them to identify you personally. When we share such data with third parties, we take steps to ensure that they use appropriate security measures to protect your data.
VIII. Retention Periods for Personal Data
In general, we do not retain personal data longer than necessary to pursue or achieve the purposes for which the personal data is processed. In most cases, personal data is processed for more than one purpose, e.g., if the data processing takes place in connection with a purchase, we process personal data for the purposes of delivering and fulfilling your order, delivering the goods or services, invoicing and payment and subsequent customer service. However, as a company, we are also subject to record-keeping obligations and must comply with tax and commercial laws that require much longer retention of certain documents and files that may contain personal data.
If we process personal data for the purpose of handling orders and fulfilling contractual obligations, we will retain your personal data for as long as you have a customer or business relationship with us. Personal data included in documents or files covered by tax legislation will be retained for 10 years (unless legal provisions or pending litigation or tax proceedings require longer retention). Personal data contained in documents or files covered by commercial laws will be retained for 6 years (unless legal provisions or pending legal proceedings require longer retention).
If we process personal data for the purpose of understanding your online browsing behavior, we will only store personal data for as long as necessary to create user statistics and analytics reports that use aggregated data (non-personal data). Specific information on how long such personal data should be stored can be found in our Cookie Policy.
If we process personal data for communication, marketing, promotion, event or feedback purposes, we will retain the data for as long as we need it to communicate with you or for as long as we have a legitimate interest in sending business, product and service information or marketing, event and promotional materials to you, except where you have objected to the processing of your personal data for such purposes.
If we process personal data for compliance with laws and regulations that impose legal obligations on Capra Robotics, we will retain personal data for as long as such laws and regulations require.
If we process personal data for the purposes of employment and carrying out the application process, we will retain personal data for as long as necessary to review and assess applications, select applicants, and negotiate and execute an employment contract, and to exercise rights or defend against claims in connection with the application process. If an application leads to employment, your personal data will – to the extent necessary to execute the employment contract – be retained for the duration of your employment with Capra Robotics and after termination of employment for as long as necessary to comply with retention requirements or for as long as future or pending legal proceedings require longer retention. If your application does not lead to employment, we will retain your personal data for up to six months for the purpose of defending ourselves against potential claims and legal proceedings.
If your application did not lead to employment, but you have agreed to us storing your personal data for future use, we will store your personal data for up to two years, unless otherwise stated on our career websites, recruitment platforms or job portals, or in a job advertisement.
IX. Transfer of Personal Data to Third Countries
It may sometimes be necessary to transfer personal data to recipients in other countries. This may be the case for certain information that may contain personal data or in connection with international cooperation and collaboration with our business partners or when orders are handled, managed and shipped internationally. If and to the extent we use data processors, we may also transfer your personal data to data processors in other countries.
To the extent that such data transfers involve recipients in countries outside the European Union or outside the European Economic Area (“Third Countries”), we will ensure that the transfer is in accordance with data protection regulations that restrict the transfer of personal data outside the European Union or the European Economic Area and that require appropriate safeguards to be put in place to ensure an adequate level of data protection.
Such safeguards may be either an adequacy decision whereby the European Union has assessed that the country in which the recipient is located has adequate data protection laws or the implementation of EU Standard Contractual Clauses (also known as EU Model Clauses) with the recipient or the recipient’s implementation of Binding Corporate Rules (“BCRs”), or if the recipient has an active EU-US Privacy Shield certification or another solution permitted by law.
If you have specific concerns about the adequate protection of your personal data in connection with a transfer to a third country, you can contact the Data Protection Officer at talents@capra.ooo
X. Security of Personal Data and Protection of Payment Card Information
We have implemented technical and organizational security measures to protect the personal data we process against accidental or unlawful manipulation, destruction or loss, alteration and against unauthorized disclosure or access by third parties. Such security measures include authentication tools, firewalls, monitoring of IT systems and networks, pseudonymization and encryption of personal data.
The technical and organizational security measures are regularly reviewed and adjusted, taking into account the state of the art, the nature, scope, context and purposes of the processing, as well as the risks and likelihood of occurrence. However, given the dynamic context, security measures, advanced technology, vulnerabilities, threats, and risks cannot guarantee absolute security.
