1.1 This agreement (the "Agreement") is entered into between the user company ("Data Controller") and Shine Denmark ApS ("Data Processor" or "TaxHelper by Shine"), each individually called a "Party" and collectively the "Parties".
1.2 The Data Processor processes the types of personal data on behalf of the Data Controller set out in Appendix 1, which are necessary for the TaxHelper by Shine service to be used. The personal data concerns the data subjects listed in Appendix 1.
1.3 For user companies that transfer financial data, the Data Controller hereby instructs the Data Processor to anonymize all data for statistical and benchmarking purposes.
2.1 The Data Processor may only process personal data for purposes that are necessary for the Data Controller to use the TaxHelper by Shine service.
3.1 To the extent that the Data Controller processes personal data in connection with the use of the TaxHelper by Shine service, the Data Controller is responsible for ensuring that there is a valid basis for processing, including that any consent is explicit, voluntary, unambiguous and informed. The Data Controller is obliged, at the Data Processor's request, to explain and/or document the basis for processing in writing.
3.2 The Data Controller also warrants that the data subjects to whom the personal data relates have received sufficient information regarding the processing of the personal data. TaxHelper by Shine's privacy policy in force from time to time can be found on TaxHelper by Shine's website (https://www.taxhelper.dk/privatlivspolitik-business).
4.1 The Data Processor may only process the personal data necessary for the Data Controller to use the TaxHelper by Shine service in accordance with the terms of use available on the TaxHelper by Shine website (https://www.taxhelper.dk/handelsbetingelser-business) (the "Terms of Use"). The Data Processor is obliged to comply with the data protection legislation in force at any time.
4.2 The Data Processor shall take the necessary technical and organizational security measures, including such additional measures as may be necessary to prevent the accidental or unlawful destruction, loss or deterioration of the personal data specified in sections 1.2 and 1.3, and to prevent them from being disclosed, misused or otherwise processed in violation of data protection legislation.
4.3 The Data Processor shall ensure that the employees involved in the processing of personal data are bound to confidentiality or are subject to a statutory duty of confidentiality.
4.4 At the Data Controller's request, the Data Processor must account for and/or document that the Data Processor meets the requirements of data protection legislation, including being able to present documentation of the Data Processor's data flows and procedures/policies for processing personal data.
4.5 If the Data Processor processes personal data in another EU/EEA member state, the Data Processor must comply with the legislation on security measures in that member state.
4.6 The Data Processor is obliged to notify the Data Controller of suspected breaches of personal data legislation or other irregularities in connection with the processing of personal data within 48 hours of identification. At the request of the Data Controller, the Data Processor shall assist the Data Controller in clarifying the security breach, including in connection with any notification to the Danish Data Protection Agency and/or registered persons.
4.7 The Data Processor is obliged to notify the Data Controller of operational disruptions within a reasonable time.
4.8 The Data Processor shall, at the Data Controller's request, provide the Data Controller with sufficient information to enable the Data Controller to ensure that the Data Processor has taken the necessary technical and organizational security measures. The Data Controller is entitled to have the Data Processor's processing of personal data subjected to an annual audit by an independent third party at its own expense. The Data Controller shall reimburse the Data Processor for the time spent in connection with the above request. At the Data Processor's request, the Data Controller will send a copy of the Data Controller's latest ISAE 3402 audit statement, which is updated annually.
4.9 If the Data Processor or another data processor (sub-processor) who has received information receives a request for access to registered personal data from a data subject or his/her agent, or a data subject objects to the processing of his/her registered personal data, the Data Processor shall send such request and/or objection to the Data Controller for further processing by the Data Controller, unless the Data Processor is entitled to handle such request itself. The Data Processor shall, at the request of the Data Controller, assist the Data Controller in relation to responding to the request and/or objection.
5.1 The Data Processor may only transfer the personal data specified in section 1.2 to sub-processors if the Data Controller gives written instructions to this effect. The Data Processor is not entitled to disclose personal data to third parties without the Data Controller's prior written instruction, unless such disclosure is required by law.
5.2 The Data Controller hereby grants the Data Processor a general authorization to enter into agreements with sub-processors, the Data Processor must notify the Data Controller of any planned changes regarding the addition or replacement of sub-processors. The Data Controller may object to such changes.
5.3 Prior to the transfer of personal data to a new sub-processor, the Data Processor shall ensure that such sub-processor has entered into a written data processing agreement in which it undertakes to be bound to the Data Processor on "back-to-back" terms in relation to the provisions of this Agreement.
5.4 If the personal data is transferred to foreign sub-processors outside the EU/EEA, it must be stated in the said data processing agreement that it is the Data Controller's country's data protection legislation that applies to foreign sub-processors. If the receiving sub-processor is also established within the EU, the data processing agreement must state that the receiving EU country's special legislative requirements regarding data processors, such as requirements for notification to national authorities, must be complied with.
