Privacy Policy – Business Customers
Last update: 11 October 2024
Introduction
We value your fundamental right to privacy. As a company based in the European Union, we adhere to our obligations under the General Data Protection Regulation (GDPR). In this document, we inform you about our processing of your personal data if you’re a business customer (or a representative one).
For clarity, we have divided the privacy policy into two parts:
- Part 1 contains general information about personal data processing.
- Part 2 applies to the processing of your personal data as a business customer (or a representative of one).
If you have any questions or concerns regarding the processing of your personal data, please don’t hesitate to contact us:
Cloudamite Oy
Privacy team
Elektroniikkatie 2, 90590 Oulu, Finland
[email protected]
Contact person: Antti Pohjola
Tel: +358 40 8672 113
Email: [email protected]
We may update our privacy policies from time to time. The date of last update is shown above. Minor changes will be shown in this document, and we ask that you review it regularly. Changes that significantly affect your rights and freedoms will be communicated to you by email or notification if we have your contact details.
Part 1: General information
Categories of personal data
As you are our business customer (or a representative of one), we regularly process certain categories of your personal data. These depend on the various purposes that we process your data for. A detailed list of the various purposes and categories of data that we process is shown in Part 2 of this privacy policy.
Some categories of personal data are mandatory in the sense that without certain data, we cannot provide our services to you or carry out other critical processes related to our business relationship. In some cases we may also have a legal duty to process certain categories of your personal data. We have marked clearly, which categories of personal data are mandatory for a given purpose.
Sources of personal data
We primarily process personal data that you give us, for instance when we discuss our business matters or sign a contract, or when you subscribe to your company newsletter.
However, in some cases we may receive personal data relating to you from other sources. These are:
| Source | Examples |
|---|---|
| Public records | Before signing a contract, we may check company registers and business data services to see if you are authorised to sign the contract for your company.
We may also check certain public background data, such as official sanctions registers and insolvency information to manage our KYC obligations and legal and financial risks. |
| Marketing registers | When we market our services, we may check marketing registers and business data services to check that you’re the right person in your company to receive our communications. |
| Your company or organisation | Many times we receive your contact details and information updates from the company or organisation that you represent, rather than directly from you. |
| Social media and the internet | Often we look for your company information using social media and the internet. Sometimes this information may contain your personal data. |
| Technical sources | We use cookies and similar technologies on our website and other platforms. These often collect and process certain techical personal data, such as your IP address and device identifiers. |
Retention periods of personal data
When processing your personal data, we adhere to the principle of storage minimisation. That means we only keep your personal data as long as necessary for the purposes that we describe more in detail in Part 2, and only as long as we have a legal basis set out in the GDPR to process the data.
As soon as no relevant purpose or legal basis applies, we will either erase your personal data or anonymise it in an irreversible manner.
Sharing your personal data with third parties
As a provider of commercial services, we like most other companies have to outsource some of the processing of your data to our trusted partners. Because of that, we share certain categories of personal data with third parties.
We always make sure that all disclosures are protected by a contractual arrangement between us and our trusted partners to protect your personal data, as required by the GDPR.
Our trusted partners can be categorised as follows:
| Category of recipient | Examples |
| Customer and contract management | We use cloud-based CRM systems provided by our trusted partners to store and manage our customer and contract information. Your personal data is also included in this information.
Other examples include: Digital signature services |
| Data storage and information management services | We use cloud-based data storage and information management systems provided by our trusted partners to store and manage various types of documents and other data. Many of these documents and other data include also your personal data.
Other examples include: |
| Communications and deliveries | We use hosted emailing and other communications systems (such as instant messaging platforms) provided by our trusted partners. When we communicate with you, or when we include your personal data in our communications with others, your personal data passes through these systems.
