1
Controller

Name

Vainu. io Software Oy (Business-ID 2557864-2) (hereinafter “Vainu”). All subsidiaries of Vainu Corporation also apply the principles and policies described herein.

Address

PL 220, 00101 Helsinki

Contact Details

info@vainu.io

2

Data Privacy

Officer

Name

Saara Somersalmi

Address

Arkadiankatu 6 D, 00100 Helsinki, Finland

Contact Details (i.e. phone number, email address)

saara@vainu.io

3

Name of Register


The name of the personal data register is Customer Register of Vainu (“hereinafter Register”). Data subjects of the Register are Customers of Vainu and parties who have subscribed the demo version of Vainu’s service (“hereinafter Customers”).  

4

Purposes and legal basis of processing personal data


The main purpose of the register is management of customer relationships.


The personal data of the Customers is processed for the following purposes:

  • Carrying out and administering the customer relationships
  • To create, develop, operate, deliver, and improve products, services, content and advertising
  • Customer communications such as sending notices, communications about purchases and changes to our terms, conditions, and policies
  • Carrying out customer satisfaction surveys and monitoring the results
  • Creating statistics and analytics about customers and
  • Direct marketing based on customer relationship
  • Creation of personal user identification and password mandatory for using the service and administering such prospective client and user

The legal basis for the processing of personal data is performance of a contract and legitimate interest of the controller.


In addition, Vainu’s Service provides to the endusers of our Customers the possibility to link their email or other accounts to the Service. Explicit consent is required from the endusers for this processing. In doing so, we may receive the limited data as explicitly granted by you that we will process in accordance with this policy.


In general, our services are designed in a manner that we do not collect or store all of data to which you may provide us access, but minimize our processing through technology. The purpose is to provide the endusers with automated information concerning the legal entities from the Service they are in contact with through their email or other accounts.


The endusers may at any time disconnect the link between the Service and their email or other accounts at their own will, after which the processing will cease. Vainu does not store the contact details or contents of any emails during the processing,

5

Legitimate interest of the controller


The processing of personal data for marketing purposes based on prior business and/or contractual relationship with Customers is regarded as legitimate interest of the controller.

6

Personal Data Groups


The Register contains the following personal data:


Basic information on the user such as name, title, role, email address, phone number


User credentials such as personal user identification and password, authentication data for integrations, saved searches, permissions, saved reports


ICT and security data such as IP-address, cookies


Historical data such as signup date, last login, other usage data, analytics


Client feedback and marketing data such as chat and other communication with prospects and customers, feedback from customers


Customer specific information such as information received from meetings or phone calls, which is deemed necessary for the administration of customer relationships

7

Regular sources of personal data


Personal data is primarily collected from the signed agreements by Customers and from the data subject or colleague/manager of the data subject. In the registration process, the nature content of collected data depends on information which the Customer/user has submitted. Personal data is also collected directly from the Customers in connection with information received during phone calls, meetings or other collaboration in connection with the administration of the business relationship, which may be added to the register by Vainu employees.


8

Automated Decision-making and Profiling


Data concerning the use of the service by Customers is assessed by Vainu. The purpose is to provide targeted customer content in both when using the software and customer communication (emails, website, software, chat, 1 on 1 communication, recommendations on available features) based on the used features, adaptation of content and customer satisfaction feedback. These procedures include automated profiling.

9

The Recipients of Personal Data


Primary recipient of personal data are employees of Vainu. The controller may disclose the personal data to its group companies, subsidiaries and other third parties based on contractual obligations or authority demands.


Personal information may be shared with companies who provide services such as information processing, maintenance, fulfilling customer orders, delivering services, managing and enhancing customer data, providing customer service, assessing interest in products and services, and conducting customer research or satisfaction surveys.


For the above mentioned purposes, personal data of the Customers can, based on performance of a contract, be disclosed to the following parties:


System vendors and administrators of the servers


Cooperation partners and service providers


Communication platforms such as Slack.

Contact register. Customer data is partly transferred to the internal contact register of Vainu.


In case necessary by law, legal process, litigation, and/or requests from public and governmental authorities, Vainu may disclose your personal information.





10

Transfer of Data outside EU/EAA


In connection with the purposes for processing personal data in the Register, Vainu may tranfer certain information to trusted third parties, which transfer and store the data outside EU/EAA area. Transfer of personal data is secured in accordance with the requirements of the law. Only limited amount of personal data is transferred to Vainu’s service providers, which is necessary for the performance of the tasks in accordance with the service contract in place.   


Vainu will only disclose personal data based on a contract to third parties operating outside EU/EAA, which have taken steps to ensure that adequate data protection arrangements are in place in accordance with the data protection regulation. These may include, but are not limited to, standard contractual clauses provided by the European Commision, Privacy shield compliance and certificate or Data Protection Agreements.

11

Storage Period of Personal Data


Personal data will be stored only as long as and only to the extent that is necessary in relation to the initial and compatible purposes of processing. In any event the personal data is stored in accordance with possible applicable lawful storing period.

