Last updated: 29 April 2026
This Privacy Policy describes how Slipp ApS ("Slipp", "we", "us") processes personal data when you use our marketing site (slipp.app), our attendee app, our vendor app, or any related services (together, the "Services").
We process personal data as a data controller under Regulation (EU) 2016/679 (the "GDPR") and the Danish Data Protection Act (Databeskyttelsesloven). This policy fulfils our duty to inform you under GDPR Articles 13 and 14.
Slipp ApS, CVR no. 46359070, is the data controller for personal data processed through the Services.
Registered office: Denmark. Public company information: cvrapi.dk/virksomhed/dk/slipp-aps/46359070.
Privacy contact: privacy@slipp.dk. General support: support@slipp.dk.
Slipp has not appointed a Data Protection Officer. We are not required to appoint one under GDPR Article 37(1): we do not carry out large-scale systematic monitoring of data subjects, we do not process special categories of data on a large scale, and we are not a public authority.
For any data-protection question or request, contact privacy@slipp.dk.
We try to keep what we collect to a minimum. The categories are:
What: Email address. Optionally a display name if you set one.
Why: To authenticate you (one-time codes / magic links), to send order confirmations, and to give vendors a way to contact you about your specific order.
What: Items ordered, prices, vendor, event, timestamps, pickup status.
Why: To process and deliver your order, to keep your order history available to you, and to comply with Danish bookkeeping law.
What: Versions of the Terms and pickup-or-forfeit clause you have accepted, timestamp, and IP address at the moment of acceptance.
Why: To document your consent for legal-basis purposes and to be able to demonstrate consent if challenged.
What: Your choices in our cookie banner (statistics, app-improvement recording), stored in your browser on your device.
Why: To respect your choices on subsequent visits without asking again every session.
What: IP address, user-agent, request timestamps, error traces.
Why: To operate the service, detect abuse, debug issues, and protect the platform.
What: Operational events such as "checkout initiated", "acceptance recorded", "payment succeeded", tagged with device class and connection type. Not joined to advertising profiles.
Why: To detect drop-off and fix the order flow. Treated as a legitimate-interest, operational signal — not consumer analytics.
We do not collect or process Danish CPR numbers (Personnummer). Slipp does not require a CPR number for any service.
Each category of processing has a lawful basis under GDPR Article 6:
| Purpose | Lawful basis | Reference |
|---|---|---|
| Creating your account, authenticating you, processing orders | Performance of a contract | Art. 6(1)(b) |
| Bookkeeping records (orders, invoices, payments) for 5 years | Legal obligation (Bogføringsloven) | Art. 6(1)(c) |
| Security logs, fraud prevention, error monitoring, operational funnel telemetry | Legitimate interests in operating a secure, reliable platform | Art. 6(1)(f) |
| Cookies / trackers that are not strictly necessary (analytics, session replay) | Consent | Art. 6(1)(a) |
| Marketing emails | Not applicable — Slipp does not send marketing emails | — |
We share personal data only with parties that need it to provide the Services. The recipients are:
We use a small number of vetted providers. International transfers outside the EU/EEA rely on the EU-US Data Privacy Framework ("DPF") and/or Standard Contractual Clauses ("SCCs").
| Provider | Role | Location | Safeguard |
|---|---|---|---|
| Stripe Payments Europe, Ltd. | Payments, KYC, fraud prevention. Independent controller. | Ireland (EU); group transfers to US. | DPF + SCCs. See stripe.com/privacy. |
| Cloudflare, Inc. | CDN, image delivery, bot protection, DDoS mitigation. | US, with EU edge processing. | DPF + SCCs. Sub-processor list at cloudflare.com. |
| Fly.io, Inc. | Application hosting and database. | Primary region Frankfurt (EU); company in US. | DPF + SCCs. |
| Resend | Transactional email delivery (order confirmations, magic links). | US. | DPF + SCCs. |
| BetterStack | Error monitoring; session replay only when you have consented. | EU. | DPA in place. See betterstack.com. |
| Plausible Analytics | Cookieless website analytics on the marketing site. | EU. | No cookies, no cross-site tracking, EU hosting. |
Some of our sub-processors are based outside the EU/EEA, primarily in the United States. Where transfers occur, they are protected by the EU-US Data Privacy Framework (where the recipient is certified) and/or by the European Commission's Standard Contractual Clauses, with supplementary measures where appropriate.
You can request a copy of the transfer safeguards by writing to privacy@slipp.dk.
We keep personal data only for as long as needed for the purpose it was collected for, plus any period required by law:
| Category | Retention period | Basis |
|---|---|---|
| Order records (invoices, transaction data) | 5 years from end of the financial year | Bogføringsloven (Danish bookkeeping law) |
| Account data for active users | For as long as you keep your account | Performance of contract |
| Account data for dormant accounts (no orders) | 24 months, then deleted | Data minimisation |
| Security and application logs | 30 to 90 days | Legitimate interests (security) |
| Cookie consent records | 12 months, then re-prompted | ePrivacy + cookie guidance |
| Records of withdrawn consent | 2 years | Documenting compliance with withdrawal |
| Audit log of vendor operational changes | Same as order records (5 years) | Legal obligation + dispute support |
Under the GDPR you have the following rights:
To exercise any of these rights, write to privacy@slipp.dk. We will respond within one month, in line with GDPR Article 12(3). We may need to verify your identity before acting on a request.
If you believe our processing of your personal data infringes the GDPR, you have the right to lodge a complaint with the Danish Data Protection Authority (Datatilsynet):
Datatilsynet, Carl Jacobsens Vej 35, 2500 Valby, Denmark. Tel.: +45 33 19 32 00. Email: dt@datatilsynet.dk. Website: datatilsynet.dk.
We would appreciate a chance to address your concern first — please reach out to privacy@slipp.dk.
Slipp is intended for users aged 18 and over. We require an 18+ confirmation at signup. The age threshold is set on the basis of Danish contractual capacity (Værgemålsloven §§ 1, 42), not as a special-category processing matter.
Restricted-goods enforcement (alcohol under Restaurationsloven, tobacco under Tobaksforbudsloven) is the responsibility of the vendor at the point of delivery.
If you become aware that someone under 18 has created an account, please contact privacy@slipp.dk and we will close it.
Slipp does not make decisions producing legal or similarly significant effects about you based solely on automated processing within the meaning of GDPR Article 22.
Stripe may run automated fraud checks as part of its payment processing under its own controller relationship; Stripe's privacy policy applies.
Slipp does not collect, process or store Danish CPR numbers (Personnummer). Processing CPR numbers is restricted under Databeskyttelsesloven § 11 to specific scenarios that do not apply to Slipp.
Slipp does not send marketing emails. The only emails we send are transactional (order confirmations, authentication codes, service notices). We will not opt you in to marketing communications without separate, explicit consent.
We may update this policy from time to time. The "Last updated" date at the top reflects the most recent change. For material changes that affect your rights, we will give reasonable notice and, where required, ask for renewed consent.
Previous versions are available on request from privacy@slipp.dk.