Skip to main content
Privacy Notice
Privacy Notice

Information about how Purpose and Means processes personal data, including risks you need to be aware of.

Last updated: April 2026

Interactive Privacy Notice #

The interactive visual below provides an overview of how Purpose and Means processes personal data. Click the red icons on each stop along the journey to read more. For full details, read the written notice below.

This resource is best viewed on a desktop computer or tablet.

Who We Are #

Purpose and Means is a sole proprietorship registered in Denmark (CVR number: 18895692) and is the data controller for personal data processed via this website for conducting its business of providing organisations and individuals with various products and services.

Purpose and Means uses a Quality Management System (QMS) for conducting its training activities, approved and audited by APMG International based in the UK.

Purpose and Means is owned by Timothy Clements.

Our Take on Data Protection #

Purpose and Means is based in Denmark and is subject to laws and regulations including the General Data Protection Regulation (GDPR) and the ePrivacy Directive. As we also operate globally, we are subject to a range of applicable data protection and privacy laws. Being a very small business, we are not able to fully comply with every single law, but we regularly make ourselves aware of key nuances between the GDPR and other laws, especially where client demand necessitates greater focus.

Purpose and Means sees data protection as a key part of doing business and respects key principles including lawfulness, fairness and transparency, data minimisation, and purpose limitation.

We do not have a Data Protection Officer (DPO) appointed because in our business context, we do not meet the criteria specified within the GDPR.

In our processing context we do not assess our processing activities to pose a ‘high risk’ to the rights and freedoms of individuals.

Please do contact us if you have any questions, concerns, or feedback about how Purpose and Means processes personal data.

Contact Us #

Purpose and Means
Esthersvej 21
2900 Hellerup
Denmark
Email: tc@purposeandmeans.io

Data Collection #

Active Data Collection #

Active data collection is when you knowingly provide personal data to Purpose and Means. We actively collect data from you when you:

  • Complete a web form
  • Register for an education or training course
  • Sign up for a newsletter
  • Request information about a product or service via email

Passive Data Collection (Website Technical Data) #

When you visit our website, certain technical data is processed automatically to deliver the website to your device and keep it secure. This can include:

  • Your IP address
  • The date and time of your visit and requests
  • The pages and files you request
  • Device and browser information (such as user agent, language, and approximate device type)
  • Diagnostic and security information (e.g., error logs and activity that may indicate abuse)

Website Infrastructure and Third-Party Data #

Our website is a static site hosted on a Virtual Private Server (VPS) managed by Hetzner Online GmbH in Germany. There are no third-party content delivery networks, cookie consent tools, advertising trackers, or analytics services used on this website.

When you visit our website, your browser connects only to our own server. No third parties receive your technical data as part of a standard website visit.

The only exceptions are:

YouTube (embedded videos): Some learning pages embed YouTube videos used within our self-hosted interactive learning content (H5P). If you visit such a page, your browser will connect to YouTube’s servers. YouTube (Google LLC) will receive your IP address and device/browser information and may set cookies in accordance with their own privacy policy.

Booking system (Cal.com): Our Book a Call page embeds a booking calendar hosted on our own subdomain (cal.purposeandmeans.io), which runs on a separate server also operated by Purpose and Means. When you load or interact with the booking page, your browser connects to this server. If you complete a booking, your name, email address, and chosen time are processed to schedule the meeting. No data from the booking system is shared with third parties.

Cookies #

Our website uses no cookies by default. Zero cookies are set when you visit purposeandmeans.io.

The only exception is if you watch an embedded YouTube video. In that case, YouTube may set cookies in accordance with Google’s privacy policy.

