Data privacy statement

This Statement was last updated 10th April 2024.

Your privacy is important to us, and we are committed to protecting the personal information that you may provide to us. This Privacy Statement (hereinafter “Statement”) explains what information we may collect of our customers, potential customers, website users, as well as to describe the conditions under which we process personal data to ensure that the legal requirements for the protection of personal data and privacy of data subjects are met.

This privacy statement is prepared by Aivan Innovations Oy (“Zefort“ or “us”), and it is drafted in accordance with the requirements set by the EU General Data Protection Regulation (2016/67) (GDPR). For the purpose of this Statement, the term “person” refers to all natural persons whose personal data are included in the Customer and Marketing Register of Zefort.

The Services supplied by Zefort enable contract lifecycle management, electronic agreement signing and verification, sending agreements to your contracting parties for signature, archiving agreements and utilizing electronic forms.

When Zefort offers its Services, it has two roles within the framework of GDPR:

a) Zefort as a data controller in relation to its customers and its website users
Zefort acts as the Data Controller as intended by the GDPR when it processes its customers’ personal data, as well as the data of its website users, for its own purposes in a way that this personal data forms the customer and marketing register of Zefort.

b) Zefort as a data processor in relation to the personal data that the customer has added to Zefort's services

Zefort offers contract management services and electronic signature services, where the customer can add personal data of others. Zefort acts as the data processor as intended by the GDPR when it processes personal data on behalf of the customer, i.e. personal data that the customer has added to the service of Zefort. In this processing situation, the customer acts as the Data Controller as intended by the GDPR, and if you, as an end user, have questions about how personal data is processed, the controller must be contacted.

The processing operations of Zefort regarding situations where Zefort acts as the data processor are described in section 12 of this Statement.

It is of paramount importance to us that you can rely on the secure processing of your data. We encourage you to read this Statement and contact us if you have any questions.

1. Controller

Aivan Innovations Oy

Business ID: 2855757-2

Kairiskulmantie 12, 4th floor

FI-20760 Kaarina

Finland

2. Contact information

Data Privacy Officer:

Ville Laurikari, ville@zefort.com

3. The categories of the data subjects

In this Statement, data subjects refer to the following categories:

Customers as well as contact persons of our customer companies
Potential customers as well as contact persons of our potential customer companies
Users of our website
Contact persons of our co-operation partners such as the personnel of our subcontractors as well as of our service, system, and product providers

4. Legal basis and the purposes of processing personal data

The processing of personal data of our customers is based on a contract concluded between us. The processing of personal data of potential customers and website users, on the other hand, is Zefort’s legitimate interest and/or consent provided by the data subject. A data subject has the right to withdraw his or her consent at any time, for example by using the unsubscribe link at the bottom of each email that is sent to the data subject.

Processing of personal data will be limited to what is justifiable to provide our website users with improved experience when browsing at our website, and to what is deemed necessary for Zefort in carrying out its business and improving its services, provided that these interests are not outweighed by the data subjects’ rights and interests.

Personal data may be processed for following purposes: managing and maintaining customer relationships; gaining customer loyalty; improving the customer experience; providing customer service; delivering newsletters and blog notifications; administering campaigns; direct marketing (if the person has given consent); organizing events and providing information regarding them; improving Zefort’s operations and services; operational management, administration, analysis, categorization and development of a person’s data; statistical analyses; development and reporting related to the business operations; handing job applications and completing the recruitment process; prevention of abuse; fulfilling the obligations based on law and orders of the authorities

5. Regular sources of Personal Data

Zefort collects personal data primarily from the person themselves or from the company with which Zefort has a contract with.

6. Content of Personal Data in the Register

The Register may contain the following personal data:

Basic information, such as

Name
E-mail address
Phone number
Postal address
Country
Profession
The company/organization represented
Title and position in an organization

Data related to website visits, such as

IP address and cookies
Website actions, e.g. sent forms, visiting time, web page usage

Other data, such as

Person’s direct marketing permissions and prohibitions
Chat discussions and information on contact with our customer service
Person’s activity (submission of reviews, information on received/opened e-mails from Zefort)

7. Transfers and disclosures of personal data

The data that Zefort processes may be transferred to third parties we use as service providers or subcontractors. We use trusted contractors with whom our contracts take into account the requirements of the GDPR and other applicable legislation. Zefort ensures a high level of data security and protection when transferring data in accordance with the GDPR.