We also use hosted computing systems to deliver our services. When we deliver our services to you, these systems process your personal data (e.g. device identifiers, unique ID’s and similar). Other examples include: * Internet phone call services (e.g. VoIP) |
| Marketing | We use trusted partners in sending out marketing communications. When we do so, these partners process some of your personal data (such as name and contact details). |
| Billing, accounting and taxation | We use payment processing, invoicing and debt collecting services provided by our trusted partners. When we send you our invoices or otherwise process payment information involving your company, your personal data (such as name and contact details) may be shared with them.
We also use external accountants and auditors to handle our bookkeeping and other financial matters. They have a legally mandated access to our financial documentation, which may include your personal data (such as name and contact details). Other examples include: * Accounting software service providers (e.g. to store our invoices for bookkeeping obligations) |
| Website and other platforms | We use hosted website and content delivery network systems, as well as cookie management tools provided by our trusted partners. When you use our website and other platforms, these systems process your personal data (such as your IP address and device identifiers) through technical sources. |
| Professional advisers | From time to time we use external consultants and advisers to help us with various things. These may be for example business consultants, financial advisers, and legal advisers who, depending on the circumstances, may need to access various types of information, including our customer data. |
| Public authorities | If we are legally required to hand over information about our business transactions or other things to public authorities, this may include your personal data. |
| Mergers and acquisitions | If we are ever subject to a merger or acquisition by another company, all of our data, which naturally includes customer data, may be legally transferred to that company. |
Transfers outside the EU/EEA
We normally process your personal data exclusively within the European Union and European Economic Area. In some cases, we or our trusted partners process your personal data outside these areas. If that happens, we will make sure through various safeguards that your personal data will be processed in a compliant way.
Some of your personal data are transferred to the following countries:
| Country | Safeguards |
|---|---|
| United States | We and our trusted partners make sure that transfers are protected under the EU-US Data Privacy Framework. If not, we and our trusted partners make sure transfers are protected by contractual arrangements using the Standard Contractual Clauses (SCC) issued by the European Commission. Should we be unable to take any of these precautions, ultimately we’ll ask for your consent for the transfer. |
If you wish to learn more about the ways we protect your data when transferring outside the EU/EEA, please contact us using the contact details above.
Your rights
According to the GDPR, you have various rights as we process your personal data. These are:
| Type of right | Description |
| Right of access | You may ask us whether we process any personal data about you, and if we do, you have a right to request a copy of some or all of the data. You also have a right to ask for more information regarding the third-party recipients of your personal data as well as our protective measures applicable to the transfers of your data to our trusted partners and outside the EU/EEA.
If you request a copy of your data, we will send it to you electronically. In most cases we will be glad to accommodate your request, but if we receive repeated or manifestly unfounded requests from you, we may have to refuse or charge a reasonable administrative fee to process your request. |
| Rectifying incorrect or incomplete personal data | If you consider that some of your personal data that we process is incorrect or incomplete, you may ask us to correct or complete the data. We will investigate your request without undue delay, and accommodate it if we can be sufficiently certain that the request is justified. |
| Erasing personal data (“the right to be forgotten”) | If you don’t want us to process your personal data, you may ask us to erase a part or all of it. We will do our best to accommodate your request, but in some cases we may have to refuse or postpone the request. This may happen e.g. if we have an on-going business relationship with you and we need your personal data to provide our services to you, or if we have a legal duty or a legitimate interest to retain some of your data (we have described these in more detail in Part 2). |
| Restricting the processing of personal data | If you consider that our processing of your personal data breaches the GDPR or other laws, you may ask us to restrict the processing (i.e. to stop the processing for the time being). We will accommodate your request as well as possible while we investigate the matter.
You may also ask us that we do not erase or otherwise process your personal data if you need the data e.g. in a legal dispute and the erasure or other processing would jeopardise your interests in that regard. We will aim to accommodate your request as well as possible. |
| Objecting to processing of personal data | As explained in detail in Part 2, we sometimes process your data on the basis of our or someone else’s legitimate interest. If that’s the case, you may object to our processing of your data on that basis due to a reason relating to your particular circumstances. We will aim to accommodate your request as much as possible, however in some cases the legitimate interests in question may be so important that they outweigh your interest to object.
