Privacy Policy

The data controller for the processing of personal data on this website is:

ATP Holding ApS (trading as thorup.)

CVR: 43575430

Denmark

Email: alexander@athorup.com

thorup. is a Danish advisory brand providing fractional CFO services, M&A readiness, and AI automation to SMBs and startups. All data processing activities described in this policy are carried out by ATP Holding ApS as the legal entity responsible for the thorup. brand.

We do not have a designated Data Protection Officer (DPO), as we are not required to appoint one under Article 37 of the GDPR. Questions about this policy or your personal data can be directed to alexander@athorup.com.

This privacy policy describes how we collect, use, store, and protect personal data when you visit athorup.com or contact us through any channel. It applies to all visitors and individuals who interact with us via the website or by email.

This policy is governed by Regulation (EU) 2016/679 (the General Data Protection Regulation, GDPR) and the Danish Data Protection Act (Databeskyttelsesloven, Act No. 502 of 23 May 2018, as amended). Where Danish law imposes stricter or supplementary requirements beyond the GDPR, those requirements apply.

We only collect personal data that you voluntarily provide to us. We do not collect data passively or through cookies, tracking pixels, or behavioral analytics tools.

Contact form submissions

When you submit our contact form, we collect your name, email address, and the content of your message. This data is transmitted to us via a serverless function hosted on Vercel.

Direct email correspondence

When you email us at alexander@athorup.com, we process your name, email address, and any personal information you include in your message.

No cookies or tracking

This website does not use cookies, local storage tracking, advertising networks, or third-party analytics tools such as Google Analytics. No personal data is collected through passive browsing of this website.

We do not process special categories of personal data (sensitive data as defined in GDPR Article 9), such as health data, political opinions, or ethnic origin.

We process your personal data for the following purposes, each with a corresponding legal basis under GDPR Article 6:

Responding to your inquiry (Article 6(1)(b) and (f))

When you contact us via the contact form or by email, we process your data to respond to your message and to assess whether we can be of service. The legal basis is the performance of pre-contractual steps at your request and our legitimate interest in managing incoming business inquiries.

Managing an ongoing client engagement (Article 6(1)(b))

If your inquiry leads to an advisory engagement, we process your contact data as necessary to perform the contract or take pre-contractual steps.

Compliance with legal obligations (Article 6(1)(c))

We may process and retain certain data to comply with Danish bookkeeping legislation (Bogføringsloven) and other applicable legal requirements.

Legitimate interests (Article 6(1)(f))

Where we rely on legitimate interests, those interests are: managing and maintaining our business communications, keeping records of professional contacts, and protecting our legal rights. We have assessed that these interests do not override your rights and freedoms, given the limited nature and scope of the data processed.

We do not use your personal data for automated decision-making or profiling with legal or similarly significant effects, as described in GDPR Article 22.

We only retain personal data for as long as necessary to fulfil the purpose for which it was collected, or as required by law.

Inquiry data with no engagement

If your contact does not lead to a business engagement, we will delete your personal data within 12 months of last contact.

Client engagement data

Personal data related to an ongoing or completed client engagement is retained for 5 years after the end of the engagement, in accordance with the Danish Statute of Limitations (Forældelsesloven) and applicable bookkeeping requirements.

Legal retention obligations

Certain financial records may be required to be kept for up to 5 years under the Danish Bookkeeping Act (Bogføringsloven, section 10).

When data is no longer necessary and no legal retention obligation applies, it is securely deleted or anonymised.

We do not sell, rent, or share your personal data with third parties for marketing or commercial purposes.

We use a limited number of third-party service providers (data processors) who may process personal data on our behalf. These providers are contractually bound to process data only according to our instructions and in compliance with GDPR:

Vercel, Inc.

We host this website and its serverless API functions on Vercel. Contact form submissions are routed through Vercel infrastructure before being delivered to us. Vercel may process data on servers located in the EU and the United States. We have a Data Processing Agreement with Vercel in place.

Email service providers

Our email communications are managed through standard business email infrastructure. Providers used may process email metadata and content in accordance with their own privacy policies and applicable data protection agreements.

We may also disclose personal data if required to do so by Danish or EU law, by court order, or by a competent authority. In such cases, we will disclose only what is strictly required.

Some of our data processors, including Vercel, may process personal data outside the European Economic Area (EEA). Where such transfers occur, we ensure that an appropriate transfer mechanism is in place, such as the European Commission's Standard Contractual Clauses (SCCs) under GDPR Article 46.

The United States does not have a general adequacy decision from the European Commission applicable to all transfers. Where data is transferred to processors in the US, we rely on Standard Contractual Clauses to ensure an adequate level of protection. You can obtain a copy of the relevant safeguards by contacting us at alexander@athorup.com.

Under the GDPR and the Danish Data Protection Act, you have the following rights regarding your personal data:

Right of access (Article 15)

You have the right to request a copy of the personal data we hold about you, along with information about how and why it is being processed.

Right to rectification (Article 16)

You have the right to request that we correct any inaccurate or incomplete personal data we hold about you.

Right to erasure (Article 17)

You have the right to request deletion of your personal data in certain circumstances, for example when the data is no longer necessary for the purpose it was collected, or when you withdraw consent.

Right to restriction of processing (Article 18)

You have the right to request that we restrict the processing of your data in certain situations, for example while the accuracy of the data is being contested.

Right to data portability (Article 20)

Where processing is based on consent or a contract and carried out by automated means, you have the right to receive your personal data in a structured, commonly used, and machine-readable format.

Right to object (Article 21)

You have the right to object to processing based on our legitimate interests. We will cease processing unless we can demonstrate compelling legitimate grounds that override your interests, rights, and freedoms.

Right to withdraw consent

Where processing is based on your consent, you have the right to withdraw that consent at any time. Withdrawal does not affect the lawfulness of processing carried out before withdrawal.

Right to lodge a complaint

You have the right to lodge a complaint with the Danish Data Protection Authority (Datatilsynet) if you believe our processing of your personal data does not comply with applicable law. See section 09 for contact details.

The supervisory authority for data protection in Denmark is Datatilsynet. If you believe that our processing of your personal data violates the GDPR or the Danish Data Protection Act, you have the right to file a complaint.

Datatilsynet

Carl Jacobsens Vej 35

2500 Valby

Denmark

Phone: +45 33 19 32 00

Email: dt@datatilsynet.dk

Website: www.datatilsynet.dk

We encourage you to contact us first at alexander@athorup.com before lodging a complaint, so we have the opportunity to address your concerns directly.

To exercise any of your rights under this policy, or to ask questions about how we handle your personal data, please contact us:

ATP Holding ApS (thorup.)

CVR: 43575430

Denmark

Email: alexander@athorup.com

We will respond to all requests within 30 days of receipt. In complex cases or where we receive a high volume of requests, we may extend this period by a further two months, in which case we will notify you within the initial 30-day period.

We may need to verify your identity before processing a request. We will not charge a fee for reasonable requests unless they are manifestly unfounded or excessive, in which case we may charge a reasonable fee or refuse to act on the request.

We may update this privacy policy from time to time to reflect changes in our data processing practices, legal requirements, or operational procedures. When we make material changes, we will update the "Last updated" date at the top of this page.

We encourage you to review this policy periodically. Continued use of our website after changes are posted constitutes your acknowledgement of the updated policy.