This Privacy Policy is meant to help you understand what information we collect and why we collect it.

CanopyLAB is the data controller, and we ensure that your Personal Data is processed in accordance with the applicable laws.

When you convey information relating to an identified or identifiable natural person (“Personal Data”) on the CanopyLAB website and/or on the CanopyLAB learning platform (the “Service”) we collect and process that information. The protection of your Personal Data is important to us and we wish to explain how we handle your Personal Data.

In order to protect your Personal Data as best possible, we continuously assess the level of risk that our data processing affects your rights. We are particularly aware of the risk of you being subject to discrimination or ID theft, or to suffer financial loss, loss of reputation or data privacy.


1. What kind of Personal Data do we collect?

1.1 We collect the following Personal Data when you sign up for and use the Service:

  • name,
  • email address,
  • job title,
  • organisational affiliation, if any
  • courses taken,
  • knowledge tags,
  • exercise tags,
  • likes, shares and comments on posts,
  • follow and followers,
  • personal direct messages,
  • bio text,
  • personal posts,
  • assignments submitted
  • training program history and progression.


2. For which purpose do we use your Personal Data?

1.2 We use your Personal Data to create a data-driven learning platform in order to provide differentiated and adaptive learning experiences targeted the individual user and to provide you with insights into your personal learning history and progression.

3. We only process relevant Personal Data

3.1 We only process Personal Data about you that are relevant and sufficient in relation to the purposes defined above. The purpose is crucial for the kind of data that are relevant to us. The same applies to the amount of Personal Data we process – we do not process more Personal Data than needed for the specific purpose.

4. We process only the required Personal Data

4.1 We collect, process and store only the Personal Data acquired to meet the already established purposes. Additionally, it may be decided by law which data we are required to collect and store to run our business. The type and extent of the Personal Data we process may also be required to fulfil a contract or other legal obligation.

4.2 We want to ensure that we process only the Personal Data necessary for each of our specific purposes. Therefore, our IT systems collect only the Personal Data necessary by default. It is also automatically ensured that the amount of processing is not unnecessarily large and the storage time is not too extensive.

4.3 To protect you from unauthorized persons accessing your Personal Data, we use IT solutions that automatically ensure that your data are only available to the relevant employees. There is furthermore embedded protection against an unlimited number of persons receiving access to your data.

4.4 To detect, prevent and address fraud, unauthorized use of the Service, violations of our terms or policies, or other harmful or illegal activity, or to protect ourselves or our users we will investigate the service user history of any of our users upon receiving a credible complaint concerning the use of the Service of that user, or if we otherwise become aware of any abuse of the Service by that user.

Before investigating the service user history of any of our users we will notify said user of the investigation, as well as our reasons for conducting such unless the circumstances prevent us from doing so on important grounds of public interest.


5. We amend any inaccurate Personal Data about you

5.1 As the Services are dependent on your Personal Data being accurate and up to date, we ask that you provide us with relevant changes to your Personal Data so we can alter our register accordingly.


6. For how long do we keep your Personal Data?

6.1 We delete your Personal Data, when they are no longer necessary to meet the purpose for which we gathered, processed and stored it. We delete your Personal Data at your request according to section 12, or upon termination of your subscription to the Services.


7. We will obtain your consent before processing your Personal Data

7.1 We obtain your consent before processing your Personal Data for the purposes described above unless we have a legal basis for collecting them. If we collect your Personal Data on such a legal basis, we will inform you of such a basis as well as any legitimate interest in processing this Personal Data.

7.2 Your consent is voluntary and can be withdrawn at any time by contacting us. We make sure that it shall be as easy to withdraw as to give your consent. Please contact us on the following address, if you would like to withdraw your consent or have any questions concerning the above:

7.3 If we wish to process your Personal Data for another purpose, we will inform you and obtain your consent before we begin the processing of your Personal Data. If we have other legal grounds for processing your Personal Data than your consent, we will inform you accordingly.


8. We do not disclose your Personal Data without your consent

8.1 In some cases, we will pass on the Personal Data to others. The passing on of Personal Data will take place to the extent and to whom it is necessary in order for us to provide you with the Service.

