Terms of Service

Privacy Policy

We are very keen on being compliant with the European data protection rules and principles to protect you and your personal data. We at Act4 will always go the extra mile to protect your privacy data and never sell it to any third parties. This Privacy Policy contains all information related to the data processing of Act4, concerning the collection, use, storage, disclosure and erasure of data.  Please, revise this Privacy Policy carefully before you disclose any of your personal data to us.

This Policy comes into effect upon its publication. The current version of this Policy is available on the website: https://act4.io. Act4 reserves the right to amend this Privacy Policy at any time. Amendments will be published immediately on the website. 

1. Preamble

1.1. Act4.io is a commercial brand exclusively owned and used by Nordic Waves Group ApS (reg. no.: 40363866), a company incorporated and operating under the laws of Denmark and located at Mønmestervej 12g, 1th., 2400, Copenhagen, Denmark (Nordic Waves Group ApS providing services on Act4.io hereinafter referred to as: “Act4”). Act4 as data controller Act4 is committed to protect the planet and encourage mitigation of carbon emissions and greenhouse gases. Act4 supports the transition to more sustainable economies, mitigating the loss of biodiversity, and accelerating “green” and nature-based solutions. On the Website, Act4 offers the offsetting of VCCs, which can be purchased by the Customer.

1.2. For the purposes of this Privacy Policy, the terms ‘we’ or ‘our’ etc. shall mean Act4.

1.3. Capitalized words and terms used in this Privacy Policy have the same meaning as described in our Terms of Service.

1.4. This Privacy Policy requires your expressed consent, which you may withdraw at any time. You give your consent by placing a tick in the box before you place your Order or contact us. Your consent shall be voluntary, expressed and based on the related, detailed information we provide to you.

1.5. Act4 is responsible for the conclusion, enforcement, updating and amending of this Privacy Policy. Act4 may amend this Privacy Policy unilaterally, at any time as the business processes and the relevant legal requirements develop. If you don’t agree with the modifications, you can stop using the Website and the Services, or delete your Account anytime. Please, keep in mind that deleting your Account does not mean that we delete your personal data too. This Policy gives you detailed information on how long we keep your personal data even after you delete your Account.

1.6. Act4 handles your personal data confidentiality and is committed to take all the safety, technical and organizational measures that guarantee the security of your data.

1.7. Act4 is also committed to process your personal data lawfully, fairly and in a transparent manner; we only collect and process data that are suitable and relevant for the purposes of data processing and are necessary to achieve such purposes.

1.8. Act4 attempts to ensure the accuracy and up-to-date nature of the personal data; therefore, we take all necessary measures for the immediate erasure or rectification of inaccurate data. However, Customer is solely responsible for the lawfulness, reality and accuracy (i.e. the quality) of the data provided under criminal liability.

1.9. Your personal data is only yours, therefore, you can request the restriction of data processing, rectification or erasure of your data and you can object to our data processing at any time, free of charge via email: act4@nordicwaves.org. We respond to you without undue delay, but the latest within one month from the receipt of the request. If we have to reject to perform your request, we will provide a proper justification of rejection. In justified cases, depending on the complexity and number of requests, we may extend the deadline by two further months. We will inform you about such extension within one month of the receipt of your request, together with the reasons for the delay.

2. Service Provider's Data

Name of service provider:
Nordic Waves Group ApS

Registered seat of service provider:
Møntmestervej 12g, 1th., 2400, Copenhagen, Denmark

The contact details of service provider, electronic mailing address:

Company VAT number:

The name of the registering authority
Danish Business Authority (Erhvervsstyrelsen


3. Applicable laws

Act4 hereby declares to process your personal data in compliance with the prevailing laws and regulations, with special regard to the following:
- The related EU regulation: the General Data Protection Regulation of the European Union (Regulation 2016/679 (EU), the “GDPR”);Danish - Data Protection Act nr. 502 of 23 May 2018 (Databeskyttelsesloven).

