Privacy policy

This policy sets out what personal data People's Doctor ApS processes in connection with People's Lab, why we process it, how we protect it, and the rights you have. It covers visits to peopleslab.com and customers' use of the Lab platform as sovereign AI infrastructure.

1 Who we are

People's Lab is an infrastructure brand for regulated industries, operated by People's Doctor ApS, Teglværksvej 2, 5600 Faaborg, Denmark (company reg. no. 40930809).

You can reach us at:

General enquiries: support@peoplesdoctor.com
Privacy matters and rights requests: support@peoplesdoctor.com
Security incidents: support@peoplesdoctor.com
CEO: Michael Hein

2 Roles — data controller and processor

People's Lab operates in two roles, depending on the data being processed:

As data controller for data we process from visitors to peopleslab.com: contact form, support correspondence, invoicing of Lab customers and operational logs.

As data processor for Lab customers — typically banks, hospitals, defence and the public sector — running their own systems on Lab's AI infrastructure. The customer is the data controller for end-user data, and People's Doctor ApS processes data solely on the customer's documented instructions under a data processing agreement (GDPR Art. 28).

This policy covers the data controller role. For customers' end-user data, refer to the data processing agreement you have signed.

3 What data we process

We process the following categories of data from visitors and customers:

Contact form: name, work email, organisation, role, sector and the message you send us.
Technical metadata: referrer, language preference, timestamp, any UTM parameters.
Session data: anonymised session ID and form flow time (elapsed_ms) for bot protection.
Analytics (consent-based only): anonymised usage data via cookie-based tracking.
Customer data (for contracts): contact person, invoice address, VAT number and payment history.

We do not process special categories of personal data (GDPR Art. 9) through the website. Where a Lab customer handles such data through the infrastructure, it is governed by the data processing agreement.

4 Purpose and legal basis

Each category of data is processed for a specific purpose on a specific legal basis:

Contact form — purpose: answer your enquiry and follow up commercially. Legal basis: consent (GDPR Art. 6(1)(a)).
Technical metadata and session data — purpose: operational security, bot protection and access documentation. Legal basis: legitimate interest (GDPR Art. 6(1)(f)). Balancing test: the need to protect infrastructure and users against abuse outweighs an individual visitor's interest in entirely absent logging.
Analytics — purpose: improve the website and its content. Legal basis: consent (GDPR Art. 6(1)(a)).
Customer data — purpose: fulfil contractual obligations and bookkeeping duties. Legal basis: contract performance (GDPR Art. 6(1)(b)) and legal obligation (Art. 6(1)(c)), read together with the Danish Bookkeeping Act (five-year retention).

5 AI, automation and human oversight

People's Lab provides infrastructure — not decisions. When a Lab customer builds AI systems on our infrastructure, the customer is responsible for classifying the system under the EU AI Act (Regulation (EU) 2024/1689) and for the required controls, including human oversight (Art. 14) and risk assessment (Art. 9).

For visitors to peopleslab.com, no automated decision-making takes place under GDPR Art. 22. The contact form is handled manually by our team.

6 No training on customer data

Our AI infrastructure runs in inference-only mode for customers. Customer data is never sent to external AI APIs — not to OpenAI, Anthropic, Google or any other third-party provider — and is never used for training, fine-tuning or model optimisation, in identifiable, anonymised or aggregated form.

Model updates come from external, documented sources and undergo internal validation before being put into production.

7 Retention and deletion

We retain data only for as long as is necessary for the purpose for which it was collected:

Data category	Retention period
Contact form (no contract signed)	24 months from receipt
Contact form (contract signed)	Contract duration + 5 years (Bookkeeping Act)
Operational logs	185 days
Analytics data	Deleted on consent withdrawal, or after 26 months at the latest
Invoicing data	5 years (Bookkeeping Act)
Encrypted backups	Follow the periods above; deletion requests are re-applied to restored backups

Deletion is technically irreversible once the retention period ends. Requests for earlier deletion can be sent to support@peoplesdoctor.com.

8 Sub-processors

We use sub-processors in the following categories:

Cloud hosting of peopleslab.com in an EU region.
AI compute for the Lab platform on Danish infrastructure.
Form handling on EU-hosted infrastructure.

An up-to-date list of specific sub-processors is available on request at support@peoplesdoctor.com. Customers under a data processing agreement are notified of changes with at least 30 days' notice, per the DPA.

