Privacy Policy
How we collect, process and protect personal data in accordance with the General Data Protection Regulation (GDPR).
Last updated: 7 July 2026 · contact@justparity.com
1. Data controller and data processor
Just Parity ApS is the data controller for the processing of personal data relating to visitors to justparity.com, contact persons at our customers, and platform users (HR staff and managers).
For the pay and HR data that customers upload to the platform, Just Parity ApS acts as a data processor. In these cases, the data controller is the customer's organisation, and requests concerning employee data should be directed there.
Just Parity ApS
Company reg. no. (CVR): 46363906
Vesterbrogade 208, DK-1800 Frederiksberg C, Denmark
Email: contact@justparity.com
Data Protection Officer (DPO): Just Parity ApS has not currently appointed a DPO, as the scope of our processing does not presently trigger the obligation under Article 37 GDPR. Questions concerning data protection should be directed to contact@justparity.com.
2. Purposes of processing
We process personal data for the following purposes:
- delivery of the JustParity compliance platform
- customer support and communication
- invoicing and accounting
- operation, maintenance and improvement of the service
- marketing (only with consent)
- compliance with legal requirements
- sending proposals in B2B relationships, including measuring whether the recipient has opened the email (read receipt via a 1x1 pixel image)
3. Categories of personal data
We process the following categories of personal data:
- Contact details: name, email, phone number, company, job title
- Usage data: log data, IP address, browser information, device information
- Customer data (as data processor): pay and HR data uploaded to the platform by customers
Pay data and special categories. Pay data is processed as ordinary personal data (Article 6). However, the processing may include data falling within the special categories (Article 9):
- gender, processed for pay gap analysis pursuant to EU Directive 2023/970 (Article 9(2)(b))
- trade union membership, which may appear indirectly in imported payroll datasets (Article 9(2)(b))
Danish civil registration numbers (CPR numbers) may be received transiently from connected payroll systems (e.g. Intect) and used solely to technically derive gender for the pay gap analysis (last digit). The CPR number is not stored in JustParity's database (only gender and date of birth are stored). The data controller is responsible for the legal basis for the transfer.
These data are stored in separate tables with additional safeguards and strict access control.
4. Legal basis (Articles 6 and 9 GDPR)
We process personal data on the following legal bases:
- Performance of a contract (Article 6(1)(b)): to deliver our services and fulfil the agreement
- Legal obligation (Article 6(1)(c)): accounting, bookkeeping, tax reporting and compliance with EU Directive 2023/970
- Legitimate interest (Article 6(1)(f)): operations, security, prevention of misuse, product improvement, and measuring whether a recipient has opened a B2B proposal we have sent (read receipt). We have assessed that the recipient's expectation of this measurement is reasonable in the context of an ongoing business dialogue, and that the intrusion is minimal (we record the time of opening, IP address and browser type). You may object to this processing at any time by contacting us at contact@justparity.com.
- Consent (Article 6(1)(a)): marketing, newsletters and non-essential cookies
Special categories (Article 9(2)(b)): the processing of gender data and, where applicable, trade union membership for pay gap analysis is carried out as part of compliance with employment law obligations under the EU Pay Transparency Directive and the Danish Equal Pay Act.
CPR numbers: not processed as Article 9 data. CPR numbers may be received transiently from payroll systems and used solely for the technical derivation of gender (last digit); the CPR number is not stored. The data controller is responsible for the legal basis for any transfer.
5. Recipients of personal data
We may share personal data with:
Sub-processors:
| Sub-processor | Processing | Location | Transfer basis |
|---|---|---|---|
| Supabase Inc. | Database, hosting, authentication | EU (Frankfurt) | SCCs |
| Netlify Inc. | Web hosting and CDN | EU CDN | EU-US DPF and SCCs |
| Google Ireland Limited | Transactional emails | EU/US | EU-US DPF and SCCs |
| Slack Technologies (Salesforce Inc.) | Internal notifications on user creation | EU | EU-US DPF and SCCs |
| Functional Software (Sentry) | Error monitoring (browser) | EU/US | EU region, otherwise EU-US DPF and SCCs |
| Redis provider (e.g. Upstash) | Rate limiting (IP addresses) | EU | EU region, otherwise SCCs |
Public authorities: where required by law.
Transfers to third countries outside the EU/EEA only take place where appropriate safeguards are in place, typically the EU Standard Contractual Clauses (SCCs) pursuant to Article 46(2)(c) GDPR. Where a sub-processor's parent company has potential access from the United States, SCCs have been entered into.
Consent-based marketing tools: Google Analytics and Google Ads (statistics and ad measurement) are used only with your consent and are not sub-processors of the platform's personal data. Data may be transferred to the USA on the basis of the EU-US Data Privacy Framework and standard contractual clauses (SCCs).
6. Retention periods
We retain personal data for as long as necessary for the purposes for which it was collected:
- Customer data in the platform: deleted no later than 30 days after termination of the agreement
- Contact details: 3 years after the end of the customer relationship, corresponding to the limitation period for contractual claims (Section 3 of the Danish Limitation Act)
- Accounting data: 5 years (Section 12 of the Danish Bookkeeping Act)
- Proposals and proposal audit data: 5 years pursuant to Section 10 of the Danish Bookkeeping Act. Pseudonymised after this period (PII fields are replaced with a hash; the identifier and event timestamp are retained for audit purposes).
- Marketing data: until consent is withdrawn
- Log data: 90 days
- Read receipts on B2B proposals: time of opening, IP address and browser type are stored together with the proposal (5 years) pursuant to the Danish Bookkeeping Act and pseudonymised thereafter
7. Data subject rights
As a data subject, you have the following rights under Chapter III of the GDPR:
- right of access (Article 15)
- right to rectification (Article 16)
- right to erasure, "the right to be forgotten" (Article 17)
- right to restriction of processing (Article 18)
- right to notification regarding rectification or erasure (Article 19)
- right to data portability (Article 20)
- right to object (Article 21)
- right not to be subject to automated decision-making (Article 22)
For data in respect of which JustParity is a data processor (employee data uploaded to the platform), requests must be directed to the data controller, i.e. the organisation that uploaded the data. For other data (contact details, user data), rights may be exercised by contacting contact@justparity.com. We respond to requests within 30 days.
8. Security (Article 32)
We have implemented appropriate technical and organisational measures to protect personal data, including:
- encryption of data in transit (TLS 1.3) and at rest (AES-256)
- role-based access control (RBAC) and multi-factor authentication
- logging and monitoring of access to personal data
- ongoing vulnerability scanning and security updates
- backup, recovery and incident response procedures
- confidentiality undertakings and periodic security training for staff
Detailed security measures are set out in our data processing agreement (/data-processing-agreement).
9. Complaints
Complaints about the processing of personal data may be lodged with the Danish Data Protection Agency (Datatilsynet):
Datatilsynet
Carl Jacobsens Vej 35, DK-2500 Valby, Denmark
Telephone: +45 33 19 32 00
Email: dt@datatilsynet.dk
Web: datatilsynet.dk
10. Changes
We reserve the right to update this privacy policy. In the event of material changes, data subjects will be informed by email or upon logging in to the platform. The latest version is always available on this page.
Questions about this privacy policy?
Contact us if you have any questions about how we process personal data.