Lawful Bases for Processing #

1. Private Individuals #

  • Consent — to receive a marketing newsletter from Purpose and Means no more than once a month
  • Legitimate interests — to conduct profitable commerce providing our portfolio of products and services
  • Compliance with legal obligations — in line with Danish tax and financial laws
  • Performance of a contract — prior to, or actual purchasing of Purpose and Means products and services

2. Employees of Purpose and Means Clients #

  • Legitimate interests — to conduct profitable commerce providing our portfolio of products and services

What Data is Collected? #

Provided Data #

  • First name and surname
  • Postal address
  • Email address
  • Opinions about products and services provided

Derived Data #

  • Attendance levels (for courses)
  • Purchase history
  • Levels of understanding (knowledge checks, quizzes)

Inferred Data #

  • Propensity to purchase other products or services (for manual recommendations)

Website Technical Data #

When you browse our website (without filling in a form), we may process:

  • IP address
  • Device and browser information (user agent)
  • Request metadata (pages/files requested, timestamps)
  • Limited referrer information (typically indicating you came from purposeandmeans.io)

Data Retention #

Personal data is securely retained and backed up by Purpose and Means in Denmark, and replicated to servers in Germany managed by Hetzner Online GmbH (see ‘Data Transfers’).

Invoices #

For accounting purposes we use Dinero, a Danish company, that stores invoice information. This data is retained for 5 years to comply with Danish financial and tax laws.

Email #

Purpose and Means uses mailbox.org part of Heinlein Hosting GmbH, a German company for all email and calendar processing. Personal data received by email is retained mailbox.org. Unless there are specific purposes to continue processing, this personal data is retained for 3 years.

Complaints and Complaint Log #

Personal data related to a complaint will be retained for 2 years after the complaint is resolved.

Data Subject Requests #

From completion of the request, personal data will be retained for 5 years, in line with recommendations issued by Datatilsynet.

Records of consent will be retained for 2 years or until no longer necessary, in line with recommendations issued by Datatilsynet.

Website and Server Logs #

Technical logs generated when you visit our website are retained for 30 days for security, troubleshooting, and performance purposes, then deleted or anonymised.

Data Usage #

  • Providing you with a promotional newsletter

Legitimate Interests #

  • Dealing with your business-related requests and enquiries
  • Improvement of our products and services through feedback requests
  • Promotion of Purpose and Means products and services through testimonials
  • Determining levels of understanding of our training courses (quizzes, knowledge checks)
  • Security and anti-fraud activities

Performance of a Contract #

  • Prior enquiries, registration and purchase of a product or service
  • Transfer of necessary data to third-party training instructors (email address)
  • Complying with Danish financial and tax laws

Website Operation and Security #

We use technical data from website visits for the following purposes:

  • To deliver and render the website
  • To maintain security and prevent abuse
  • To troubleshoot and improve reliability

Data Transfers #

Within the EU/EEA #

Website hosting: purposeandmeans.io is hosted on a VPS with Hetzner Online GmbH in Germany. All website files are served directly from this server. No CDN or third-party delivery network is used.

Cloud storage: We store personal data in a Nextcloud solution hosted in Germany at Hetzner Online GmbH.

Email, calendar and video conferencing: We use the German company, mailbox.org, part of Heinlein Hosting GmbH for processing of email and calendar data. We use their video conferencing tool, OpenTalk, for conducting online calls and meetings. Personal data received by email is retained and replicated by Heinlein Hosting GmbH in accordance with their Data Processing Agreement.

Outside the EU/EEA #

YouTube (embedded videos): Some learning pages embed YouTube videos. If you interact with these pages, your browser connects to Google’s servers in accordance with Google’s privacy policy.

Data Deletion #

Data about you is deleted when there is no longer a purpose to retain it. Retention is determined by the purposes of processing described in the ‘Data Usage’ section and the retention periods in ‘Data Retention.’

For example, if you withdraw consent for our newsletter, your email address in relation to that activity is deleted, unless it is also retained for another purpose such as a financial transaction.

Website technical data (such as access logs) is deleted or rotated in line with the retention periods described above.

