Privacy policy.

Effective date: 3 September 2025

Summary:

Who controls your data?
manifold AI consulting ApS (CVR 29805121), Grundtvigsvej 25 B, st., 1864 Frederiksberg C, Denmark. 

Primary contact
COO, Bastian Meyer‑Karlsen, bastian@manifold‑ai.com, +45 42 40 08 73. 
Data Protection Officer (DPO): Arsen Hrynevych, arsen@manifold‑ai.com. 

Public company details are available in Danish business directories. 

What do we collect?
Business contact details and correspondence when you contact us, minimal technical logs when you visit our site, and recruitment data if you apply.

Why? 
To respond to enquiries, deliver and administer our B2B services, operate and secure our website, and—only with consent—send direct marketing. Legal bases: contract, legal obligation, legitimate interests, and consent (where used). 

Cookies/analytics: We do not use third‑party analytics or marketing tools. Our site runs only necessary cookies for operation/security; if we later introduce non‑essential cookies, we’ll ask for consent per Danish rules. 

Your rights: Access, rectification, erasure, restriction, portability, and objection—including to direct marketing—plus the right to withdraw consent and to complain to Datatilsynet (the Danish Data Protection Agency). 



Table of Contents:

1) Who we are (Controller)

2) Scope of this notice

3) What we collect

4) Why we process your data & legal bases (GDPR Art. 6)

5) Sources of data

6) Automated decisions

7) Cookies & similar technologies

8) Recipients & processors (categories)

9) International transfers

10) Our role when delivering AI services

11) Security

12) Your rights

13) Direct marketing in Denmark

14) Retention

15) Children

16) Entity roles in different engagement models

17) Changes to this notice

1) Who we are (Controller)

This website and associated online channels are operated by manifold AI consulting ApS (CVR 29805121), Grundtvigsvej 25 B, st., 1864 Frederiksberg C, Denmark. 

Contact: bastian@manifold‑ai.com / +45 42 40 08 73. Public registration details confirming the company name, CVR and address appear in Danish business directories. 

We have appointed our Platform Lead, Arsen Hrynevych, as the company’s Data Protection Officer (DPO). DPO contact: arsen@manifold‑ai.com. Where required by law, DPO details are communicated to the supervisory authority. 

2) Scope of this notice

This notice covers:

  • Your use of www.manifold‑ai.com (e.g., Virtual AI Colleagues, Virtual AI Team Leaders, AI Empowerment, Client Cases). 

  • Any apps or APIs we operate now or later (e.g., to provision or support “Virtual AI Colleagues”). If a product‑specific privacy notice is presented (e.g., in‑app), it prevails for that product.

  • B2B sales, delivery and support of AI engineering/consulting services.

Note: on third‑party APIs: We use third‑party APIs and infrastructure to deliver services. To protect client confidentiality and security, we do not list those providers publicly in this notice. They are disclosed and contractually governed in the Data Processing Agreement (DPA) we sign with each client (see §10).

3) What we collect

From website forms/interactions

Name, business email, phone, company/role, and the content of your message (and your communication preferences).

From your device when you visit the site

Minimal technical data produced by necessary operations (e.g., IP address at connection time, basic device/browser information, pages viewed, error logs, and security telemetry). We currently do not run third‑party analytics or marketing tags. If this changes, we will seek consent first under Danish cookie rules. 

From business interactions

Contact details and correspondence during discovery calls, workshops, proposals, contracting and service delivery.

From recruitment

CVs and application details when you apply (and interview notes if applicable).

Special categories

We do not seek special‑category data through our website. If a client engagement requires processing such data, we do so only under a DPA and on documented instructions (see §10). 


4) Why we process your data & legal bases (GDPR Art. 6)

1.

Purpose: Respond to enquiries & proposals

Examples: Contact forms, inbound emails/calls

Legal basis: Steps prior to contract (Art. 6(1)(b)); legitimate interests (Art. 6(1)(f)). (EUR-Lex)

2.

Purpose: Deliver contracted B2B AI services

Examples: Engineering, deploying, and supporting “Virtual AI Colleagues” and related solutions

Legal basis: Contract (Art. 6(1)(b)). (EUR-Lex)

3.

Purpose: Account administration & invoicing

Examples: Customer records, billing

Legal basis: Contract (Art. 6(1)(b)); legal obligations (tax/bookkeeping) (Art. 6(1)(c)). (Danish Business Authority)

4.

Purpose: Website operation & security

Examples: Load balancing, error logs, fraud/security monitoring

Legal basis: Legitimate interests (Art. 6(1)(f)). (EUR-Lex)

5.

Purpose: Direct marketing (optional)

Examples: News/updates/event invites (opt‑in; easy unsubscribe)

Legal basis: Consent (Art. 6(1)(a)); Danish Marketing Practices Act §10. (Retsinformation, forbrugerombudsmanden.dk)

6.

