Privacy notice

DfG Professional sandbox · Last updated 4 June 2026

This notice explains how the DfG Professional sandbox handles data, and reflects the wider privacy policy of the DATA for GOOD Foundation (dataforgoodfoundation.org/privacy-policy). Where this sandbox and the production platform differ, the differences are called out below.

Data controller

DATA for GOOD Foundation — a commercial foundation with a non-profit purpose, promoting data-based research and development, health promotion, prevention and disease treatment.

Biskop Svanes Vej 62C, 1. tv.
3460 Birkerød, Denmark
CVR: 39708493 · Phone: +45 24 65 11 19
General: info@dfgfoundation.com
Data Protection Officer: dpo@dfgfoundation.com

What this sandbox is

DfG Professional is the governance console for the DATA for GOOD platform — it lets research organisations define cohorts, check consent, and run governed, aggregate-only analyses, with an evidence trail at every step.

This sandbox uses no real personal data. The cohort it operates on is model-generated and has no relationship to any living person — no real health data, identifiers, or clinical records are present. No record-level data is ever returned; results are aggregate-only and suppressed below a k-anonymity floor.

What we process when you use this sandbox

When you sign in we process a role token that grants you a view (operator, researcher, governance, or organisation admin). It is not a real identity, is not linked to a named person, and is not used for marketing or profiling. We do not collect your name, email, IP address, or location in this sandbox.

Cookies and local storage

The sandbox sets only the following, and nothing else:

Name: dfg_session
  Type: HTTP cookie — httpOnly, SameSite=Lax, Secure
  Purpose: Keeps you signed in and carries your role. Strictly necessary.
  Lifetime: 8 hours, or cleared on sign-out

Name: dfg_cookie_banner_dismissed
  Type: Browser local storage
  Purpose: Remembers you dismissed this notice. Stored in your browser only — never sent to us.
  Lifetime: Until you clear site data

We set no analytics, advertising, or third-party tracking cookies and no tracking pixels. Web fonts are self-hosted, so loading a page makes no call to any third-party font service or CDN. Because only strictly-necessary storage is used, no cookie consent is required under the ePrivacy rules — the banner is informational only.

Lawful bases (GDPR)

  • This sandbox — role-token sign-in: legitimate interest, Art. 6(1)(f) (operating a secure governed-analytics environment for research-governance purposes).
  • Platform — membership administration & platform access: contract, Art. 6(1)(b).
  • Platform — project participation and collecting data from consented sources: consent, Art. 6(1)(a); for health and other special-category data, Art. 9(2)(a).
  • Platform — responding to enquiries and newsletter fraud-prevention: legitimate interest, Art. 6(1)(f).

How long we keep data

In this sandbox: the role token lasts only for its 8-hour lifetime or until you sign out; the local-storage flag remains until you clear site data; the cohort is model-generated and contains no personal data. Governance evidence events here are append-only and are cleared when the environment is reset.

In the production platform:

  • Membership data: during membership and 2 years after termination.
  • National-ID identification key: during membership only.
  • Consent records (to document consent under Art. 7(1)): anonymised 5 years after termination or withdrawal.
  • Data-source login credentials: not stored after retrieval.
  • Data collected from sources: until computation is complete and aggregated, then deleted.
  • Newsletter/marketing consent: 2 years after the last communication.

Data may be kept longer where required to establish, exercise or defend legal claims, or to meet a legal obligation.

Recipients, processors and international transfers

This sandbox is hosted within the EU (Scaleway, Paris region). In the production platform, data is shared only with recipients you have expressly consented to, or where legally required. IT, hosting, communication and support providers act as data processors under written data processing agreements, receive only what is necessary, and may not use it for any other purpose. The Foundation does not generally use processors outside the EU/EEA; any such processing takes place only in a secure third country or under appropriate safeguards (for example, the European Commission's Standard Contractual Clauses).

Security

Egress is aggregate-only and a k-anonymity floor suppresses any group too small to be safe, so no record-level data leaves the system. In the production platform, analysis runs via multi-party computation with data kept at source: identifiable data is split across independent parties so no single party can read it, and verified identity gates access. Data in transit and at rest is encrypted.
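As an added illustration of the aggregate-only, floor-suppressed egress described above (this is example code, not the DfG platform's own implementation): the floor value K_FLOOR, the record layout and the secondary-suppression rule are assumptions for the example, and the cohort rows are constructed synthetic data with no relation to any person.

```python
from collections import Counter

# Assumed suppression floor for this illustration; the notice does not
# state the platform's actual value.
K_FLOOR = 5
SUPPRESSED = "<suppressed>"

# Constructed, synthetic cohort rows (age_band, region). Not real data.
SAMPLE_COHORT = [
    ("40-49", "north"), ("40-49", "north"), ("40-49", "north"),
    ("40-49", "south"), ("40-49", "south"), ("40-49", "south"),
    ("50-59", "north"), ("50-59", "north"), ("50-59", "north"),
    ("50-59", "north"), ("50-59", "south"), ("50-59", "south"),
    ("50-59", "south"),
    ("60-69", "north"), ("60-69", "south"),
    ("70-79", "north"),
]


def aggregate_counts(records, key, k=K_FLOOR):
    """Group records by key() and return only the counts that are safe to
    release under a k-anonymity floor. No record is ever returned.

    Result keys:
      "groups":     {label: count} for every group of size >= k
      "suppressed": True if at least one group fell below the floor
      "total":      cohort size, present only when releasing it cannot be
                    combined with the released groups to recover a small
                    group (secondary suppression, an assumed rule here)
    """
    counts = Counter(key(r) for r in records)
    groups = {g: n for g, n in counts.items() if n >= k}
    residual = sum(n for n in counts.values() if n < k)
    report = {"groups": groups, "suppressed": residual > 0}

    if residual >= k:
        # The small groups are collapsed into one residual bucket that is
        # itself large enough to release, so the total is safe too.
        groups[SUPPRESSED] = residual
        report["total"] = sum(counts.values())
    elif residual == 0:
        report["total"] = sum(counts.values())
    # residual in 1..k-1: withhold the total, because total minus the
    # released groups would reveal the residual exactly.
    return report


if __name__ == "__main__":
    print(aggregate_counts(SAMPLE_COHORT, key=lambda r: r[0]))
    print(aggregate_counts(SAMPLE_COHORT, key=lambda r: r[1]))
```

Grouping the sample cohort by age band suppresses the two small bands and also withholds the cohort total, since releasing it alongside the two large bands would expose the suppressed remainder; grouping by region releases every count because both regions clear the floor.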

Your rights

You have the right to:

  • access your personal data;
  • have inaccurate data corrected;
  • have your data erased;
  • restrict processing of your data;
  • data portability — receive your data in a structured, machine-readable format;
  • object to processing, in particular for direct marketing;
  • withdraw consent at any time, without affecting the lawfulness of processing before withdrawal.

To exercise any of these, contact info@dfgfoundation.com or the DPO at dpo@dfgfoundation.com. We respond within one month.

Questions and complaints

Please raise any question or complaint with our Data Protection Officer at dpo@dfgfoundation.com first. You also have the right to lodge a complaint with the Danish Data Protection Agency (Datatilsynet), datatilsynet.dk.

The DfG consent model

The DATA for GOOD Foundation promotes data-based research and health promotion while enabling citizens to retain control over their own data. In the full DfG platform, citizen consent records are the authoritative source of truth for all data access — append-only, evidence-anchored, and revocable at any time. DfG acts as governance coordinator; data custodians (hospitals, registers, service providers) retain ownership and lawful-basis responsibility for their own datasets.