Legal

Privacy notice

Last updated 13 July 2026. This notice explains how ApexX ApS (“Kvix”, “we”, “us”) processes personal data, in line with the EU General Data Protection Regulation (GDPR) and the Danish Data Protection Act.

1. Who we are

Kvix is operated by ApexX ApS, a company registered in Copenhagen, Denmark under CVR 44 84 25 05. We are the data controller for personal data we collect about visitors to this website and people we communicate with directly. For personal data that our customers submit through the Kvix product (for example, contents of customer support tickets), we act as a data processor — see our Data Processing Agreement.

You can reach us at [email protected].

2. What we collect

We collect personal data in three contexts:

  • Account data — name, work email, company name, hashed password, and billing details for paying customers.
  • Product usage — IP address, browser type, timestamps, and a session cookie used to keep you logged in. Server logs are retained for security and debugging.
  • Communications — anything you send to us by email, contact form, or chat. We use it to reply.

3. Why we process it

  • To provide the service you signed up for (performance of a contract, GDPR Art. 6(1)(b)).
  • To comply with our legal obligations such as bookkeeping and tax (Art. 6(1)(c)).
  • To protect our service from abuse and fraud (legitimate interests, Art. 6(1)(f)).
  • To send product updates and occasional marketing — only with your consent (Art. 6(1)(a)), which you can withdraw at any time.

4. How long we keep it

  • Account data: while your account is active, plus 5 years after closure where Danish bookkeeping law requires it.
  • Server logs: 90 days, then deleted.
  • Support email threads: 24 months after last activity.
  • Marketing consents: until you withdraw them.

5. Where it lives

Customer data is stored in the European Union (AWS region eu-west-1, Ireland). We use a small number of sub-processors for hosting, email delivery, payments, and AI inference; the current list is on the sub-processors page and in the DPA. Where a sub-processor operates outside the EU, transfers are covered by the European Commission’s Standard Contractual Clauses and additional safeguards where appropriate.

6. Who we share it with

We do not sell personal data and we do not share it with advertisers. We share it only with:

  • Sub-processors strictly necessary to run the service (listed in the DPA).
  • Authorities, where we are legally required to do so.
  • Acquirers, in the event of a merger or sale — in which case we will notify you in advance.

7. Cookies

We use strictly necessary cookies to keep logged-in users authenticated and protect form submissions. Analytics cookies (Google Analytics 4 with IP anonymisation) are opt-in via the consent banner on first visit. The full inventory of cookies, their TTL and category is on the cookie policy page.

8. Your GDPR rights

You have the right to:

  • Access the personal data we hold about you (Art. 15).
  • Have inaccurate data corrected (Art. 16).
  • Have your data erased, subject to retention obligations (Art. 17).
  • Restrict or object to processing (Art. 18, 21).
  • Receive your data in a portable format (Art. 20).
  • Withdraw consent at any time, where processing is based on consent (Art. 7(3)).
  • Lodge a complaint with the Danish Data Protection Authority (Datatilsynet, datatilsynet.dk) or the supervisory authority in your country of residence.

To exercise any of these, email [email protected]. We respond within 30 days.

9. Children

Kvix is a business tool. We do not knowingly collect personal data from anyone under 16.

10. Changes to this notice

We update this notice when our practices change. We will email customers about material changes and post the updated date at the top of this page. Previous versions are available on request.