4. Legal Ground for Data Processing

4.1. The legal ground for personal data processing is one or more of the followings: 
A) your voluntary consent (Article 6 (1) (a) of GDPR);
B) contract concluded by and between Act4 and the Customer for contractual performance (Article 6(1) (b) of GDPR);
C) the processing of the personal data is necessary for the performance of Act4’s legal obligations, such as auditing and accounting liabilities (Article 6(1) (c) of GDPR);
D) for the enforcement of the legitimate interest of Act4 or a third party (Article 6(1) (f) of GDPR).

4.2. You can grant and withdraw your consent to the use of your personal data for advertisement purposes.

5. The data processed by ACT4

5.1. In order to be able to use the Services, you shall disclose certain personal information to Act4 through the Website. If you refuse to comply with such a request, Act4 is entitled to lawfully reject the provision of Services, so you may be unable to use them.

5.2. Within the scope of data processing, we can in particular pursue the following activities: to collect, record, register, systematize, store and use the personal data for the purposes of data processing, to query, block, erase and destruct your data and to prevent the further use thereof. In lack of a related legal obligation, we never publish, align or coordinate your personal data with each other.

5.3. Mandatory data provision by CustomersAct4 may process the following data provided by the Customers. The disclosure of these data is necessary for the provision of the Services with special regard to the registration process:

Data Subject:
Customer registering on the Website and/or placing order

Legal grounds:
4.1. b), c), d)

Data category:
Name (first name and last name), address, e-mail address

Purpose of Data Processing:
- Conclusion, amendment and performance of the contract
- Identification and verification of the Customer and ensuring the communication
- Establishment and maintenance of a reliable and safe environment Enforcement of claims and rights
- Information used by the payment system, service fee invoicing


Act4 may process the following data provided by the Customer to Act4 in the course of the performance of Services, in addition to the data set out above. The disclosure of these data is necessary for the proper performance of the parties’ contractual obligations, and the actual categories of data in case of a Customer may depend on the individual circumstances, such as the content of the claim submitted:

Data Subject:
Customer placing order

Legal grounds:
4.1. b), c)

Data category:
Card processing information (such as last four digits, brand, holder and expiry date of the credit card of the Customer), expected amount to arrive at ACT4

Purpose of Data Processing:
- Conclusion, amendment and performance of the contract
- Establishment and maintenance of a reliable and safe environment


Data Subject:
Complainant, claimant, inquirer

Legal grounds:
4.1. b), c)

Data category:
Data provided in the complaint/ claimant/ inquirer when contacting ACT4

Purpose of Data Processing:
- Conducting the complaint management process, carrying out a request or claim submitted to Act4
- Identification and verification of the Customer and ensuring the communication


5.4. Optional data provision by Customers or other persons
ACT4 may process the following data provided by the Customers voluntarily and manually. We do not collect them during the registration process, and they are not collected automatically if not included in the data processing covered by 5.3.:

Data Subject:
Data provided after the registration process of the Customers in case of a data change

Legal grounds:
4.1. a), b)

Data category:
Name (first name and last name), address, e-mail address

Purpose of Data Processing:
- Conclusion, amendment and performance of the contract
- Identification of the user and ensuring the communication
- Ensuring the communication
- Advertisement, marketing activities


We may also collect data from other persons who are not our Customers. The collection of these data is carried out voluntarily and manually, they are not collected automatically:

Data Subject:
Contractual contact person designated by the business partner of Act4 or networking contacts provided by the partner

Legal grounds:
4.1. a), d)

Data category:
Other data provided voluntary during networking

Purpose of Data Processing:
- Establishment of business partnerships
- Identification of the partner
- Ensuring the communication
- Conclusion, amendment and performance of contract


Data Subject:
Job applicant

Legal grounds:
4.1. a)

Data category:
Name (first name and last name)
E-mail address
Telephone number
Other data provided voluntarily in the CV, such as educational background, employment history, language skills, certificates and obtained licenses.

Purpose of Data Processing:
- Conducting the professional selection process
- Identification of the applicant and ensuring the communication
- Establishment of the legal relationship


Data Subject:
Employee, Subcontractor, Volunteer

Legal grounds:
4.1. a), b), c)

Data category:
Name (first name and last name)
Telephone number
Social Security number
Bank Account Number

Purpose of Data Processing:
- Conclusion, amendment and performance of the legal relationship; 
- Identification of the applicant 
- Ensuring the communication.
- Compliance with legal obligations relating to employment (e.g. informing necessary authorities)


5.5. Automatic collection of data in the course of the Services

Data Subject:
Customers using the Services

Legal grounds:
4.1. a),

Data category:
- Date of the registration
- Login history
- Log data and device information
- Data collected by Google Analytics or other third party service provider
- Data collected by payment service provider (see the actual data categories in Section 5.3.)

