Privacy Policy
Last updated: April 8, 2026
Legal Notice: This Privacy Policy has been drafted in accordance with GDPR Articles 12, 13, and 14 and the Danish Data Protection Act (Databeskyttelsesloven). It does not constitute legal advice.
1. Introduction
IoTo Communications ApS (“IoTo”, “we”, “us”, “our”) is committed to protecting the personal data of individuals who interact with us — whether as website visitors, prospective clients, business contacts, or representatives of our client organisations.
This Privacy Policy explains what personal data we collect, why we collect it, the legal basis for processing, how long we retain it, who we share it with, and what rights you have under applicable data protection law.
It is written in plain language in accordance with GDPR Article 12, which requires that privacy information be provided in a concise, transparent, intelligible, and easily accessible form.
2. Who We Are (Data Controller)
The data controller for personal data collected through this website and in connection with IoTo's services is:
IoTo Communications ApS
Website: www.ioto-communications.com
Email: hello@ioto-communications.com
Country of registration: Denmark
IoTo is an IoT Operator providing enterprise connectivity, fleet management platforms, and IoT consultancy services. Our services are directed exclusively at business customers (B2B). We do not knowingly collect personal data from consumers or individuals acting in a private capacity outside of a professional context.
3. Data Protection Officer
IoTo Communications is an early-stage SME and is not currently legally required to appoint a Data Protection Officer (DPO) under Article 37 GDPR. Should this change, this Policy will be updated accordingly.
For all data protection queries, please contact us at: hello@ioto-communications.com
4. Personal Data We Collect and Why
IoTo collects personal data in the following contexts. For each, we set out the categories of data, the purpose, and the legal basis under GDPR Article 6.
4.1 Website Visitors
When you visit www.ioto-communications.com, we may collect:
| Data Category | Examples | Purpose | Legal Basis |
|---|---|---|---|
| Technical data | IP address, browser type, operating system, pages visited, time of visit | Website security, performance monitoring, and analytics (after consent) | Art. 6(1)(f) – Legitimate interest (security); Art. 6(1)(a) – Consent (analytics) |
| Cookie data | Cookie identifiers, consent preferences | Managing your cookie settings; see Cookie Declaration | Art. 6(1)(a) – Consent / Art. 6(1)(f) – Legitimate interest (strictly necessary cookies) |
4.2 Contact Form and Email Enquiries
When you submit a contact form or send us an email, we collect:
| Data Category | Examples | Purpose | Legal Basis |
|---|---|---|---|
| Identity data | First name, last name, job title | To identify who we are corresponding with | Art. 6(1)(b) – Pre-contractual steps; Art. 6(1)(f) – Legitimate interest |
| Contact data | Business email address, phone number, company name | To respond to your enquiry | Art. 6(1)(b) – Pre-contractual steps |
| Communication content | The content of your message | To address your specific query | Art. 6(1)(b) – Pre-contractual steps |
4.3 Business Development and Client Relationships
When we enter into a service agreement, onboarding process, or ongoing commercial relationship, we collect:
| Data Category | Examples | Purpose | Legal Basis |
|---|---|---|---|
| Identity and contact data | Name, title, business email, phone | Contract administration, invoicing, communications | Art. 6(1)(b) – Performance of contract |
| Financial data | Billing address, VAT number, payment records | Invoicing and financial record-keeping | Art. 6(1)(b) – Contract; Art. 6(1)(c) – Legal obligation (Danish Bookkeeping Act) |
| Service usage data | Platform login events, device telemetry, connectivity records | Delivering and supporting contracted services | Art. 6(1)(b) – Performance of contract |
4.4 LinkedIn and Social Media
When you interact with IoTo on LinkedIn or other professional platforms, we may collect publicly available profile information (name, title, company, message content) for the purposes of business development and responding to enquiries. This data is processed under Art. 6(1)(f) – Legitimate interest in pursuing and maintaining B2B relationships.
5. Data We Do Not Collect
IoTo does not collect or process:
- Special categories of personal data (Article 9 GDPR), including health data, biometric data, religious beliefs, or political opinions
- Personal data from minors — our services and website are directed exclusively at business professionals
- Consumer personal data — IoTo is a B2B operator; we do not maintain consumer-facing databases
6. Cookies and Tracking Technologies
We use cookies and similar tracking technologies on the Website. Full details — including all cookies used, their purpose, retention periods, and how to manage your preferences — are set out in our Cookie Declaration.
