Zefort customer register
Name: Aivan Innovations Oy (Business-ID 2855757-2) (hereinafter “Aivan”).
Address: Kairiskulmantie 12, 4th floor, 20760 Kaarina, Finland
Contact Details: firstname.lastname@example.org
2. Data Privacy Officer
Name: Ville Laurikari
Address: Kairiskulmantie 12, 4th floor, 20760 Kaarina, Finland
Contact Details: email@example.com
3. Name of Register
The name of the personal data register is Customer Register of Aivan (“hereinafter Register”). Data subjects of the Register are Customers of Aivan and parties who have subscribed the demo version of Aivan’s service (“hereinafter Customers”).
4. Purposes and legal basis of processing personal data
The main purpose of the register is management of customer relationships.
The personal data of the Customers is processed for the following purposes:
- Carrying out and administering the customer relationships
- To create, develop, operate, deliver, and improve products, services, content and advertising
- Customer communications such as sending notices, communications about purchases and changes to our terms, conditions, and policies
- Carrying out customer satisfaction surveys and monitoring the results
- Creating statistics and analytics about customers and
- Direct marketing based on customer relationship
- Creation of personal user identification and password mandatory for using the service and administering such prospective client and user
The legal basis for the processing of personal data is performance of a contract and legitimate interest of the controller.
5. Legitimate interest of the controller
The processing of personal data for marketing purposes based on prior business and/or contractual relationship with Customers is regarded as legitimate interest of the controller.
6. Personal Data Groups
The Register contains the following personal data:
Basic information on the user such as name, title, role, email address, phone number
User credentials such as personal user identification and password, authentication data for integrations, saved searches, permissions, saved reports
ICT and security data such as IP-address, cookies
Historical data such as signup date, last login, other usage data, analytics
Client feedback and marketing data such as chat and other communication with prospects and customers, feedback from customers
Customer specific information such as information received from meetings or phone calls, which is deemed necessary for the administration of customer relationships
7. Regular sources of personal data
Personal data is primarily collected from the signed agreements by Customers and from the data subject or colleague/manager of the data subject. In the registration process, the nature content of collected data depends on information which the Customer/user has submitted. Personal data is also collected directly from the Customers in connection with information received during phone calls, meetings or other collaboration in connection with the administration of the business relationship, which may be added to the register by Aivan employees.
8. Automated Decision-making and Profiling
Data concerning the use of the service by Customers is assessed by Aivan. The purpose is to provide targeted customer content in both when using the software and customer communication (emails, website, software, chat, 1 on 1 communication, recommendations on available features) based on the used features, adaptation of content and customer satisfaction feedback. These procedures include automated profiling.
9. The Recipients of Personal Data
Primary recipient of personal data are employees of Aivan. The controller may disclose the personal data to its group companies, subsidiaries and other third parties based on contractual obligations or authority demands.
Personal information may be shared with companies who provide services such as information processing, maintenance, fulfilling customer orders, delivering services, managing and enhancing customer data, providing customer service, assessing interest in products and services, and conducting customer research or satisfaction surveys.
For the above mentioned purposes, personal data of the Customers can, based on performance of a contract, be disclosed to the following parties:
System vendors and administrators of the servers
Cooperation partners and service providers
Communication platforms such as Slack.
Contact register. Customer data is partly transferred to the internal contact register of Aivan.
In case necessary by law, legal process, litigation, and/or requests from public and governmental authorities, Aivan may disclose your personal information.
10. Transfer of Data outside EU/EAA
In connection with the purposes for processing personal data in the Register, Aivan may transfer certain information to trusted third parties, which transfer and store the data outside EU/EAA area. Transfer of personal data is secured in accordance with the requirements of the law. Only limited amount of personal data is transferred to Aivan’s service providers, which is necessary for the performance of the tasks in accordance with the service contract in place.
Aivan will only disclose personal data based on a contract to third parties operating outside EU/EAA, which have taken steps to ensure that adequate data protection arrangements are in place in accordance with the data protection regulation. These may include, but are not limited to, standard contractual clauses provided by the European Commision, Privacy shield compliance and certificate or Data Protection Agreements.
11. Storage Period of Personal Data
Personal data will be stored only as long as and only to the extent that is necessary in relation to the initial and compatible purposes of processing. In any event the personal data is stored in accordance with possible applicable lawful storing period.
Personal data will be stored with the following time period or criteria used to determine that time period: The personal data received based on customer relationship is stored for a period of two (2) years, from the termination of the contract
The controller evaluates the need to store personal data regularly. In addition, the controller performs all possible reasonable measures to ensure that any inaccurate, incorrect or outdated personal data will be deleted or corrected without delay.