Personal data will be stored with the following time period or criteria used to determine that time period: The personal data received based on customer relationship is stored for a period of two (2) years, from the termination of the contract


The controller evaluates the need to store personal data regularly. In addition, the controller performs all possible reasonable measures to ensure that any inaccurate, incorrect or outdated personal data will be deleted or corrected without delay.


12

Data Security principles of Personal Data


Vast majority of the controllers personal data is in electronic form. In case there are physical documents containing personal data, such documentation is destroyed immediately. The servers used by controller are protected by appropriate firewalls and and technical security.


All databases and information systems are accessible only with individual and personal login information (username and password) granted by the controller. The rights to access the database are restricted, so that the information can only be viewed and processed by persons who are legally admitted and required to do so.


The employees of the controller have bound themselves to comply with professional secrecy and concealment regarding the information they receive during the processing of personal information. privacy and security guidelines have been communicated to employees and strictly enforce privacy safeguards within the company.

13

Right of access and right to rectification by Data Subject


Information and access to personal data

Data subject has right to receive information; what data is being collected,

the purposes of the processing for which the personal data are intended as well as the legal basis for the processing and the recipients or categories of recipients of the personal data, if any.


Right of access by the data subject

Data subject shall have the right to obtain from the controller confirmation as to whether or not personal data concerning him or her are being processed, and, where that is the case, access to the personal data. The controller shall provide a copy of the personal data undergoing processing.  Obtaining the copy of personal data shall not adversely affect the rights and freedoms of others.


Right to rectification

Data subject shall have the right to obtain from the controller without undue delay the rectification of inaccurate personal data concerning him or her.


Taking into account the purposes of the processing, data subject shall have the right to have incomplete personal data completed, including by means of providing a supplementary statement. In case there are changes in personal data recorded in the Register, the data subject must notify such changes the controller. The controller is responsible for ratifying data it recognises erroneous itself without delay.


Data used for direct marketing

Data subject has the right to object processing, to the extent that it is related to direct marketing, whether with regard to initial or further processing, at any time and free of charge.


The controller shall communicate any rectification or erasure of personal data or restriction of processing carried out to each recipient to whom the personal data have been disclosed, unless this proves impossible or involves disproportionate effort. The controller shall inform data subject about those recipients if data subject requests it.


The request may be submitted to the following address info@vainu.io.


Request for access to personal data (Article 15), request for rectification (Article 16), and request for restriction of processing (Article 18) may, in addition, be delivered to Data Privacy Officer.

14

Right to erasure


The controller shall have the obligation to erase personal data without undue delay where one of the following grounds applies:

  • personal data that is no longer necessary in relation to the purposes for which they were collected or otherwise processed;
  • data subject withdraws consent on which the processing is based and there is no other legal ground for the processing;
  • personal data have been unlawfully processed;
  • personal data have to be erased for compliance with a legal obligation in Union or Member State law to which the controller is subject;

Despite the request for erasure, the data does need to be erased in case the controller is obliged to process personal data for the establishment, exercise or defense of legal claims.


The controller, taking account of available technology and the cost of implementation, shall take reasonable steps, including technical measures, to inform controllers which are processing the personal data that data subject has requested the erasure by such controllers of any links to those personal data.

15

Right to restriction of processing


Data subject has the right to obtain from the controller restriction of processing where one of the following applies:

  • the processing is unlawful and data subject opposes the erasure of the personal data and requests the restriction of their use instead;
  • the controller no longer needs the personal data for the purposes of the processing, but they are required by data subject for the establishment, exercise or defence of legal claims;

In case data subject has demanded for restriction of processing, the personal data may be processed only based on consent of data subject (excluding storage of data) OR for the establishment, exercise or defense of legal claims OR protect the vital interests of data subject or of another natural person OR to protect vital interest pursuant to Union or Member State law.


Data subject who has obtained restriction of processing shall be informed by the controller before the restriction of processing is lifted, besides if the provision of such information proves impossible or would involve a disproportionate effort.

16

Right to withdraw the consent and and right to object


Data subject shall have the right to withdraw his or her consent at any time. The withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal.


The right to object shall not apply when processing of personal data is necessary for the performance of a contract or when processing is necessary for compliance with a legal obligation.


Data subject is obliged to object processing of personal data when the lawfulness of the processing is based on the controller’s legitimate interest

17

Right to Data

Portability

When the processing is based on consent or on a contract:

  • Data subject shall have the right to receive the personal data concerning him or her, which he or she has provided to a controller, in a structured, commonly used and machine-readable format and have
  • In case technically appropriate and not disproportionate for the controller, data subject has right to transmit those data to another controller without hindrance from the controller to which the personal data have been provided. Transmission of data shall not adversely affect the rights and freedoms of others.

18

Right to lodge a complaint to

supervisory

authority


Data subject has a right to lodge a complaint with a supervisory authority, in case data subject considers that the processing of personal data violates the relevant data protection legislation in force. The national supervisory authority is Data Protection Ombudsman.


Data Protection Ombudsman

Visiting address: Ratapihantie 9, 6th floor

00520 Helsinki

FINLAND


Postal address:

P.O. Box 800

00521 Helsinki

FINLAND


Telephone exchange: +358 29 56 66700

E-mail: tietosuoja@om.fi