Privacy policy.

Last updated: 11 June 2026

Data controller
GDPR & legal basis
Personal data we collect
Purposes of data processing
Cookies & localStorage
Tracking & pixels
AI services
Third parties & data processors
Transfers to third countries
Storage & deletion
Your rights
Security
Changes
Contact & complaints

1. Data controller

nooncph ApS
Sundkaj 125, 2150 Copenhagen
CVR: 42207047
Email: imb@nooncph.dk
Telephone: +45 71 74 04 19

nooncph ApS (hereafter "noon", "we", "us") is the data controller for the processing of the personal data we receive about you. This policy describes how we collect, use, store and protect your data in accordance with Regulation (EU) 2016/679 of the European Parliament and of the Council (GDPR) and the Danish Data Protection Act.

We process personal data on the following legal bases:

Consent (Art. 6(1)(a)): When you actively give consent to cookies, newsletters or marketing. You can withdraw your consent at any time.
Performance of a contract (Art. 6(1)(b)): When we process data in order to deliver the corporate lunch, catering or event service you have ordered.
Legitimate interest (Art. 6(1)(f)): For the improvement of our services, the prevention of misuse and operational statistics, where our interest does not override your fundamental rights.
Legal obligation (Art. 6(1)(c)): For accounting, tax reporting and other legislation.

3. Personal data we collect

Information you give us

Name, email address, telephone number and company name (via contact forms, orders and trial sign-ups)
Billing information: address, CVR number, payment details
Preferences: menu choices, allergens, number of covers, delivery address
Correspondence: emails, chat messages and telephone conversations

Information we collect automatically

IP address and approximate geographic location
Device information: browser type, operating system, screen resolution, language
Behavioural data: page views, click paths, scroll depth, session duration
Referrer URL (where you came from)
Unique device and user ID via cookies and localStorage

4. Purposes of data processing

We use your information to:

Deliver and administer corporate lunches, catering and events
Process orders, billing and delivery
Communicate with you about offers, changes and service updates
Personalise content and advertising across platforms
Carry out statistics and analysis to improve our products
Comply with legal requirements (accounting, VAT, GDPR documentation)
Prevent fraud and ensure the operation of the website

5. Cookies & localStorage

Cookies are small text files stored on your device. localStorage is a similar technology that stores data locally in your browser without an expiry date. We use both to remember your preferences, analyse traffic and serve relevant advertising.

Necessary cookies

These are necessary for the website to function correctly (e.g. cookie consent, session ID). They do not require consent.

Analytical cookies

We use Google Analytics 4 (GA4) to understand how visitors use the website. GA4 collects anonymised data about page views, session duration and user journeys. IP anonymisation is enabled.

Marketing cookies

These cookies are used to show relevant advertising and measure the effectiveness of our campaigns. See section 6 for details of the specific tracking pixels we use.

localStorage

We use localStorage to store:

Your cookie consent choice
Session data and user ID for analytics purposes
UI preferences (e.g. menu choices, most recently visited pages)
Campaign and attribution data (UTM parameters)

You can delete localStorage data via your browser's settings under "Clear site data".

6. Tracking & pixels

With your consent we load tracking pixels from the following platforms. These pixels send data about your behaviour on our website to the respective advertising platforms, so that we can measure campaign results and show you relevant advertising:

Platform	Technology	Purpose	Data processor
Meta (Facebook/Instagram)	Meta Pixel, Conversions API	Advertising, retargeting, conversion tracking	Meta Platforms Ireland Ltd.
Google Ads	Google Ads Tag, Enhanced Conversions	Search and display advertising, remarketing	Google Ireland Ltd.
Google Analytics 4	gtag.js	Web analytics, user journeys, conversion tracking	Google Ireland Ltd.
TikTok	TikTok Pixel	Advertising, conversion tracking	TikTok Technology Ltd. (Ireland)
Snapchat	Snap Pixel	Advertising, retargeting	Snap Inc.
Reddit	Reddit Pixel	Advertising, conversion tracking	Reddit Inc.
LinkedIn	LinkedIn Insight Tag	B2B advertising, conversion tracking	LinkedIn Ireland Unlimited Co.
Pinterest	Pinterest Tag	Advertising, retargeting	Pinterest Europe Ltd.
Microsoft/Bing	UET Tag	Search advertising, remarketing	Microsoft Ireland Operations Ltd.
Google Tag Manager	GTM Container	Tag management and orchestration	Google Ireland Ltd.
Hotjar	Hotjar Script	Heatmaps, session recordings, feedback	Hotjar Ltd. (Malta/EU)

All marketing pixels are loaded only after your active consent via our cookie banner. You can change your consent at any time by clicking "Cookies" at the bottom of the page.

