Privacy Policy

November 12 2024

Introduction

Confidentialmind Oy and its Affiliates (“ConfidentialMind”) are committed to ensuring compliance with applicable data protection laws and regulations of the European Union (“EU”), as well as any other data protection requirement in any of the jurisdictions where ConfidentialMind operates. By means of this Privacy Policy we would like to inform you about how and why we collect, process and use personal data of any data subject, and about your rights as a data subject regarding the processing of your personal data.

Scope and Supplement

This Privacy Policy covers all forms of processing of personal data by ConfidentialMind, with the exception of personal data of employees and applicants which are subject to a separate privacy notice. It describes how ConfidentialMind collects, uses, and shares personal data obtained directly from the user, or from customer, supplier, business partner, or other, or obtained indirectly from other sources. It applies to the processing of personal data obtained through any channel of communication or by any means, including but not limited to email, file transfer, feeding personal data into applications and tools, websites or mobile apps, social media pages and platforms.

1. Application of national laws

While the GDPR is applicable to processing of data of EU residents, there may be laws and regulations in some countries which specify further data protection requirements, in particular conditions for lawful data processing. The applicability of such laws will be considered on a case by case basis.  

2. Personal Data we process, Purposes and Legal Basis

This section of our Privacy Policy describes what personal data we collect and process, for what purposes and on what legal basis. The amount of personal data we process depends on the context and circumstances of your interaction with us and we strive to minimize it.

2.1 Handling orders and contractual obligations

When you place orders to purchase goods or services from us, or if you request information about products and services prior to placing an order, or if you request support regarding the product or services you have ordered, we will process personal data that is necessary to negotiate and execute a contract and to fulfill any contractual obligations, and to exercise our rights under the contract. This also includes advisory services under the contract if this is related to the contractual purpose. Prior to the conclusion of a contract personal data can be processed to prepare bids or tenders or to fulfill other requests of the prospect that relate to the contract conclusion.

For this purpose, we process personal data (including name, title, email, telephone, postal address, shipping and billing address), order and customer information (including goods and services ordered and provided, instructions regarding the order, customer business activities and interests and order history), financial information (including in certain cases invoice data, preferred payment options, term of payment, legal persons’ bank account and credit card information).

The legal basis for processing personal data for the purpose of handling orders and fulfilling contractual obligations and exercising contractual rights is Article 6 (1) b) GDPR (contractual necessity). The legal basis for processing personal data for the purposes of understanding customer business activities and interests and order history is Article 6 (1) f) GDPR (legitimate interests). The legal basis for processing and keeping personal data for the purpose of complying with record keeping obligations (including commercial accounting standards and tax and fiscal retention obligations) is Article 6 (1) c) GDPR (legal obligation).

2.2 Browsing or registering on our websites, social media pages or platforms

When you browse our websites, social media pages or platforms, we may use cookies and other tracking technologies to capture and understand how you use our websites, social media pages and platforms.  

Depending on the cookies and tracking technologies in use, we collect information about your online browsing behavior on our websites, social media pages or platforms, including information about how you react to adverts and offers. We may also collect information about the device you have used to access our websites, social media pages or platforms (including device model and operating system, browser type, IP address, mobile device identifiers).

You can disable cookies at any time by accessing the pop-up menu on the visited website or by blocking them on your browser.

When you register on one of our websites, social media pages or platforms we will additionally process personal details (including name, title, email, telephone), and account details (including username, password, login-/logoff data), except where registration under an alias or pseudonym is permitted.

The legal basis for processing information about online browsing behavior, if it contains personal data, is Article 6 (1) a) GDPR (consent), if we ask you to provide consent and to agree to the processing of your personal data. Specific other provisions in laws relating to data processing in an online context may require your consent as well. Under some circumstances e.g. when we process a limited amount of personal data which, by type and nature does not significantly affect your rights and freedoms, the legal basis for processing your personal data in the context of your browsing or registering on our websites, social media pages or platforms is Article 6 (1) f) GDPR (legitimate interests).

2.3 Communication, marketing, taking part in promotions, events and feedback

When you contact us for any sort of inquiry or request, we will process your personal details (including name, title, company or organization you work for, email, telephone, other contact information), as far as this is necessary to deal with your inquiry or request and to respond to it.

When you have purchased goods or services from us, or if you have indicated to us that you are interested in certain goods or services, we may process your personal details (including name, title, company or organization you work for, email, telephone, other contact information) to contact you and to send you information about our or our business partners’ goods and services, new technological developments, special offers and business opportunities.

When you take part in promotions or events hosted or sponsored by us, we will process your personal details (including name, title, company or organization you work for, email, telephone, other contact information) to manage your participation in the promotion or event, to provide you with information about our or our business partners’ goods and services, new technological developments, special offers and business opportunities. We will also process your personal details to ask for your feedback regarding the promotion or event, your satisfaction with our or our business partners’ goods or services and performance. We may also ask you for contributions to improve and enhance our goods and services and collaboration with our business partners.