In summary:
- Strictly necessary cookies are placed without consent as they are essential for website operation
- Functional and analytics cookies are only placed after you give explicit opt-in consent
- You can withdraw or change your cookie consent at any time via the Cookie Settings link in the website footer
7. How We Share Your Personal Data
IoTo does not sell personal data. We may share personal data with the following categories of recipients:
| Recipient | Reason | Safeguards |
|---|---|---|
| IT infrastructure providers (e.g., web hosting, email, CRM) | To operate and maintain our systems | Data processing agreements; EU/EEA storage or SCCs |
| Analytics providers (e.g., Google Analytics) | To analyse website traffic (consent-based only) | EU–US Data Privacy Framework adequacy decision |
| Mobile network operator partners | To deliver IoT connectivity services | Contractual agreements with network partners |
| Professional advisors (lawyers, accountants, auditors) | Legal compliance, financial reporting | Confidentiality obligations |
| Regulatory authorities (Datatilsynet, Danish courts, tax authorities) | Legal obligation or regulatory request | Required by law |
We do not transfer personal data to countries outside the EU/EEA unless appropriate safeguards are in place (adequacy decision, Standard Contractual Clauses, or Binding Corporate Rules).
8. International Data Transfers
Where we use third-party service providers that process data outside the EU/EEA, we ensure appropriate protections are in place:
- Google Analytics (USA): Covered by the EU–US Data Privacy Framework (adequacy decision, July 2023)
- Other US-based SaaS tools (if applicable): Protected via EU Standard Contractual Clauses (SCCs) under Commission Decision 2021/914
If you require further information about the specific safeguards applied to any international transfer, please contact us at hello@ioto-communications.com.
9. Data Retention
We retain personal data only for as long as necessary for the purposes for which it was collected, or as required by law.
| Data Type | Retention Period | Reason |
|---|---|---|
| Website enquiry data | 2 years from last contact | Reasonable business follow-up period |
| Client contract data | 5 years after contract end | Danish Bookkeeping Act (Bogføringsloven) financial record requirements |
| Financial records and invoices | 5 years | Bogføringsloven (Danish Bookkeeping Act, Section 10) |
| Cookie consent records | 5 years | GDPR accountability requirements; Danish DPA guidance |
| Website analytics data | 14 months (Google Analytics default) | Standard analytics retention; deleted thereafter |
| Job application data (if received) | 6 months from rejection | Standard Danish HR practice |
When data is no longer needed, it is securely deleted or anonymised.
10. Your Rights as a Data Subject
Under the GDPR and Danish Data Protection Act, you have the following rights in relation to your personal data:
| Right | What It Means |
|---|---|
| Right of access (Art. 15) | You can request a copy of the personal data we hold about you |
| Right to rectification (Art. 16) | You can ask us to correct inaccurate or incomplete data |
| Right to erasure (Art. 17) | You can ask us to delete your data, subject to legal retention obligations |
| Right to restriction (Art. 18) | You can ask us to restrict processing of your data in certain circumstances |
| Right to data portability (Art. 20) | Where processing is based on consent or contract, you can ask for your data in a portable format |
| Right to object (Art. 21) | You can object to processing based on legitimate interests at any time |
| Right to withdraw consent (Art. 7(3)) | Where processing is based on consent, you can withdraw it at any time without affecting prior processing |
How to Exercise Your Rights
To exercise any of the above rights, please contact us at hello@ioto-communications.com with the subject line “Data Subject Request”. We will respond within 30 days in accordance with GDPR Article 12.
We may ask you to verify your identity before processing your request. There is no charge for exercising your rights.
11. Automated Decision-Making and Profiling
IoTo does not use personal data for automated decision-making that produces legal or similarly significant effects on individuals (Article 22 GDPR). Our AI-driven Fleet Management Platform processes device telemetry data, not personal data about natural persons, for the purpose of IoT fleet analytics.
12. Security
IoTo implements appropriate technical and organisational security measures to protect personal data against unauthorised access, disclosure, alteration, loss, or destruction. These measures include:
- Access controls and role-based permissions for internal systems
- Encrypted data transmission (HTTPS/TLS) for the website and platform
- Regular review of third-party data processors and their security standards
- Internal data minimisation practices — we collect only what we need
In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify Datatilsynet within 72 hours in accordance with GDPR Article 33, and will notify affected individuals without undue delay where required under Article 34.
13. Children's Data
This website and IoTo's services are intended exclusively for business professionals. We do not knowingly collect personal data from individuals under 18 years of age. If you believe a minor has submitted personal data to us, please contact hello@ioto-communications.com and we will delete it promptly.
14. Changes to This Policy
We review and update this Privacy Policy periodically. We will notify active clients and website visitors of material changes by posting a prominent notice on the website and updating the “Last updated” date at the top of this page.
If changes significantly affect how we process your personal data, we will seek fresh consent where required.
15. Supervisory Authority and Complaints
You have the right to lodge a complaint about our processing of your personal data with the Danish supervisory authority:
Datatilsynet (Danish Data Protection Authority)
Carl Jacobsens Vej 35
2500 Valby, Denmark
Email: dt@datatilsynet.dk
Telephone: +45 33 19 32 00
Website: www.datatilsynet.dk
We would, however, appreciate the opportunity to address your concerns directly before you contact Datatilsynet — please reach out to us first at hello@ioto-communications.com.
16. Contact
For any questions, requests, or concerns about this Privacy Policy or how IoTo handles your personal data: