Last Updated: May 23rd, 2018
 
INTRODUCTION
This privacy policy describes the ways in which Viima Solutions Oy (“Viima”, “We”, “Us”) protects the privacy of the user of our services and what personal data we collect and process about the user. Personal data refers to the information that can be used to identify a natural person.
 
This document describes and informs about our user registry under the Finnish Personal Data Act (523/1999) 10 and 24 § and other applicable European legislation, such as the EU General Data Protection Regulation (“GDPR”).
 
Please note that this privacy policy covers the Personal Data that is related to the User (“User”) using the Viima Services (“Service”, “Services”), which includes any websites, applications and other services under the viima.com domain, as well as the Viima homepage of www.viima.com (“Homepage”, “Website”, “Site”). Any redirections, links or referrals to second or third parties’ online services or websites that the user might come in contact with while using the Viima Service or Site are not covered by this privacy policy. Please also be aware that we are not responsible for the privacy policies or practices of any second or third parties.
 
Do keep in mind that you might violate the privacy and data protection rights of another user (natural person) if you submit material that can be identifiably linked to the other user. That being stated, please refrain from submitting material that might violate the rights of another user. By using the Service, you also agree to our terms of service; please do read them.
 
THE DATA VIIMA COLLECTS
In this section we describe the personal data collected by the Service and/or Site. As the Site and Service serve different purposes and collect and process data separately, these shall be discussed separately below.
 
THE DATA WE COLLECT ABOUT OUR END-USERS
In this document, the users of our Services, such as app.viima.com, are referred to as “End-users”. If you are a user of these Services, this section applies to you.
 
The data that the Service collects about its End-users depends on behavioural factors, such as what the actions of the End-users have been, and the access right requirements set by the Customers of Viima. We may collect information about our End-users that includes, but is not limited to, the attributes listed below, which represent the Personal Data collected as of the writing of this section. The data can partially be collected through a second or third-party service account, provided that the End-user has allowed the Service to use their third-party account. Further details about utilizing third-party accounts can be found at the end of this section.
  • Name
  • Gender
  • E-mail address
  • Phone number
  • Current location based on IP-address
  • Information related to the device, browser, and operating system used to access the Service
  • Employer and employment related information, such as but not limited to, job title and department
  • Pictures, video and other audiovisual material
  • Usernames or IDs used in connected third-party accounts
  • Pages visited and/or actions performed while using the Service
  • Other information submitted via forms or via chat while using the Service
If the End-user (or someone from their organization on their behalf) allows for the Service to access a second or third-party service, such as Microsoft Office 365 or Google, to utilize their account information, we may collect the attributes listed above and/or additional Personal Data that are available in accordance with the terms of service and the privacy settings of the second or third-party service used for signing into (or otherwise connected to) the Service. You may control the types of Personal Data available in the profile of such third-party services by adjusting the privacy settings available therein.
 
THE DATA WE COLLECT ABOUT OUR VISITORS
In this document, the people visiting our Homepage (www.viima.com) are referred to as “Visitors”. If you are a visitor to Viima’s Homepage, this section applies to you.
 
The data that our Homepage collects about its Visitors depends on behavioural factors, such as what the actions of the Visitor have been. We may collect information about our Visitors that includes, but is not limited to, the attributes listed below, which represent the Personal Data collected as of the writing of this section. The data can also be collected through second or third-party tools, provided that the Visitor has allowed the Site to use cookies for improving their experience with Us. Further details about the third-party tools can be found in the next section of this document.
  • Name
  • E-mail address
  • Phone number
  • Current location based on IP-address
  • Information related to the device, browser, and operating system used to access the Site
  • Employer and employment related information, such as but not limited to, job title and department/team
  • Pictures, video and other audiovisual material
  • Pages visited and/or actions performed while on the Site 
  • Other information submitted via forms or via chat while using the Site
 
DATA COLLECTED AUTOMATICALLY
The Site and Service may automatically collect the following information from our users that in certain circumstances may constitute Personal Data.
 
We collect meta data from the http(s) requests (and other network traffic) transferred between the User’s client device and the Service and/or Site. The meta data includes the anonymized Internet protocol (IP) address of the device the user uses to access the Site and/or Service and information about the operating system and browser of the client device, as well as the device itself.
 