The legal basis for processing personal data for the purpose of communicating with you and to respond to any sort of inquiry or request is Article 6 (1) b) GDPR (contractual necessity), as far as it occurs in the context of preparing or facilitating the conclusion of a contract or to answer to inquiries and requests in connection with a contract. As far as personal data is processed for communicating with you on other matters, the legal basis is Article 6 (1) f) GDPR (legitimate interests).

2.4. Legal obligations and compliance

Our business is subject to various laws and regulations that impose legal obligations on us. Some of these laws and regulations may require the collection and processing of personal data (e.g. tax laws, commercial laws, trade and export compliance regulations etc.). Where such legal obligations are based on EU or EU Member State laws and regulations, the legal basis for processing personal data is Article 6 (1) c) GDPR. Where such legal obligations are based on laws and regulations of third countries (non-EU), compliance with these legal obligations may represent a legitimate interest. If so, the legal basis for processing personal data is Article 6 (1) f) GDPR. The latter applies also to the processing of personal data for the purpose of ensuring compliance with our policies, codes of conduct and regulations.

3. Sharing Personal Data with Service Providers and Third Parties

Not all processing of your personal data will be carried out by ConfidentialMind itself. Sometimes we will make use of service providers and vendors (“processors”) who will process personal data for us, on our behalf and under our instructions. Any such outsourcing of data processing will follow a service provider / vendor due diligence and monitoring protocol and will be governed by a Data Processing Agreement.

The ConfidentialMind software operates in your environment, whether on-premises, private cloud or virtual private cloud, meaning you are the processor for the purposes of the data being processed using the ConfidentialMind software.  

3.1. Storing periods for Personal Data

Generally, we keep personal data for no longer than is necessary for pursuing or achieving the purposes for which the personal data is processed.  

If we process personal data for the purpose of handling orders and fulfilling contractual obligations, we will keep your personal data for as long as you have a customer or business relation with us. Personal data that is included in documents or files that are subject to tax laws will be kept for 10 years (unless statutory provisions or pending lawsuits or tax proceedings require longer retention), personal data that is included in documents or files that are subject to commercial laws will be kept for 6 years (unless statutory provisions or pending lawsuits require longer retention).

If we process personal data for the purpose of understanding your online browsing behavior, we will keep personal data only for as long as necessary to create user statistics and analytics reports that use aggregate data (non-personal data).  

If we process personal data for the purpose of communication, marketing, promotion, event and feedback purposes, we will keep the data for a maximum of 6 months, or for as long as we have a legitimate interest to provide you with business, product and service information, or marketing, event and promotion materials, except where you have objected to the processing of your personal data for such purposes.  

If we process personal data for the purpose of compliance with laws and regulations that impose legal obligations on ConfidentialMind, we keep personal data for as long as such laws and regulations require.

If we process personal data for the purpose of recruitment and carrying out the application process, we keep personal data for as long as necessary to review and assess the applications, to select applicants, to negotiate and execute an employment contract, and to exercise rights or defend against claims in the context of the applications process. If an application is successful, your personal data – as far as necessary for carrying out the employment contract – will be kept for as long as you are employed with ConfidentialMind and after termination of your employment, for as long as necessary to comply with retention requirements, or for as long as forthcoming or pending lawsuits require longer retention. If your application is not successful, we will keep your personal data for up to six months for the purpose of defending us against potential claims and lawsuits.

If your application was not successful, but you have agreed that we keep your personal data on file for future opportunities, we will keep your personal data for up to two years, unless specified otherwise on our careers websites, recruitment platforms or job portals, or in a job advertisement.

3.2. Transfers of Personal Data to Third Countries

To provide you with the services you require we may need to transfer your personal data to a jurisdiction outside the EEA. In this case we will do so in compliance with the applicable laws and regulations of the EU.

3.3 Security of Personal Data

We have implemented technical and organizational security measures to protect personal data we process against accidental or unlawful manipulation, destruction or loss, alteration, and against unauthorized disclosure or access by third parties. Such security measures include authentication tools, firewalls, monitoring of IT systems and networks, pseudonymization and encryption of personal data.

The technical and organizational security measures are reviewed and adjusted on a regular basis, taking into account the state of the art of technology, the nature, scope, context and purposes of processing and the risks and probability of occurrence. However, given the dynamic context of security measures, state of the art of technology, vulnerabilities, threats and risks, absolute security cannot be guaranteed.

If you have a particular concern about the security of your personal data, you may make an inquiry at info@confidentialmind.com.

