Last updated: 15 December 2025
This Privacy and Cookie Policy explains how Limepack ApS (“Limepack”, “we”, “us”, “our”) processes personal data when you visit our websites and webshop, place orders, communicate with us or receive our marketing. We process personal data in accordance with the EU General Data Protection Regulation (“GDPR”) and applicable national data protection law.
1. Data controller and contact details
The data controller responsible for the processing of your personal data is:
Limepack ApS
Guldborgvej 25
2000 Frederiksberg
Denmark
If you have any questions or wish to exercise your data protection rights, you can contact us at:
Email: [email protected]
Telephone: +45 71 65 11 46
Our current postal address is available on our website, and you can also contact us through the contact options provided there.
We have not appointed a Data Protection Officer, but all privacy‑related enquiries can be directed to the contact details above.
2. Scope of this policy
This policy applies to our processing of personal data in connection with visits to and use of our websites and webshop, including any associated online services; enquiries and communication with our customer service and sales teams; quotation and ordering processes and other contractual relationships; our marketing activities across digital channels; and the use of cookies and similar technologies on our websites and in marketing.
The policy primarily covers individuals in the EU/EEA, including customers, prospective customers and other visitors to our online services.
3. What personal data we process
The types of personal data we process depend on how you interact with us.
When you request a quotation, place an order or create an account, we typically process identification and contact information such as name, company name, role or job title, postal address, billing and delivery addresses, email address and telephone number. We also process information related to the order itself such as products, customisation and design details that you provide, quantities, prices, discounts, delivery preferences, payment information (for example payment method and status, but not full card details if these are handled by a payment provider), and communication related to the order.
When you use our websites and online services, we may process technical and usage information such as IP address, device and browser information, language settings, referrer URL, access times, pages visited, clicks and similar log data. This information is often collected via cookies and similar technologies, as described in section 6.
When you receive our marketing or otherwise interact with our communications, we may process information about your marketing preferences, subscription status, whether you open our emails, which links you click, your purchase history and your responses to specific campaigns. We may link this information to your customer profile if you have one.
When you contact us, for example by email, telephone, online form or other channels, we process the information you provide, such as your enquiries, feedback, complaints and other correspondence, together with internal notes and follow‑up information.
We do not intentionally collect or process special categories of personal data such as information about health, religion or political opinions, nor data relating to criminal convictions. We ask you not to include such information in orders or communications. If such information is nevertheless provided, we will handle it in accordance with applicable law and, where appropriate, delete or restrict it.
4. Where your personal data comes from
In most cases, we receive personal data directly from you, for example when you place an order, ask for a quotation, sign up for marketing, contact us or use our websites.
We may also receive information from other sources such as payment service providers and banks that confirm whether a payment has been completed or rejected; logistics and delivery partners that inform us about shipping and returns; providers of analytics, advertising and marketing services that generate statistics or audience information based on your interactions with our services; and publicly available business information or partners in a B2B context when we verify or enrich company contact details.
If we obtain personal data from sources other than you, we will provide you with the information required by GDPR, including the information in this policy, within the time limits set by law.
5. Purposes and legal bases for processing
We only process your personal data where we have a specific purpose and a legal basis for doing so. The main purposes and legal bases are described below.
5.1 Providing our services and fulfilling contracts
We process personal data to handle enquiries and quotations, create and manage customer accounts, process and deliver orders, manage returns and complaints, provide customer service and technical support and manage our relationship with you as a customer or prospective customer. This includes verifying relevant information, communicating with you about orders or requests and performing our contractual obligations.
The legal basis for this processing is that it is necessary for the performance of a contract with you or to take steps at your request prior to entering into a contract, in accordance with Article 6(1)(b) GDPR.
5.2 Compliance with legal obligations
We process certain personal data to comply with legal obligations, for example in relation to accounting and bookkeeping, tax rules, consumer protection, product safety, data protection rules, and obligations to retain and document information. This may require us to store transaction data, communication and documentation for a specified period and to share information with competent authorities where required.
The legal basis for this processing is Article 6(1)(c) GDPR, as the processing is necessary for compliance with a legal obligation to which we are subject.
5.3 Marketing and personalisation
We use personal data for marketing and communication about our products and services. This includes sending newsletters and other marketing communications, showing or suppressing ads on various digital channels, creating and using segments or target groups, and personalising offers and content based on your previous purchases, interests and interactions with us.
We may use first‑party customer data such as contact information, purchase history, browsing behaviour on our own services and information about how you interact with our communications to carry out direct marketing, customer match activities, audience building and retargeting across current and future marketing channels. These channels may include, for example, email, our own websites, search engines, social media platforms, online advertising networks and similar digital marketing platforms.
