Legal

Terms of Service|Privacy Policy|Cookies|Data Retention|GDPR

Privacy Policy

Last updated: April 2026

1. Data Controller

This Privacy Policy describes how Keyton ApS ("we", "us", "Keyton") collects, uses, and protects personal data when you use the Attensus platform.

Keyton ApS CVR: 44301958 Copenhagen, Denmark

Data Protection Officer: dpo@attensus.com General contact: hello@attensus.com

2. What Data We Collect

Account Data

When you create an account or are invited to an organization, we collect:

  • Name — to identify you within your organization
  • Email address — for authentication, notifications, and communication
  • Organization name — to associate your account with your tenant
  • Role — to enforce access control within your organization

Operational Data

When you use Attensus for forecasting, you upload data to the platform:

  • CSV files containing business metrics such as hours, units, volumes, weights, and group identifiers
  • ETL configurations including column mappings, delimiters, and metric definitions
  • Forecast parameters including model selections, horizon settings, and ensemble configurations

This data typically does not contain personal data. If your uploads include personal data (e.g., employee names as group identifiers), you are responsible for ensuring a lawful basis for that processing. We recommend pseudonymizing or anonymizing data before upload where possible.

Usage Data

We collect minimal server-side data necessary for platform reliability and security:

  • Server logs — timestamps, request paths, HTTP status codes, and response times
  • Error logs — stack traces and error context for debugging (no personal data)
  • IP addresses — truncated and used only for security monitoring (e.g., detecting unauthorized access attempts)

We do not use analytics cookies, tracking pixels, browser fingerprinting, or any client-side tracking technology. See our Cookie Policy for details.

3. How We Use Your Data

PurposeData UsedLegal Basis
Provide the forecasting serviceAccount data, operational dataContract performance (GDPR Art. 6(1)(b))
Authenticate and authorize usersEmail, name, roleContract performance (GDPR Art. 6(1)(b))
Send transactional emails (invitations, password resets, alerts)Email address, nameContract performance (GDPR Art. 6(1)(b))
Maintain platform security and prevent abuseServer logs, IP addressesLegitimate interest (GDPR Art. 6(1)(f))
Debug errors and improve platform reliabilityError logs, server logsLegitimate interest (GDPR Art. 6(1)(f))
Respond to support requestsAccount data, communication contentContract performance (GDPR Art. 6(1)(b))

We do not process your data for marketing, profiling, automated decision-making, or any purpose beyond those listed above. We do not sell personal data. We do not use customer data to train models for other tenants.

4. Data Retention

Data CategoryRetention Period
Account dataDuration of the service agreement
Operational data (uploads, forecasts)Duration of the service agreement
Audit logs2 years from creation
System backups30 days (rolling)
Server logs90 days

Upon account closure or deletion request, all account and operational data is permanently deleted from production systems within 30 days and from backups within 60 days. See our Data Retention Policy for full details.

5. Third-Party Processors

We share data with a limited number of processors, all operating within the EU:

ProcessorPurposeLocationData Shared
Hetzner Online GmbHCloud infrastructure (compute, database, object storage)Falkenstein, Germany (EU)All platform data (encrypted at rest and in transit)
Resend Inc.Transactional email deliveryEU processingRecipient email address, email subject, email body

Each processor is bound by a Data Processing Agreement that requires GDPR-compliant data handling, appropriate security measures, and prompt breach notification.

We do not share data with advertisers, data brokers, or any party not listed above.

6. International Data Transfers

There are no international data transfers. All data is stored and processed within the European Union. Our infrastructure is hosted at Hetzner's data center in Falkenstein, Germany. We do not use US-based cloud providers for data processing or storage.

7. Data Security

We implement the following technical and organizational measures:

  • Encryption in transit: TLS 1.3 on all connections, with HSTS enforcement
  • Encryption at rest: AES-256 for all stored data, including backups
  • Tenant isolation: PostgreSQL Row-Level Security (RLS) ensures strict data separation between customers at the database level
  • Access control: Role-based access control within organizations, with the principle of least privilege
  • Backup encryption: Daily encrypted backups with 30-day retention
  • Secure authentication: Passwords are hashed; session tokens are cryptographically secure

8. Your Rights

Under GDPR, you have the following rights regarding your personal data:

  • Access (Art. 15) — Request a copy of all personal data we hold about you
  • Rectification (Art. 16) — Correct inaccurate or incomplete personal data
  • Erasure (Art. 17) — Request deletion of your personal data
  • Restriction (Art. 18) — Request restricted processing while a concern is being resolved
  • Portability (Art. 20) — Receive your data in a structured, machine-readable format
  • Objection (Art. 21) — Object to processing based on legitimate interest

To exercise any of these rights:

  • Self-service: Use the Settings page in the Attensus platform to update, export, or delete your data
  • Email: Contact dpo@attensus.com with your request

We will respond to all requests within 30 days. If we need additional time (up to 60 additional days for complex requests), we will inform you within the initial 30-day period and explain the reason for the delay.

We will verify your identity before processing any data subject request to prevent unauthorized access.

9. Children's Privacy

Attensus is a business-to-business platform and is not directed at individuals under the age of 16. We do not knowingly collect personal data from children. If you believe a child has provided personal data to us, please contact dpo@attensus.com.

10. Changes to This Policy

We may update this Privacy Policy to reflect changes in our practices, legal requirements, or regulatory guidance. If we make material changes, we will notify you through the platform or by email at least 30 days before the changes take effect.

The "Last updated" date at the top of this page indicates when the policy was last revised. Continued use of Attensus after the effective date of a revised policy constitutes acceptance of the changes.

11. Supervisory Authority

You have the right to lodge a complaint with a data protection supervisory authority. Our supervisory authority is:

Datatilsynet (Danish Data Protection Agency) Carl Jacobsens Vej 35 2500 Valby, Denmark www.datatilsynet.dk

You may also contact the supervisory authority in your EU member state of residence.

12. Contact

For questions about this Privacy Policy or our data practices: