Data privacy statement

This Statement was last updated 10th April 2024.

Your privacy is important to us, and we are committed to protecting the personal information that you may provide to us. This Privacy Statement (hereinafter “Statement”) explains what information we may collect of our customers, potential customers, website users, as well as to describe the conditions under which we process personal data to ensure that the legal requirements for the protection of personal data and privacy of data subjects are met.

This privacy statement is prepared by Aivan Innovations Oy (“Zefort“ or “us”), and it is drafted in accordance with the requirements set by the EU General Data Protection Regulation (2016/67) (GDPR). For the purpose of this Statement, the term “person” refers to all natural persons whose personal data are included in the Customer and Marketing Register of Zefort.

The Services supplied by Zefort enable contract lifecycle management, electronic agreement signing and verification, sending agreements to your contracting parties for signature, archiving agreements and utilizing electronic forms.

When Zefort offers its Services, it has two roles within the framework of GDPR:

a) Zefort as a data controller in relation to its customers and its website users
Zefort acts as the Data Controller as intended by the GDPR when it processes its customers’ personal data, as well as the data of its website users, for its own purposes in a way that this personal data forms the customer and marketing register of Zefort.

b) Zefort as a data processor in relation to the personal data that the customer has added to Zefort's services

Zefort offers contract management services and electronic signature services, where the customer can add personal data of others. Zefort acts as the data processor as intended by the GDPR when it processes personal data on behalf of the customer, i.e. personal data that the customer has added to the service of Zefort. In this processing situation, the customer acts as the Data Controller as intended by the GDPR, and if you, as an end user, have questions about how personal data is processed, the controller must be contacted.

The processing operations of Zefort regarding situations where Zefort acts as the data processor are described in section 12 of this Statement.

It is of paramount importance to us that you can rely on the secure processing of your data. We encourage you to read this Statement and contact us if you have any questions.

1. Controller

Aivan Innovations Oy

Business ID: 2855757-2

Kairiskulmantie 12, 4th floor

FI-20760 Kaarina

Finland

2. Contact information

Contact Us: privacy@zefort.com

Data Privacy Officer:

Ville Laurikari, ville@zefort.com

3. The categories of the data subjects

In this Statement, data subjects refer to the following categories:

  • Customers as well as contact persons of our customer companies
  • Potential customers as well as contact persons of our potential customer companies
  • Users of our website
  • Contact persons of our co-operation partners such as the personnel of our subcontractors as well as of our service, system, and product providers

4. Legal basis and the purposes of processing personal data

The processing of personal data of our customers is based on a contract concluded between us. The processing of personal data of potential customers and website users, on the other hand, is Zefort’s legitimate interest and/or consent provided by the data subject. A data subject has the right to withdraw his or her consent at any time, for example by using the unsubscribe link at the bottom of each email that is sent to the data subject.

Processing of personal data will be limited to what is justifiable to provide our website users with improved experience when browsing at our website, and to what is deemed necessary for Zefort in carrying out its business and improving its services, provided that these interests are not outweighed by the data subjects’ rights and interests.

Personal data may be processed for following purposes: managing and maintaining customer relationships; gaining customer loyalty; improving the customer experience; providing customer service; delivering newsletters and blog notifications; administering campaigns; direct marketing (if the person has given consent); organizing events and providing information regarding them; improving Zefort’s operations and services; operational management, administration, analysis, categorization and development of a person’s data; statistical analyses; development and reporting related to the business operations; handing job applications and completing the recruitment process; prevention of abuse; fulfilling the obligations based on law and orders of the authorities

5. Regular sources of Personal Data

Zefort collects personal data primarily from the person themselves or from the company with which Zefort has a contract with.