8.2 Your Personal Data may be passed on to: (i) suppliers with whom we cooperate to support our company (e.g. suppliers of services and technical support); or (ii) if it is required by law, court order or by prevailing legislation.

8.3 In order to protect your rights, your Personal Data will be rendered irreversibly anonymous in such a manner that you are no longer identifiable, before we disclose any data to your place of employment.

8.4 If we transfer your Personal Data to collaborators or other parties, including for marketing purposes, we will obtain your consent and inform you of how your data will be used. You may object to this kind of disclosure at any time and you can exclude yourself from marketing requests in the CPR registry.

8.5 We will not obtain your consent if we are legally required to disclose your Personal Data, for example, as part of reporting to an authority.


9. Data Security – what measures do we take?

9.1 We take precautionary measures of technical and organizational nature to protect your Personal Data from manipulation, loss, destruction or access from unauthorized persons. Our precautionary measures are revised on a regular basis in order for us to meet the legislative requirements for a suitable data security system.

9.2 However, we cannot guarantee that the data are completely protected against individuals who want to and succeed in breaking our precautionary measures and gain access to transfer information on the Internet, e.g. via e-mail.

9.3 In case of a security breach that results in high risks of discrimination, ID theft, financial loss, loss of reputation or other significant inconvenience, we will notify you of the security breach without undue delay.


10. Cookies – we obtain your consent before installing Cookies

10.1 Before we install cookies on your equipment, we ask for your consent. However, cookies required to ensure functionality and settings can be used without your consent.

10.2 You can find more information on the Website about our use of cookies and how to delete or reject them. If you want to revoke your consent, please see the instructions under our Cookie Policy.


11. Access – you are entitled to access your Personal Data

11.1 You are entitled to know which Personal Data we process about you, from where they originate, and for which purpose we use them. We will let you know for how long we store them and who receives them.

11.2 At your request, we will disclose what data we process about you. Access may, however, be limited for the protection of other persons’ privacy, trade secrets and intellectual property rights.

11.3 You can exercise these rights by contacting us by e-mail at


12. Rectification or Deletion – you are entitled to have inaccurate Personal Data corrected or deleted

12.1 If you believe that the Personal Data we treat about you are inaccurate, you are entitled to have them corrected. You can contact us and inform us of the inaccuracies and how they can be corrected.

11.2 In some cases, we will have an obligation to delete your Personal Data. This applies, for example, if you withdraw your consent. If you believe your Personal Data are no longer necessary for the purpose for which we obtained them, you may want to have them deleted. You may also contact us if you believe your Personal Data are being processed in violation of the law or other legal obligations.

11.3 When you convey a request to correct or delete your Personal Data to us, we will investigate whether the conditions are met and, if so, make changes or deletions as soon as possible.


13. Complaints – you are entitled to object to the processing of your Personal Data

13.1 You have the right to object to the processing of your Personal Data. You can also object to our disclosure of your data for marketing purposes. You can object by e-mail at If your opposition is justified, we will stop processing your Personal Data.


14. Data portability – you are entitled to retrieve your Personal Data

14.1 You are entitled to receive the Personal Data you have made available to us and those, if any, we have collected from a third party based on your consent. If we process Personal Data about you as part of a contract to which you are a party, you have the right to receive these Personal Data as well. You also have the right to transfer these Personal Data to another service provider. If you wish to exercise your right to data portability, we will transfer your Personal Data to you, or to the service provider of your choice, in a commonly used format

14.2 How long we retain your Personal Data depends on the type of data and the purpose for which we process the data. We will retain your Personal Information for the period necessary to fulfill the purposes outlined in this Privacy Notice unless a longer retention period is required or permitted by law.


15. Contact us, if you want to exercise your rights

15.1 Please contact us by e-mail

15.2 If you wish to access your data, have them corrected or deleted, or object to our data processing, we will investigate and respond to your request as soon as possible and no later than one month after we receive your request.

15.3 If we do not fully comply with your objection, you have the right to file a complaint with the Danish Data Protection Agency by following the instructions on the Danish Data Protection Agency’s website (in Danish):


Version November 2020