HOLM8 - GDPR AND PRIVACY POLICY

Last updated: 2 November 2025

Data Controller: Holm8 ApS
Company Reg. No. (CVR): 39184397
Address: Sundkrogsgade 33, 2150 Nordhavn, Denmark
Website: www.holm8.dk

1. Purpose and Responsibility

At Holm8 ApS (“Holm8”, “we”, “us”), we take the protection of your personal data seriously.
We only collect and process personal information necessary to provide, manage, and improve our services, memberships, and events, and to comply with applicable legislation.
This Privacy Policy explains what data we collect, why we collect it, how we process it, and what rights you have.

2. Types of Personal Data We Collect

Depending on your relationship with Holm8 (member, customer, guest, supplier, partner), we may process the following categories of information:

Identification and Contact Information

  • Name, gender, date of birth, and age

  • Address, e-mail, and phone number

Membership and Account Information

  • Membership number and subscription type

  • Access wristband ID (Kisi or similar system)

  • Participation in events, saunagus sessions, and programmes

  • No-show history and booking data

Payment and Accounting Information

  • Payment card details (stored securely via a certified payment gateway)

  • Invoices, receipts, and accounting data (in accordance with the Danish Bookkeeping Act)

Technical Data

  • IP address, login times, cookies, and device data when using our website or app

  • Access registration via wristband (check-in and check-out times)

Communication and Marketing

  • Inquiries, feedback, and newsletter subscriptions

  • Marketing preferences and any consent to e-mail communication

Special Categories (only with explicit consent)

  • Health-related data (e.g. contraindications or injuries related to sauna/cold plunge participation)

  • Such data is processed only with your explicit consent, which can be withdrawn at any time.

Video Surveillance

  • Member activity may be monitored to ensure safety and security and to prevent misuse of membership access.

3. Purpose of Processing

We use personal data for the following purposes:

Membership and Access Administration
– Creating a member profile, managing access wristbands, and handling bookings
– Registering participation in events, saunagus sessions, and programmes

Payment and Accounting
– Processing payments, invoices, refunds, and mandatory bookkeeping

Communication and Service
– Responding to inquiries and sending event reminders and member communications

Operations and Security
– Access control via Kisi and logging of facility use
– Maintaining order and safety within the centre

Marketing (only with consent)
– Sending newsletters, member information, and promotional offers
– Analysing anonymised data to improve our services

Legal Obligations
– Compliance with accounting, tax, and data protection laws

4. Legal Basis (GDPR Art. 6 and 9)

We process personal data based on the following legal grounds:

  • Art. 6(1)(b) – Necessary for the performance of a contract (membership, purchase, event participation)

  • Art. 6(1)(c) – Necessary to comply with a legal obligation (bookkeeping, accounting, taxation)

  • Art. 6(1)(f) – Legitimate interest (operations, security, access management, improvement of member experience)

  • Art. 6(1)(a) – Consent (e.g. newsletters, health data, photos or testimonials)

  • Art. 9(2)(a) – Explicit consent for processing special categories of data (e.g. health information)

5. Retention and Deletion

We store your data only as long as necessary for the purposes described, or as required by law:

  • Accounting and payment data: 5 years after the end of the financial year, in accordance with the Danish Bookkeeping Act

  • Membership data: Deleted 12 months after termination, unless outstanding matters remain

  • Consent-based data (e.g. newsletters): Deleted immediately upon withdrawal of consent

  • Health data: Deleted upon membership termination or withdrawal of consent

  • Video surveillance: Automatically deleted after 30 days unless requested by authorities (e.g. for investigation or ongoing cases)

Data is anonymised when no longer needed for identifiable purposes.

6. Data Sharing

We share personal data only with trusted partners necessary for Holm8’s operations:

Data Processors and Vendors:

  • YOGO (booking and membership administration)

  • Kisi (access control system)

  • Frisbii / Nets / MobilePay / FlatPay (payment solutions)

  • Mailchimp / Zapier (newsletters and communication)

  • Zenegy / E-conomic (accounting systems)

  • Simply.com / Alphabet / Meta / Slack (IT and hosting partners – secure data storage, marketing, optimisation, and operations)

All processors are contractually obligated to protect your data under Data Processing Agreements (DPAs) and current GDPR standards.
Data is never shared with third parties for marketing purposes without your consent.

In some cases, data may be transferred outside the EU/EEA (e.g. via Mailchimp). Such transfers only occur to companies certified under the EU–U.S. Data Privacy Framework or using EU Commission Standard Contractual Clauses (SCCs).

7. Cookies and Digital Tracking

Our website uses cookies for functionality, statistics, and marketing.
You can change or withdraw your cookie consent at any time through our cookie banner.

8. Your Rights

As a data subject, you have the following rights under the GDPR:

  • Right of access – You can request information about the data we process about you.

  • Right to rectification – You can request correction of inaccurate or incomplete data.

  • Right to erasure – You can request deletion of data when it is no longer necessary.

  • Right to restriction – You can request limited processing in certain situations.

  • Right to data portability – You can obtain your data in a structured, machine-readable format.

  • Right to object – You can object to processing based on legitimate interests.

  • Right to withdraw consent – You can withdraw consent at any time (e.g. for newsletters).

To exercise your rights, contact us at connect@holm8.dk.
We will respond as quickly as possible, and within 90 days at the latest.

9. Security

We protect your data through technical and organisational security measures, including:

  • Encryption of data during transmission (SSL/TLS)

  • Access control and login protection

  • Regular security monitoring

  • Data processing agreements with all external partners

  • Restriction of access to personal data to authorised employees and facilitators

10. Photos, Video, and Social Media

During special events, saunagus sessions, or other gatherings, ambient photos or videos may be taken.
This will never occur without consent, and you may withdraw your consent at any time by contacting us.
Images are used solely for marketing, social media, or internal communication, always with respect for guests’ privacy.

11. Complaints and Supervisory Authority

If you believe Holm8 is not handling your data correctly, please contact us first at connect@holm8.dk so we can resolve the issue.

You also have the right to file a complaint with:
Danish Data Protection Agency (Datatilsynet)
Carl Jacobsens Vej 35, 2500 Valby, Denmark
Web: www.datatilsynet.dk
Phone: +45 33 19 32 00
E-mail: dt@datatilsynet.dk

12. Changes to This Policy

We may update this Privacy Policy when necessary to reflect changes in our practices, technology, or legal requirements.
The latest version is always available on this page.
In case of significant changes, we will notify you by e-mail or through our app.

Contact

If you have questions about how we protect your data, please contact us at connect@holm8.dk
or in writing at: Holm8 ApS, Sundkrogsgade 33, 2150 Nordhavn, Denmark