For Happeo Application
For Happeo Application
This Privacy Statement is applicable to personal data processed by Happeo Oy (“Happeo”, “we” or “us”) relating to the users of our enterprise communication platform (the “Service”).
In relation to the provision of the Service, we also operate as a data processor for our customer organisations and our customer organisations operate as the data controllers. This means that we process personal data based on contracts on behalf of our customers in accordance with their instructions and not for our own purposes. As a data controller, the customer has full control and responsibility on what personal data it decides to enter in the Service and under what legal basis it has the right to process and transfer the data to Happeo. Happeo does not review the data entered into the Service by the customer organisation. We do not use any personal data submitted to the Service by the members of our customer organisations (the “End-User Data”) for any sales and/or marketing purposes.
We are committed to processing personal data in compliance with this Privacy Statement and applicable laws of the European Union, Finland, and those laws that are specifically agreed upon with the customer organisation in writing. This Privacy Statement contains information about what personal data we collect, what are the key principles of processing the data and what rights you have relating to your personal data.
The data processor relating to processing of personal data pursuant to this Privacy Statement is:
Iso Roobertinkatu 4-6 A, 00120, Helsinki, Finland
Business identity code: 2802188-2
PERSONAL DATA PROCESSED AND SOURCES OF DATA
We collect two types of information concerning our Users: (i) User Data; and (ii) Analytics Data.
User Data is primarily received directly from the Users or the representative of the relevant customer (such as the customer’s admin user of the Service). Analytics Data is collected automatically as you use the Service. Although we do not normally use Analytics Data to identify individuals, sometimes individuals can be recognised from it, either alone or when combined or linked with other data. In such situations, Analytics Data shall also be considered to be personal data under applicable laws, and we will treat the combined data as personal data.
User Data and Analytics Data typically consist of the following categories of data. This data is either inputted directly by the User or synchronized by the organisation from an integrated solution, such as G Suite:
- Email addresses (primary and secondary)
- Phone numbers & labels
- Profile picture
- Manager’s email
- Organisation information, such as title, department, cost center and location
- Pseudonymised user identifier
- Time of visit
- Browser type and version
- Action and action related pseudonymised identifiers
- IP address
- Geographical location
- Browser type
- Referral source
- Length of visits
- Pages viewed
PURPOSES AND LEGITIMATE GROUNDS OF PROCESSING
Legal grounds for processing
In order to provide the Service we process personal data on a contractual basis. For individuals acting as representatives of our customer organisations, personal data is primarily processed based on our legitimate interest whilst fulfilling our contractual obligations towards the organisations they represent.
We also process personal data based on our legitimate interests in connection with analytics.
Purposes of processing
We collect, store and process personal data only for predefined purposes. We also always make sure that there is at least one legal basis for processing personal data. The main purposes and the applicable legal basis for processing personal data are:
To provide our Service. We collect and process personal data to be able to offer the Service to our Users and to run and maintain our operations. Personal data may be processed in order to carry out our contractual obligations towards an individual User or towards the organisation the User represents. The legal basis for this processing is our legitimate interest and contract between Happeo and the customer.
For our legal obligations. We process personal data to enable us to administer and fulfil our obligations under law. This includes data processed for complying with our accounting obligations and providing information to relevant authorities. The legal basis for this processing is to ensure the compliance with our legal obligations.
For claims handling and legal processes. We may process personal data in relation to claims handling, debt collection and legal processes. We may also process data for the prevention of fraud, misuse of our Service and for data, system and network security. The legal basis for this processing is our legitimate interest.
For communication. We may process personal data for the purpose of contacting our Users regarding our Service, including handling of support requests and customer feedback as well as notifying Users about the Service. The legal basis for this processing is our legitimate interest.
For quality improvement and trend analysis. We may process information regarding your use of the Service to improve the quality thereof, for example by analysing any trends in the use of our Service. Similarly, we may process any feedback provided by you to improve our operations in general. Where possible, we will do this using only aggregated, non-personally identifiable data. The legal basis for this processing is our legitimate interest.
PERSONAL DATA RECIPIENTS
Personal data is mainly stored in electronic format and only authorised personnel within our organisation have access to the data.
We use third party service providers for storage and computing, email notifications, and analytics. In these situations, we make sure we have a written contract with each respective service provider with minimum data processing provisions. We will also otherwise ensure that the confidentiality of personal data is secured, and data is otherwise processed and transferred lawfully. These service providers are Google, The Rocket Science Group, and Pendo.
We may also disclose or transfer personal data to fulfil legal obligations or when a legal authority requires a disclosure. We may also disclose personal data if we are a party of a business sale, such as a merger or an acquisition.
TRANSFERS OUTSIDE THE EU
Personal data from the Service is transferred outside the EU only when the application sends out email notifications. When a notification is sent out we provide our partner The Rocket Science Group a list of email destinations and "quick peeks" of possibly interesting content for those users. This data is stored at our partner for 30 days if delivery is successful and 90 days if unsuccessful. If international data transfers are undesirable, we offer the option to disable email notifications to keep all customer controlled data inside EU.
If personal data is transferred outside the EU, we make sure that (i) the transferee is located in a country with adequate safeguards (as decided by the EU commission from time to time); or (ii) the transfer occurs by using model clauses published by the EU commission.
DATA STORAGE PERIOD AND SECURITY
Each data controller is reponsible for their controlled data and its proper retention. When Happeo is the data controller, we will not store personal data for a longer period than is necessary for its purpose or required by contract or law.
Personal data is stored and secured in accordance with general industry standards and practices. We consider and keep personal data confidential. Subcontractors that we use for processing personal data are selected also based on their data security measures. For our own systems and data storage, we use only well-established service providers and robust software tools. Access to personal data is also protected with user-specific logins, passwords and user rights. Our premises are also safe and secure.
3rd PARTY INTEGRATIONS
Happeo's use of information received from Google APIs will adhere to Google API Services User Data Policy, including the Limited Use requirements.
Where Happeo is the data controller the data subjects have the following rights.
Right to access
You have the right to confirm whether we are processing your personal data and also to know what data we have about you.
Right to withdraw consent
The Service is provided with contractual an legitimate interest legal basis and thus withdrawal of consent is not applicable to the service provided.
Right to rectify
You have the right to request that we correct any inaccurate or outdated personal data we have about you by contacting us.
Right to object
Where we process your personal data based on our legitimate interest, you have the right to object the processing of your data.
Right to restriction of processing
You may request us to restrict processing of personal data for example when your data erasure, rectification or objection requests are pending and/or when we do not have legitimate grounds to process your data. This may however lead to fewer possibilities to use our Service.
Right to data portability
If we process your personal data based on your consent or fulfilling of a contract, you have the right to require transfer of the data you have provided to us to another service provider in a commonly used electronic format.
How to use the rights
You can execute and use your rights by contacting us by sending email to firstname.lastname@example.org. In such case, we ask you to provide us with sufficient evidence of your identity. If you consider that the processing of your personal data is not lawful, you can always also make a notification to a supervisory authority (in Finland tietosuojavaltuutetun toimisto).
PRIVACY STATEMENT UPDATES
We update this Privacy Statement when our operations change or develop. Also changes in law may make it necessary to update this Privacy Statement. The changes become valid once we have published them in the form of an updated Privacy Statement. Therefore, please visit this page and read this Privacy Statement from time to time.