We store your payment card details solely for the purpose of accepting payment for orders you place with us. We store this information to process any future purchases as quickly as possible. We protect any card details we store by making only the last four digits of the account number visible when confirming an order, you have placed. We maintain physical, electronic, and procedural controls over the collection, storage, and disclosure of personally identifiable information that we store. We place a high value on security and ask you to take reasonable precautions to ensure that your account information is protected, including ID and password, to prevent unauthorized use of this information. We recommend that you log out of your account completely and that you delete your browsing history and cookies to prevent unauthorized use of this information.
If you have specific concerns about the security of your personal data, you can contact the Data Protection Officer at talents@capra.ooo
XI. Marketing Preferences
As described in section IV. 3. of this Policy, we may have either your consent or a legitimate interest to process your personal data (including name, title, company or organization you work for, email, phone, other contact details) to manage your participation in a promotion or event, to provide you with information about our or our partners’ goods and services, new technological developments, special offers and business opportunities. For these purposes, we may use your personal data, in accordance with any preferences, if expressed, to send you product and service information and marketing messages via email, post, telephone and social media, unless you have asked us not to do so.
Unless consent is required as a legal basis, which would also require an opt-in, you always have the option to opt-out of receiving product and service information and marketing messages by simply checking a box or clicking a button or link, or by changing your preferences in account settings, as applicable.
You can of course similarly instruct us to stop sending you product and service information and marketing messages at any later time. If we have permission to send you marketing information, you can opt-out at any time (at no cost to email communications other than any data transfer costs). If you no longer want us to contact you for marketing purposes, please either click here to update the preferences in your account or contact us by email at talents@capra.ooo (and let us know what type of marketing you no longer wish to receive) or by phone on +45 7022 7707 (charges may apply – please contact your telecommunications provider for further information).
If you instruct us to stop sending you product and service information and marketing messages, it may take some time for all our systems and applications to be updated, so you may still receive messages from us while we finalize your instruction.
Please note that instructing us to stop sending marketing messages does not stop our other communications with you, such as order confirmations, order updates, shipping notifications or payment requests.
XII. Other Websites
Our website may contain links to other websites. Our privacy statement and policy apply only to this website, so when you link to other websites, you should check the privacy statements of those websites.
XIII. Your Rights Over Your Personal Data
You have many rights over your personal data and how it is used. These rights are summarized below. To exercise any of these rights, you can contact the Capra Robotics legal entity identified as the data controller below in Section XV.
1. Right to Access Your Personal Data
You have the right to request confirmation as to whether we process personal data concerning you.
If we are processing personal data concerning you, you have the right to request access to the personal data and to obtain further information about the purposes of the processing, the categories of personal data concerned, who else outside Capra Robotics may have received the data, including recipients in third countries; any available information, what the source of the data was if you did not provide it directly to us; the envisaged retention period for the personal data or, if that is not possible, the criteria used to determine that period. You may also request a copy of the personal data being processed.
2. Right to Rectify Your Personal Data
You have the right to rectify (correct) the registration of your personal data that we process if it is inaccurate or incorrect.
3. Right to Erase Your Personal Data
You have the right to request the erasure (removal) of your personal data. However, there may be reasons and legal grounds to retain your personal data despite your request, for example, if you still have a business relationship with us and we need the data to fulfill orders or other contractual obligations, or if retention obligations prevent the deletion, or when we are handling a pending complaint. If we need to continue processing your personal data, we will tell you why we need to do so when we respond to your request.
4. Right to Object to the Processing of Your Personal Data
You have the right to object to the processing of your personal data on grounds relating to your situation or particular circumstances. However, there may be reasons and legal grounds to process your personal data despite your objection. If we deny your request, we will provide you with information explaining why we have denied your request.
Insofar as we use your personal data for direct marketing purposes, you have the right to object at any time. This includes any profiling of your personal data related to direct marketing.
5. Right to Restrict the Processing of Your Personal Data
You have the right to restrict the processing of your personal data. This means that under certain circumstances you can restrict the way we process and use your personal data. The right to restrict processing can be exercised in particular if you have concerns about the content of the personal data we hold or how it is processed, for example, if you dispute the accuracy of the personal data we hold and we are in the process of verifying the accuracy of the data, processing may be restricted until it has been confirmed.
6. Right to Withdraw Consent to the Processing of Your Personal Data
Where consent is the legal basis for the processing of your personal data, you have the right to withdraw your consent at any time. However, withdrawal of consent will typically only have an effect for future processing. Any previous processing of personal data that was legitimately based on consent may be subject to other provisions or obligations that require and legitimize further processing of the personal data.