If in that case we cannot accommodate your request, we will let you know about our reasons for not doing so and inform you about your right to lodge a complaint with the relevant data protection authorities. If we have contacted you for direct marketing purposes, you may also object to our processing of your personal data for that purpose. (In other words, you may prohibit us from contacting you for direct marketing purposes). We will accommodate your request without undue delay. |
| Withdrawing consent | As explained in detail in Part 2, we sometimes process your personal data on the basis of your consent. If that’s the case, you may, at any time, withdraw your consent for that processing. We will accommodate your request without undue delay, however we may continue the processing if we have another legal basis to do so. Please note that withdrawing consent will not affect the prior processing of your personal data. |
| Right to lodge a complaint | If you consider that our processing of your personal data breaches the GDPR or other laws, you may at any time lodge a complaint with the relevant data protection authorities. In Finland, you can contact the Data Protection Ombudsman: www.tietosuoja.fi |
To exercice any of your above rights, please contact us using the contact details shown at the beginning of the document. We’ll be glad to assist you.
Cookies and tracking
Like most other companies and organisations, we use cookies and similar technologies on our website, online services and in marketing. We will adhere to applicable laws regarding the prerequisites for the processing of your personal data in such ways.
We have described in detail the types of cookies and similar technologies we use as well as their purposes in our cookie policy.
Part 2: Processing of your data
As you are our business customer (or act as a representative of one), we process your personal data in certain ways in the context of our business relationship. Here we describe the purposes of processing your personal data together with the appropriate legal bases for the processing, as well as the categories of personal data processed together with their retention periods.
Purposes and legal bases of the processing of personal data
According to the GDPR, all processing of personal data must be justified using a legal basis found in the law. First, here is a short description of the legal bases that we use:
| Legal basis | Description |
|---|---|
| Contract (including contract preparation) | As you are our business customer (or represent one), to perform our contractual obligations we need to process certain categories of your personal data. |
| Legal obligation | As a provider of commercial services, we have a number of legal obligations to fulfil. For instance, we must keep financial records of our transactions, which may include your personal data. |
| Consent | In some cases, we may ask for your consent to process your personal data. If we receive your consent, we may process your data on that basis within the limits of the consent. For instance, we use cookies for statistical and marketing purposes, which may only be done if we receive your consent. |
| Legitimate interest | In some cases, we may process your personal data if it’s justified for our or someone else’s legitimate interest. We only do so after having assessed your rights and freedoms against the importance of the legitimate interest (we conduct a so-called “balancing test”). |
Here is a complete overview of our purposes of processing and the corresponding legal bases:
| Purpose | Legal basis | Examples |
|---|---|---|
| Ordering and delivering services; improving services | Contract | In order to provide our services as contracted, we need to process some of your personal data. |
| Ordering and delivering services; improving services | Legitimate interest | As we provide our services to you, we have a justified interest in processing some of your personal data internally to improve our services and ways of working. We may for example take notes of our discussions with you and improve your and our other customers’ service experience on their basis. |
| Managing customer relationship; improving business | Contract | Apart from performing our services, we do a number of things to maintain our contractual relationship with you. We may for instance take notes of our business interactions with you. |
| Managing customer relationship; improving business | Legitimate interest | To improve customer experiences and the ways we run our business, we may take notes and conduct case studies about our customer relationship internally. These may contain some of your personal data. |
| Billing and debt collection | Contract | As we provide our services to you, we bill you as agreed in our contract. To send an invoice, we may need to process some of your personal data. |
| Billing and debt collection | Legitimate interest | As we bill you for our services, and as we monitor our payments from you, we have a legitimate interest to make sure everything goes well. To do that, we may need to process some of your personal data. |