The information may also be disclosed to a third party during a negotiation of any merger or acquisition and the receiving party has undertaken to follow non-disclosure liabilities with respect to the disclosed information. Only necessary personal data is shared with these third parties.

Zefort does not process or transfer personal data to a third country operating outside the EU/EEA.

Personal Data may be disclosed to authorities in cases required by the mandatory local legislation or court order. Data may also be disclosed if the disclosure is permitted by applicable law, regulation or agreement or consented by the Participant.

The list of data Sub-processors is at Zefort.com website Security & Compliance | Zefort.

8. Retention of Personal Data

Personal data will be stored only as long as and only to the extent that is necessary in relation to the initial and compatible purposes of processing. When such requirements no longer exist, personal data will be deleted. Zefort will keep up to date internal policies regarding the erasure of such personal data from the Register.

In any event the personal data is stored in accordance with possible applicable lawful storing period.

Zefort evaluates the need to store personal data regularly. In addition, Zefort performs all possible reasonable measures to ensure that any inaccurate, incorrect or outdated personal data will be deleted or corrected without delay.

9. Data Protection Principles

The information security of personal data and processing and confidentiality, integrity and usability are ensured with appropriate technical and administrative measures in accordance with Zefort’s information security principles.

Vast majority of Zefort’s personal data is in electronic form. In case there are physical documents containing personal data, such documentation is destroyed immediately in a secure way. The servers used by Zefort are protected by appropriate firewalls and technical security.

All databases and information systems are accessible only with individual and personal login information (username and password) granted by Zefort. The rights to access the database are restricted, so that the information can only be viewed and processed by persons who are legally admitted and required to do so.

The employees of Zefort have bound themselves to comply with professional secrecy and concealment regarding the information they receive during the processing of personal information. Privacy and security guidelines have been communicated to employees and Zefort shall strictly enforce privacy safeguards within the company. The employees of Zefort have received comprehensive training and instructions related to the appropriate processing of personal data.

If, despite all the security measures, a personal data breach including negative effects on the data subjects’ privacy takes place, we will notify the authorities as well as the data subjects concerned in accordance with the applicable legislation.

10. Rights of the Data Subject

Data Subjects have the following rights concerning the information what has been recorded into the Register:

Information and access to personal data

Data subject has the right to receive information; what data is being collected, the purposes of the processing for which the personal data are intended as well as the legal basis for the processing and the recipients or categories of recipients of the personal data, if any.

Right of access by the data subject

Data subject has the right to obtain a confirmation from Zefort as to whether or not personal data concerning him or her are being processed, and, where that is the case, access to the personal data. If a request is made by the data subject, Zefort will provide a copy of the personal data undergoing processing. Obtaining the copy of personal data shall not adversely affect the rights and freedoms of others.

Right to rectification

Data subject shall have the right to obtain from Zefort, without undue delay, the rectification of inaccurate personal data concerning him or her.

Taking into account the purposes of the processing, data subject shall have the right to have incomplete personal data completed, including by means of providing a supplementary statement. In case there are changes in personal data recorded in the Register, the data subject must notify such changes to Zefort. In addition, Zefort is responsible for ratifying data it recognizes erroneous itself without delay.

Data used for direct marketing

Data subject has the right to object processing, to the extent that it is related to direct marketing, whether with regard to initial or further processing, at any time and free of charge.

Zefort shall communicate any rectification or erasure of personal data or restriction of processing carried out to each recipient to whom the personal data have been disclosed, unless this proves impossible or involves disproportionate effort. Zefort will inform the data subject about those recipients if the data subject requests it.

Right to erasure

Data subject has the right to request erasure of personal data in the Register, if the legal basis for processing of personal data has ceased. Despite the request for erasure, the data may not be erased if Zefort is obliged to process personal data for the establishment, exercise or defense of legal claims.

Right to data portability

Data subjects have the right to receive personal data concerning him or her, which he or she has provided to Zefort, in a structured, commonly used and machine-readable format and it is deemed technically appropriate and not disproportionate for Zefort, the right to transmit the data to another controller.

Contact details for requests

All requests concerning the exercise of data subjects’ rights may be submitted primarily to the following address privacy@zefort.com.

