Privacy policy
We process personal data on behalf of regulated lenders. The bar is high. This document describes — in plain language — how we meet it.
Effective: 30 April 2026 · Version 1.0
This Privacy Policy explains how Centeo Group ApS (“Centeo,” “we,” “us”) collects, uses, and protects personal data when you visit Centeo or interact with us as an applicant, partner, vendor, or candidate. We comply with the EU General Data Protection Regulation (GDPR), the Danish Data Protection Act, and applicable marketing rules.
1. Data controller
The data controller for personal data processed via Centeo is:
- Centeo Group ApS
- CVR registration: DK40651101
- Viborgvej 159 A, 8210 Aarhus V, Denmark
- Email: sb@centeo.dk
For loan applications routed through our platform on behalf of bank and broker partners, Centeo acts as data processor. The relevant lender or broker is the controller — see their privacy policy for the full picture.
2. Personal data we collect
2.1 When you visit Centeo
- Technical data: IP address, browser version, language, operating system, referring page, pages viewed, timestamp.
- Cookies and similar technologies: only after consent. See our cookie policy for the full inventory.
- Analytics: aggregated visitor statistics via Google Analytics 4 — only with active consent.
2.2 When you submit a contact form
- Name, work email, company, role, phone number, country, free-text message.
- Technical metadata: IP, user agent, locale, source page, timestamp, anti-bot score.
2.3 When you apply for a role
- Contact details, CV, cover letter, LinkedIn URL, any attachments you provide.
2.4 If you are a business partner
- Contact data of named representatives, billing details, KYC documentation, contract terms.
3. Legal basis for processing
We only process personal data where we have a lawful basis under GDPR Article 6:
| Purpose | Legal basis |
|---|---|
| Responding to a contact-form inquiry | Art. 6(1)(b) — performance of a contract or pre-contractual steps |
| Operating and securing Centeo | Art. 6(1)(f) — legitimate interest |
| Web analytics via cookies | Art. 6(1)(a) — consent (cookie banner) |
| Processing job applications | Art. 6(1)(b) — pre-contractual steps |
| Bookkeeping and invoicing | Art. 6(1)(c) — legal obligation (Danish Bookkeeping Act) |
| Compliance with lender requirements | Art. 6(1)(c) — legal obligation |
| Establishing or defending legal claims | Art. 6(1)(f) — legitimate interest |
4. Who we share data with
We do not sell personal data. We share it only with:
- Sub-processors providing hosting, email, SMS, analytics, and customer support — all under data-processing agreements and based in the EU.
- Lender and broker partners in the context of a routed loan application, only with explicit applicant consent.
- Public authorities where legally required (e.g. tax authority, police, the Danish Data Protection Agency).
- Professional advisors (auditors, lawyers) under confidentiality.
5. International transfers
By default, personal data is stored exclusively in the EU. Where a sub-processor is exceptionally based outside the EU, transfers occur only under the European Commission’s Standard Contractual Clauses (SCCs) and only after a transfer-impact assessment (Schrems II level).
6. How long we retain data
| Data category | Retention |
|---|---|
| Contact-form submissions | 24 months |
| Job applications (no hire) | 6 months after rejection, then deletion or further consent |
| Accounting records | 5 years (Danish Bookkeeping Act §10) |
| Platform audit logs | 5 years — required by lender partners |
| Aggregated analytics | 26 months |
| Server and access logs | 90 days |
7. Your rights
As a data subject under GDPR, you have the following rights:
- Access — confirm whether we process data about you and obtain a copy.
- Rectification — have inaccurate data corrected.
- Erasure (“right to be forgotten”) — have data deleted when there is no longer a lawful basis to keep it.
- Restriction — restrict processing in specific situations.
- Portability — receive your data in a structured, commonly used format.
- Objection — object to processing based on legitimate interest.
- Withdrawal of consent — where processing is based on consent, withdraw it at any time.
Email sb@centeo.dk to exercise any of the above. We respond within 30 days. You may also lodge a complaint with the Danish Data Protection Agency — Carl Jacobsens Vej 35, 2500 Valby, Denmark — datatilsynet.dk.
8. Security
We apply technical and organisational safeguards in line with GDPR Article 32: TLS 1.3 in transit and encryption at rest, role-based access control, audit logging on critical actions, regular security testing, background checks on key staff, and data-processing agreements with every sub-processor.
9. Children
Centeo’s services are not directed at individuals under 18. We do not knowingly collect data from minors. If you become aware that a minor has submitted data to us, please email sb@centeo.dk and we will delete it promptly.
10. Changes
We update this policy as needed. The current version is always available on this page. We will notify you of material changes by email or a prominent on-site notice before they take effect.
11. Contact
Questions, access requests, or complaints:
- Email: sb@centeo.dk
- Post: Centeo Group ApS, Viborgvej 159 A, 8210 Aarhus V, Denmark
- Supervisory authority: Danish Data Protection Agency — datatilsynet.dk