Purpose of Data Processing:
Maintenance and development of the Service


5.6. Data collected from third parties

We only collect your personal data collected by third parties in order to comply with our legal obligations, or, in other cases, if you have given your explicit consent to the data transfer directly to those third parties, which is your responsibility to arrange. We do not supervise that your consent is properly given, we trust both you and those third parties who shall also be compliant with the data protection rules. Therefore, we are not liable for the collection and processing of such data by third parties. 

Due to the nature of the Service, Customers use services of third parties, related to payment and payment methods. Act4 has no influence on the operation of these service providers, they are obliged to ensure their data protection measures in their own competence. Currently, we support Stripe as payment service provider (“Payment Service Provider”). 

If you use the services of a third-party service provider (such as Facebook, LinkedIn, Instagram, Google, Skype, etc.) in order to contact Act4, we do not request any data of yours from the concerned third party. To the provision or change of such data, the privacy policies of the concerned third-party service provider shall apply.

6. Cookie Policy

6.1. What is a cookie? Cookies are small data files of information that our website transfers to your hard drive or mobile device to store and sometimes track information about you. Although cookies do identify a Customer’s device, cookies do not personally identify Customers. Additionally, mobile devices may use other tracking files which are similar to cookies (for example iOS devices use Apple’s “identifier for advertisers” (IDFA) and Android devices use Google’s Android ID). 

6.2. Why we use cookies: Our website uses cookies to distinguish you from other Customers. This helps us to improve our website and to provide you with a good experience when you browse.

6.3. Types of cookies we use: 
A) Strictly necessary cookies
: these are cookies that are required for the operation of a website, such as to enable you to log into secure areas.
B) Performance cookies: these types of cookies recognize and count the number of visitors to a website and are used to see how users move around. This information is used to improve the way the website works.
C) Functionality cookies: these cookies recognize when you return to a website, enable personalized content and recognize and remember your preferences.
D) Targeting cookies: these cookies record your visit to a website, including the individual pages visited and the links followed.

Generally, the strictly necessary cookies and some performance and functionality cookies only last for the duration of your visit to a website or expire when you close the website: these are known as “session cookies”. The functionality cookies and some targeting and performance cookies will last for a longer period of time: these are known as “persistent cookies”. 

By visiting the Website, the Customer consent to the use of session cookies by Act4 in relation to the Website, which are (in the sole consideration of Act4) explicitly needed to browse through the Website and to use the functions thereof (e.g. recording of operations performed by visitor). The validity of such cookies is limited to the current visit of the Customer; such cookies are automatically deleted from the computer upon the end of the working session or by closing the browser. 

Act4.io uses persistent cookies to collect information about your visit to our website, the content you viewed, the links you followed and information about your browser, device, and your IP address. Act4.io sometimes shares some limited aspects of this data with third parties for advertising purposes. We may also share online data collected through cookies with our advertising partners. This means that when you visit another website, you may be shown advertising based on your browsing patterns on our website.

Third party cookies: Some of the persistent and session cookies used by our website may be set by us, and some are set by third parties (e.g. Google, Facebook), who are delivering services on our behalf. For example, we use Google Analytics to track what users do on the website so we can improve the design and functionality. These external service providers (e.g. Google, Facebook) store the data of previous visits of the Customer on the Website by means of cookies, that allows them to display personalized advertisements for the Customer (so-called remarketing activity). To the data processing activities of such external service providers the provisions of their data policies shall apply. Act4’s liability for such data processing is explicitly excluded.

6.4. Blocking cookies: Most browsers, mobile devices and apps automatically accept cookies but, if you prefer, you can change your browser, device or app settings to prevent that or to notify you each time a cookie is set. You can also learn more about cookies by visiting www.allaboutcookies.org which includes additional useful information on cookies and how to block cookies using different types of browser or device. If you object to the collection of your data by Act4 in connection with the use of the Website, you may fully or partially disable the use of the cookies among the settings of the browser or modify the settings of the cookie messages, acknowledging that this may make it more difficult to use the Website.

