Skip to main content

Privacy Policy

Last Updated: February 18, 2026

1. Introduction & Controller Identity

This Privacy Policy explains how Gap Ejendomme ApS ("we," "us," or "our") collects, uses, stores, and protects your personal data when you visit our website gapejendomme.com (the "Website") and interact with our property management education services. We are committed to processing your personal data responsibly and in compliance with the EU General Data Protection Regulation (GDPR), the Danish Data Protection Act (Databeskyttelsesloven), and other applicable privacy legislation.

Data Controller:
Gap Ejendomme ApS
Kappelevvej 27
2670 Greve, Denmark
Email: [email protected]
Phone: +45 43 94 27 10

This policy is effective as of February 18, 2026. If you have any questions about how we handle your personal data, please contact us using the details above.

2. Personal Data We Collect

We collect the following categories of personal data depending on how you interact with our Website and services:

  • Identity & Contact Data: Full name, email address, phone number, and any organizational affiliation you provide when submitting a contact or enrollment request form.
  • Form Content: Messages, program preferences, learning goals, and other details you include in your inquiry or enrollment submissions.
  • Technical Data: IP address, browser type and version, device type and operating system, preferred language, screen resolution, and time zone setting.
  • Usage Data: Pages visited, time spent on pages, referral source, click paths, scroll depth, and navigation patterns across our Website.
  • Cookies & Identifiers: Data collected through cookies and similar tracking technologies as described in Section 4 below and in our Cookie Policy.
  • Conversion Event Data: Information about whether you completed a form submission, which pages you visited before submitting, and which program you expressed interest in.

We do not collect special-category data (such as health information, religious beliefs, or political opinions), financial account details, or government-issued identification numbers unless a specific educational program or regulatory requirement makes such collection strictly necessary, in which case we will inform you separately and obtain explicit consent.

3. Why We Process & Legal Basis

We process your personal data for the following purposes, each supported by a lawful basis under GDPR Article 6:

  • Processing contact and enrollment form submissions: Art. 6(1)(b) β€” necessary for performance of a contract or to take steps at your request prior to entering into a contract; and Art. 6(1)(a) β€” your consent, where applicable.
  • Website analytics and performance monitoring: Art. 6(1)(a) β€” your consent, obtained through our cookie consent mechanism before any analytics cookies are activated.
  • Marketing, remarketing, and lookalike audience creation: Art. 6(1)(a) β€” your consent, obtained through our cookie consent mechanism before any marketing cookies are activated.
  • Website security, fraud prevention, and abuse detection: Art. 6(1)(f) β€” our legitimate interest in maintaining the security and integrity of our Website and protecting against malicious activity.
  • Legal, tax, and regulatory compliance: Art. 6(1)(c) β€” necessary for compliance with legal obligations to which we are subject, including Danish tax and accounting requirements.

Automated Decision-Making (Art. 22): We do not engage in automated decision-making or profiling that produces legal or similarly significant effects on you.

4. Cookies & Tracking Technologies

Our Website uses cookies and similar tracking technologies grouped into three categories. Full details, including a complete cookie table, are available in our Cookie Policy.

Essential Cookies (no consent required, always active):

  • _site_session β€” Maintains your session continuity as you navigate the site. First-party, session duration.
  • cookie_consent β€” Stores your cookie preference choice so we do not ask again on every visit. First-party, 12 months.
  • CSRF protection tokens as needed for form security.

Analytics Cookies (consent required):

  • _ga β€” Google Analytics 4 user identifier. Third-party, 2 years.
  • _ga_XXXXXXXXXX β€” Google Analytics 4 session state (10-character GA4 measurement ID). Third-party, 2 years.

Google Analytics 4 is configured with IP anonymization enabled. Data retention is set to 14 months.

Marketing Cookies (consent required):

  • _gcl_au β€” Google Ads conversion linker. Third-party, 90 days.
  • _fbp β€” Meta Pixel browser identifier. Third-party, 90 days.
  • _fbc β€” Meta Pixel click identifier (set when a click ID parameter is present in the landing URL). Third-party, 90 days.

Marketing cookies are used for remarketing, conversion attribution, and the creation of custom and lookalike audiences. Beyond cookies, we may also use pixel tags (gtag.js, Meta Pixel), server-side event transmission via Meta Conversion API or Google Server-Side GTM (using hashed identifiers), and device identifiers derived from IP address and User-Agent combinations.

