Privacy Policy

Effective date: January 8, 2026

Last updated: January 8, 2026

1. Who we are

1.1

Campfire Security ApS, CVR 44318563, a company incorporated under Danish law with registered address at Søndre Jernbanevej 32, 3400 Hillerød, Denmark (“we,” “us,” or “our”), acts as the data controller for the purposes of applicable data protection laws, including the General Data Protection Regulation (EU) (the “GDPR”).

1.2Our contact details are as follows:

Email: security@campfiresecurity.dk
Postal Address: Søndre Jernbanevej 32, 3400 Hillerød, Denmark

1.3This Privacy Policy (the “Privacy Policy”) describes how we will process your personal data when you:

Visit and use the websites campfiresecurity.dk, campfiresecurity.com, campsec.dk, campsec.com and all subdomains thereof (collectively, the “Websites”),
Are signed up for and use our services, including our cybersecurity training platform, courses, laboratories, capture-the-flag exercises, and related educational services,
Are signed up for our newsletter, or
Interacting with us.

2. Definitions

Where this Privacy Policy uses the terms defined in the GDPR, those terms shall have the same meaning as in the GDPR.

3. Purpose of this Privacy Policy

3.1

The purpose of this Privacy Policy is to inform you how we handle your personal data in a lawful, fair and transparent manner in accordance with the General Data Protection Regulation (GDPR). The Privacy Policy outlines the types of personal data we collect, how it is used, the lawful basis for processing it and your rights as a data subject.

3.2

This Privacy Policy aims to fulfill our obligation under Articles 12-14 GDPR to provide clear, concise and transparent information about our data processing activities.

4. The data we collect

4.1

We collect and process the following categories of personal data in accordance with the principle of data minimization:

4.2Data Categories:

Data Category	Specific Data Elements
A. Identity & Account Data	Full name, username, email address, account credentials, user identification numbers
B. Contact Information	Email address, postal address, telephone number, communication preferences
C. Profile & Social Data	Profile information, social media links, professional details, company affiliation
D. Learning & Progress Data	Course completion status, learning progress metrics, assessment scores, certificates awarded, experience points
E. Seat/License/Team Data	License assignments, team memberships, organizational hierarchies, seat allocations
F. Payment & Billing Data	Billing address, payment method tokens, transaction history, invoice records
G. Technical & Usage Data	Including but not limited to IP addresses, browser information, device identifiers, log files, behavioral data and usage patterns, data on interaction (clicks etc.) with email and services, session data, timestamps, approximate location,
H. Security Tokens	Authentication tokens, session identifiers, security credentials, multi-factor authentication data
I. Customer services data	Information provided when you contact us
J. Customer survey data	Information provided when responding to customer surveys, filing reviews or otherwise providing feedback on the services

4.3

Payment card details are processed exclusively by our third-party payment processor and are not stored on our systems, except where explicitly provided to us during direct communications.

5. How we use your data

5.1

We process your personal data for the purposes and under the lawful bases specified in Section 6, which include:

5.1.1 Service Provision and Account Management (SAM)
5.1.2 Business Operations (BO)
5.1.3 Analytics and Improvement (AI)
5.1.4 Legal Compliance (LC)

6. Why we process your data (lawful basis and purposes)

6.1We process your personal data based on the following lawful bases under Article 6 of the GDPR:

Processing Purpose	Data Categories (Section 4.2)	Lawful Basis (Article 6 GDPR)	Legitimate Interest Assessment	Purpose Category (Section 5.1)
Create and maintain user accounts	A, B, H	(b) Contract performance	N/A	SAM
Authenticate users and secure platform	A, H, G	(b) Contract performance; (f) Legitimate interests	Necessary for security; expected by users; minimal privacy intrusion	SAM
Deliver training services	A, D, E, G	(b) Contract performance	N/A	SAM
Track learning progress and award credentials	A, D	(b) Contract performance	N/A	SAM
Report learning progress to employers	A (identifier only), D, E	(f) Legitimate interests	Necessary for employers to assess usage of the services, if usage is mandated by a contract with the employer	BO
Manage licenses, billing, and invoicing	A, E, F	(b) Contract performance; (c) Legal obligation	N/A	BO
Send mandatory service communications	A, B	(b) Contract performance	N/A	BO
Send voluntary service communications	A, B, D	(f) Legitimate interests	Increases your value of the services; no marketing; opt-out offered	BO
Send personalized marketing communications	A, B, C, D, G	(a) Consent;	N/A	BO
Provide user support and troubleshooting	A, B, G, D, I	(b) Contract performance; (f) Legitimate interests	Necessary for issue resolution; restricted staff access	BO
Conduct platform analytics and improvement	G (aggregated), D	(f) Legitimate interests	Data aggregated/pseudonymized; no direct marketing; user expectation of service improvement	AI
Ensure security and prevent fraud	G, H	(f) Legitimate interests	Essential for safety; minimal, justified privacy impact.	AI
Comply with legal obligations	A, F, B (minimal)	(c) Legal obligation	N/A	LC