| Accounting and taxation | Contract | To keep records of our sales and business transactions, we collect and retain information about our dealings with you. These notes may contain your personal data. |
| Accounting and taxation | Legitimate interest | We have a legal duty to keep records of our business transactions. For instance, we must collect and retain our invoices for a number of years, which may contain you personal data. |
| Sales and marketing | Consent | In some cases, to process your personal data for sales and marketing purposes, we ask for your consent. This is case for instance when we use cookies and similar technologies for such purposes. We also ask for your consent for direct marketing in legally required situations. |
| Sales and marketing | Legitimate interest | As a commercial service provider, we often have a justified reason to approach you with the purpose of discussing our offering with you. In those cases, we process your personal data as part of our legitimate interests. |
| Communications and PR | Contract | As part of our customer relationship with you, we often have discussions and correspondence with you. If our discussions and correspondence are essential to our contractual relationship, we process your personal data on this basis. |
| Communications and PR | Consent | In some cases, for instance if you contact us using a medium that processes certain technical identifiers, we may ask for your consent for processing the identifiers. Also, we may ask for your consent to use our communications with you for a purpose not depicted here, such as as a customer testimonial on our website. |
| Communications and PR | Legitimate interest | In some cases, we store, retain and process our discussions and correspondence with you for various legitimate interests such as improving our customer service and training our staff. |
| Managing risks and protecting interests | Legal obligation | In some cases, we may have to process certain background information as a legal duty. For instance, we may have to know our customers and check information about economic sanctions. These checks may involve processing some of your personal data. |
| Managing risks and protecting interests | Legitimate interest | To manage risks and to protect various business interests, we process certain categories of personal data. For instance, we keep records of our contractual relationships and business dealings for a number of years in case a legal dispute arises.
Also, we keep records of the usage of our name, brand and other intellectual property by our customers. These notes may contain your personal data, e.g. regarding social media posts that you have published as a representative of your company. |
| Technical functioning and security | Contract | Some of the services that we provide to you under our contract process personal data for technical reasons. For instance, to share materials and deliverables with you electronically, we need to ensure the proper technical functioning and security of the platform. This often includes processing of personal data such as necessary technical identifiers. |
| Technical functioning and security | Consent | In some cases we offer you technical functions that do not strictly relate to our contractual relationship. This is for instance if you access our website for unrelated reasons. In those cases we process personal data for the technical functioning of the services. If the processing is not necessary for that purpose (e.g. in case of cookies used to improve the visual appeal of our website), we will ask for your consent to process the data. |
| Technical functioning and security | Legitimate interest | In some cases we have a justified reason to ensure the proper functioning and security of our services. In those cases we process certain technical personal data as part of our legitimate interests. |
Categories of personal data processed and their retention times
The below table contains a detailed description of the categories of personal data that we process for our various purposes. If a certain category is mandatory by law or contract (e.g. if we need the information to fulfil our legal obligations or to serve you as our customer), we’ve mentioned that in the table.
The table also contains a list of our retention times for different categories of personal data under a given purpose. Once a specific retention period runs out, we will erase the relevant personal data or anonymise it irreversibly, unless a different purpose with a longer retention period applies.
For instance, we keep personal data for the purposes of communications (like e-mails containing your name and e-mail address) for 1 year. Once the retention period runs out, we will erase the relevant data unless we need to keep it for the purposes of risk management for 3.5 years. If so, we will continue to retain the data until the 3.5-year retention period runs out.