We may place “cookies” on the hard drive of the device that the user uses to access the Service and/or Site and/or use other similar technical measures, such as clear gifs (a.k.a. web beacons). While using the Site, you have the option to decline our use of cookies and similar technology by clicking on a link on this page. In this case, our standard cookie shall not be placed, but we do still need to place a small cookie on your browser to remember your choice. We would also like to remind you that if you disable cookies (via the aforementioned mechanism or for example by turning them off in your browser), you might not be able to use some features of the Service and/or the Site.
 
The actions performed by individual users within the Site can be recorded while preserving anonymity.
 
Google Analytics and/or other third-party analytics tools and tools containing analytics features, such as (but not necessarily limited to) HubSpot, HotJar, Drift, Facebook, and YouTube are used on the Site and/or Service. These services can also be used as an element of the Site and/or the Service. By using cookies, and other technology, such as clear gifs (a.k.a. web beacons), these services can collect and store data, such as (but not limited to) time of visit, pages visited and actions performed, and time spent on each page of the Site and/or Service, the Internet Protocol address, and the type of browser and operating system used in the devices used to access the Service and/or Site. You can also opt out from tracking of these analytics on our Site from the same link on the opt out page.
 
THE PURPOSES FOR WHICH WE USE THE DATA
All data that will be processed by Viima as either the Data Controller, or Data Processor, will be based on one or more of the lawful grounds for processing personal data according to Article 6.1 of the GDPR. Whenever feasible and reasonable, we always seek to acquire explicit consent from the data subject for most purposes, such as marketing or other communication. We also seek consent for each purpose separately, whenever feasible, but do occasionally process data according to our legitimate interests, for example by performing actions aimed to grow the business, such as direct marketing, in which case you shall always have the right to opt out at any time by simply contacting our Data Protection Officer or via other applicable means.
 
The majority of the processing we do will, however, be based on our contractual obligations towards our Customers as Data Controllers, who shall be responsible for the lawfulness of their own processing practices.
 
All of our processing shall be based on one or more of the following:
  • Consent of the data subject
  • Processing is necessary for the performance of a contract with the data subject or to take steps to enter into a contract
  • Processing is necessary for compliance with a legal obligation
  • Processing is necessary to protect the vital interests of a data subject or another person
  • Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the Controller
  • Necessary for the purposes of legitimate interests pursued by the controller or a third party, except where such interests are overridden by the interests, rights or freedoms of the data subject.

We use the data that we collect about our Users for the following purposes:
 
a) Personal data you provide to the Service and/or Site: We use the personal data you provide to the Service and/or Site for the following purposes:
  • To set up and maintain your user account with the Service and/or Site
  • To communicate and let partners communicate with you
  • To provide features and information available in and via the Service and/or Site
  • To personalize the Service and/or Site
  • To develop, improve, protect and manage the Service and/or Site
  • To process any transactions you may enter into in the Service and/or Site
  • For market research and direct electronic marketing, or the facilitation of that, in accordance with applicable law. In all such correspondence, You shall always have the opportunity to unsubscribe from receiving direct marketing free of charge.
  • To prevent and investigate fraud and other misuses
  • To protect our rights and/or our property
  • To audit and analyze the Service and/or Site and/or your use of the Service and/or Site
  • To ensure the technical functionality and security of the Service and/or Site
In addition, certain actions you choose to make in the Site and/or Service can lead to automated actions and decision-making. These shall always be used only for the purposes mentioned above. For instance, by subscribing for blog or guide updates, you shall be sent automated emails about new content on our site when new content is published; by downloading one or more of our guides, you shall automatically be sent related materials via email; and by signing up for our software, you shall be assigned to one of our account managers and your contact details shall be forwarded to them in order for them to help you get the most out of the Service, and you might also receive one or more emails related to helping you get started with Viima. You can always opt out of any of these actions at any time, either via the opt-out link in the footer of automated emails, or by contacting our Data Protection Officer.
 
b) Data collected automatically: We use the data collected automatically for the following purposes:
  • To provide features and information available in and via the Service and/or Site 
  • To personalize the Service and/or Site
  • To develop, improve, protect and manage the Service and/or Site
  • For market research and direct electronic marketing, or the facilitation of that, in accordance with applicable law. In all such correspondence, You shall have the opportunity to unsubscribe from receiving direct marketing free of charge
  • To audit and analyze the Service and/or Site and/or your use of the Service and/or Site
  • To ensure the technical functionality and security of the Service and/or Site
 