Purpose: Recruitment

Examples: Candidate evaluation

Legal basis: Steps prior to contract (Art. 6(1)(b)); legitimate interests (Art. 6(1)(f)). (EUR-Lex)

5) Sources of data

  1. Directly from you (forms, emails, calls, meetings) and professional networking or public business sources.

  2. Client‑provided data when we deliver services (typically as processor—see §10).


6) Automated decisions

We do not make decisions based solely on automated processing that produce legal or similarly significant effects about you in the context of this website or our marketing. If this ever changes for a specific product or service, we will explain the logic involved and your rights beforehand. 

7) Cookies & similar technologies

We currently use only necessary cookies (and comparable technologies) for core operations and security. If in the future we introduce non‑essential cookies (e.g., analytics or marketing), we will request your consent via a banner and provide granular controls, in line with Denmark’s Cookie Order and guidance. You can withdraw consent at any time via the banner or your browser. 

8) Recipients & processors (categories)

We share personal data only as needed with:

  • Hosting & infrastructure (e.g., website/cloud/security/backup)

  • Communications & productivity tools (e.g., email, conferencing, document collaboration)

  • Professional advisors (e.g., accountants, auditors, lawyers)

  • Affiliates/sub‑contracted specialists under confidentiality and data protection terms

Each processor is bound by a contract that meets GDPR Article 28 requirements. 

Note: Third‑party APIs (confidential): We rely on third‑party APIs and tools to deliver services. For security and confidentiality, we do not publish their identities here; they are disclosed (and contractually governed) within client‑specific DPAs and security reviews (see §10).

9) International transfers

Where a transfer outside the EU/EEA is necessary, we use one or more of the following:

  • EU adequacy decisions (where available). 

  • European Commission

  • Standard Contractual Clauses (SCCs) (Commission Implementing Decision (EU) 2021/914) with supplementary measures and transfer assessments. 

For transfers to the United States, recipients’ participation in the EU–US Data Privacy Framework (DPF); note the EU General Court upheld the Commission’s 2023 DPF adequacy decision on 3 September 2025 (case T‑553/23; appeal possible). 

10) Our role when delivering AI services

For most projects (e.g., engineering Virtual AI Colleagues, multi‑agent solutions, integrations with your systems), you (the client) are the controller. manifold AI consulting ApS acts as a processor under a written DPA. We process client data strictly on your documented instructions, maintain confidentiality, implement appropriate security, and ensure any approved sub‑processors are bound by equivalent terms, consistent with GDPR Article 28. 

We DO NOT use client data to train broad, generalized foundation models unless expressly agreed in writing. 

11) Security

We apply appropriate technical and organizational measures proportionate to risk, including role‑based access controls, least privilege, encryption in transit/at rest where appropriate, secure development practices, logging/monitoring, incident response procedures, and vendor/sub‑processor reviews. Where legally required, we notify you and/or the supervisory authority (Articles 33–34 GDPR). 

12) Your rights

Under the GDPR you may request access, rectification, erasure, restriction, portability, and objection to processing (including objection to direct marketing). We respond without undue delay and within one month (extendable by two months for complex requests; we will tell you why). You may also withdraw consent at any time (this does not affect processing before withdrawal). 

To exercise your rights, contact our DPO, arsen@manifold‑ai.com, or use the contact options on our site. 

You also have the right to lodge a complaint with Datatilsynet (Danish Data Protection Agency): Carl Jacobsens Vej 35, DK‑2500 Valby; +45 33 19 32 00; dt@datatilsynet.dk

; online complaint options are available. 

13) Direct marketing in Denmark

We send electronic direct marketing only with prior consent and always include an easy, free opt‑out, consistent with Denmark’s Marketing Practices Act §10 and regulator guidance. You can unsubscribe at any time via the link in our emails or by contacting us. 

14) Retention

We retain data only as long as necessary for the purposes above, then delete or anonymize it:

  • Enquiries & B2B prospects: typically 12 months after your last interaction (unless you become a client)

  • Client records & contracts: for the term of the agreement plus the period needed to establish/exercise/defend legal claims; accounting records are kept 5 years after the end of the financial year to comply with Danish bookkeeping rules. 

  • Marketing lists: until you withdraw consent or we observe prolonged inactivity

  • Recruitment: normally 6 months after process completion unless you consent to a longer talent‑pool period

  • Site logs & security records: short operational periods unless needed to investigate incidents

15) Children

Our site and services target professionals and organizations. We do not intentionally collect children’s data.

16) Entity roles in different engagement models

We are the primary provider: manifold AI consulting ApS is the contracting entity and controller for our own business data; for client data processed to deliver services, we act as processor under a DPA (see §10).

We act as a subcontractor in larger AI projects: we may operate under manifōld AI tech ApS as the contracting entity (CVR 45456285), typically as a (sub‑)processor to the main provider; the end‑client remains controller. 

17) Changes to this notice

We may update this policy from time to time. When we make material changes, we will post a prominent notice on this page and update the effective date.