| Purpose | Categories of personal data | Retention period(s) | Examples |
|---|---|---|---|
| Ordering and delivering services; improving services
All personal data for this purpose are mandatory to facilitate our contractual relationship. | Name, contact details, position
Messages and correspondence | 1 year from the end of order and delivery | To provide our services to you, we need to process your personal data. We will retain the data in case there are for instance immediate issues that have to be fixed. |
| Managing customer relationship; improving business
Personal data marked with (*) are mandatory to facilitate our contractual relationship. | Name, contact details, position (*)
Messages and correspondence (*) Signature (*) Client feedback, complaints | 1 year from the end of customer relationship | To maintain and develop our active relationship with you, we process your personal data. We will retain essential data in your customer dossier, and if the customer relationship ends (or you no longer represent your company or organisation towards us), we will retain the data for an additional safety period. |
| Billing and debt collection | Name, contact details, position
Financial information and public records Payment information and payment history | 5 years after the current financial year | As we bill you for our services, we process your personal data on invoices and in transaction records. We’ll retain that information to keep our business records up to date. |
| Accounting and taxation
Accounting and taxation All personal data for this purpose are mandatory to facilitate our contractual relationship as well as to fulfil our legal obligations. | Name, contact details, position
Messages and correspondence Financial information and public records Payment information and payment history | 5 years after the current financial year (except legally prescribed information)
6.5 years after the current financial year (legally prescribed information) 10.5 years after the current financial year (legally prescribed information) | As part of our bookkeeping, we collect and retain relevant personal data in our accounting platform as well as financial books and accounts.
Some information, such as invoices and receipts, must be retained for a legally prescribed period. During that period, we will only retain personal data that is contained in those legally prescribed documents. |
| Sales and marketing | Name, contact details, position | Retained indefinitely (as long as our legitimate interest to market our services applies) | As we have a legitimate interest in approaching you to discuss our offering, we keep your name, contact details and position on file for the time being, however only as long as you represent the company or organisation that is or has been our customer. This means we may contact you some time in the future unless you prohibit us from doing so. |
| Sales and marketing | Messages and correspondence
Preferences and activity | 2 years from the collection of the data | We store personal data that we collect for sales and marketing purposes, for example in case we discuss our offering and agree to come back to it at a later time. In order to continue our discussion later, it’s important that we have our notes and other relevant information at hand for the duration. |
| Sales and marketing | Consents and prohibitions | Retained indefinitely | If you have prohibited us from approaching you for sales and marketing purposes, we’ll make a note of it and retain it indefinitely (or until you instruct us otherwise). |
| Communications and PR
Personal data marked with (*) are mandatory if you wish to get in contact with us, or if we need to send important notices or updates to you. | Name, contact details, position (*)
Messages and correspondence (*) Social media content and other public information | 2 years from the communication | We retain personal data from our communications and PR correspondence with you, to make sure our correspondence won’t be lost too soon, or to make sure that you’ll receive any information and updates to matters that are relevant for you. |
| Risk management and protecting interests
Personal data marked with (*) are mandatory to facilitate our contractual relationship as well as to fulfil our legal obligations. | Name, contact details, position (*)
Messages and correspondence (*) Client feedback, complaints | 3.5 years from the end of active processing | To manage our risks and to protect your and our legitimate interests, we retain some personal data from the end of active processing in accordance with the other purposes described in this chart.
For example, once we deliver our services to you, we retain essential information about our contract, your contact details, our messages and correspondence with you, and any feedback or complaints that you may have for us. We do so so that for instance in case of a legal dispute about our contract or the service, any critical evidence will not have been lost. |
| Technical functioning and security
Personal data marked with (*) are mandatory to the extent that we have a justified interest in ensuring the technical functioning and security of our electronic services or we have a legal duty to acquire your consent. | Technical identifiers (*) | Deleted immediately after session or activity
(See also our cookie policy) | We collect, process and retain technical identifiers in case we need to address a technical or security issue.
Note that our website cookie management system stores cookies and other identifiers (which may include your personal data) in accordance with our cookie policy. |
| Technical functioning and security
Personal data marked with (*) are mandatory to the extent that we have a justified interest in ensuring the technical functioning and security of our electronic services or we have a legal duty to acquire your consent. | Consents and prohibitions (*) | See our cookie policy | If we use cookies and similar technologies to collect and process personal data for purposes that are not strictly necessary for the technical functioning and security of the website, we ask for you consent.
We record your consent (or denial) in our cookie management tool, which retains the information as described in our cookie policy. |