7. The method and term of using the data collected

7.1. We only process your personal data if it is essential, suitable for and limited to the extent and duration required to the achievement of the purposes set for processing.

Purpose of data processing
- Conclusion, amendment and performance of the contract
- Maintenance and development of the Service
- Identification of the Customer, user or applicant and ensuring the communication
- Establishment and maintenance of a reliable and safe environment, enforcement of claims and rights
- Information used by the payment system, invoicing
- Advertisement, marketing activities
- Conducting the complaint management process, carrying out a request or claim submitted to Act4
- Compliance with legal obligations relating to employment (e.g. informing competent authorities)

Justification of purpose
- Act4 shall use the data collected by it or through third party service providers for the following purposes, to create, modify and conclude the contract. The personal data collected during the use of the Service serves to facilitate and enable the Transaction initiated by the Customer. Act4 uses the Customer's personal data to enable the creation of the contractual background of the Customer’s service order and to facilitate the fulfilment of the contract.
- Act4 shall use the data collected by it or through third-party service providers for the following purposes of maintenance and development of the Service. Act4 shall use the personal data of the Customer to enable the continuous development and improvement of the Services.
- Act4 may use the Customer’s personal data to ensure the identification of the Customer, and for the purposes of effective communication with the Customer, in the course of which Act4 contacts and identifies Customer through their contact data provided. Act4 may use the applicant’s and other data subjects’ personal data in order to identify them and ensure effective communication through the contact data provided.
- Act4 may use the personal data of the Customer to secure the legitimate interests of Customers in the course of the use of Services. In the scope of the above, Act4 shall be entitled to the following activities: the prevention and termination of fraud, spam, misuses and other harmful activities, to perform security investigations and risk analysis, to check and verify the data provided by the Customer.
- During the payment for a Purchase, Act4 authorizes access to and use of the payment services. Act4 is not responsible for the further operation of the Payment Service Provider and does not manage the data contained therein, it has no effect on its operation and data protection settings. Act4 may use Customer’s personal data in order to send receipts and Certificates of Purchases initiated by the Customer.
- Act4 may use the personal data of Customers solely for the following advertisement and marketing activities: to send promotion messages, advertisements, newsletters, other information popularizing the Services via phone or email, to display the sponsored games, surveys, promotion activities and events of Act4 and its cooperating partners.
- Documentation and verification of the conduct of the procedure, the actual examination.
- Compliance with relevant information, reporting obligations and obligations connected to taxation, contributions, etc.

Duration of data processing
- Act4 shall process the personal data during the term of the contractual relationship or in case a contractual relationship has not been established, until the purpose of processing has ceased, or erases them in case further processing of such data is no longer necessary for the purpose of processing. Customer may request for the erasure of his/her data in a letter sent to the act4@nordicwaves.org email address. For the purposes of evidencing in the case of a dispute, the data of the concerned Customer shall be processed during the term of the general limitation period and for five (5) years when the Customer did not process a transaction or seven (7) years after when the Customer has made full use of the Service from the final and binding closure of the dispute.
- The Customer may unsubscribe from advertisement-related communication at any time, through the act4@nordicwaves.org email address. In the absence of such an act, Act4 shall process data for up to a maximum of 5 years.
- Act4 shall process the personal data concerned until the purpose of processing has ceased, or erases them in case further processing of such data is no longer necessary for the purpose of processing. The data shall be stored for 5 years according to consumer protection rules.
- Act4 processes the data for ten (10) years starting from the last day of the calendar year in which employment ends, with the prohibition to discard labor, wage and social security records. Otherwise, the limitation period in labor law is seven (7) years.

8. The persons having access to the data processed, data transfers

8.1. To be able to provide you with undisturbed Services, for quality assurance purposes, as well as to enable the investigation of customer claims and complaints, we might have to transfer your data to third parties. By accepting this Privacy Policy, you give your expressed consent to these data transfers.