7. AI services

We may use AI-based services to improve our customer service, content and internal processes. These services may process data in the following ways:

Service	Provider	Purpose	Data processing
Claude	Anthropic (USA)	Customer service, content production, internal analysis	Text sent to the API; data is not used for training (API agreement)
ChatGPT / GPT-4	OpenAI (USA)	Customer service, text generation, internal analysis	Text sent to the API; data is not used for training (API agreement)
Gemini	Google (USA/Ireland)	Content analysis, search optimisation	Data processed under a Google Cloud agreement
Bing Chat / Copilot	Microsoft (USA/Ireland)	Search optimisation, content analysis	Data processed under a Microsoft agreement

Important: We never send personally identifiable customer data (names, emails, telephone numbers) to AI services without prior anonymisation or pseudonymisation. AI services are used primarily for general content and analysis tasks.

Transfers to the USA take place on the basis of the EU-US Data Privacy Framework (DPF) or Standard Contractual Clauses (SCC) — see section 9.

8. Third parties & data processors

We share data with the following categories of third parties:

Advertising platforms: Meta, Google, TikTok, Snapchat, Reddit, LinkedIn, Pinterest, Microsoft (see section 6)
Analytics tools: Google Analytics, Hotjar
Payment providers: Stripe, MobilePay (for billing and payment)
Email & CRM: Mailchimp, HubSpot or similar for newsletters and customer communication
Hosting: Cloudflare (CDN, DNS, hosting), Hetzner (server infrastructure)
Ordering system: Kanpla (ordering platform for corporate lunches)
AI services: Anthropic, OpenAI, Google, Microsoft (see section 7)

We have entered into data processing agreements with all third parties in accordance with GDPR Art. 28. Data is shared only to the extent necessary to deliver the service in question.

9. Transfers to third countries

Some of our data processors are established outside the EU/EEA, primarily in the USA. Transfers take place on the following basis:

EU-US Data Privacy Framework (DPF): For companies certified under the DPF (Meta, Google, Microsoft, Anthropic, OpenAI and others)
Standard Contractual Clauses (SCC): The European Commission's standard contractual clauses, where the DPF is not available
Supplementary measures: Encryption in transit (TLS) and at rest, pseudonymisation and access control

10. Storage & deletion

We store your personal data for as long as it is necessary for the purpose for which it was collected:

Customer data (active customers): For the contract period + 12 months after termination
Billing and accounting data: 5 years pursuant to the Danish Bookkeeping Act
Consent data: Documentation is kept for 2 years after consent has been withdrawn
Contact forms (leads): 24 months after the most recent enquiry
Cookie data: Varies per cookie — typically 30 days to 13 months
localStorage: Until you manually delete your browser data

After this, data is deleted or anonymised, unless legislation requires longer storage.

11. Your rights

As a data subject, you have the following rights under the GDPR:

Right of access (Art. 15): You can find out which personal data we process about you.
Right to rectification (Art. 16): You can have inaccurate information corrected.
Right to erasure (Art. 17): In certain cases you can have your information deleted ("the right to be forgotten").
Right to restriction (Art. 18): You can ask for processing to be restricted temporarily.
Right to data portability (Art. 20): You can have your data provided in a machine-readable format.
Right to object (Art. 21): You can object to processing based on legitimate interest.
Right to withdraw consent: You can withdraw your consent at any time without this affecting the lawfulness of processing carried out before the withdrawal.

To exercise your rights, please contact us at imb@nooncph.dk. We respond to enquiries within 30 days.

12. Security

We take the protection of your data seriously and have implemented the following measures:

TLS/HTTPS encryption on all pages and API calls
Access control based on the principle of least privilege
Regular security updates of software and infrastructure
Hosting with GDPR-compliant providers in the EU (Cloudflare, Hetzner)
Logging and monitoring of unauthorised access
Internal policy for data processing and staff training

13. Changes to this policy

We reserve the right to update this privacy policy. In the event of material changes, we will inform you by email or a clear banner on the website. The latest version is always available on this page, with the date of the most recent update.

14. Contact & complaints

If you have questions about our data processing or wish to exercise your rights, you are welcome to contact us:

nooncph ApS
Att.: Data Protection
Sundkaj 125, 2150 Copenhagen
Email: imb@nooncph.dk
Telephone: +45 71 74 04 19

You also have the right to lodge a complaint with:

Datatilsynet (the Danish Data Protection Agency)
Carl Jacobsens Vej 35, 2500 Valby
www.datatilsynet.dk
Email: dt@datatilsynet.dk