Vast majority of the controllers personal data is in electronic form. In case there are physical documents containing personal data, such documentation is destroyed immediately. The servers used by controller are protected by appropriate firewalls and and technical security.
12. Data Security principles of Personal Data
All databases and information systems are accessible only with individual and personal login information (username and password) granted by the controller. The rights to access the database are restricted, so that the information can only be viewed and processed by persons who are legally admitted and required to do so.
The employees of the controller have bound themselves to comply with professional secrecy and concealment regarding the information they receive during the processing of personal information. privacy and security guidelines have been communicated to employees and strictly enforce privacy safeguards within the company.
13. Right of access and right to rectification by Data Subject
Information and access to personal data
Data subject has right to receive information; what data is being collected,
the purposes of the processing for which the personal data are intended as well as the legal basis for the processing and the recipients or categories of recipients of the personal data, if any.
Right of access by the data subject
Data subject shall have the right to obtain from the controller confirmation as to whether or not personal data concerning him or her are being processed, and, where that is the case, access to the personal data. The controller shall provide a copy of the personal data undergoing processing. Obtaining the copy of personal data shall not adversely affect the rights and freedoms of others.
Right to rectification
Data subject shall have the right to obtain from the controller without undue delay the rectification of inaccurate personal data concerning him or her.
Taking into account the purposes of the processing, data subject shall have the right to have incomplete personal data completed, including by means of providing a supplementary statement. In case there are changes in personal data recorded in the Register, the data subject must notify such changes the controller. The controller is responsible for ratifying data it recognizes erroneous itself without delay.
Data used for direct marketing
Data subject has the right to object processing, to the extent that it is related to direct marketing, whether with regard to initial or further processing, at any time and free of charge.
The controller shall communicate any rectification or erasure of personal data or restriction of processing carried out to each recipient to whom the personal data have been disclosed, unless this proves impossible or involves disproportionate effort. The controller shall inform data subject about those recipients if data subject requests it.
The request may be submitted to the following address firstname.lastname@example.org.
Request for access to personal data (Article 15), request for rectification (Article 16), and request for restriction of processing (Article 18) may, in addition, be delivered to Data Privacy Officer.
14. Right to erasure
The controller shall have the obligation to erase personal data without undue delay where one of the following grounds applies:
- personal data that is no longer necessary in relation to the purposes for which they were collected or otherwise processed;
- data subject withdraws consent on which the processing is based and there is no other legal ground for the processing;
- personal data have been unlawfully processed;
- personal data have to be erased for compliance with a legal obligation in Union or Member State law to which the controller is subject;
Despite the request for erasure, the data does need to be erased in case the controller is obliged to process personal data for the establishment, exercise or defense of legal claims.
The controller, taking account of available technology and the cost of implementation, shall take reasonable steps, including technical measures, to inform controllers which are processing the personal data that data subject has requested the erasure by such controllers of any links to those personal data.
15. Right to restriction of processing
Data subject has the right to obtain from the controller restriction of processing where one of the following applies:
- the processing is unlawful and data subject opposes the erasure of the personal data and requests the restriction of their use instead;
- the controller no longer needs the personal data for the purposes of the processing, but they are required by data subject for the establishment, exercise or defence of legal claims;
In case data subject has demanded for restriction of processing, the personal data may be processed only based on consent of data subject (excluding storage of data) OR for the establishment, exercise or defense of legal claims OR protect the vital interests of data subject or of another natural person OR to protect vital interest pursuant to Union or Member State law.
Data subject who has obtained restriction of processing shall be informed by the controller before the restriction of processing is lifted, besides if the provision of such information proves impossible or would involve a disproportionate effort.
16. Right to withdraw the consent and and right to object
Data subject shall have the right to withdraw his or her consent at any time. The withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal.
The right to object shall not apply when processing of personal data is necessary for the performance of a contract or when processing is necessary for compliance with a legal obligation.
Data subject is obliged to object processing of personal data when the lawfulness of the processing is based on the controller’s legitimate interest
17. Right to Data Portability
When the processing is based on consent or on a contract:
- Data subject shall have the right to receive the personal data concerning him or her, which he or she has provided to a controller, in a structured, commonly used and machine-readable format and have
- In case technically appropriate and not disproportionate for the controller, data subject has right to transmit those data to another controller without hindrance from the controller to which the personal data have been provided. Transmission of data shall not adversely affect the rights and freedoms of others.
18. Right to lodge a complaint to supervisory
Data subject has a right to lodge a complaint with a supervisory authority, in case data subject considers that the processing of personal data violates the relevant data protection legislation in force. The national supervisory authority is Data Protection Ombudsman.
Data Protection Ombudsman
Visiting address: Ratapihantie 9, 6th floor
P.O. Box 800
Telephone exchange: +358 29 56 66700