In relation to the provision of the Service, we also operate from time to time as a data processor for our customer organisations, in which case the customer organisation is regarded as the data controller. This means that we process personal data based on contracts on behalf of our customers in accordance with their instructions and not for our own purposes. As a data controller, the customer has full control over and responsibility for what personal data it decides to enter in the Service and under what legal basis it has the right to process and transfer it to Happeo, including acquiring necessary consents, if required. Happeo does not review the data entered into the Service by the customer organisation. We do not use any personal data submitted to the Service by the members of our customer organisations (the “End-User Data”) for any sales and/or marketing purposes.
PERSONAL DATA PROCESSED AND SOURCES OF DATA
We collect two types of information concerning our Users: (i) User Data; and (ii) Analytics Data.
User Data is primarily received directly from the Users or the representative of the relevant customer (such as the customer’s admin user of the Service). Analytics Data is collected automatically as you use the Service. Although we do not normally use Analytics Data to identify individuals, sometimes individuals can be recognised from it, either alone or when combined or linked with other data. In such situations, Analytics Data shall also be considered to be personal data under applicable laws, and we will treat the combined data as personal data.
User Data and Analytics Data typically consist of the following categories of data. This data is either inputted directly by the User or synchronized by the organisation from an integrated solution, such as G Suite:
- Email addresses (primary and secondary)
- Phone numbers & labels
- Profile picture
- Manager’s email
- Organisation information, such as title, department, cost center and location
- Pseudonymised user identifier
- Time of visit
- Browser type and version
- Action and action related pseudonymised identifiers
- IP address
- Geographical location
- Browser type
- Referral source
- Length of visits
- Pages viewed
PURPOSES AND LEGITIMATE GROUNDS OF PROCESSING
Legal grounds for processing
In relation to the provision of the Service, we primarily process personal data on a contractual basis. For individuals acting as representatives of our customer organisations, personal data is primarily processed based on our legitimate interest whilst fulfilling our contractual obligations towards the organisations they represent.
We may also process personal data based on our legitimate interests, for example in connection with analytics. When choosing to use your data on the basis of our legitimate interests, we carefully weigh our own interests against your right to privacy.
In certain cases, you may be requested to grant your consent for the processing of your personal data. In this event, the legal ground for such processing is your consent. You may withdraw your consent at any time.
Purposes of processing
We collect, store and process personal data only for predefined purposes. We also always make sure that there is at least one legal basis for processing personal data. The main purposes and the applicable legal basis for processing personal data are:
To provide our Service. We collect and process personal data to be able to offer the Service to our Users and to run and maintain our operations. Personal data may be processed in order to carry out our contractual obligations towards an individual User or towards the organisation the User represents. The legal basis for this processing is our legitimate interest and contract between Happeo and the customer.
For our legal obligations. We process personal data to enable us to administer and fulfil our obligations under law. This includes data processed for complying with our accounting obligations and providing information to relevant authorities. The legal basis for this processing is to ensure compliance with our legal obligations.
For claims handling and legal processes. We may process personal data in relation to claims handling, debt collection and legal processes. We may also process data for the prevention of fraud, misuse of our Service and for data, system and network security. The legal basis for this processing is our legitimate interest.
For communication. We may process personal data for the purpose of contacting our Users regarding our Service, including handling of support requests and customer feedback as well as notifying Users about the Service. The legal basis for this processing is our legitimate interest.
For quality improvement and trend analysis. We may process information regarding your use of the Service to improve the quality thereof, for example by analysing any trends in the use of our Service. Similarly, we may process any feedback provided by you to improve our operations in general. Where possible, we will do this using only aggregated, non-personally identifiable data. The legal basis for this processing is mainly our legitimate interest.
PERSONAL DATA RECIPIENTS
Personal data is mainly stored in electronic format and only authorised personnel within our organisation have access to the data.
We may also use third party service providers for data storage (e.g. cloud storage), digital marketing, processing of payments and other processing of personal data. In these situations, we make sure we have a written contract with each respective service provider with minimum data processing provisions. We will also otherwise ensure that the confidentiality of personal data is secured, and data is otherwise processed and transferred lawfully. Some of these service providers include, at the date of writing this policy, HubSpot, Google and Stripe.
We may also disclose or transfer personal data to fulfil legal obligations or when a legal authority requires a disclosure. We may also disclose personal data if we are a party to a business sale, such as a merger or an acquisition.
TRANSFERS OUTSIDE THE EU
By default, personal data is not transferred outside the EU. However, in various situations data may be transferred outside the EU if our service provider is located there.
If personal data is transferred outside the EU, we make sure that (i) the transferee is located in a country with adequate safeguards (as decided by the EU Commission from time to time); (ii) the transferee is Privacy Shield certified (if a US-based company); or (iii) the transfer occurs by using model clauses published by the EU Commission.
DATA STORAGE PERIOD AND SECURITY
We will not store personal data for a longer period than is necessary for its purpose or required by contract or law. The retention periods for personal data may vary based on its purpose and the situation. The retention periods may also be based on applicable laws (e.g. accounting, tax laws, employment contracts act). We may also update data from time to time. With respect to the End-User Data, it is each customer’s responsibility to plan and supervise the data retention periods for such data.
Personal data is stored and secured in accordance with general industry standards and practices. We consider and keep personal data confidential. Subcontractors that we use for processing personal data are selected also based on their data security measures. For our own systems and data storage, we use only well-established service providers and robust software tools. Access to personal data is also protected with user-specific logins, passwords and user rights. Our premises are also safe and secure.
Right to access
You have the right to confirm whether we are processing your personal data and also to know what data we have about you.
Right to withdraw consent
If we process personal data based on your consent, you can at any time withdraw your consent by contacting us. Withdrawing a consent may lead to fewer possibilities to use our Service. The withdrawal of consent does not affect the lawfulness of processing based on consent before its withdrawal.
Right to rectify
You have the right to request that we correct any inaccurate or outdated personal data we have about you by contacting us.
Right to prohibit direct marketing
You have the right to request that your personal data is not processed for direct marketing purposes.
Right to unsubscribe from marketing communications
You may unsubscribe from receiving our marketing communications at any time by clicking the "unsubscribe" link located at the bottom of our emails or by contacting us.
Right to object
If we process your personal data based on public interest or our legitimate interest, you have the right to object to the processing of your data, to the extent that there is no such significant other reason that would override your rights or the processing is not necessary for handling legal claims. Please note that in this situation we may not be able to serve you anymore.
Right to restriction of processing
You may request us to restrict processing of personal data for example when your data erasure, rectification or objection requests are pending and/or when we do not have legitimate grounds to process your data. This may however lead to fewer possibilities to use our Service.
Right to data portability
If we process your personal data based on your consent or the fulfilment of a contract, you have the right to require transfer of the data you have provided to us to another service provider in a commonly used electronic format.
How to use the rights
You can exercise your rights by contacting us by sending an email to firstname.lastname@example.org. In such case, we ask you to provide us with your name, contact details, phone number as well as something that we can use to verify your identity, such as a written and signed (and scanned) request, or a copy of your personal ID, but without social security number and other such information that we don’t need. If you consider that the processing of your personal data is not lawful, you can always also make a notification to a supervisory authority (in Finland tietosuojavaltuutetun toimisto).