7. How we collect your data

7.1We collect personal data through the following methods:

Collection Method	Description
Direct provision from you	When you register for an account, place orders, or voluntarily provide information
Direct provision from your employer	As part of our contract with your employer
Automated collection	Through cookies, log files, and similar technologies during website usage
Communications	When you contact us for support, feedback, or other communications
Third-party Integration	Through authorized integrations with third-party services

8. How your data is shared and transferred to third countries

8.1

We may share your personal data with the following categories of recipients:

8.2Third-Party Processors

We engage the following processors under appropriate data processing agreements and – to the extent personal data is transferred outside the European Economic Area – apply appropriate safeguards in accordance with Chapter V of the GDPR:

Processor	Service Category	Data Shared	Location	Transfer Mechanism
Stripe, Inc.	Payment processing	Payment details, transaction data, billing information	United States	EU-US Data Privacy Framework (adequacy decision under Article 45(1) GDPR)
Microsoft Corporation	Cloud infrastructure	All platform data at rest	European Union (West Europe)	N/A
Google LLC	Analytics and cloud services	Pseudonymized usage data, server logs	European Union/United States	EU-US Data Privacy Framework (adequacy decision under Article 45(1) GDPR)
HubSpot, Inc.	CRM, marketing automation, lead management	Email addresses, names, contact details, interaction data, campaign engagement metrics	United States	EU-US Data Privacy Framework (adequacy decision under Article 45(1) GDPR)
Hetzner Online GmbH	EU cloud hosting	Session data, lab environment identifiers	Germany (EEA)	N/A
The Rocket Science Group LLC (Mailchimp)	Email marketing	Email addresses, names, subscription data	United States	EU-US Data Privacy Framework (adequacy decision under Article 45(1) GDPR)
Mailgun Technologies, Inc.	Transactional email	Email addresses, message metadata	United States	Standard Contractual Clauses under Article 46(1) GDPR
Usercentrics A/S (Cookiebot)	Cookie consent management	Consent preferences, anonymized identifiers	Denmark (EEA)	N/A

We conduct transfer impact assessments where required and implement supplementary measures to ensure adequate protection. Please contact us at security@campfiresecurity.dk, if you wish to obtain a copy of the standard contractual clauses.

8.3Other Recipients

We may also share personal data with:

Employers or Organizations: Where you access our services through an organizational license, we may share learning progress data with your employer or organization, usage data and statistics
Legal Authorities: Where required by law, court order, or regulatory request
Professional Advisers: Including lawyers, auditors, and consultants under appropriate confidentiality obligations
Other users: Depending on your use of the services, your username may be visible to other users, including on leaderboards and in capture-the-flag exercises.

9. How we store and secure your data

9.1Data Storage Location: Your personal data is primarily stored within the European Economic Area, with our primary hosting infrastructure located in Microsoft Azure's West Europe region.

9.2Security Measures: We implement appropriate technical and organizational measures pursuant to Article 32 GDPR:

Security Domain	Implemented Measures	Standards Compliance
Encryption	AES-256 encryption at rest, TLS 1.2/1.3 in transit, Azure-managed encryption keys	FIPS 140-2 Level 2
Access Controls	Role-based access control (RBAC), multi-factor authentication, principle of least privilege	Internal security framework
Infrastructure Security	Distributed denial-of-service protection, intrusion detection, network segmentation	CIS18 IG1
Backup and Recovery	Bi-weekly encrypted backups, 5-year retention, tested disaster recovery procedures	Automated integrity verification
Monitoring	Continuous security monitoring, vulnerability scanning, penetration testing	Annual third-party security assessments

10. Data retention & deletion

10.1We retain personal data only for as long as necessary to fulfill the purposes for which it was collected or as required by law:

Data Category	Retention Period	Deletion Method	Legal/Business Justification
Technical logs and session data	90 days	Automated purging	Security monitoring requirements
Active user accounts	Duration of service relationship plus 2 years	Secure deletion protocols	Service provision and support
Inactive user accounts	2 years from last login	Scheduled deletion with 30-day notice	Business continuity, potential service resumption
Billing and financial records	Current year plus 5 years	Encrypted archival, then secure deletion	Danish Bookkeeping Act compliance
Marketing communication data	Until consent withdrawal or 12 months with no marketing communication or 3 years of user inactivity. We may, however, retain documentation for your consent for a period of up to 5 years following withdrawal or expiry of the consent. The legal basis is our legitimate interest in being able to document a prior consent	Immediate removal from active lists	Marketing law compliance

10.2Upon expiration of the retention period, personal data will be securely deleted or anonymized in accordance with industry best practices.