6. Content of Personal Data in the Register

The Register may contain the following personal data:

Basic information, such as

  • Name
  • E-mail address
  • Phone number
  • Postal address
  • Country
  • Profession
  • The company/organization represented
  • Title and position in an organization

Data related to website visits, such as

  • IP address and cookies
  • Website actions, e.g. sent forms, visiting time, web page usage

Other data, such as

  • Person’s direct marketing permissions and prohibitions
  • Chat discussions and information on contact with our customer service
  • Person’s activity (submission of reviews, information on received/opened e-mails from Zefort)

7. Transfers and disclosures of personal data

The data that Zefort processes may be transferred to third parties we use as service providers or subcontractors. We use trusted contractors with whom our contracts take into account the requirements of the GDPR and other applicable legislation. Zefort ensures a high level of data security and protection when transferring data in accordance with the GDPR.

The information may also be disclosed to a third party during a negotiation of any merger or acquisition and the receiving party has undertaken to follow non-disclosure liabilities with respect to the disclosed information. Only necessary personal data is shared with these third parties.

Zefort does not process or transfer personal data to a third country operating outside the EU/EEA.

Personal Data may be disclosed to authorities in cases required by the mandatory local legislation or court order. Data may also be disclosed if the disclosure is permitted by applicable law, regulation or agreement or consented by the Participant.

The list of data Sub-processors is at Zefort.com website Security & Compliance | Zefort.

8. Retention of Personal Data

Personal data will be stored only as long as and only to the extent that is necessary in relation to the initial and compatible purposes of processing. When such requirements no longer exist, personal data will be deleted. Zefort will keep up to date internal policies regarding the erasure of such personal data from the Register.

In any event the personal data is stored in accordance with possible applicable lawful storing period.

Zefort evaluates the need to store personal data regularly. In addition, Zefort performs all possible reasonable measures to ensure that any inaccurate, incorrect or outdated personal data will be deleted or corrected without delay.

9. Data Protection Principles

The information security of personal data and processing and confidentiality, integrity and usability are ensured with appropriate technical and administrative measures in accordance with Zefort’s information security principles.

Vast majority of Zefort’s personal data is in electronic form. In case there are physical documents containing personal data, such documentation is destroyed immediately in a secure way. The servers used by Zefort are protected by appropriate firewalls and technical security.

All databases and information systems are accessible only with individual and personal login information (username and password) granted by Zefort. The rights to access the database are restricted, so that the information can only be viewed and processed by persons who are legally admitted and required to do so.

The employees of Zefort have bound themselves to comply with professional secrecy and concealment regarding the information they receive during the processing of personal information. Privacy and security guidelines have been communicated to employees and Zefort shall strictly enforce privacy safeguards within the company. The employees of Zefort have received comprehensive training and instructions related to the appropriate processing of personal data.

If, despite all the security measures, a personal data breach including negative effects on the data subjects’ privacy takes place, we will notify the authorities as well as the data subjects concerned in accordance with the applicable legislation.

10. Rights of the Data Subject

Data Subjects have the following rights concerning the information what has been recorded into the Register:

Information and access to personal data

Data subject has the right to receive information; what data is being collected, the purposes of the processing for which the personal data are intended as well as the legal basis for the processing and the recipients or categories of recipients of the personal data, if any.

Right of access by the data subject

Data subject has the right to obtain a confirmation from Zefort as to whether or not personal data concerning him or her are being processed, and, where that is the case, access to the personal data. If a request is made by the data subject, Zefort will provide a copy of the personal data undergoing processing. Obtaining the copy of personal data shall not adversely affect the rights and freedoms of others.

Right to rectification

Data subject shall have the right to obtain from Zefort, without undue delay, the rectification of inaccurate personal data concerning him or her.

Taking into account the purposes of the processing, data subject shall have the right to have incomplete personal data completed, including by means of providing a supplementary statement. In case there are changes in personal data recorded in the Register, the data subject must notify such changes to Zefort. In addition, Zefort is responsible for ratifying data it recognizes erroneous itself without delay.

Data used for direct marketing

Data subject has the right to object processing, to the extent that it is related to direct marketing, whether with regard to initial or further processing, at any time and free of charge.