3.4. Marketing Preferences

We may have a legitimate interest to process your personal details (including name, title, company or organization you work for, email, telephone, other contact information) to manage your participation in a promotion or event, or to provide you with information about our or our business partners’ goods and services, new technological developments, special offers and business opportunities. For these purposes we may use your personal details, in accordance with any preferences, if expressed, to send you product and service information and marketing messages by email, post, phone and social media, unless you have asked us not to.

Unless consent is required as a legal basis, which would also require an opt-in, you will always have the opportunity to opt-out of receiving product and service information and marketing messages by simply ticking a box or clicking on a button or link, or by changing your preferences in your account settings, as applicable.

You can of course instruct us in the same way to stop sending you product and service information and marketing messages at any time afterwards. If you instruct us to stop sending you product and service information and marketing messages it might take some time for all our systems and applications to be updated, so you might still get messages from us while we fully process your instruction.

Please note that instructing us to stop sending marketing messages will not stop our other communication with you, such as order confirmations, order updates, shipping notices or payment requests.

3.5. Your Rights over your Personal Data

You have many rights over your personal data and how it is used. These rights are summarized below. To assert any of these rights you may contact info@confidentialmind.com.

3.5.1. Right to access your Personal Data

You have the right to request confirmation as to whether we process personal data concerning you.

If we process personal data about you, you have the right to request access to the personal data and to obtain information regarding the purpose of the processing; the categories of personal data concerned; who else outside ConfidentialMind might have received the data; any available information about the source of the data, if you did not provide it directly to us; the envisaged period for which the personal data will be stored, or, if not possible, the criteria used to determine that period. You may also request a copy of the personal data undergoing processing.

3.5.2. Right to rectify your Personal Data

You have a right to rectify or request a correction of the record of your personal data processed by us, if it is inaccurate or incorrect.

3.5.3. Right to erase your Personal Data

You have the right to request erasure of your personal data. However, there may be reasons and legal grounds for keeping your personal data despite your request, e.g. if we need the data to fulfill orders or other contractual obligations, or if record keeping obligations prevent the erasure, or when we handle an ongoing complaint. If we need to continue to process your personal data, we will tell you why we need to do this when we respond to your request.

3.5.4. Right to object to the processing of your Personal Data

You have the right to object to the processing of your personal data on grounds relating to your situation and circumstances. However, there may be reasons and legal grounds for processing your personal data despite your objection. If we refuse your request, we will provide you with information explaining why we have refused your request.

As far as we use your personal data for direct marketing purposes, you have the right to object at any time. This includes any profiling of your personal data that is related to direct marketing.

3.5.5. Right to restrict the processing of your Personal Data

You have the right to restrict the processing of your personal data. This means that under certain conditions you can limit the way we process and use your personal data. The right to restrict the processing may be exercised if you have issues with the content of the personal data we hold or how it is processed.

3.5.6. Right to withdraw Consent to process your Personal Data

Where consent is the legal basis for the processing of your personal data, you have the right to withdraw your consent at any time. However, withdrawal of consent takes effect for the future only.

3.5.7. Right to portability of your Personal Data

You have the right to request us to move, transfer or copy personal data you have provided to us so that you can use the personal data in a different service or with a different provider. You can request to receive a copy of the personal data in a commonly used and machine-readable format, so you can store it for further personal use. You can also request that we transmit it directly to another organization.

However, the right to data portability may be subject to limitations due to the technical feasibility of a transmission. The right to data portability does not create an obligation for us to adopt or maintain processing systems which are technically compatible with those of other organizations.

3.5.8. Right to lodge a complaint with the Data Protection Authority

You have the right to lodge a complaint with the relevant Data Protection Authority if you believe that we have not handled your personal data correctly and lawfully or if you believe that we have not dealt appropriately with your requests.

The relevant Data Protection Authority where the complaint should be made is the one that is competent for the place of your habitual residence or place of work, or the one that has jurisdiction over the place where the alleged infringement has occurred. When you have lodged a complaint, the Data Protection Authority will inform you of the progress and outcome of the complaint. 

3.6. How to contact us on Data Protection

If you have any questions or concerns about this Privacy Policy or about the protection of your personal data, please feel free to contact us at info@confidentialmind.com.  

3.7. Data Controller and Data Processor

If we determine the purpose and means of the personal data processing, we are the data controller and will operate in compliance with this Privacy Policy. If the purpose and means of the personal data processing are determined by another entity or company, we will process the data in accordance with the instructions of such entity or company and we will only be a data processor under the applicable regulations. In this case, this data protection Privacy Policy will not apply directly to you, but unless otherwise agreed with the entity or company controlling the processing, it will serve as the basis for processing on behalf of such company.

3.8. Amendments to this Privacy Policy

We reserve the right to amend this Privacy Policy at any time.

Our Address

Otakaari 27,
02150 Espoo,
Finland

Email us

info (@) confidentialmind.com