HOW VIIMA DISCLOSES DATA
We do not sell, lease, rent, share or otherwise disclose personal data, including user details, with third parties, unless otherwise stated below. The personal data collected in the Service and/or Site may be disclosed in the following manner:
 
a) Personal data you provide to the Service and/or Site: We may disclose personal data you provide to the Service and/or Site with the following categories of third parties:
  • To service providers, such as payment processors and data storage and processing service providers, which enable us to provide the Service and/or Site to you
  • To our customers and/or partners in compliance with applicable laws
  • To public authorities, such as law enforcement, if we are legally required to do so or if we need to protect our rights or the rights of third parties; and
  • To our subsidiaries and affiliates or a subsequent owner, co-owner or operator of the Service and/or Site and their advisors in connection with a corporate merger, consolidation, restructuring, or the sale of substantially all of our stock and/or assets or other corporate reorganization, in accordance with this Privacy Policy.

b) Data collected automatically: The data collected automatically in the Service and/or Site may be disclosed to the following categories of third parties:
  • To service providers, such as data analysis companies;
  • To our customers and/or partners in compliance with applicable laws;
  • To public authorities, such as law enforcement, if we are legally required to do so or if we need to protect our rights or the rights of third parties; and
  • To our subsidiaries and affiliates; or a subsequent owner, co-owner or operator of the Service and/or Site and their advisors in connection with a corporate merger, consolidation, restructuring, or the sale of substantially all of our stock and/or assets or other corporate reorganization, in accordance with this Privacy Policy.
Moreover, we may disclose information to aforementioned third parties in an aggregate format that does not constitute personal data and does not allow the identification of individual users.
 
CUSTOMER’S AND USER’S RIGHTS
We honor the data subjects’ rights and shall comply with relevant legislation both as a Data Processor (for any data we Process on behalf of a Data Controller) and as a Data Controller (any data for which our Customers are the Data Controller).

As a Data Subject, you shall have the following rights, except where otherwise determined by Applicable Law: to “be forgotten” (via deletion or pseudonymization), to have your personal data corrected or updated, to data portability and to receive a copy of the data being processed, to object to processing and collection of your personal data and to withdraw your consent at any time, as well as to lodge a complaint with the supervisory authority.
Whenever you withdraw consent, you acknowledge and accept that this may have a negative influence on the quality of the Site and/or Services as well as may cause the impossibility of access to certain Services. You further agree that Viima shall not be held liable with respect to any loss and/or damage to Your personal data. 

If you are a Data Subject looking to exercise your rights under this section (Data Subject Access Rights Procedure), you should note that your personal data in the Viima App (Service) is usually owned and controlled by our Customers as Data Controllers. In practice, this means that we have no right to provide you with access to your data, or otherwise respond to your requests, as we can only act on requests directly from the Data Controller. Thus, you should usually contact the Data Controller instead of us to exercise your rights as a data subject.

However, if you do want to exercise your rights under this section related to the data that we control regarding you, you should send a written request to dpo@viima.com. Prior to us being able to let you exercise your rights, you must verify your identity in order for us to ensure that your rights can’t be exercised, and your data be accessed, by another party. If your request is valid, we are the Data Controller for the said data, and you have successfully identified yourself, we shall comply with your request without unnecessary delay, typically within a month, unless there are legal, accounting, reporting or practical obstructions to your request, in which case we shall let you know of these obstructions in the same timeframe.
For our Customers, if you are the Data Processor and shall receive these kinds of requests from your data subjects, you are free to use our APIs to proceed with the request. For requests that require manual action from us, please submit your request to dpo@viima.com in writing and provide us with proof of your authority to act on behalf of the Customer, as well as the original request by the Customer along with any and all information required to identify and prove that the request originates from said Data Subject. We shall seek to comply with your request without unnecessary delays, typically within the same one-month time period, unless there are legal, accounting, reporting or practical obstructions to your request, in which case we shall let you know of these obstructions within the same time period. Please note that this work is generally not part of any of our plans or contracts and we shall thus invoice you based on the hourly price from our mutual Agreement (or Terms of Use in case there isn’t a separate Agreement) and the realized number of hours required to fulfill the request.
 
To honor our commitments to data portability, we offer APIs for our Users and Customers that provide them with self-service possibilities for exercising many of the aforementioned rights. Should a request require Viima to deliver data in some format, the format used shall be a commonly used, structured and machine-readable format, such as JSON or CSV, which shall generally also be the formats supported by our APIs.
 