Request for access to personal data (Article 15), request for rectification (Article 16), and request for restriction of processing (Article 18) may, in addition, be delivered to the Data Privacy Officer mentioned above.

You may also lodge a complaint to the supervisory authority, if you consider that the processing of personal data violates the relevant data protection legislation in force. The national supervisory authority in Finland is Data Protection Ombubsman (tietosuoja@om.fi).

11. ISO 27001 Certification: Ensuring Your Information Security

At Zefort, we prioritize the safeguarding of your information, and we are proud to announce our ISO 27001 certification, a globally recognized standard for information security management. This certification underscores our unwavering commitment to protecting the confidentiality, integrity, and availability of your data. Achieving ISO 27001 certification involves rigorous assessment of our information security practices, demonstrating our adherence to international best practices. This certification is not merely a milestone but an ongoing commitment to continuous improvement. We believe in transparency, and you can verify the authenticity of our ISO 27001 certification from Security & Compliance | Zefort.

12. Zefort’s operations of processing personal data added by the customer to the Service of Zefort

As the Data Controller, the customer decides the purposes and means of processing the personal data they have added to the Service of Zefort. The customer is obliged to ensure that there is a legal basis for the processing of personal data in accordance with the GDPR. Zefort does not process personal data added by the customer for any other reason or in any other way than based on the agreement between Zefort and the customer.

Zefort processes personal data added by the customer to Zefort’s Services only as long as Zefort and the customer have a valid agreement for the use of the Services. After the termination of the agreement, Zefort shall delete all personal data and other customer data, or if requested in writing within thirty (30) days from termination by the customer, return them to the customer, and delete existing copies of it, unless the applicable legislation requires Zefort to store the personal data.

The rights and obligations of the data controller (customer) and data processor (Zefort) are set out in more detail in Zefort’s Personal Data Processing Annex, which is an integral and inseparable part of Zefort’s General Terms and Conditions. An updated version of the Personal Data Processing Annex is available at is available here.

13. Use of cookies and related technology

With the cookies Zefort can collect information about a person’s usage of the internet and online service in general. With this information we can improve our website and the services to meet the needs of website users such as offer services targeted more accurately to a person’s liking, e.g. by saving your favorites and by identifying you every time you return to our site. Cookies may be disabled from a person’s browser. Please note that disabling cookies can prevent you from using some content/services on our website.

Zefort may use other technologies or third party analytical software to collect and use certain non-personal data that does not enable Zefort to identify the person. Zefort may use such non-personal data for purposes of analysing usage of the websites and services, and managing, providing and further developing the websites and services.

Non-personal data may include general, aggregated or demographic information. It will not be linked to any personal information, through cookies or other means, without a person's consent. This type of anonymous, aggregated profiling and session data may include information that the person has provided to Zefort through the use of the websites, services or products, or taking a part in surveys, polls, etc. However, it will not be tied to any personal information, without the person’s consent.

14. Changes to privacy statement

We monitor changes in data protection legislation and want to continuously improve our business. Therefore, we reserve the right to change or update this Statement as necessary.

Cookie	Duration	Description
cookielawinfo-checkbox-advertisement	1 year	Set by the GDPR Cookie Consent plugin, this cookie is used to record the user consent for the cookies in the "Advertisement" category .
cookielawinfo-checkbox-analytics	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Analytics".
cookielawinfo-checkbox-functional	11 months	The cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Functional".
cookielawinfo-checkbox-necessary	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Necessary".
cookielawinfo-checkbox-others	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Other.
cookielawinfo-checkbox-performance	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Performance".
viewed_cookie_policy	11 months	The cookie is set by the GDPR Cookie Consent plugin and is used to store whether or not user has consented to the use of cookies. It does not store any personal data.

Cookie	Duration	Description
bcookie	2 years	LinkedIn sets this cookie from LinkedIn share buttons and ad tags to recognize browser ID.
lang	session	This cookie is used to store the language preferences of a user to serve up content in that stored language the next time user visit the website.
lidc	1 day	LinkedIn sets the lidc cookie to facilitate data center selection.