7. Right to Portability of Your Personal Data
You have the right to ask us to move, transfer or copy personal data you have provided to us so that you can use the personal data in another service or with another provider. You can request a copy of the personal data in a commonly used and machine-readable format so that you can store it for further personal use. You can also request that we send it directly to another organization.
However, the right to data portability may be subject to restrictions due to the technical feasibility of a transfer. The right to data portability does not create an obligation for us to use or maintain processing systems that are technically compatible with those of other organizations.
8. Right to Lodge a Complaint with the Data Protection Authority
You have the right to lodge a complaint with the relevant data protection supervisory authority (the Danish Data Protection Agency) if you believe that we have not handled your personal data correctly and lawfully or if you believe that we have not dealt with your requests appropriately.
The relevant data protection authority where the complaint should be made is the one competent in your place of residence or in your state, or to the supervisory authority competent for us, i.e., the Danish Data Protection Agency.
Once you have filed a complaint, the Danish Data Protection Agency will inform you of the progress and outcome of the complaint.
XIV. How to Contact us Regarding Data Protection
If you have any questions or concerns about this Privacy Policy or about the protection of your personal data, please feel free to contact our Data Protection Officer at talents@capra.ooo
XV. Data Controller and Responsibility
Unless otherwise stated, Capra Robotics is the controller of your personal data. It determines the purposes and means of processing your personal data and is responsible for compliance with applicable data protection laws and regulations and the requirements of this Policy.
XVI. Changes to the Policy
We reserve the right to change this Policy at any time. This Policy may be amended under the established procedure for policy changes and notification of changes.
Appendix A: Glossary and Definitions
Principle of Accountability
Means that controllers will be responsible for, and be able to demonstrate, compliance with the GDPR, which requires the controller to implement appropriate technical and organizational measures to ensure, and be able to demonstrate, that data processing is carried out in accordance with the GDPR, and to review and update these measures where necessary.
Data Controller
Means the natural or legal person, public authority, agency or other body which alone or jointly with others determines the purposes and means of the processing of personal data. Where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for the appointment may be determined pursuant to Union or Member State law.
Data Protection Policy
Means this EMEA Data Protection Policy.
Data Processing Agreement
Means an agreement included in the main agreement between a data controller and a data processor to reflect the agreement of the parties with regard to the processing of personal data in accordance with the requirements of data protection law.
Data Protection Impact Assessment
Means the process of assessing the likelihood and severity of high-risk elements for the rights and freedoms of data subjects, taking into account the nature, scope, context and purposes of the processing and the sources of risk. In particular, an impact assessment should include the measures, safeguards and mechanisms envisaged to mitigate that risk, ensure the protection of personal data and demonstrate compliance with the GDPR.
Data Subject
Means an identified or identifiable natural person. An identifiable natural person is one who can be identified, directly or indirectly, by reference to an identifier such as a name, an identification number, location data, an online identifier, or one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that natural person.
GDPR
Means the General Data Protection Regulation, which is Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC.
International Organization
Means an organization and its subordinate bodies governed by international law or any other body established by or on the basis of an agreement between two or more countries.
Personal Data
Means any information relating to (i) an identified or identifiable natural person and (ii) an identified or identifiable legal entity (where such information is protected in the same way as personal data or personally identifiable information under applicable data protection laws and regulations).
Personal Data Security Breach
Means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access to Personal Data transmitted, stored or otherwise Processed.
Processing
Means any operation or set of operations which is performed on personal data or on sets of personal data, whether by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
Data Processor
Means a natural or legal person, public authority, agency or other body that processes personal data on behalf of the Controller.
Profiling
Means any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyze or predict aspects concerning that natural person’s performance at work, economic situation, health, personal preferences, interests, reliability, behavior, location or movements.
Pseudonymization
Means the processing of personal data in such a way that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organizational measures to ensure that the personal data cannot be attributed to an identified or identifiable natural person.
Recipient
Means a natural or legal person, public authority, agency or other body to whom personal data are disclosed, whether a third party or not. However, public authorities that may receive personal data in the framework of a specific investigation in accordance with Union or Member State law are not considered recipients. The processing of this data by the public authorities concerned must comply with the applicable data protection rules according to the purposes of the processing.
Special Categories of Personal Data
Means personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs or trade union membership, genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation.
Third Party
Means a natural or legal person, public authority, agency, or body, other than the data subject, controller, processor and persons who, under the direct authority of the controller or processor, are authorized to process personal data.