Where required by law, we obtain your consent before sending you electronic direct marketing such as newsletters and before placing non‑essential marketing cookies and similar technologies on your device. In some situations, for example when we market similar products to existing customers, we may rely on our legitimate interest in promoting our business and maintaining customer relationships, provided you have not objected and local law permits this.
The legal basis is Article 6(1)(a) GDPR where we rely on your consent and Article 6(1)(f) GDPR where we rely on our legitimate interest in marketing and business development. You can withdraw your consent or object to marketing at any time as described in section 11.
5.4 Cookies, analytics and service improvement
We use cookies and similar technologies and process related personal data to operate and secure our websites, remember your preferences and settings, analyse traffic and usage patterns, measure performance and understand how our services are used. We also use data from analytics and reporting tools to improve our websites, products, customer experience and internal processes.
Cookies that are strictly necessary for the functioning of the website are used on the basis of our legitimate interest in providing a secure and user‑friendly service. Cookies that are used for analytics, performance and marketing are only used with your consent, which you can give and manage through our cookie banner and settings.
Depending on the configuration, the legal basis for the processing is Article 6(1)(f) GDPR for necessary cookies and Article 6(1)(a) GDPR for cookies and similar technologies that are not strictly necessary.
5.5 Security, fraud prevention and legal claims
We may process personal data to maintain the security of our systems and services, to detect and prevent misuse, fraud and other unlawful activities, and to protect our rights and interests. We may also process personal data as necessary to establish, exercise or defend legal claims, for example in connection with disputes, complaints or inspections by authorities.
The legal basis for this processing is our legitimate interest under Article 6(1)(f) GDPR in protecting our business, our customers and our rights, and where relevant Article 6(1)(c) GDPR when we are obliged to cooperate with public authorities.
6. Cookies and similar technologies
Our websites use cookies and similar technologies such as pixels, tags and local storage. A cookie is a small text file that is stored on your device and enables recognition of your browser. Some cookies are placed by us and others by third parties that provide services to us.
We use cookies that are necessary to operate the website, for example to enable basic functions, maintain your session, remember the contents of your basket or store your privacy preferences. These cookies are essential for the service you request and are therefore placed without your prior consent.
We also use cookies and similar technologies for analytics, performance and marketing. These technologies help us understand how our websites are used, which pages and products are most popular, how campaigns perform and how we can improve the user experience. They also allow us and our partners to show you more relevant ads and to measure the effect of those ads.
When you first visit our websites, you are asked to choose your cookie preferences. You can change or withdraw your consent at any time through the cookie settings available on the website, and you can also control or delete cookies through your browser settings. If you block or delete cookies, some functions of the website may not work as intended.
Where cookies and similar technologies involve the processing of personal data, this Privacy and Cookie Policy applies, and you have the rights described in section 11.
7. Sharing of personal data with third parties
We do not sell your personal data. We share personal data only when necessary, for example to provide our services, comply with legal obligations, carry out marketing, or operate our business, and we ensure that appropriate contractual and security measures are in place.
We share personal data with third‑party service providers who process data on our behalf and according to our instructions. These providers typically fall into categories such as hosting and cloud infrastructure providers, providers of email, CRM and customer support tools, providers of telephony and communication systems, providers of web analytics and performance measurement services, providers of marketing and advertising technologies (including platforms for email marketing, customer match, retargeting and digital advertising), providers of payment and transaction processing services, providers of logistics and shipping services and providers of business intelligence, reporting and integration tools, including AI‑based services that support our internal workflows, customer support and other processes.
In addition, we may share data with independent third parties that act as controllers for their own purposes, for example payment service providers and banks, shipping and logistics partners, professional advisers such as lawyers and accountants, and public authorities where we are legally required to do so or where it is necessary to protect our rights.
Where we use data processors, we enter into data processing agreements that meet the requirements of Article 28 GDPR, including obligations regarding confidentiality, security and limitations on the use of personal data. For competitive and security reasons, we do not list all individual service providers and partners publicly. However, we can provide more detailed information about relevant processors and categories of recipients in relation to your specific relationship with us if you contact us using the details in section 1 and such information is required by law.
8. International data transfers
Some of our service providers and partners are located outside the EU/EEA or process personal data in countries outside the EU/EEA. When personal data is transferred to such countries, we ensure that an adequate level of protection is in place in accordance with Chapter V GDPR.
This may be achieved by relying on an adequacy decision from the European Commission for the country in question, or by using standard contractual clauses approved by the European Commission together with additional technical and organisational measures where appropriate. In certain situations, we may rely on other permitted transfer grounds under GDPR.
You can contact us for more information about the specific safeguards that apply to transfers relevant to you.
9. Retention of personal data
We keep personal data only for as long as necessary for the purposes described in this policy, including to comply with legal obligations, handle disputes and enforce our agreements.
