Privacy Policy
Last Updated: March 14, 2026
1. Introduction and Controller Identity
This Privacy Policy explains how V.N. Holding ApS ("V.N. Holding ApS", "we", "our", or "us") collects, uses, and protects your personal data when you visit our website, communicate with us, or participate in our educational programs and professional development services available across Canada. We process personal data in accordance with applicable data protection laws, including the EU General Data Protection Regulation (GDPR), the UK GDPR (where applicable), and Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA).
Data Controller: V.N. Holding ApS, Prins Valdemars Vej 46, 2820 Gentofte, Denmark. You can contact us at [email protected] for any privacy inquiries, requests, or concerns. We do not currently appoint a Data Protection Officer; however, our privacy team monitors compliance and responds to requests within statutory time frames.
2. Personal Data We Collect
We collect the minimum information necessary to provide our services and to operate this website responsibly. The categories of personal data we may collect include:
- Identity and contact data: full name, email address, telephone number, organization, job role, and province/territory for service coordination.
- Inquiry and enrollment data: program interests, preferred timelines, learning objectives, and any details you provide in messages or forms.
- Technical data: IP address, device type, operating system, browser type and version, language preferences, and approximate geolocation derived from IP.
- Usage data: pages viewed, time on page, navigation paths, referral source, and interactions with on‑page elements.
- Cookies and similar identifiers: essential session cookies and, subject to consent where required, analytics and marketing identifiers. See Section 4.
- Communications: emails, call notes, and correspondence records related to program consultations and support.
We do not intentionally collect special category data (e.g., health, political opinions, religious beliefs), financial account numbers, or government identification numbers via our website. Please avoid including such information in free‑text form fields.
3. Why We Process Personal Data and Legal Basis
We process personal data only for specific and legitimate purposes:
- Responding to inquiries and providing program information: to communicate about our services, clarify requirements, and prepare enrollment steps. GDPR legal basis: Article 6(1)(b) (pre‑contractual steps) and, where applicable, Article 6(1)(a) (consent).
- Service delivery and participant support: to enroll participants, provide materials, and manage schedules. GDPR legal basis: Article 6(1)(b) (contract).
- Analytics (consent‑based): to understand website performance and improve content. GDPR legal basis: Article 6(1)(a) (consent).
- Marketing (consent‑based): to measure advertising effectiveness and, where permitted, show relevant content. GDPR legal basis: Article 6(1)(a) (consent).
- Security and fraud prevention: to protect our systems and investigate misuse. GDPR legal basis: Article 6(1)(f) (legitimate interests).
- Legal compliance: to meet record‑keeping, tax, and regulatory obligations. GDPR legal basis: Article 6(1)(c) (legal obligation).
Automated decision‑making: We do not conduct automated decision‑making or profiling that produces legal or similarly significant effects (GDPR Article 22).
4. Cookies and Tracking Technologies
Our website uses cookies and similar technologies. We categorize them as follows:
- Essential cookies (always active): required for core functionality such as session continuity and consent storage.
- Analytics cookies (consent‑based): help us measure traffic and usage patterns with aggregated insights.
- Marketing cookies (consent‑based): used to measure advertising reach and conversions, and to form audience segments consistent with applicable law.
Illustrative cookie names and lifetimes that may be present on this site or when we later enable specific services:
- _site_session (Essential, first‑party, session): maintains session continuity.
- cookie_consent (Essential, first‑party, 12 months): stores your consent preferences.
- _ga and _ga_XXXXXXXXXX (Analytics, third‑party, up to 2 years): Google Analytics 4 identifiers with IP anonymization.
- _gcl_au (Marketing, third‑party, 90 days): Google Ads conversion linker.
- _fbp and _fbc (Marketing, third‑party, 90 days): Meta Pixel identifiers for reach and conversion measurement.
Beyond cookies, we may use pixel tags and server‑side measurement to improve reliability (for example, hashed identifiers alongside IP and User‑Agent for deduplication). Analytics and marketing technologies are activated only after consent where required. You can manage your choices at any time via the “Manage cookie preferences” link in the site footer. For more details, see our Cookie Policy.
5. Consent (EEA/UK) and Canadian Considerations
If you are located in the EEA or the UK, we request explicit consent for analytics and marketing cookies before activating them. Your consent is recorded in the cookie_consent cookie for 12 months and may be withdrawn at any time via the preferences panel or by clearing cookies in your browser. Withdrawal does not affect the lawfulness of processing based on consent before its withdrawal.
In Canada, we handle personal information under PIPEDA’s fair information principles. Where we rely on consent, it will be meaningful and informed. In limited circumstances, we may collect, use, or disclose personal information without consent if permitted by law (e.g., fraud investigation, legal requests, or security incidents).
6. Sharing with Service Providers and Advertising Partners
We share personal data only with trusted providers that help us operate the website, deliver services, and measure performance. Typical categories include:
- Infrastructure and security (e.g., content delivery networks, hosting, DDoS protection) — limited technical data such as IP address.
- Analytics (e.g., Google Analytics 4) — cookie IDs and usage data, activated only with consent where required.
