Privacy Policy
Last updated: 2026-05-10
1. Who we are
GGFix ("we", "us", "our") is the data controller for personal data collected through ggfix.dk and the GGFix monitoring service. We are GGFix, registered in Denmark, CVR 45911667, address Vejlebrovej 18H, 2635 Ishøj, Denmark.
For all privacy-related questions, contact contact@ggfix.dk or call +45 28 60 92 02.
This policy is written in plain language so you can read it without a lawyer. It is governed by the EU General Data Protection Regulation (GDPR, Regulation 2016/679) and the Danish Data Protection Act (Databeskyttelsesloven). For business customers we also offer a Data Processing Agreement (DPA) covering Article 28 GDPR.
2. What data we collect, why, and on what lawful basis
| Category | Purpose | Lawful basis (GDPR Art. 6) |
|---|---|---|
| Account: email, display name, password hash | Create and operate your account | Performance of contract — Art. 6(1)(b) |
| Billing: tax ID, billing address, card metadata (no card numbers) | Process subscriptions and invoices via Stripe | Performance of contract / legal obligation — Art. 6(1)(b)/(c) |
| Hardware telemetry: CPU/GPU temps, fan RPM, voltages, NVMe wear, battery, top processes by memory and CPU, Windows Event Log entries, OS build, hostname, public IP, agent version | Monitor your machines, generate AI alerts and reports, predict failures | Performance of contract — Art. 6(1)(b) |
| Telegram chat ID (only if you link the alerts bot) | Deliver Telegram alerts you opted into | Consent — Art. 6(1)(a) |
| Contact form submissions and AI chat messages | Respond to your enquiry, support requests, sales | Legitimate interest — Art. 6(1)(f) |
| Newsletter email address (if you sign up) | Send product updates you asked for | Consent — Art. 6(1)(a) |
| Analytics (Google Analytics 4) and error reports (Sentry) | Understand site usage in aggregate, fix bugs | Consent — Art. 6(1)(a) — only after you accept in the cookie banner |
What we never collect
Keystrokes, screenshots, browser history, the content of files on your disk, the content of windows you have open, webcam or microphone data, or anything else outside the scope of hardware monitoring. The agent reads sensors and process metadata only.
3. How long we keep your data (retention)
- Account data: for as long as your account is active, plus 90 days after deletion (for backups).
- Telemetry / sensor history: 12 months rolling. Older readings are aggregated or deleted.
- AI chat messages: 90 days, then deleted.
- Billing records: 5 years, as required by Danish bookkeeping law (Bogføringsloven).
- Contact form submissions: 24 months, then deleted.
- Public chat sessions (homepage widget): deleted automatically after 24 hours.
- Enrollment tokens, password reset tokens: 1 hour.
4. Who we share your data with (sub-processors)
We use a small set of trusted service providers to operate the platform. Each is bound by a Data Processing Agreement and appropriate transfer safeguards. The full list with regions and transfer mechanisms lives in our Data Processing Agreement (section 5). Summary:
- Google LLC (Firebase / Cloud Functions / Firestore): auth, database, hosting infrastructure
- Anthropic, PBC (Claude AI): AI alert generation, chat, monthly reports
- Stripe Payments Europe, Ltd.: subscription billing
- Cloudflare, Inc.: frontend hosting, CDN, agent binary distribution
- Resend, Inc.: transactional email
- Telegram FZ-LLC: alert delivery (only if you link the bot)
We do not sell your personal data. We do not share it with advertisers or data brokers. We disclose data to public authorities only when legally compelled.
5. International transfers
Some of our sub-processors are based outside the European Economic Area (EEA), notably in the United States. Where personal data is transferred outside the EEA, we rely on the European Commission's Standard Contractual Clauses (SCCs, Decision 2021/914), and where applicable on adequacy decisions or other Article 46 GDPR safeguards. We have completed Transfer Impact Assessments for our US-based sub-processors.
6. Automated decisions and AI
GGFix uses Claude AI (Anthropic) to analyse hardware telemetry and generate alerts, reports, and chat responses. These outputs are informational and advisory; they do not produce legal effects or significant consequences for you within the meaning of GDPR Article 22. AI alerts are suggestions you can act on or ignore, not automated decisions about you.
7. Your rights under GDPR
You have the right to:
- Access the personal data we hold about you
- Rectify inaccurate data
- Erase your data ("right to be forgotten")
- Restrict our processing
- Portability — receive your data in a machine-readable format
- Object to processing based on legitimate interests
- Withdraw consent at any time, where consent is the lawful basis
- Not be subject to a decision based solely on automated processing (see section 6)
Exercise any of these by emailing contact@ggfix.dk. Most actions (data export, account deletion) are also available in the dashboard Settings page. We respond within 30 days.
Right to lodge a complaint
If you believe we have mishandled your data, you can lodge a complaint with the Danish Data Protection Authority:
Datatilsynet · Carl Jacobsens Vej 35, 2500 Valby, Denmark
datatilsynet.dk · +45 33 19 32 00
8. Security
We protect personal data with appropriate technical and organisational measures, including:
- TLS 1.3 in transit, AES-256 at rest
- SHA-256 hashing of API keys (we never store plaintext)
- Role-based access control with Firebase custom claims
- Per-client rate limiting on telemetry writes
- Stripe webhook signature verification with idempotency
- Single-use 30-minute enrollment tokens
- Continuous error and audit log monitoring (Sentry)
9. Children's data
GGFix is a B2B and prosumer product not directed at children. We do not knowingly collect personal data from anyone under 16. If you believe a child has provided us data, contact us and we will delete it.
10. Changes to this policy
We may update this policy as our service evolves or to reflect new legal requirements. The "Last updated" date at the top of the page shows when changes took effect. Material changes will be announced via email to active account holders at least 30 days before they take effect.
11. Contact
GGFix — Privacy
Email: contact@ggfix.dk
Phone: +45 28 60 92 02
Postal: GGFix, Vejlebrovej 18H, 2635 Ishøj, Denmark · CVR 45911667