5.5 The Data Processor is obliged to enter into written data processing agreements with sub-processors within the EU/EEA. In relation to sub-processors established outside the EU/EEA, the Data Processor must ensure the necessary transfer basis and enter into sub-processor agreements by entering into standard agreements in accordance with the EU Commission's standard agreements ("Standard agreements"). Standard agreements can be based on either Decision 2010/87/EU of February 5, 2010 or 2016/679/EU of June 4, 2021:
5.5.1 Standard agreements based on 2010/87/EU of February 5, 2010 can be entered into until September 27, 2021, and can be used until 27. December 2022, after which they must be replaced by Standard Contracts based on the General Data Protection Regulation 2016/679/EU of June 4, 2021.
5.5.2 Standard Contracts based on Decision 2016/679/EU can be used from June 27, 2021 of June 4, 2021.
5.6 When entering into the Agreement, the Data Processor uses the sub-processors listed in Appendix 2.
6.1 The Parties are liable for damages in accordance with the general rules of Danish law, however, so that none of the Parties are entitled to claim compensation for indirect loss or consequential damage, regardless of whether it is the Data Controller, the Data Processor or a third party who suffers such indirect loss or consequential damage. Loss of business opportunities, loss of profit, operating loss, loss of revenue, loss of goodwill, loss of data, including loss in connection with the restoration of data shall always be considered indirect loss/consequential damage.
6.2 The Data Processor's total liability for damages under the Agreement is limited in terms of amount, see clause 12 of the Terms of Use.
7.1 The Agreement enters into force when a user is created on the Website.
7.2 The Agreement terminates when the customer relationship is terminated. However, the Data Processor is bound by this Agreement as long as it processes personal data on behalf of the Data Controller.
7.3 In the event of termination of the Agreement, the Data Controller is entitled to demand that the personal data be returned and/or deleted, unless continued storage of the personal data is necessary to comply with EU or national legal obligations. The personal data shall be provided on a medium decided by the Data Processor in a commonly readable format.
8.1 We may update this Agreement at any time. When we do this, we will change the last updated date at the bottom of this page. We encourage Users to check this page regularly for changes to stay informed about how we are helping to protect the personal information we collect. In the case of major changes, these will be communicated to users via email.
9.1 This Agreement is governed by Danish law.
9.2 Any claim or dispute arising out of or in any way connected with this Agreement shall be settled by the Copenhagen City Court.
For user companies transferring data for other companies (e.g. for accountants or bookkeepers):
Registered persons:
1) Persons referred to in transferred financial information, e.g. invoice recipients
2) Contact persons communicated with through the TaxHelper service
3) Employees or other persons related to the user company for which data is transferred
4) Persons related to companies invited to use the TaxHelper service
Types of personal data
1) Contact information, such as name, email and phone number
For user companies transferring their own data (e.g. the companies themselves):
Registered persons:
1) Persons referred to in transferred financial information, such as invoice recipients and employees
2) Contact persons communicated with through TaxHelper
3) Persons related to companies invited to use the TaxHelper service
Types of personal data:
1) Contact information, such as name, email and phone number
Firebase
Usage: Firebase is used for hosting servers and authorization of login etc.
Data processing: https://firebase.google.com/terms/data-processing-terms
Google Cloud
Usage: Processing and analysis of attachments/documents in connection with VAT analysis VAT analysis
Data processing: https://cloud.google.com/terms/data-processing-addendum
Google Analytics
Usage: Google Analytics is used to gather information to improve our service and platform
Data processing: https://privacy.google.com/businesses/processorterms/
Stripe
Usage: Stripe is used to receive and refund payments
Data processing: https://stripe.com/us/privacy
Skattestyrelsen
Usage: Skattestyrelsen is used to obtain control information in order to utilize certain functions in the product, such as VAT reconciliation
Data processing: https://www.skat.dk/skat.aspx?oid=1325
Facebook Pixel
Usage: Facebook's Pixel is used to collect information to improve our service and platform
Data processing: https://www.facebook.com/policy.php
TikTok Pixel
Usage: TikTok's Pixel is used to collect information to improve our service and platform
Data processing: https://www.tiktok.com/legal/privacy-policy-eea
Snapchat Pixel
Usage: Snapchat's Pixel is used to gather information to improve our service and platform
Data processing: https://values.snap.com/da-DK/privacy/privacy-policy
ActiveCampaign
Usage: ActiveCampaign is used to send newsletters and communicate with the User
Data processing: https://activecampaign.com/legal/gdpr-updates/gdpr-overview
If you have any questions regarding this data processing agreement, the Website's practices or your dealings with the Website, you are welcome to contact us at:
Shine Denmark ApS
Fiolstræde 17b
1171 København K
asbu@ageras.com
This policy was last updated on November 12, 2025