You also have the right to opt out of receiving electronic direct marketing communications from us: To opt out of all electronic direct marketing communications (such as email or SMS-messages) that you may receive from us, please adjust your notification settings by clicking on the link in the footer of any marketing email you’ve received from us, or by contacting us at dpo@viima.com.
 
Please note that certain Service and/or Site related email communication is mandatory for our Customers, such as communication related to billing and other transactions, as well as those related to certain actions performed by the user, such as password reset request. For other notifications from the Service, please adjust the notification settings of the relevant Service. If you have any concern about your privacy, you are kindly requested to forward an email to us at dpo@viima.com containing a detailed description of concerns. Viima will do its best to resolve such issues within a reasonable time and without unnecessary delay.
 
DATA SECURITY
We care about your privacy and do our best to protect any and all of your data from undesired parties through a variety of organizational and technical measures, such as physical access control, logical access control (i.e. non-physical access control measures such as passwords), data access control, data transfer control, input control, availability measures, and data separation. For example, access to your information is behind a password and our servers and/or service provider’s services are secured and protected by a number of measures, such as a firewall and adherence to principles of security by design. Even so, we cannot guarantee that your personal data are always secure because data security measures in use from time to time may be vulnerable due to a number of factors. By using the Service and/or Site, you accept the risk of any and all vulnerabilities leading to exposure of your personal data. For additional details on security of our Service, please see our Data Protection Agreement and/or contact our Data Protection Officer.
 
DATA RETENTION
With respect to the retention of data in our Services, we seek not to keep or process data any longer than necessary to fulfill our obligations towards our Customers and other stakeholders. As a general rule of thumb, data is stored until Customer cancels their plan and up to a maximum of 12 months after that for customer service and backup purposes. If a User requests to delete their account, or exercise their rights related to Personal Data, their data can either be deleted or pseudonymized (for example if deletion would lead to loss of other data) to fulfill their right to be forgotten. Backups, which may contain otherwise deleted data, are kept for a maximum of 12 months. These policies are subject to exceptions due to obligations in areas such as legal, reporting and audit.
 
INTERNATIONAL TRANSFERS OF PERSONAL DATA
We currently store all of the data for our Service inside the European Union and are taking measures to keep the situation that way also in the future. However, certain Sub-Processors of ours have operations also outside of the European Union and, depending on the situation, may transfer data outside of the European Union. In these situations, we have binding agreements with our Sub-Processors to ensure they have taken appropriate measures to ensure an adequate level of protection for the data as described in the EU Data Protection Directive and other applicable legislation, such as the General Data Protection Regulation. We include a list of Sub-Processors used to provide the Service in our Data Protection Agreement and are also glad to provide you with a list of our current Sub-Processors for both the Service and the Site, as well as more details on the transfers being made upon a request to our Data Protection Officer.
 
We also reserve the right for the Service and/or the Site, or some elements of them, to be hosted on servers located in countries outside the European Union or European Economic Area. In this case, appropriate measures shall be taken to ensure the privacy, security and confidentiality of your data as described in appropriate legislation. However, the laws applicable to the protection of personal data in such countries may be different from those applicable in your home country. By using the Service and/or the Site, you consent to personal data about you being transferred outside the European Union.
 
CHANGES TO THE PRIVACY POLICY
From time to time we may change this Privacy Policy without further notice. We will be updating the “Last Updated” legend on top of this page accordingly. Should we significantly change the ways in which we gather, use and/or disclose personal data, we might send an e-mail to users of our service whose email address we hold. Using the Service and/or Site following any changes to this Privacy Policy constitutes your acceptance of any such changes made.
 
GOVERNING LAW AND DISPUTE RESOLUTION
This Privacy Policy forms an integral part of Our Terms of Service. The Governing Law and Dispute Resolution mechanism found in Our Terms of Service shall also apply to Our Privacy Policy.
 
CONTACT INFORMATION
Viima has elected to appoint a Data Protection Officer. The current Data Protection Officer serves as the primary point of contact in all matters privacy related. He/she may be reached via e-mail at dpo@viima.com.
 
For any further inquiries, you may contact us (Viima Solutions Oy), the owner and administrator of the register, via e-mail at privacy@viima.com.

Viima Solutions Oy

Business id: 2573325-1
Säynävätie 3 B 7
02740 Espoo
Finland