Cookie	Duration	Description
_ga	2 years	The _ga cookie, installed by Google Analytics, calculates visitor, session and campaign data and also keeps track of site usage for the site's analytics report. The cookie stores information anonymously and assigns a randomly generated number to recognize unique visitors.
_gat_UA-100866936-1	1 minute	A variation of the _gat cookie set by Google Analytics and Google Tag Manager to allow website owners to track visitor behaviour and measure site performance. The pattern element in the name contains the unique identity number of the account or website it relates to.
_gcl_au	3 months	Provided by Google Tag Manager to experiment advertisement efficiency of websites using their services.
_gid	1 day	Installed by Google Analytics, _gid cookie stores information on how visitors use a website, while also creating an analytics report of the website's performance. Some of the data that are collected include the number of visitors, their source, and the pages they visit anonymously.
_lfa	2 years	This cookie is set by the provider Leadfeeder to identify the IP address of devices visiting the website, in order to retarget multiple users routing from the same IP address.
CONSENT	2 years	YouTube sets this cookie via embedded youtube-videos and registers anonymous statistical data.

Cookie	Duration	Description
__adroll	1 year 1 month	This cookie is set by AdRoll to identify users across visits and devices. It is used by real-time bidding for advertisers to display relevant advertisements.
__adroll_fpc	1 year	AdRoll sets this cookie to target users with advertisements based on their browsing behaviour.
__adroll_shared	1 year 1 month	Adroll sets this cookie to collect information on users across different websites for relevant advertising.
__ar_v4	1 year	This cookie is set under the domain DoubleClick, to place ads that point to the website in Google search results and to track conversion rates for these ads.
_fbp	3 months	This cookie is set by Facebook to display advertisements when either on Facebook or on a digital platform powered by Facebook advertising, after visiting the website.
_opt_expid	past	Set by Google Analytics, this cookie is created when running a redirect experiment. It stores the experiment ID, the variant ID and the referrer to the page that is being redirected.
anj	3 months	AppNexus sets the anj cookie that contains data stating whether a cookie ID is synced with partners.
B	1 year	This Cookie is used by Yahoo to anonymously store data related to user's visits, such as the number of visits, average time spent on the website and what pages have been loaded. This data helps to customize website content to enhance user experience.
bscookie	2 years	This cookie is a browser ID cookie set by Linked share Buttons and ad tags.
c	1 year	This cookie is set by Rubicon Project to control synchronization of user identification and exchange of user data between various ad services.
fr	3 months	Facebook sets this cookie to show relevant advertisements to users by tracking user behaviour across the web, on sites that have Facebook pixel or Facebook social plugin.
i	1 year	This cookie is set by OpenX to record anonymized user data, such as IP address, geographical location, websites visited, ads clicked by the user etc., for relevant advertising.
IDE	1 year 24 days	Google DoubleClick IDE cookies are used to store information about how the user uses the website to present them with relevant ads and according to the user profile.
test_cookie	15 minutes	The test_cookie is set by doubleclick.net and is used to determine if the user's browser supports cookies.
tuuid	1 year	The tuuid cookie, set by BidSwitch, stores an unique ID to determine what adverts the users have seen if they have visited any of the advertiser's websites. The information is used to decide when and how often users will see a certain banner.
tuuid_lu	1 year	This cookie, set by BidSwitch, stores a unique ID to determine what adverts the users have seen while visiting an advertiser's website. This information is then used to understand when and how often users will see a certain banner.
uuid2	3 months	The uuid2 cookie is set by AppNexus and records information that helps in differentiating between devices and browsers. This information is used to pick out ads delivered by the platform and assess the ad performance and its attribute payment.
VISITOR_INFO1_LIVE	5 months 27 days	A cookie set by YouTube to measure bandwidth that determines whether the user gets the new or old player interface.
YSC	session	YSC cookie is set by Youtube and is used to track the views of embedded videos on Youtube pages.
yt-remote-connected-devices	never	YouTube sets this cookie to store the video preferences of the user using embedded YouTube video.
yt-remote-device-id	never	YouTube sets this cookie to store the video preferences of the user using embedded YouTube video.

Cookie	Duration	Description
_gaexp_rc	past	No description available.
_lfa_test_cookie_stored	past	No description
_te_	session	No description
1e5a17c8ab	session	No description available.
A3	1 year	No description
AnalyticsSyncHistory	1 month	No description
li_gc	2 years	No description
UserMatchHistory	1 month	Linkedin - Used to track visitors on multiple websites, in order to present relevant advertisement based on the visitor's preferences.

See Zefort in action