Levvel Health ApS
Privacy & Cookie Policy

Version 3.0 — Last updated: 17 October 2025

1. Introduction
At Levvel Health ApS, we take your privacy seriously. We respect and protect the personal data you share with us when you visit levvel.health or interact with our services.

This Privacy and Cookie Policy explains how we collect, use, store, share, and protect your personal data, and how we comply with the General Data Protection Regulation (GDPR) and Danish privacy and cookie laws.

We aim to be transparent, accountable, and respectful of your rights.

2. Who We Are
Levvel Health ApS
VAT No: 41230134
Agern Allé 5A, 2970 Hørsholm, Denmark

Website: https://levvel.health
Email: contact@levvel.health
Data Protection Officer (DPO): dpo@levvel.health

Levvel Health ApS is the data controller for all processing activities described in this policy.

3. What Data We Collect
We may collect the following categories of data depending on your interaction:

Category: Identification & contact data
Examples: Name, email, phone number, job title, company
Purpose / Legal Basis: To communicate with you, provide requested services, register webinar participation — Art. 6(1)(b) GDPR (contract)

Category: Usage data
Examples: Pages visited, clicks, IP address, browser type, device, referral source
Purpose / Legal Basis: To improve our site, ensure security, measure traffic — Art. 6(1)(f) GDPR (legitimate interest); analytics cookies only with consent (Art. 6(1)(a))

Category: Marketing preferences
Examples: Newsletter opt-ins, unsubscribes, communication logs
Purpose / Legal Basis: To send you marketing information with your consent — Art. 6(1)(a)

Category: Support & correspondence
Examples: Messages sent via forms, email or chat
Purpose / Legal Basis: To respond to your inquiries — Art. 6(1)(b) or (f)

Category: Webinar registration data
Examples: Name, email, company, country
Purpose / Legal Basis: To provide webinar access and related content — Art. 6(1)(b)

Category: Cookies / trackers
Examples: Device identifiers, consent logs, cookie preferences
Purpose / Legal Basis: For functionality, analytics, or marketing — Art. 6(1)(a) except strictly necessary cookies (Art. 6(1)(f))

We do not intentionally collect or process special category data (e.g. health information) through the website.

4. How We Use Your Data
We use personal data only for legitimate business and compliance purposes:
- To provide and improve our website and services
- To respond to your inquiries and support requests
- To manage your webinar or newsletter subscriptions
- To personalize content and measure engagement
- To comply with legal and security obligations
- To send marketing communications only with your prior consent
We will never sell your personal data.

5. Legal Bases for Processing
We process your personal data under one or more of the following legal bases:
- Consent (Article 6(1)(a)): e.g. cookies, newsletters, marketing communications.
- Contractual necessity (Article 6(1)(b)): when providing you with services or fulfilling your requests.
- Legitimate interests (Article 6(1)(f)): for website security, analytics, or service improvement (only when your rights do not override our interests).
- Legal obligation (Article 6(1)(c)): when required to comply with tax, audit, or other legal duties.

6. How Long We Keep Your Data
We keep personal data only as long as necessary for the purposes stated above:

Contact forms / inquiries: Up to 2 years after last contact
Marketing subscriptions: Until you withdraw consent
Webinar registrations: 3 years (audit and attendance records)
Cookie consent logs: 12 months
Website analytics (anonymized): 14 months
Contracts / transactions: 5 years (legal retention obligation)

We delete or anonymize data when no longer needed or when you request erasure (where applicable).

7. Cookies and Tracking Technologies

7.1. What are cookies?
Cookies are small text files placed on your device that help us improve your experience, analyze traffic, and deliver personalized content.

7.2. Types of cookies we use
Strictly necessary: Essential for website operation (e.g. session, security). Consent required: No. Example: Session ID, load balancer cookie.

Functional / preference: Remember settings and user preferences. Consent required: Yes. Example: Language selection.

Analytics / performance: Measure website usage and performance. Consent required: Yes. Example: Google Analytics (anonymous).

Marketing / targeting: Show personalized ads or remarketing. Consent required: Yes. Example: LinkedIn Insight Tag, Meta Pixel.

