Privacy Policy
Data controller
Accel Comply (CVR: DK37260312), operated by Behzad Motaghi, is the data controller for personal data collected through this website.
Accel Comply is a sole-trader practice. Throughout this privacy policy, "I," "me," and "my" refer to Behzad Motaghi personally. Where the policy uses "we" or "our," this refers to the same sole trader; there are no other data controllers or co-owners involved in this website.
Contact: bm@accelcomply.com
What we collect
When you use our website, contact form, or scoping questionnaire, we collect the information you provide. This may include your name, work email, phone number, company, legal entity name, CVR number, role, message content, form responses, deadline information, customer or prospect names or anonymised descriptions, customer industry, contract value or ARR context, exact or summarised customer wording, document owners and roles, tooling status, audit or assessment history, infrastructure descriptions, and other business information you choose to submit.
Do not submit passwords, secrets, production credentials, special-category personal data, criminal-offence data, full customer contracts, regulator correspondence, or privileged legal advice unless we have expressly agreed a secure route and your company has confirmed that disclosure is permitted.
Scoping questionnaire and third-party business contacts
If you identify colleagues, document owners, customers, prospects, auditors, advisors, authorities, or other business contacts in a form response, we process that information as an independent controller for the limited purpose of evaluating the enquiry, preparing a scoping call, preparing a proposal or engagement letter, conflict and admin checks, and protecting our legal interests. We obtain that information from the person submitting the form or from your company. We ask you to provide only business information and to anonymise or redact where required by law, NDA, customer contract, legal privilege, or internal policy.
Google Ads click identifier (gclid)
When you arrive on this site via a Google Ads campaign, your URL contains a `gclid` parameter that identifies the specific ad click. If you submit the contact form, that identifier is captured alongside your form data and used for: (1) campaign attribution, and (2) reporting back to Google Ads, in hashed form, that an enquiry occurred. Legal basis: legitimate interest under Art. 6(1)(f) GDPR. You can object by emailing bm@accelcomply.com; objecting will not prevent your enquiry from being answered. The gclid value is stored on your HubSpot contact record for the duration of our business relationship and then deleted per the deletion policy below.
Legal basis
B2B enquiry, contact-form, and scoping-questionnaire data is processed on the basis of our legitimate interests under GDPR Article 6(1)(f): responding to business enquiries, assessing fit, preparing proposals, managing pre-contract communications, operating a secure website and CRM, and protecting our legal interests.
Where you personally ask us to take steps before entering into a contract with you as an individual or sole trader, GDPR Article 6(1)(b) may also apply.
Non-essential analytics, marketing cookies, pixels, remarketing, and advertising conversion measurement are used only where consent is required and obtained through the cookie banner. First-party campaign attribution needed to understand which business enquiry a campaign produced may be processed on legitimate interests, unless consent is required for the relevant technology.
Whether you must provide the data
Providing scoping-questionnaire data is not a statutory requirement. It is necessary if you want us to assess fit, prepare for the Day 1 assessment call, and prepare a meaningful proposal. If you do not provide the requested information, we may be unable to scope the work, price it, or proceed.
Cookies
This site uses three categories of cookies:
- Necessary: Required for site security and remembering your cookie preferences.
- Analytics: Google Analytics for site usage measurement. Requires consent.
- Marketing: Google and LinkedIn tags for advertising and conversion tracking. Requires consent.
You can manage your cookie preferences at any time using the cookie settings link in the footer.
Data retention
Contact-form and scoping-questionnaire data for enquiries that do not become engagements is deleted or anonymised within 12 months after the last substantive contact, unless we need to retain it to establish, exercise, or defend legal claims, comply with law, or you have asked us to keep in touch.
For enquiries that become engagements, business-contact and contract-administration data is retained for the duration of the business relationship plus 2 years, unless a longer period is required by law or needed for legal claims.
Personal data processed on a client's behalf during a signed engagement is returned or deleted according to the applicable data processing agreement. Analytics data is retained for 14 months unless the cookie tool or analytics provider is configured differently.
Your rights
Under GDPR, you have the right to access, correct, delete, restrict processing of, and receive a portable copy of your personal data. You can also withdraw consent at any time. Contact bm@accelcomply.com to exercise these rights.
You have the right to lodge a complaint with the Danish Data Protection Agency (Datatilsynet).
Engagement data subjects
The services I provide to business clients (NIS2 readiness, ISO 27001 readiness, security assessments) involve reviewing client systems, documents, and processes. These reviews may involve personal data belonging to the client's employees, IT staff, vendors, and other individuals (collectively, "engagement data subjects").
If you are an engagement data subject, meaning your personal data has been reviewed as part of a security assessment carried out for your employer or another organisation, the following applies to you under GDPR Art. 14:
Who controls your data: The organisation that engaged Accel Comply (your employer or the commissioning organisation) is the data controller for your personal data in the engagement context. They determine what is reviewed and why. I process that data as a data processor on their behalf.
What data is involved: Typically your name, work email, job title, system access rights, usernames in log files, and similar professional information visible in the systems under review. No health, financial, or sensitive personal data is processed unless the engagement scope explicitly includes it.
Why it is processed: To assess the organisation's cybersecurity posture and compliance with applicable requirements. The legal basis is the controller's legitimate interest (Art. 6(1)(f)) or, for public-sector engagements, performance of a task in the public interest.
How to exercise your rights: Your rights of access, rectification, erasure, and objection are exercisable against the controller (the organisation that engaged me). Contact that organisation's data protection contact. I will assist the controller in responding to your request if you contact me directly: bm@accelcomply.com.
How long your data is retained: Engagement data is deleted or returned to the controller within 30 days of the engagement ending, per the DPA between Accel Comply and the controller. I do not retain engagement data beyond that period except where required by law.
Recipients, service providers, and international transfers
We use service providers to operate our website, forms, CRM, hosting, analytics, and marketing. Current recipients and service providers include HubSpot for CRM, forms, and the scoping questionnaire; Vercel for website hosting; Google Analytics and Google Ads where consented; and LinkedIn where consented.
HubSpot processes CRM and form data for us as a processor where it acts on our instructions. Depending on the features enabled, some HubSpot tracking or enrichment processing may be controller-to-controller processing under HubSpot's terms. Google and LinkedIn may also act as independent controllers for some analytics or marketing processing.
Personal data may be transferred outside the EU/EEA, including to the United States, through provider support, hosting, tracking, subprocessor access, or group-company access. We rely on relevant safeguards such as the EU-US Data Privacy Framework, Standard Contractual Clauses, and provider data processing terms where applicable.
Automated decision-making
We do not use automated decision-making under GDPR Article 22 to accept, reject, or price engagements.
Changes to this policy
We may update this privacy policy to reflect changes in our practices or legal requirements. The date at the bottom of the page indicates when it was last revised. Material changes will be communicated via the website.
Last updated: May 2026