9 Data location

The Lab platform's core infrastructure — compute, storage and AI inference for customer data — runs exclusively on Danish infrastructure. Customer data does not leave the EU.

This website (peopleslab.com) is hosted with a provider in an EU region. Contact form data passes through EU-hosted infrastructure.

10 Transfers outside the EU/EEA

For the Lab platform core: no transfers outside the EU/EEA. Customer data, AI inference and backups remain on Danish infrastructure.

For the website's hosting we use a provider whose primary business activity is outside the EU, in an EU region. Operational metadata (not form data) may in theory transfer to the US through the provider's global infrastructure. Such transfers are covered by EU Standard Contractual Clauses (SCC). Contact form data, which contains personal data, is handled only on EU-hosted infrastructure.

11 Technical and organisational safeguards

We have put in place the safeguards that GDPR Art. 32 considers appropriate for the risk, including specifically hardened controls for regulated industries:

Encryption:

In transit: TLS 1.2 or later on all network traffic.
At rest: full-disk encryption on database servers.
Backups: AES-256 encryption on separate EU storage.

Access control:

Role-based access control (RBAC) with the principle of least privilege.
MFA/TOTP required for all privileged access.
VPN required for administrative access to production.
Four-eyes principle for production changes.

Monitoring and integrity:

File integrity monitoring on production nodes.
Centrally collected system logs.
SHA-256 hashing of critical transaction logs (immutable audit trail).

Organisational:

Staff do not have default access to customer data (no-access support model). Access in specific support situations requires the customer's prior approval and is documented.
Confidentiality agreements for all staff with access to the production environment.
Regular security training.

12 Audit and certification

Our controls are audited to ISAE 3000 Type 1. The report is available to customers and prospective customers on request under confidentiality agreement.

13 Your rights

You have the following rights under GDPR. The route your request takes depends on whether we process your data as a controller (website visit, customer account, invoicing) or as a processor (customer data on the Lab platform):

Access (Art. 15): confirmation of whether we process data about you, along with a copy of the data.
Rectification (Art. 16): correction of inaccurate data.
Erasure (Art. 17): deletion without undue delay when the conditions in Art. 17(1) are met.
Restriction (Art. 18): restriction of our processing in specific situations.
Portability (Art. 20): data delivered in a structured, commonly used and machine-readable format.
Objection (Art. 21): objection to processing based on legitimate interest.
Withdrawal of consent (Art. 7(3)): where processing is based on consent, you can withdraw it with effect going forward.

How to exercise your rights:

For customer data on the Lab platform (we are processor): contact the customer organisation that signed the agreement.
For website visits, customer account and invoicing (we are controller): contact support@peoplesdoctor.com.

We respond within 30 days under GDPR Art. 12(3). Complex requests may be extended by up to two months with reasoned notice within that period. We do not charge a fee unless the request is manifestly unfounded or excessive (Art. 12(5)).

14 Security breaches

If a personal data breach occurs:

The Danish Data Protection Agency is notified within 72 hours of discovery, under GDPR Art. 33.
Affected customers (controllers) are notified as quickly as possible — internal target 48 hours from breach discovery.
Affected data subjects are notified by the controller under Art. 34, where the breach is likely to result in a high risk to their rights and freedoms.

Security incidents can be reported to support@peoplesdoctor.com.

15 Cookies and website tracking

peopleslab.com currently uses only strictly necessary cookies (session ID and language preference). We do not use marketing trackers, fingerprinting or cross-site tracking.

If analytics or marketing cookies are added in future, consent will be obtained through a cookie banner before any such cookies are set. Consent can be withdrawn at any time through "Cookie settings" at the foot of the page.

16 Complaint to the Data Protection Agency

You can lodge a complaint with the Danish Data Protection Agency if you consider our processing to be in breach of the data protection rules:

Datatilsynet
Carl Jacobsens Vej 35
2500 Valby, Denmark
Phone: +45 33 19 32 00
dt@datatilsynet.dk
www.datatilsynet.dk

You do not need to contact us first, but we encourage you to give us the chance to resolve the matter before you file a complaint.

17 Changes to this policy

Material changes are communicated to registered customers by email at least 30 days before they take effect. Minor changes (clarifications, updated contact details) may be published without separate notice.

Previous versions can be requested via support@peoplesdoctor.com.

Privacy policyfor People's Lab