7.3. Cookie consent
We use a Consent Management Platform (CMP) that:
- Blocks all non-essential cookies until consent is given
- Provides clear choices (Accept / Reject / Customize) with equal prominence
- Allows you to change or withdraw consent anytime via the “Cookie Settings” link
- Stores consent logs securely for 12 months for compliance evidence

No non-essential cookies are placed before you consent.

7.4. Third-party cookies
Google Analytics 4: Purpose: Site usage analytics. Transfer outside EEA: Yes (USA). Safeguard: EU-U.S. Data Privacy Framework / SCCs.

LinkedIn: Purpose: Ad conversion tracking. Transfer outside EEA: Yes (USA). Safeguard: SCCs.

Meta (Facebook): Purpose: Ad performance / remarketing. Transfer outside EEA: Yes (USA). Safeguard: SCCs.

Cookie Consent Manager: Purpose: Consent record keeping. Transfer outside EEA: EU-based. Safeguard: N/A.

8. How We Protect Your Data
We apply technical and organizational measures (TOMs) aligned with ISO/IEC 27001 and ISO 13485:
- Encryption of data in transit (TLS) and at rest
- Secure Danish hosting (24/7 monitored)
- Role-based access control and two-factor authentication
- Regular vulnerability scanning and patch management
- Data minimization and pseudonymization
- Confidentiality agreements with staff and vendors
- Documented incident response plan

9. Data Transfers Outside the EEA
If data is transferred outside the EEA (e.g. to U.S. vendors), we ensure adequate protection through:
- Adequacy decisions (e.g. EU-U.S. Data Privacy Framework), or
- Standard Contractual Clauses (SCCs) approved by the European Commission.

Copies of safeguards can be requested at dpo@levvel.health.

10. Sharing of Data
We may share data with trusted service providers under strict data processing agreements (DPAs). Typical recipients include:
- Hosting and IT security providers
- Marketing automation / analytics vendors
- Webinar or event platforms
- Legal or accounting advisors when required

All processors act under our instruction, and data is never shared for independent commercial use.

11. Your Rights Under GDPR
You have the following rights:
- Right of access (Art. 15) — obtain a copy of your personal data
- Right to rectification (Art. 16) — correct inaccuracies
- Right to erasure (Art. 17) — “right to be forgotten”
- Right to restriction of processing (Art. 18)
- Right to data portability (Art. 20)
- Right to object (Art. 21) — especially to marketing or legitimate interests
- Right to withdraw consent (Art. 7(3)) at any time
- Right to lodge a complaint with the Danish Data Protection Authority (Datatilsynet, www.datatilsynet.dk)

To exercise your rights, contact our DPO at dpo@levvel.health.
We will respond within one month (extendable to three months for complex cases).

12. Automated Decision-Making and Profiling
We do not use automated decision-making or profiling that produces legal or significant effects on you.

If this changes, we will update this policy and notify you accordingly.

13. Data Breach Notification
In the unlikely event of a personal data breach, we will:
- Notify the Danish Data Protection Authority within 72 hours (Article 33 GDPR) unless the breach is unlikely to result in risk to rights and freedoms; and
- Inform affected individuals without undue delay when required under Article 34 GDPR.

14. Children’s Privacy
Our website and services are not directed at children under 15.
If we become aware that we have collected data from a child under 15 without parental consent, we will delete it promptly.

15. Updates to This Policy
We review this policy at least annually or when regulations or our practices change.
The latest version and change history will always be available on our website.
Significant updates will be communicated via banner or email notice.

16. Contact and Complaints
Questions, concerns, or data protection requests can be directed to:

Data Protection Officer
Levvel Health ApS
Agern Allé 5A, 2970 Hørsholm, Denmark
Email: dpo@levvel.health

If you believe your data protection rights have been violated, you may lodge a complaint with:

Datatilsynet (Danish Data Protection Authority)
Carl Jacobsens Vej 35, 2500 Valby, Denmark
Tel: +45 33 19 32 00
Website: www.datatilsynet.dk