GDPR Art. 30 — Records of Processing Activities

Processing record

This record fulfills the GDPR Article 30 obligation to maintain a record of processing activities. The public version here is an extended copy of the internal record kept for production to Datatilsynet (the Danish DPA) on request.

Controller

Name: Philip Sloth (philipsloth.com)
Contact: [email protected]
Supervisory authority: Datatilsynet · datatilsynet.dk

Processing activities

Receiving and responding to inquiries submitted via the website contact form.

Legal basis: Art. 6(1)(b) (steps prior to contract) and Art. 6(1)(f) (legitimate interest in responding to inquiries).
Data subjects: Individuals who voluntarily submit the contact form.
Personal data: Name (first/last or company name), email, any attached files, optional company name, message content.
Recipients: Resend (email provider, US — EU-US Data Privacy Framework certified), Cloudflare Workers (our backend, EU edge), Supabase Postgres (EU region).
Retention: Until inquiry resolved or max 5 years (Bookkeeping Act §12 if the inquiry results in a paid engagement).

Payment processing via Stripe Checkout — collecting payment, issuing receipts, bookkeeping and VAT settlement.

Legal basis: Art. 6(1)(b) (contract performance) and Art. 6(1)(c) (legal obligation — Bookkeeping Act and VAT Act).
Data subjects: Customers who have completed a payment.
Personal data: Name, email, billing address, country, optional VAT/CVR number, payment method type (card/MobilePay/Link), Stripe identifiers (charge ID, session ID, receipt nr), amount, description of services delivered. NO card data — Stripe handles that in their PCI-DSS environment.
Recipients: Stripe (PCI-DSS-certified payment processor, US/EU — EU-US Data Privacy Framework + EEA SCCs), Resend (receipt email), Supabase Postgres (EU region), Cloudflare Workers (EU edge).
Retention: 5 years from end of accounting year (Bookkeeping Act §12). Erasure of personal data from invoice records is not possible until this period expires — legal obligation overrides Art. 17 right to erasure.

Anonymised first-party usage analytics on philipsloth.com — pageviews, sources, performance — to understand audience and optimise the site. Cookieless and aggregated. The processing is not consent-gated; a discreet privacy notice is disclosed on first visit and an opt-out is available at any time via the banner toggle, the /legal/cookies page, the browser's Do-Not-Track header, or by clearing site data.

Legal basis: Art. 6(1)(f) (legitimate interest in understanding aggregate site usage; balanced against data-subject interests and an opt-out is readily available at any time).
Data subjects: Visitors to philipsloth.com, unless they have opted out of analytics.
Personal data: Locally generated pseudonymous ID (UUID in localStorage, no national identifier), session ID, page path, referrer, browser, OS, device type, language, viewport, scroll depth, duration, geographic country/city/region (server-side derived from IP, IP itself is NOT stored).
Recipients: Cloudflare Workers (EU edge — geo data comes from Cloudflare's own edge headers), Supabase Postgres (EU region). NO third-party analytics tools (no Google Analytics, Meta Pixel, Plausible cloud, etc.).
Retention: Raw events: 30 days (auto-deleted thereafter). Aggregated daily rollups: 24 months. Visitor rows: erased on opt-out.

Access control to the admin panel (owner only) via Supabase magic-link.

Legal basis: Art. 6(1)(f) (legitimate interest in secure access).
Data subjects: Owner (Philip Sloth) — the only account on the allowlist.
Personal data: Email address, login timestamp, session token (JWT), IP address at login moment (Supabase audit log).
Recipients: Supabase Auth (EU region), Resend (magic-link email).
Retention: Session data: 30 days. Audit log: 90 days (Supabase default).

Sub-processors

The following third-party providers process personal data on our behalf. All have a signed data-processing agreement (DPA) or equivalent contractual safeguard.

Provider	Purpose	Region	Safeguards
Cloudflare Inc.	Hosting (Pages), backend (Workers), DNS, anti-bot (Turnstile)	EU-edge (data flyder primært gennem EU-datacentre)	EU-US Data Privacy Framework certificeret + Standard Contractual Clauses
Supabase Inc.	Postgres-database, autentifikation, storage	EU (eu-central-1, Frankfurt)	Data ligger i EU; SCCs for evt. support-adgang fra US
Stripe Inc.	Betalingsbehandling, kvitteringer, OSS-rapportering	EU (Stripe Payments Europe i Irland) + US (Stripe Inc.)	EU-US Data Privacy Framework certificeret + EEA SCCs (Modul 2 og 3) + EU-US Data Privacy Framework
Resend	Transaktionel e-mail (kvitteringer, magic-link, faktura-link)	US	EU-US Data Privacy Framework certificeret + DPA på fil
EU VIES (Europa-Kommissionen)	Validering af kunders VAT-numre	EU	Offentlig EU-tjeneste, ingen DPA nødvendig

Security measures (Art. 32)

TLS 1.3 on all endpoints (Cloudflare-managed).
Row Level Security (RLS) enabled on every Postgres table — customers cannot read each other's data.
Service-role keys server-side only (Cloudflare Worker secrets), never in browser bundles.
Cloudflare Turnstile + honeypot + per-IP rate-limiting on public forms.
Magic-link authentication for admin (no passwords to steal), allowlist-based access.
MIME allowlist + filename sanitisation on file uploads.
Stripe webhook signatures verified via HMAC-SHA256 (rejects forged webhooks).
Backup: Supabase Point-in-Time Recovery (Pro tier — enabled at scale).

Your rights

As a data subject, you have the right of access (Art. 15), rectification (Art. 16), erasure (Art. 17), restriction (Art. 18), data portability (Art. 20), and objection (Art. 21). Email [email protected] — we respond within 30 days.

Note: For data subject to the 5-year retention obligation under the Danish Bookkeeping Act (invoice-related personal data), we CANNOT erase until the statutory period expires. The legal obligation overrides Art. 17.

Last updated: May 2026. Versions of this record are kept in the bookkeeping folder for Datatilsynet inspection.