The actual retention period depends on the nature of the data and the context in which it is processed. In general, data relating to orders and transactions is retained for the period required by Danish accounting and tax rules. Data used for marketing is retained for as long as you receive our marketing or otherwise interact with us and for a limited period thereafter, unless you withdraw your consent or object earlier. Communication and enquiry data is retained for as long as needed to handle your enquiry and for an appropriate follow‑up period.
Where our processing is based on consent, we will delete or anonymise the personal data when you withdraw your consent or when it is no longer needed for the purpose for which consent was given, unless we are required or allowed by law to retain it for a longer period. When personal data is no longer needed, we delete or anonymise it in a secure manner.
10. Security
We take appropriate technical and organisational measures to protect personal data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure or access. These measures include access and permission management, use of secure and up‑to‑date systems, backup and recovery routines, internal policies and regular auditing on data protection and information security.
Although no system is completely secure, we aim to maintain a level of security appropriate to the risks associated with our processing of personal data and continuously review and improve our measures.
11. Personal data breaches
A personal data breach is a security incident that leads to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data. If we become aware of a personal data breach involving personal data for which we are responsible, we will assess the incident without undue delay in order to determine whether the breach is likely to result in a risk or a high risk to the rights and freedoms of individuals, as required by Articles 33 and 34 GDPR and applicable national rules.
If the breach is likely to result in a risk to the rights and freedoms of individuals, we will notify the competent supervisory authority without undue delay and, where feasible, not later than 72 hours after becoming aware of the breach. As a Danish company, our primary supervisory authority is the Danish Data Protection Agency (Datatilsynet), unless another supervisory authority is competent in a specific cross‑border situation. If we are unable to notify within 72 hours, we will provide reasons for the delay.
If the breach is likely to result in a high risk to the rights and freedoms of the affected individuals, we will also communicate the breach to those individuals without undue delay, unless an exception under the GDPR applies, for example where we have implemented measures that render the data unintelligible to unauthorised persons or where subsequent measures have ensured that the high risk is no longer likely to materialise.
Regardless of whether notification to the supervisory authority or to affected individuals is required, we document all personal data breaches internally. The documentation includes the facts relating to the breach, its effects and the remedial actions taken and is kept in such a way as to allow the supervisory authority to verify our compliance with our obligations.
12. Your rights
Under the GDPR, you have a number of rights in relation to our processing of your personal data.
You have the right to request confirmation as to whether we process personal data about you and to receive access to such data together with additional information about the processing. You have the right to request that inaccurate or incomplete personal data be rectified. You have the right, in certain circumstances, to request the deletion of your personal data, for example where the data is no longer necessary for the purposes for which it was collected, where you withdraw consent in situations where consent is the legal basis, or where you successfully object to processing. There may be situations where we cannot delete data immediately, for example where we are required to retain it by law or where it is needed for legal claims.
You have the right to request restriction of processing in certain circumstances, for example while we investigate a request for rectification or an objection. You have the right to receive personal data that you have provided to us in a structured, commonly used and machine‑readable format and to transmit that data to another controller where the processing is based on consent or contract and is carried out by automated means, and where the rights and freedoms of others are not adversely affected.
You have the right to object at any time to processing based on our legitimate interests on grounds relating to your particular situation. We will then assess your objection and stop the processing unless we can demonstrate compelling legitimate grounds that override your interests, rights and freedoms, or the processing is necessary for legal claims. You always have an absolute right to object to the processing of your personal data for direct marketing, including any profiling related to such marketing, and we will then stop that processing.
Where our processing is based on your consent, you may withdraw your consent at any time. Withdrawal does not affect the lawfulness of processing based on consent before its withdrawal.
You can exercise your rights by contacting us using the details in section 1. We may ask for additional information to verify your identity before handling your request. We aim to respond without undue delay and within the time limits set by GDPR.
We do not use your personal data to make decisions based solely on automated processing that produce legal effects concerning you or similarly significantly affect you.
13. Complaints to a supervisory authority
If you are dissatisfied with the way we process your personal data, we encourage you to contact us first so that we can try to resolve the issue together.
You also have the right to lodge a complaint with your local data protection authority. In Denmark, the supervisory authority is Datatilsynet (the Danish Data Protection Agency). Contact details and guidelines are available on Datatilsynet’s website. If you are located in another EU/EEA country, you can contact the data protection authority in your country of residence or work or where the alleged infringement took place.
14. Changes to this policy
We may update this Privacy and Cookie Policy from time to time, for example if our services or processing activities change or if required by changes in law or guidance from supervisory authorities. The latest version is always available on our websites. If the changes are significant, we will notify you in an appropriate manner, for example through a notice on our website, an updated date at the top of this policy or direct communication where appropriate.