8.2. Data transfer may take place in the following cases:

Recipient of data transfer
- Transfer of data to employees
- Transfer of data to Act4’s subcontractors
- Data transfer within the company group
- Data transfer to the payment service providers, invoicing
- Accounting Company
- Law firm
- Publicly displayable information
- Compliance with Laws

Scope of data that may be transferred
- The personal data processed by us shall also be made available to the employees and contracted volunteers of Act4, but only if their access to and processing of personal data is required for the purposes of data processing related to the given data category and only in relation to their employment/volunteering tasks.
- Some of the members of our team are not employees of Act4 and are in a contractual relationship with Act4. The personal data shall also be made available to these subcontractors of Act4, but only if their access to and processing of personal data is required for the purposes of data processing related to the given data category and only in relation to their relevant tasks.
- To the personal data processed by us, Nordic Waves company group shall have access, but only if their access to and processing of personal data is required for the purposes of data processing related to the given data category only in relation to their relevant tasks.
- The payment for orders via Act4 is made through our Payment Service Provider partner. Customer registers his/her data directly in our partner’s system, therefore the actual data categories may differ for each partner Customer uses. Act4 does not have direct access to this data
- Data on employees, contributors and invoicing will be forwarded to our partner providing accounting services.
- All data necessary for the performance of the activity of the law firm shall be forwarded to our legal advisory partner.
- Act4 may only display your information publicly in case you have consented to their disclosure on the social media or other platforms of Act4 or our partners. We never display any information publicly without your explicit consent.
- Except for the cases defined in this section and the case if Act4 is instructed by various authorities to transfer data upon provisions prescribing mandatory data transfer to a specific authority, state or administrative organ and such instruction cannot be lawfully rejected, Act4 may not transfer the personal data provided to it to third parties.

8.3. To be able to provide you with undisturbed Services on the Website, we use the contribution of the following third-party service providers:

Hosting service provider to Act4 upon contractual relationship (Data Processor):
- Webflow, Inc.398 11th Street, 2nd FloorSan Francisco, CA 94103 https://webflow.com/
- Amazon Web Services EMEA SARL38, avenue John F. KennedyL - 1855 Luxembourg https://aws.amazon.com/

8.4. The Data Processor assists Act4 in the smooth operation of the IT infrastructure that facilitates the storage of personal data provided to Act4, Data Processor has no direct access to personal data. We expressly declare that we have no direct or indirect liability with respect to the data processing activity of the Data Processor and the security of personal data in the course thereof; in this regard, the privacy policies and regulations of the Data Processor shall apply.

8.5. One of the Data Processors, Webflow Inc. is located in a country (US) outside the European Economic Area (EEA), where the applicable law does not guarantee the same level of data protection as within the EEA, which results in certain risks related to your data. These risks may include and arise from the fact that there may not be a supervisory authority with the same competence as there are within the EEA, and that certain data subject rights might not be provided for in the US.

In relation to data transfers to the U.S., Webflow Inc. receives personal information pursuant to European Commission–approved Standard Contractual Clauses. Webflow Inc. also has certified its compliance with the EU-U.S. Privacy Shield Framework. We recognize that the Court of Justice of the European Union ruled in July 2020 that a certification under the EU-U.S. Privacy Shield Framework can no longer serve as the basis by which entities subject to the GDPR export personal information to countries whose laws have not been recognized by the European Commission as providing a high level of protection for the information. However, Webflow will continue to honor our obligation to comply with the Privacy Shield Principles with respect to such information.

We have taken necessary actions with this Data Processor, we guarantee that our IT systems uses the highest standards to protect your data, which would provide that your personal data transferred to the US is at low risk. Transfer of personal data to this Data Processor is necessary for the performance of the contract between you and Act4 and by accepting this Privacy Policy you explicitly consent to such transfer.

9. Customer’s rights

9.1. Rights of information, access to data
You can access your personal data which have been collected by us. Please, notify us of any change in your data, at act4@nordicwaves.org. You are responsible for ensuring the up-to-date status of the personal data. In order to protect you, in case of any requests coming concerning your data, we need to verify the person. We do not retain personal data for the sole purpose of being able to react to potential requests.

