REF: AG-LEG-2026
Privacy Policy
AG Web Studios
Effective date: 11 February 2026
Version: 5.1
This Privacy Policy explains how AG Web Studios processes personal data when you visit our website, contact us, submit a career inquiry, or use our client dashboard and related services. The policy is written to comply with the EU General Data Protection Regulation (GDPR) and applicable Danish data protection law.
1. Data Controller
AG Web Studios is the data controller responsible for the processing of personal data described in this policy.
- Company: AG Web Studios
- CVR: 45281043
- Address: Kreibergsgade 35, 4800 Nykøbing F, Denmark
- Email: contact@agweb.studio
This policy applies to:
- www.agweb.studio
- dashboard.agweb.studio
- Related client portal and licensing services operated by AG Web Studios
2. Categories of Personal Data
2.1 Data you provide directly
Contact inquiries
- Name
- Organization or company name
- Email address
- Budget (if provided)
- Message content
- Consent acknowledgement
- Anti-spam metadata
Career inquiries
- Name
- Email address
- Area of expertise or specialty
- Portfolio or reference links
- Summary or message content
- Consent acknowledgement
- Anti-spam metadata
Client onboarding and organization data (dashboard)
When we create a client organization profile, we may process:
- Legal company name
- CVR number
- VAT ID (if applicable)
- Billing address and country
- Invoice email
- Phone number (if provided)
Client user accounts (dashboard)
When users access the dashboard or are invited to join an organization, we may process:
- First name and last name
- Email address
- Organization membership and role (e.g., admin)
- Invitation status and related onboarding metadata
2.2 Technical, security, and usage data
We process limited technical data necessary to secure and operate our services:
- IP-derived request metadata (for security, abuse prevention, and rate limiting)
- Authentication and access logs (e.g., login timestamps, org membership context)
- Browser and device metadata required to deliver the service securely
2.3 Billing and payment data
For subscriptions and billing, we process:
- Stripe customer, subscription, invoice, and transaction identifiers
- Subscription status and billing period dates
- Plan, price, and product references
- Billing address and tax/VAT information (where collected via Stripe Checkout or billing portal)
Payment card details are processed directly by our payment provider and are not stored by AG Web Studios.
2.4 Webhook and event data
To keep billing and subscription status accurate, we process webhook events from our payment provider. We may store:
- Webhook event identifiers
- Processing status and error context
- In some cases, the webhook event payload (which may include billing or contact metadata)
2.5 License enforcement telemetry (website licensing)
If you use services that include license enforcement (for example, WordPress plugin or integration licensing), we may process:
- License key fingerprinting data (e.g., hash and/or last characters)
- Domain and instance identifiers
- Environment information
- WordPress/plugin version metadata
- Last-seen timestamp and IP-derived metadata used for abuse prevention and license enforcement
- Activation and verification nonces/timestamps
2.6 Audit logs (administration and security)
We may store audit logs to document administrative actions and support security investigation, such as:
- Actor user identifier
- Action type
- Target organization identifier
- Timestamp
- Limited metadata related to the action (may include invite email or error context)
2.7 Analytics data (optional)
When you give explicit consent on the website:
- Page views
- Web-vitals and performance events
Analytics is disabled by default and only activated after opt-in.
3. Purposes and legal bases
We process personal data for the following purposes and legal bases under GDPR Article 6:
- Responding to contact or career inquiries: Art. 6(1)(b) pre-contractual steps and Art. 6(1)(f) legitimate interest
- Providing the dashboard, user accounts, organization management, and contracted services: Art. 6(1)(b) performance of a contract
- Subscription billing, invoicing, and bookkeeping compliance: Art. 6(1)(c) legal obligation and Art. 6(1)(b) performance of a contract
- Website and service security, abuse prevention, license enforcement, and fraud prevention: Art. 6(1)(f) legitimate interest
- Analytics and performance measurement (website): Art. 6(1)(a) consent
- Compliance with legal obligations: Art. 6(1)(c)
Where processing is based on legitimate interests, assessments have been conducted to ensure these interests do not override your fundamental rights and freedoms.
4. Client dashboard structure
When a client relationship is established:
- We create a client organization profile containing legal and billing information.
- We invite an administrator user to the organization.
- Administrators may invite additional users (employees) and assign roles.
- Authorized users may view invoices, subscription status, and manage organization details.
The dashboard is intended for business use.
5. Cookies and similar technologies
We use essential cookies and similar technologies required for authentication, security, and session management (for example, for login and organization access).
Non-essential cookies (such as analytics) are used only after explicit opt-in consent on the website. Consent preferences can be adjusted or withdrawn at any time.
6. Recipients and data processors
We may share personal data with the following categories of processors, strictly for the purposes described above:
- Clerk, Inc.: authentication, invitations, organization membership management
- Stripe, Inc.: subscription management, invoicing, payment processing
- Supabase, Inc.: database storage and backend infrastructure
- Dinero (Visma Dinero): accounting and statutory bookkeeping (where applicable)
- Google LLC: Google Analytics 4 and embedded Google Maps (website only, after consent)
- Resend, Inc.: transactional email delivery
- Hosting and infrastructure providers: used for hosting, logging, and secure operation of the service
All processors act under data processing agreements in accordance with GDPR Article 28.
7. International data transfers
Some processors may process personal data outside the EU or EEA, including in the United States.
Where such transfers occur, they are protected using:
- European Commission Standard Contractual Clauses (SCCs)
- Supplementary technical and organizational measures where required
You may request further information about these safeguards by contacting us.
8. Retention periods
We retain personal data only for as long as necessary for the stated purposes:
- Contact and career inquiries: up to 24 months after last relevant communication
- Client organization and user account data: for the duration of the client relationship and as needed for dispute handling and legal obligations
- Invoice and accounting records: retained in accordance with Danish bookkeeping requirements, generally for a minimum of 5 years
- Webhook and event processing logs: retained for a limited period necessary for reconciliation, error handling, and auditability
- License enforcement telemetry: retained only as long as necessary for license enforcement, abuse prevention, and operational security
- Security and access logs: retained for a limited period necessary for security monitoring and incident investigation
- Consent preferences: stored locally in your browser until cleared or updated
Longer retention may apply where required by law or to establish, exercise, or defend legal claims.
9. Your rights
Under the GDPR, you have the right to:
- Access your personal data
- Rectification
- Erasure
- Restriction of processing
- Object to processing based on legitimate interests
- Data portability for data you have provided
- Withdraw consent at any time
Requests can be made by contacting contact@agweb.studio. We respond within one month, in accordance with GDPR Article 12.
10. Right to lodge a complaint
If you believe our processing infringes data protection law, you may lodge a complaint with a supervisory authority.
In Denmark, the competent authority is Datatilsynet.
11. Automated decision-making
We do not engage in automated decision-making or profiling that produces legal or similarly significant effects.
12. Children
Our services are intended for businesses and are not directed at children.
13. Changes to this policy
We may update this Privacy Policy to reflect legal, technical, or operational changes. The effective date at the top of this page indicates the current version.
14. Contact
For questions about this policy or our data processing practices, contact:
contact@agweb.studio