Zefort shall communicate any rectification or erasure of personal data or restriction of processing carried out to each recipient to whom the personal data have been disclosed, unless this proves impossible or involves disproportionate effort. Zefort will inform the data subject about those recipients if the data subject requests it.

Right to erasure

Data subject has the right to request erasure of personal data in the Register, if the legal basis for processing of personal data has ceased. Despite the request for erasure, the data may not be erased if Zefort is obliged to process personal data for the establishment, exercise or defense of legal claims.

Right to data portability

Data subjects have the right to receive personal data concerning him or her, which he or she has provided to Zefort, in a structured, commonly used and machine-readable format and it is deemed technically appropriate and not disproportionate for Zefort, the right to transmit the data to another controller.

Contact details for requests

All requests concerning the exercise of data subjects’ rights may be submitted primarily to the following address privacy@zefort.com.

Request for access to personal data (Article 15), request for rectification (Article 16), and request for restriction of processing (Article 18) may, in addition, be delivered to the Data Privacy Officer mentioned above.

You may also lodge a complaint to the supervisory authority, if you consider that the processing of personal data violates the relevant data protection legislation in force. The national supervisory authority in Finland is Data Protection Ombubsman (tietosuoja@om.fi).

11. ISO 27001 Certification: Ensuring Your Information Security

At Zefort, we prioritize the safeguarding of your information, and we are proud to announce our ISO 27001 certification, a globally recognized standard for information security management. This certification underscores our unwavering commitment to protecting the confidentiality, integrity, and availability of your data. Achieving ISO 27001 certification involves rigorous assessment of our information security practices, demonstrating our adherence to international best practices. This certification is not merely a milestone but an ongoing commitment to continuous improvement. We believe in transparency, and you can verify the authenticity of our ISO 27001 certification from Security & Compliance | Zefort.

12. Zefort’s operations of processing personal data added by the customer to the Service of Zefort

As the Data Controller, the customer decides the purposes and means of processing the personal data they have added to the Service of Zefort. The customer is obliged to ensure that there is a legal basis for the processing of personal data in accordance with the GDPR. Zefort does not process personal data added by the customer for any other reason or in any other way than based on the agreement between Zefort and the customer.

Zefort processes personal data added by the customer to Zefort’s Services only as long as Zefort and the customer have a valid agreement for the use of the Services. After the termination of the agreement, Zefort shall delete all personal data and other customer data, or if requested in writing within thirty (30) days from termination by the customer, return them to the customer, and delete existing copies of it, unless the applicable legislation requires Zefort to store the personal data.

The rights and obligations of the data controller (customer) and data processor (Zefort) are set out in more detail in Zefort’s Personal Data Processing Annex, which is an integral and inseparable part of Zefort’s General Terms and Conditions. An updated version of the Personal Data Processing Annex is available at is available here.

13. Use of cookies and related technology

With the cookies Zefort can collect information about a person’s usage of the internet and online service in general. With this information we can improve our website and the services to meet the needs of website users such as offer services targeted more accurately to a person’s liking, e.g. by saving your favorites and by identifying you every time you return to our site. Cookies may be disabled from a person’s browser. Please note that disabling cookies can prevent you from using some content/services on our website.

Zefort may use other technologies or third party analytical software to collect and use certain non-personal data that does not enable Zefort to identify the person. Zefort may use such non-personal data for purposes of analysing usage of the websites and services, and managing, providing and further developing the websites and services.

Non-personal data may include general, aggregated or demographic information. It will not be linked to any personal information, through cookies or other means, without a person's consent. This type of anonymous, aggregated profiling and session data may include information that the person has provided to Zefort through the use of the websites, services or products, or taking a part in surveys, polls, etc. However, it will not be tied to any personal information, without the person’s consent.

14. Changes to privacy statement

We monitor changes in data protection legislation and want to continuously improve our business. Therefore, we reserve the right to change or update this Statement as necessary.