This policy describes which personal data People's Group processes in connection with People's Wallet, why we process it, how we protect it, and the rights you have. The policy covers visits to peopleswallet.ai and waiting-list sign-ups.

1 Who we are

People's Wallet is a citizen-facing digital health bank, delivered by People's Group, Teglværksvej 2, 5600 Faaborg, Denmark (CVR 40930809).

You can reach us via:

2 Roles, data controller, and data processor

People's Group is the data controller for the personal data we process from visitors to peopleswallet.ai and people on the waiting list: contact form, support correspondence, and technical operational logs.

When People's Wallet eventually opens to users, health data will be processed under a separate user agreement with explicit consent per data category and per recipient. We will update this policy before that happens, and notify existing contacts.

3 Which data we process

We process the following categories of data from you as a visitor or waiting-list member:

  • Waiting list: your email, language preference, and consent status.
  • Technical metadata: referrer, timestamp, any UTM parameters.
  • Session data: anonymised session ID and form flow time (elapsed_ms) for bot protection.
  • Analytics (consent only): anonymised usage data via cookie-based tracking.

We do not process special categories of personal data (GDPR Art. 9) before we open the product. When health data is included, it happens under a separate user agreement with Art. 9 legal basis and granular consent.

4 Purposes and legal basis

Each category of data is processed for a specific purpose with a specific legal basis:

  • Waiting list, purpose: contact you when we open access and send product updates. Legal basis: consent (GDPR Art. 6(1)(a)).
  • Technical metadata and session data, purpose: operational security, bot protection, and access documentation. Legal basis: legitimate interest (GDPR Art. 6(1)(f)). Balancing test: the need to protect infrastructure and users against abuse outweighs the individual visitor's interest in entirely absent logging.
  • Analytics, purpose: improve the website and its content. Legal basis: consent (GDPR Art. 6(1)(a)).

5 AI and automated decisions

For visitors to peopleswallet.ai and waiting-list members, no automated decision-making takes place under GDPR Art. 22. Inquiries are handled manually by our team.

When People's Wallet opens to users, any AI features (e.g. explanations of test results) will be explicit opt-in, and we will document classification under the EU AI Act (Regulation (EU) 2024/1689) in the separate user agreement. People's Wallet will be EU AI Act-aligned.

6 No training on your data

Your data is never used to train, fine-tune, or optimise AI models, whether in identifiable, anonymised, or aggregated form. When AI features open in the product, they run in inference-only mode.

Your data is not sent to external AI APIs, including OpenAI, Anthropic, Google, or other third-party providers.

7 Retention and deletion

We only retain data for as long as necessary for the purpose for which it was collected:

Data categoryRetention period
Waiting list (email + consent)Until you unsubscribe, or at most 24 months after our last update to you
Technical operational logs185 days
Analytics dataDeleted on consent withdrawal or at most after 26 months
Encrypted backupsIncluded in the above periods; deletion requests are reapplied to restored backups

Deletion is technically irreversible after the retention period. Earlier-deletion requests can be sent to support@peopleswallet.ai.

8 Sub-processors

We use sub-processors in the following categories:

  • Cloud hosting of peopleswallet.ai in EU region (Frankfurt).
  • Form handling via our own platform in EU region.

An updated list of specific sub-processors can be requested from support@peopleswallet.ai.

9 Data location

peopleswallet.ai is hosted in EU region (Frankfurt). Data from the waiting list passes through EU-hosted infrastructure and does not leave the EU.

When the product opens and health data is involved, location will be specified in the separate user agreement - with the same EU-only principle.

10 Transfers outside the EU/EEA

No transfers of personal data outside the EU/EEA. Data from the waiting list and contact inquiries is processed exclusively in EU-hosted infrastructure.

For the website's hosting, we use a provider whose primary business activity is outside the EU, but hosting takes place in EU region. There may theoretically be transfer of operational metadata (not form data) to the United States through the provider's global infrastructure. Such transfer is covered by EU Standard Contractual Clauses (SCC).

11 Technical and organisational security measures

We have implemented the measures that are appropriate to the risk under GDPR Art. 32, including particularly stringent requirements for regulated industries:

Encryption:

  • In transit: TLS 1.2 or newer on all network traffic.
  • At rest: full-disk encryption on database servers.
  • Backups: AES-256 encryption on separate EU storage.

Access control:

  • Role-based access control (RBAC) with the principle of least privilege.
  • MFA/TOTP required for all privileged access.
  • VPN required for administrative access to production.
  • Four-eyes principle for production changes.

Monitoring and integrity:

  • File integrity monitoring on production nodes.
  • Centrally collected system logs.
  • SHA-256 hashing of critical transaction logs (immutable audit trail).

Organisational:

  • Staff have no default access to personal data. Access in specific support situations is documented.
  • Confidentiality agreements for all staff with access to the production environment.
  • Regular security training.

12 Audit and certification

Our controls are reviewed on an ongoing basis against recognised standards. Current audit status is available on request.

13 Your rights

You have the following rights under GDPR in relation to the data we process about you:

  • Access (Art. 15): confirmation of whether we process data about you, and a copy of the data.
  • Rectification (Art. 16): correction of inaccurate data.
  • Erasure (Art. 17): deletion without undue delay when the conditions in Art. 17(1) are met.
  • Restriction (Art. 18): restrict our processing in specific situations.
  • Data portability (Art. 20): receive data in a structured, commonly used, and machine-readable format.
  • Objection (Art. 21): object to processing based on legitimate interest.
  • Withdrawal of consent (Art. 7(3)): where processing is based on consent, consent can be withdrawn with effect going forward.

How to exercise your rights: contact support@peopleswallet.ai.

We respond within 30 days, per GDPR Art. 12(3). Complex requests can be extended by up to two months with reasoned notice within the same deadline. We do not charge a fee unless the request is manifestly unfounded or excessive (Art. 12(5)).

14 Security breaches

If a personal data breach occurs:

  • The Danish Data Protection Agency (Datatilsynet) is notified within 72 hours of detection, per GDPR Art. 33.
  • Affected data subjects are notified under Art. 34 if the breach is likely to result in a high risk to their rights and freedoms - internal target is the same day as detection.
  • We publish a public post-mortem within 14 days.

Security incidents can be reported to support@peopleswallet.ai.

15 Cookies and website tracking

peopleswallet.ai currently uses strictly necessary cookies only (session ID and language preference). We do not use marketing trackers, fingerprinting, or cross-site tracking.

When analytics or marketing cookies are added in the future, consent is collected via a cookie banner before such cookies are set. Consent can be withdrawn at any time via "Cookie settings" at the bottom of the page.

16 Complaint to the Data Protection Agency

You can complain to the Danish Data Protection Agency (Datatilsynet) if you believe that our processing of your data violates data protection rules:

Datatilsynet
Carl Jacobsens Vej 35
2500 Valby, Denmark
Phone: +45 33 19 32 00
dt@datatilsynet.dk
www.datatilsynet.dk

You are not required to contact us first, but we encourage you to give us the opportunity to find a solution before you file a complaint.

17 Changes to this policy

Material changes are communicated to registered customers via email at least 30 days before they take effect. Minor changes (clarifications, updated contact information) can be published without separate notice.

Previous versions can be requested via support@peopleswallet.ai.