Your Rights #

Rights Applying to All Processing #

  • Right to access — request confirmation that we are processing your personal data and request a copy
  • Right to rectification — request correction of inaccurate or incomplete data
  • Right to restrict processing — request that we limit use of your data
  • Right to not be subject to automated decision-making including profiling
  • Right to lodge a complaint with a Supervisory Authority — as we are a Danish company, complaints should be made to Datatilsynet (though they recommend first complaining to the Data Controller)

Additional Rights Depending on Lawful Basis #

  • Right to withdraw consent — applies where consent is the lawful basis (typically for our marketing newsletter)
  • Right to erasure — applies where the lawful basis is consent, performance of a contract, or legitimate interests
  • Right to data portability — applies where the lawful basis is consent or performance of a contract
  • Right to object — applies to direct marketing conducted under legitimate interests

How to Exercise Your Rights #

Please send an email detailing your request to tc@purposeandmeans.io with the subject line ‘Data Subject Request.’ We may request proof of identity and/or context in order to process your request.

Information Security #

We recognise that information security is a vital part of data protection. While no data transmission can be completely secure, we implement a variety of physical, technical, and procedural measures to protect personal data from unauthorised access, use, disclosure, alteration, or destruction.

Our website is a static HTML site with no database, no login page, and no user accounts. HTTPS is enforced across all connections. Security headers including HSTS, Content Security Policy, X-Frame-Options, X-Content-Type-Options, and Referrer Policy are implemented. Zero cookies are set by default.

Some Content Security Policy directives are intentionally permissive — specifically, stylesheets and images are permitted from any HTTPS source. This is required for our self-hosted interactive learning content (H5P) and booking system to function correctly. In practice, our website loads stylesheets and images only from our own server. No external sources are currently used, but the browser-level policy does not technically restrict this to a named allowlist of domains.

LinkedIn #

Purpose and Means maintains a LinkedIn presence to promote its services and publish professional content. LinkedIn is operated by LinkedIn Ireland Unlimited Company (a subsidiary of Microsoft). When you interact with Purpose and Means content on LinkedIn, your data is processed by LinkedIn under their own terms of service and privacy policy. Purpose and Means does not control LinkedIn’s processing of personal data on its platform, and does not use LinkedIn’s Insight Tag or any LinkedIn tracking tools on this website. If you navigate from LinkedIn to this website, this privacy notice applies from the point of arrival.

Residual Risks You Need to Be Aware of (Website Use) #

We identify the following residual risks associated with visiting this website. We do not consider any of these to give rise to actual harm in practice, and we disclose them here in the interest of full transparency.

Pages with Embedded YouTube Videos #

Third-party visibility of visits: YouTube (Google LLC) can see your IP address and device/browser information and may infer that you visited purposeandmeans.io.
Possible impact to you: reduced anonymity online and reduced confidentiality of browsing habits. We do not consider this to give rise to actual harm, given that this is standard behaviour when visiting any website that embeds YouTube content.

Cross-site correlation: Google may be able to correlate your visit with other sites using technical signals, depending on their practices.
Possible impact to you: your visit may contribute to profiling and inferences about your interests. We do not consider this to give rise to actual harm in the context of a professional website visit, though we acknowledge that Google’s broader data practices are outside our control.

International processing: YouTube resources are served from Google’s global infrastructure, which may involve processing outside the EU/EEA.
Possible impact to you: your technical data may be processed in jurisdictions with different legal protections. We do not consider this to give rise to actual harm, as Google operates under standard contractual clauses and other transfer mechanisms recognised under GDPR.

Book a Call Page #

Booking page server connection: When you visit our Book a Call page, your browser connects to cal.purposeandmeans.io, a separate server operated by Purpose and Means. Your IP address and browser information are processed by this server in addition to the main website server.
Possible impact to you: your technical data is processed by a second server. We do not consider this to give rise to actual harm, as this server is operated and controlled entirely by Purpose and Means and is subject to the same security measures as our main website.

Content Security Policy Technical Limitation #

Broad stylesheet and image policy: Our website’s Content Security Policy permits stylesheets and images to load from any HTTPS domain. This is a technical requirement of our self-hosted interactive learning content (H5P). In practice, our site loads these resources only from our own server.
Possible impact to you: the browser-level protection is less strict in this area than it could be. We do not consider this to give rise to actual harm, as no external stylesheets or images are currently loaded from third parties. This is a policy limitation, not an active data flow.