5. Consent (EEA/UK)

Users in the European Economic Area (EEA) and the United Kingdom receive a consent notice under GDPR and UK GDPR upon their first visit to our Website. Marketing and analytics cookies are activated only after explicit, informed, and freely given consent (Art. 6(1)(a)). Your consent choice is recorded in the cookie_consent browser cookie, which is retained for 12 months.

You may withdraw your consent at any time by clicking "Manage Cookie Preferences" in the footer of any page on our Website, or by clearing your browser cookies. Withdrawal of consent does not affect the lawfulness of processing carried out before the withdrawal.

6. Sharing With Advertising & Service Partners

Where you have provided consent (or where we rely on another lawful basis), we may share certain personal data with the following categories of third-party service providers:

  • Google LLC (Google Analytics 4, Google Ads, Google Tag Manager, Remarketing): Cookie identifiers, usage data, conversion events, and remarketing list membership. Google's privacy policy is available at policies.google.com/privacy.
  • Meta Platforms, Inc. (Meta Pixel, Custom Audiences, Lookalike Audiences, Conversion API): Page views, conversion events, audience membership, and hashed identifiers (such as hashed email addresses). Meta's privacy policy is available at facebook.com/privacy/policy.
  • Cloudflare, Inc. (CDN and security services): IP-based threat detection, DDoS mitigation, and performance optimization. Cloudflare's privacy policy is available at cloudflare.com/privacypolicy.

We do not sell personal data. These providers may not use data collected from our Website for their own independent commercial purposes beyond the services they provide to us.

7. International Transfers

Some of our third-party service providers (notably Google LLC and Meta Platforms, Inc.) are based in the United States. Personal data transferred outside the EEA or the UK is protected through the following safeguards:

  • EU-US Data Privacy Framework (primary mechanism, in effect since July 2023)
  • UK Extension to the Data Privacy Framework
  • Swiss-US Data Privacy Framework
  • Standard Contractual Clauses (EU Commission Implementing Decision 2021/914) as a fallback mechanism
  • UK International Data Transfer Agreement (IDTA) as a fallback for UK-originating transfers

We conduct transfer impact assessments where required and implement supplementary measures (such as encryption in transit and at rest) to ensure an essentially equivalent level of protection for transferred data.

8. Retention

We retain personal data only for as long as necessary to fulfil the purpose for which it was collected, or as required by law. Specific retention periods are as follows:

  • Contact and enrollment form submissions: 2 years from the date of last interaction.
  • Analytics data: 14 months (as configured in Google Analytics 4).
  • Marketing cookies: Per the individual cookie lifetime (typically 90 days for advertising cookies).
  • Email correspondence: Duration of the active relationship plus 1 year.
  • Server logs: 90 days.
  • Cookie consent records: 3 years (for audit and compliance purposes).
  • Legal, tax, and accounting records: As required by Danish law, typically 5 years for bookkeeping records under the Danish Bookkeeping Act (BogfΓΈringsloven).

9. Your Rights (GDPR & UK GDPR)

Under the GDPR and UK GDPR, you have the following rights regarding your personal data:

  • Right of Access (Art. 15): You may request a copy of the personal data we hold about you.
  • Right to Rectification (Art. 16): You may request correction of inaccurate or incomplete personal data.
  • Right to Erasure (Art. 17): You may request deletion of your personal data where there is no compelling reason for continued processing.
  • Right to Restriction (Art. 18): You may request that we restrict the processing of your personal data under certain conditions.
  • Right to Data Portability (Art. 20): You may request that we provide your personal data in a structured, commonly used, machine-readable format.
  • Right to Object (Art. 21): You may object to processing based on legitimate interests or for direct marketing purposes.
  • Right to Withdraw Consent (Art. 7(3)): Where processing is based on consent, you may withdraw that consent at any time without affecting the lawfulness of processing before the withdrawal.
  • Right to Lodge a Complaint (Art. 77): You have the right to lodge a complaint with a supervisory authority.

To exercise any of these rights, please email us at [email protected] with the subject line "Privacy Rights Request." We will respond within 30 days. In the event of a complex or high-volume request, this period may be extended by an additional 60 days, in which case we will notify you of the extension and explain the reasons.

Lead Supervisory Authority: As Gap Ejendomme ApS is established in Denmark, our lead supervisory authority is the Danish Data Protection Agency (Datatilsynet), Carl Jacobsens Vej 35, 2500 Valby, Denmark. Website: datatilsynet.dk.