Act4 shall take appropriate measures to provide you with all information concerning the processing of personal data, in a concise, transparent, comprehensible and easily accessible form, in a clear and comprehensible way. The information is mainly provided electronically on request at the e-mail address act4@nordicwaves.org. Proof of your identity is always required for the information.

Act4 shall, without undue delay, but in any case within one month from the receipt of the request, inform you of the action taken following your request. If necessary, taking into account the complexity of the application and the number of applications, this time limit may be extended by a further two months. Act4 shall inform you of the extension of the deadline, indicating the reasons for the delay, within one month from the receipt of the request.

If Act4 does not take action at your request, it shall inform you without delay, but no later than within one month from the receipt of the request, of the reasons for non-action and that you may lodge a complaint with one of its supervisory authorities and may exercise its right of judicial review.

The first request is free of charge. The second and all additional requests repeatedly filed can be subject to a fee, if the request is related to the same subject or subject matter in the ongoing year, the request is not for information purposes and Act4 legally disregards the rectification, erasure or restriction of the personal data handled on the basis of the repeated application.

9.2. Rectification and erasure
You can ask us to rectify your personal data if necessary or to delete them where the retention of such data infringes the provisions of the related laws and regulations or if they are no longer necessary in relation to the purposes for which they are originally processed. In practice, this means that we may deny erasure of your data in cases where we have legal grounds other than your consent for the processing of those data. For example, we are legally obligated to retain your personal data in case you have carried out a Transaction with Act4. 

9.3. Withdrawal of consent and restriction of processing
The Customer is entitled to withdraw his/her consent given previously to the processing of his/her data. However, the further retention of the personal data is considered to be lawful where it is necessary for the protection of exercising the right of freedom of expression and information, for compliance with a legal obligation, for the performance of a task carried out in the public interest, etc. The processing of personal data is essential until the contractual relationship between Act4 and the Customer is contractually fulfilled.

9.4. Right to object to processing
You still have the right to object against the processing of your personal data considering your individual circumstances even if it is lawfully processed by Act4, for example on grounds of the legitimate interests of the controller or a third party.

9.5. Right to data portability
If you need it, we can provide you with a structured, commonly used and machine-readable format of all of your personal data processed by us and you can transmit those data to another controller.

10. Miscellaneous

10.1. Automated decision making, profiling:
Act4 does not carry out automated decision-making during the processing of the data. 

10.2. Data Protection Officer:
In our standpoint, Act4 is not obliged to appoint a data protection officer, as the main activities do not involve data processing operations that would allow a regular, systematic and high-scale follow-up monitoring of the users; furthermore, Act4 does not process any special categories of personal data or crime-related data which have relevance from criminal law aspect.

10.3. Supervisory organs and other authorities:
The territorial scope of this Privacy Policy may also cover foreign authorities, if the Customers has a registered seat or business site out of Act4’s area of operation, in a foreign country. Our supervisory authority who you can turn to regarding our data processing is: Danish Data Protection Agency (Datatilsynet)Carl Jacobsens Vej 35, 2500 Valby 33 19 32 00dt@datatilsynet.dkForeign data protection authorities may also be involved if you have your location or place of business outside Denmark. You can search the relevant authority here

10.4. Processing of sensitive data
We do not process personal data of our Customers, which are, by their nature, particularly sensitive in relation to fundamental rights and freedoms, merit specific protection as the context of their processing could create significant risks to the fundamental rights and freedoms. We do not process personal data of our Customers revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and we do not carry out processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person's sex life or sexual orientation or criminal data. 

10.5. Processing children’s data: We do not knowingly collect personal information online from children under the age of 18.

11. Personal data breach

11.1. In case of personal data breach, where the incident is likely to pose a high risk to the rights and freedoms of those concerned, we submit the report towards the data protection supervisory authority and as required by the laws and regulations, without undue delay, but in any case, within 72 hours from getting aware of the incident. We have developed internal procedures in case of personal data breach, and personal data breaches are also recorded into a registry. If you are affected by such personal data breach you will also be notified, if the prevailing laws and regulations require so.

11.2. If you detect a threat of personal data breach, we ask to report it immediately via email at act4@nordicwaves.org. Furthermore, in case of personal data breach, you may initiate a court case against Act4.