1. Who we are

This Privacy Policy describes how Catalyst Reactivate, a service operated by Damgaard Group ApS (hereafter "we," "us," or "our"), collects and processes personal data from visitors to catalystreactivate.com and from people who contact us about our services.

We are the data controller for personal data collected through this website and our services, as defined in the EU General Data Protection Regulation (GDPR) and the Danish Data Protection Act.

Contact:
Catalyst Reactivate / Damgaard Group ApS
[Company address in Denmark]
CVR: [Danish CVR number]
Email: info@catalystreactivate.com

2. What personal data we collect

Information you provide directly

When you complete our screening request form or contact us, we collect:

• First name and last name
• Work email address
• Phone number (optional)
• Company name and your role
• Country and site location
• Technical information about your catalysts, isolators, timeline, and number of units
• Any additional context you share in the message field
• Your explicit consent to this privacy policy, recorded at submission

Information collected automatically

When you visit our website, we may automatically collect the following (subject to your cookie consent):

• IP address, anonymized at city or region level
• Browser type, version, device type, operating system
• Pages visited, time on page, referral source, exit path
• Interaction events such as clicks, scrolls, and form completions

This automatic collection happens only if you give your consent through our cookie banner. See our Cookie Policy for full details.

3. How we use your data

We use your personal data to:

• Respond to your screening requests and deliver catalyst reactivation services
• Communicate with you about your project, documentation, and order status
• Prepare quotations, contracts, and invoices
• Improve our website and service based on aggregated analytics
• Comply with legal, regulatory, and contractual obligations, including Danish accounting law and pharmaceutical sector requirements
• Protect against fraud, spam, and misuse of our website

We do not use your data for marketing purposes without your separate, explicit opt-in consent. We do not sell your personal data to any third party.

4. Legal basis for processing

Under GDPR, we process your personal data based on these legal grounds:

• Consent — when you submit a form and agree to our privacy terms, or when you accept non-essential cookies.
• Contractual necessity — when processing is required to deliver a service you have requested or to perform a signed agreement.
• Legitimate interest — for internal operations, website security, spam prevention, and service improvement, where our interests are not overridden by your fundamental rights.
• Legal obligation — when required by Danish or EU law, including tax, accounting, and pharmaceutical industry regulations.

5. Who we share data with

We do not sell or rent your personal data. We share it only with:

• Service providers who help us operate our website, email, and customer management systems. These providers are bound by data processing agreements and may only use your data to provide services to us.
• Damgaard Group affiliated entities, including Damgaard Solutions, when cross-service coordination is needed.
• Professional advisors such as lawyers, accountants, and auditors, where necessary.
• Regulatory or government authorities when required by law or court order.

Current service providers

• Webflow, Inc. (United States) — website hosting and form submission processing. Form submissions are routed to info@catalystreactivate.com and nca@damgaardgroup.com.
• Google LLC (United States and Ireland) — website analytics via Google Analytics 4, only if you consent to analytics cookies.
• Google Workspace — email and document storage.
• Cloudflare R2 — video and static asset delivery.

We review our service providers annually to ensure they meet our privacy and security standards.

6. How long we keep data

We keep personal data only as long as necessary:

• Screening requests not leading to engagement: 12 months from last contact, then deleted.
• Active and past client records: duration of engagement plus 5 years, aligned with the Danish Bookkeeping Act and pharmaceutical traceability requirements. After 5 years, records are reviewed and either archived or deleted.
• Website analytics data: up to 14 months in Google Analytics, then automatically aggregated and anonymized.
• Cookie preferences: 12 months, or until you clear your browser.
• Email correspondence: retained for the duration of the business relationship plus any applicable legal archive period.

7. Cookies and tracking

Our website uses cookies to provide essential functionality and, if you consent, to understand how visitors use our site. Full details are in our Cookie Policy.

8. Your rights under GDPR

If you are in the European Union, European Economic Area, or the United Kingdom, you have the following rights regarding your personal data:

• Right of access — request a copy of the personal data we hold about you.
• Right to rectification — ask us to correct inaccurate or incomplete data.
• Right to erasure, also known as the right to be forgotten — ask us to delete your data, subject to legal retention requirements.
• Right to restriction of processing — ask us to limit how we process your data.
• Right to data portability — receive your data in a structured, commonly-used format.
• Right to object — object to processing based on legitimate interest.
• Right to withdraw consent — where processing is based on consent, you may withdraw it at any time.
• Right to lodge a complaint — with your national data protection authority. In Denmark, this is Datatilsynet.

To exercise any of these rights, email us at info@catalystreactivate.com. We will respond within 30 days.

9. Data security

We take reasonable technical and organizational measures to protect your personal data, including:

• HTTPS encryption across the entire website
• Access controls and multi-factor authentication on internal systems
• Regular security updates and monitoring
• Staff training on data protection
• Data processing agreements with all service providers

No method of transmission over the internet is 100% secure. While we work to protect your data, we cannot guarantee absolute security.

10. International data transfers

Some of our service providers, including Webflow and Google, are based outside the European Economic Area. When your data is transferred outside the EEA, we ensure adequate protection through:

• The EU-US Data Privacy Framework, for certified US-based providers
• Standard Contractual Clauses approved by the European Commission
• Additional technical and organizational safeguards where appropriate

11. Children's data

Our services are business-to-business and not directed at children. We do not knowingly collect personal data from anyone under 18. If you believe we have inadvertently collected such data, please contact us and we will delete it.

12. Changes to this policy

We may update this Privacy Policy to reflect changes in our services, legal requirements, or operational practices. The "Last updated" date at the top shows when the policy was last revised. Material changes will be communicated via our website or directly to active clients.

13. Contact us

For any questions about your personal data or this Privacy Policy:

Email: info@catalystreactivate.com
Postal mail: Catalyst Reactivate / Damgaard Group ApS, [company address], Denmark

If you are not satisfied with our response, you may lodge a complaint with Datatilsynet (the Danish Data Protection Agency) or your local data protection authority in the EU.