10. Children

Our Website and educational services are not directed at individuals under the age of 16. We do not knowingly collect personal data from minors. If we become aware that personal data has been collected from a child under 16 without verifiable parental consent, we will take steps to delete that data promptly. If you believe we may have inadvertently collected data from a minor, please contact us immediately at [email protected].

11. Do Not Track

This Website does not respond to Do Not Track (DNT) browser signals. There is currently no universally accepted standard for how websites should interpret DNT signals. Third-party providers integrated with our Website may have their own DNT handling policies, which are described in their respective privacy policies linked in Section 6 above.

12. Account & Data Deletion

If you wish to request the deletion of all personal data we hold about you, please email [email protected] with the subject line "Data Deletion Request." We will process your request within 30 days of verifying your identity. Limited data retention may continue only where required by law (such as Danish bookkeeping requirements) or for the establishment, exercise, or defense of legal claims.

13. Business Transfers

In the event of a merger, acquisition, asset sale, financing, or insolvency, personal data may be transferred to a successor entity as part of the business assets. We will notify users via a prominent notice on our Website if the transfer materially changes how personal data is used. Any successor entity will remain bound by the commitments made in this Privacy Policy until a revised policy is communicated to you.

14. California (CCPA / CPRA)

If you are a California resident, the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA) provide you with specific rights regarding your personal information.

Categories of personal information disclosed in the past 12 months:

  • Identifiers (name, email address, IP address, device identifiers) β€” disclosed to service providers and advertising partners.
  • Internet/Network Activity (browsing history, pages viewed, interaction data) β€” disclosed to analytics and advertising providers.
  • Inferences (interests, preferences derived from browsing behavior) β€” disclosed to advertising partners for audience creation.

We do not sell personal information as defined by the CCPA. We do share personal information for cross-context behavioral advertising purposes. California residents may opt out of this sharing via our cookie preferences panel, accessible through the "Manage Cookie Preferences" link in the footer of any page.

Your California Rights: Right to Know, Right to Delete, Right to Correct, Right to Opt-Out of sale/sharing, and Right to Non-Discrimination. To exercise these rights, please email [email protected] with the subject line "California Privacy Request." Identity verification is required. Authorized agents must provide written proof of authorization.

15. Virginia (VCDPA)

If you are a Virginia resident, the Virginia Consumer Data Protection Act (VCDPA) provides you with the following rights: Right to Access, Right to Correct, Right to Delete, Right to Data Portability, and Right to Opt-Out of targeted advertising. To exercise these rights, please email [email protected] with the subject line "Virginia Privacy Request."

We do not sell personal data or engage in profiling that produces legal or similarly significant effects. If we refuse your request, you may appeal by emailing us with the subject line "Appeal of Refusal β€” Privacy Request." We will respond to appeals within 60 days. If you are unsatisfied with the outcome, you may contact the Virginia Attorney General.

16. Nevada

Nevada residents may submit a verified opt-out request by emailing [email protected] with the subject line "Nevada Do Not Sell Request." We do not currently sell personal information as defined under Nevada Revised Statutes Chapter 603A.

17. Canadian Privacy Considerations

As our educational services are available to participants throughout Canada, we acknowledge the privacy rights provided under the Personal Information Protection and Electronic Documents Act (PIPEDA) and substantially similar provincial legislation. Canadian participants have the right to access and request correction of their personal information held by us. We obtain meaningful consent for the collection, use, and disclosure of personal information, and we limit collection to what is necessary for the identified purposes. To exercise your rights under Canadian privacy law, please contact us at [email protected].

18. Security Measures

We implement appropriate technical and organizational measures to protect personal data against unauthorized access, accidental loss, destruction, or alteration. These measures include encryption in transit (TLS/SSL), secure hosting environments, access controls, regular security assessments, and staff training on data protection responsibilities. While we strive to protect your personal data, no method of transmission over the internet or electronic storage is completely secure, and we cannot guarantee absolute security.

19. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technologies, legal requirements, or other factors. Material changes will be announced via a prominent banner on our Website at least 14 days before taking effect. The "Last Updated" date at the top of this page will be revised with every update. We encourage you to review this policy periodically to stay informed about how we protect your data.

20. Contact

If you have any questions, concerns, or requests regarding this Privacy Policy or our data processing practices, please contact us:

Gap Ejendomme ApS
Kappelevvej 27
2670 Greve, Denmark
Email: [email protected]
Phone: +45 43 94 27 10