- Advertising measurement (e.g., Google Ads, Meta) — page views, conversions, and cookie/pixel identifiers, consent‑based.
- Operational tools (e.g., email service providers) — contact details and communications strictly for support and coordination.
We do not sell personal data. Our providers must process data solely on our instructions and are prohibited from using it for their own independent purposes except where required by law. Where reasonably possible, data shared is minimized and pseudonymized.
7. International Transfers
We may transfer personal data to countries outside your jurisdiction, including to the United States for certain service providers. Where applicable, we rely on recognized transfer mechanisms such as the EU‑US Data Privacy Framework (and UK Extension), Standard Contractual Clauses (EU 2021/914), and the UK International Data Transfer Agreement. We take steps to ensure an adequate level of protection consistent with GDPR requirements.
8. Data Retention
We retain personal data only as long as necessary for the purposes described in this Policy or as required by law. Typical retention periods include:
- Inquiry and correspondence records: up to 2 years from last meaningful interaction.
- Participant and enrollment records: for the duration of the program plus applicable legal or tax retention periods.
- Analytics data: up to 14 months in aggregated form, subject to provider settings.
- Marketing identifiers: generally tied to the cookie lifetime noted in Section 4.
- Server logs and security events: typically 90 days unless extended for investigation.
- Consent records: up to 3 years for audit purposes.
9. Your Rights
Depending on your location, you may have the following rights concerning your personal data:
- Access: obtain a copy of your personal data and information about our processing.
- Rectification: request correction of inaccurate or incomplete data.
- Erasure: request deletion where data is no longer needed or consent is withdrawn (subject to legal exceptions).
- Restriction: request limitation of processing in certain circumstances.
- Portability: receive your data in a structured, commonly used, machine‑readable format.
- Objection: object to processing based on legitimate interests and to direct marketing.
- Withdraw consent: where processing is based on consent, you may withdraw it at any time.
EU/UK residents may lodge a complaint with their supervisory authority. Canadian residents may contact the Office of the Privacy Commissioner of Canada. We encourage you to contact us first so we can address your concerns promptly.
To exercise your rights, email [email protected] with the subject "Privacy Request" and include sufficient details to verify your identity and locate the data at issue. We will respond within 30 days unless an extension is permitted for complex requests.
10. Children’s Privacy
Our website and services are not directed to individuals under 16. We do not knowingly collect personal data from minors. If you believe a child under 16 has provided personal data to us, please contact us so we can promptly delete it unless retention is required by law.
11. Do Not Track
Some browsers offer a "Do Not Track" (DNT) setting. Our website does not currently respond to DNT signals. Consent‑based controls for analytics and marketing are available via the cookie preferences panel referenced in Section 5.
12. Account and Data Deletion Requests
If you wish to request deletion of your personal data, please email [email protected] with the subject "Data Deletion Request". After verifying your identity, we will delete the data unless we must retain it to meet legal obligations, resolve disputes, or enforce agreements. We will confirm completion of your request within the applicable legal period.
13. Business Transfers
If we are involved in a merger, acquisition, asset sale, financing, reorganization, or insolvency, personal data may be transferred to a successor entity subject to this Privacy Policy. We will post a clear notice on our website if such a transfer materially changes the way your data is used.
14. California Privacy Rights (CCPA/CPRA)
While our services are focused on Canada, U.S. visitors may have rights under the California Consumer Privacy Act (as amended by the CPRA). Over the past 12 months, we may have collected the following categories of personal information: identifiers (name, email, IP address, cookie IDs), internet or network activity (usage data), and inferences (interests) created for advertising measurement. We do not sell personal information as defined by CCPA. We may “share” personal information for cross‑context behavioral advertising only with your consent where required and subject to opt‑out controls.
California residents may request to know, access, correct, or delete personal information and to opt out of sale/sharing. Submit requests to [email protected] with "California Privacy Request" in the subject line. We will verify your identity and respond within statutory timelines. Authorized agents must provide proof of authorization.
15. Virginia Privacy Rights (VCDPA)
For Virginia residents, you may have the rights of access, correction, deletion, portability, and opt‑out of targeted advertising. We do not engage in profiling that produces legal or similarly significant effects. To submit a request, email us with the subject "Virginia Privacy Request." If we decline your request, you may appeal by emailing us with the subject "Appeal of Refusal — Privacy Request." If unresolved, you may contact the Virginia Attorney General’s office.
16. Nevada Privacy Rights
Nevada residents may submit a verified request directing us not to sell certain personal information under Nevada Revised Statutes Chapter 603A by emailing "Nevada Do Not Sell Request." We do not currently sell personal information as defined under Nevada law.
17. Changes to This Privacy Policy
We may update this Privacy Policy from time to time to reflect operational, legal, or regulatory changes. Material changes will be announced via a notice on our homepage at least 14 days before they take effect. The "Last Updated" date at the top indicates the most recent revision. Continued use of our website after changes take effect indicates your acknowledgment of the updated Policy.
18. Contact Us
If you have questions about this Privacy Policy or wish to exercise your rights, please contact:
- V.N. Holding ApS
- Prins Valdemars Vej 46
- 2820 Gentofte, Denmark
- Email: [email protected]