| Data category | Source | Lawful basis (Art. 6) | Retention | Storage |
|---|---|---|---|---|
| Customer email + name + company | Onboarding form | Contract performance + legitimate interest | Length of relationship + 3 years | Supabase EU |
| Stripe customer-ID | Stripe webhook | Contract performance | 7 years (DK Bogføringslov) | Stripe EU + Supabase EU |
| AI inventory content (customer-provided) | Customer upload | Contract performance | Length of relationship + 1 year | Supabase EU (encrypted) |
| Article 4 register entries | Customer questionnaire | Contract performance | Length of relationship + 7 years (audit) | Supabase EU |
| Annex IV documentation | Generated by PowerQuant + customer | Contract performance + audit-trail obligation | 7 years post-delivery | Supabase EU + customer copy |
| Council-vote audit-log | PowerQuant internal | Legitimate interest (audit-trail) | Permanent (Ed25519 chain) | Supabase EU |
| LLM-prompt + LLM-output | PowerQuant pipeline | Contract performance | 90 days for debugging; redacted after | Supabase EU |
| Email transactional | Resend webhook | Contract performance | 12 months | Resend EU |
| IP address (web visit) | Cloudflare WAF | Legitimate interest (security) | 7 days | Cloudflare aggregated |
| Stripe payment metadata | Stripe webhook | Contract performance + legal obligation | 7 years (DK Bogføringslov) | Stripe EU |
Special categories (Article 9 GDPR)
PowerQuant does NOT process special categories of personal data (racial/ethnic origin, political opinions, religious beliefs, trade union, genetic, biometric, health, sex life). If a customer's AI system processes such data, PowerQuant stores only the categorical reference (e.g. "system processes biometric data per Article 9(2)(g)") in the AI inventory, not the actual special-category data.
Children's data
PowerQuant does not process children's data.
Customer-controlled data export (GDPR Article 20)
Customers can request export of their data in machine-readable JSON format within 30 days of request to dpo@powerquant.dk.