11. Cookies and similar technologies

11.1Our Websites use cookies and similar tracking technologies. The legal basis for cookie processing is set forth in our Cookie Policy, which forms part of this Privacy Policy.

11.2Cookie Categories:

Cookie Type	Purpose	Legal Basis	Retention	User Control
Strictly Necessary	Essential website functionality, security, load balancing	Article 6(1)(f) - Legitimate interests	Session to 1 year	Cannot be disabled
Functional/Preference	Remember user preferences, language settings	Article 6(1)(a) - Consent	1 day to 1 year	Only used subject to consent
Analytics	Website usage analysis, performance monitoring	Article 6(1)(a) - Consent	Up to 2 years	Only used subject to consent
Marketing	Targeted advertising, conversion tracking	Article 6(1)(a) - Consent	3 months to 2 years	Only used subject to consent

11.3Detailed Cookie Inventory and Declaration:

11.4Cookie Management: You may manage cookie preferences through our cookie consent banner or your browser settings. Disabling certain cookies may affect website functionality. Your current consent applies to the following domains: app.campfiresecurity.dk, campfiresecurity.dk.

12. Your data protection rights & how to exercise them

12.1Under the GDPR, you have the following rights regarding your personal data:

Right	Description	Limitations	Exercise Method	Response Time
Access (Article 15)	Obtain confirmation of processing and copies of your data	May be restricted for others' rights and freedoms	Email request with identity verification	1 month (extendable to 3 months for complex requests)
Rectification (Article 16)	Correct inaccurate or incomplete data	Must not adversely affect others' rights	Email request with corrected information	1 month
Erasure (Article 17)	Request deletion of your data	Limited by legal obligations and legitimate interests	Written request with specific grounds	1 month
Restriction (Article 18)	Limit processing of your data	Available in specific circumstances only	Email request with justification	1 month
Objection (Article 21)	Object to processing based on legitimate interests	Must be balanced against our legitimate interests unless related to direct marketing	Email request with specific objections	1 month
Portability (Article 20)	Receive your data in structured format	Limited to data provided by you under contract/consent	Email request specifying data scope	1 month
Withdraw Consent	Withdraw consent where processing is consent-based	Does not affect lawfulness of prior processing	Email request or unsubscribe mechanisms	Promptly

12.2

To exercise these rights, contact us at security@campfiresecurity.dk with sufficient information to verify your identity and specify your request.

12.3We may request additional information to verify your identity and will respond within the timeframes specified by law.

13. Children's privacy

13.1Our Services are intended for individuals aged 15 years and older. Campfire Security does not, to the extent of our capability, process personal data about children under 15 years of age.

13.2If we become aware that we have collected personal data from a child under 15, we will take steps to delete such information promptly.

13.3

Parents or guardians who believe we may have collected information from a child under 15 should contact us immediately at security@campfiresecurity.dk.

14. Automated decision-making

14.1We do not engage in automated decision-making, including profiling, that produces legal effects concerning you or similarly significantly affects you within the meaning of Article 22 GDPR.

14.2Any automated processing we conduct is limited to technical operations necessary for service provision and does not result in decisions that significantly affect your legal rights or interests.

15. Data breach notification

15.1In the event of a data breach that is likely to result in a high risk to your rights and freedoms, we will notify you without undue delay and, where feasible, within 72 hours of becoming aware of the breach.

15.2Such notification will include:

The nature of the breach and categories of data affected
The likely consequences of the breach
Measures taken or proposed to address the breach
Contact information for further inquiries

16. Changes to this Privacy Policy

16.1We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors.

16.2Material changes will be communicated by:

Email notification to registered users
Updated effective date at the top of this Privacy Policy

16.3Your continued use of our services after the effective date constitutes acceptance of the revised Privacy Policy.

17. External websites & links

17.1Our Websites may contain links to third-party websites that are not operated by us. This Policy does not apply to such external websites.

17.2We are not responsible for the privacy practices or content of third-party websites. We encourage you to review the privacy policies of any external websites you visit.

18. Contact information and complaints

18.1Data Controller Contact:

Email: security@campfiresecurity.dk
Postal Address: Søndre Jernbanevej 32, 3400 Hillerød, Denmark

18.2Supervisory Authority: You have the right to lodge a complaint with the Danish Data Protection Agency (Datatilsynet) at

datatilsynet.dk if you believe we have not handled your personal data in accordance with applicable law.

18.3Response Times: We aim to respond to all privacy-related inquiries within 72 hours and formal data subject requests within one month as required by law.

Document Control:

Version: 1.5
Effective Date: January 8, 2026
Next Review Date: January 8, 2027
Approved By: Manager group
Document Classification: Public

This Privacy Policy has been prepared in compliance with the General Data Protection Regulation (EU) 2016/679, the Danish Data Protection Act, and other applicable privacy laws.