Legal

Privacy Policy

How ConfidentialMind collects, processes, and protects personal data.

Introduction

Confidentialmind Oy and its Affiliates (“ConfidentialMind”) are committed to ensuring compliance with applicable data protection laws and regulations in the European Union (“EU”), as well as any other data protection requirements in jurisdictions where ConfidentialMind operates. This Privacy Policy explains how and why we collect, process, and use personal data, and it outlines your rights as a data subject.

Scope and Supplement

This Privacy Policy covers all forms of processing of personal data by ConfidentialMind, except for personal data of employees and applicants, which is subject to a separate privacy notice. It describes how ConfidentialMind collects, uses, and shares personal data obtained directly from users, customers, suppliers, business partners, or other parties, as well as personal data obtained from indirect sources.

It applies to personal data collected through any channel or medium, including email, file transfer, applications and tools, websites or mobile apps, social media pages, and platforms.

1. Application of National Laws

While the GDPR applies to the processing of data of EU residents, specific countries may impose additional data protection requirements, particularly on conditions for lawful data processing. The applicability of such laws will be considered on a case-by-case basis.

2. Personal Data We Process, Purposes, and Legal Basis

The personal data we process depends on the context and nature of your interaction with us. We strive to minimize the personal data we process.

2.1 Handling Orders and Contractual Obligations

When you place orders, request product information, or seek support, we process personal data necessary to negotiate and execute contracts, fulfill contractual obligations, and exercise contractual rights. This includes advisory services related to the contract.

We may process personal details (such as name, title, email, telephone, postal address, shipping and billing address), order and customer information (including goods and services ordered, instructions, business activities, interests, and order history), and financial information (such as invoice data, payment terms, and payment preferences).

The legal basis for handling orders and contracts is Article 6(1)(b) GDPR (contractual necessity). For understanding customer activities and order history, the legal basis is Article 6(1)(f) GDPR (legitimate interests). For complying with record-keeping obligations, the legal basis is Article 6(1)(c) GDPR (legal obligation).

2.2 Browsing or Registering on Our Websites, Social Media Pages or Platforms

When you browse our websites, social media pages, or platforms, we may use cookies and tracking technologies to understand how you use them. Depending on the technologies used, we may collect information about your online behavior, device data, and the way you interact with advertisements and offers. You can disable cookies via the website pop-up or your browser settings.

When you register on our sites or platforms, we additionally process personal details (name, title, email, telephone) and account details (username, password, login/off data), unless alias or pseudonym registration is permitted.

The legal basis for processing online behavior data is Article 6(1)(a) GDPR (consent) where required. In some contexts, when the data has limited impact on rights and freedoms, we rely on Article 6(1)(f) GDPR (legitimate interests).

2.3 Communication, Marketing, Promotions, Events, and Feedback

When you contact us, we process your personal details (name, title, company, email, phone, and other contact information) to address your request. We use similar data to provide product information, updates, and opportunities when you have purchased or expressed interest in our services.

For promotions or events, we process personal details to manage participation, share relevant information, and collect feedback or contributions for improvement.

The legal basis for processing in the context of contracts is Article 6(1)(b) GDPR (contractual necessity). For other communications, marketing, and feedback, the legal basis is Article 6(1)(f) GDPR (legitimate interests).

2.4 Legal Obligations and Compliance

We process personal data to comply with legal obligations (e.g., tax, commercial, trade, and export regulations). When these obligations stem from EU laws, the legal basis is Article 6(1)(c) GDPR. For obligations from non-EU laws, compliance may constitute a legitimate interest, making Article 6(1)(f) GDPR the legal basis. The same applies to compliance with internal policies and codes of conduct.

3. Sharing Personal Data with Service Providers and Third Parties

ConfidentialMind may engage service providers and vendors to process personal data on our behalf. Such processing is governed by contractual agreements, including Data Processing Agreements, and is subject to due diligence and monitoring protocols.

The ConfidentialMind software operates in your environment (such as on-premises or private cloud), making you the processor for data processed using the software.

3.1 Storing Periods for Personal Data

We retain personal data only as long as necessary to fulfill the purposes for which it was collected.

  • Orders and contracts: Personal data is kept as long as you maintain a business relationship with us. Data required for compliance with tax laws is retained for 10 years and data under commercial laws for 6 years, unless longer retention is legally required.
  • Online browsing data: Retained only as long as needed to generate anonymized statistics and analytics.
  • Communication & marketing data: Retained for up to 6 months or as long as we have a legitimate interest, unless you object.
  • Compliance data: Retained for as long as laws and regulations require.
  • Recruitment data: Retained for the duration of the application process and up to 6 months thereafter for legal defense purposes. If you consent, we may retain data for up to two years for future opportunities.

3.2 Transfers of Personal Data to Third Countries

To deliver services, we may transfer personal data to jurisdictions outside the EEA. Such transfers are conducted in compliance with EU laws and regulations.

3.3 Security of Personal Data

We implement technical and organizational measures to safeguard personal data against unauthorized access, alteration, and loss. These measures include authentication tools, firewalls, monitoring, and encryption. We regularly review and update these measures to address emerging risks and technologies.

While we strive for robust security, absolute protection cannot be guaranteed. If you have specific concerns, contact us at [email protected].

3.4 Marketing Preferences

We may process personal details to manage participation in promotions or events and to communicate product and service updates, subject to any expressed preferences. We may send marketing communications via email, post, phone, or social media unless you opt out.

You may unsubscribe or adjust your preferences at any time. Please note that opting out of marketing does not affect essential communications such as order confirmations or payment notices.

3.5 Your Rights Over Your Personal Data

You have several rights regarding your personal data. To exercise any of these rights, contact us at [email protected]. These rights include:

  • Right to access: Request confirmation and access to personal data we process about you.
  • Right to rectification: Request correction of inaccurate data.
  • Right to erasure: Request deletion of data, subject to legal obligations or other valid reasons to retain it.
  • Right to object: Object to processing based on your situation. We will explain if we must continue processing.
  • Right to restrict processing: Request limits on how we process your data in certain circumstances.
  • Right to withdraw consent: Withdraw consent for future processing where consent is the legal basis.
  • Right to data portability: Request transfer of data in a machine-readable format to you or another organization, subject to technical feasibility.
  • Right to lodge a complaint: File a complaint with the relevant Data Protection Authority if you believe we have not handled your personal data correctly.

3.6 How to Contact Us on Data Protection

If you have questions or concerns about this Privacy Policy or your personal data, contact us at [email protected].

3.7 Data Controller and Data Processor

When ConfidentialMind determines the purposes and means of processing personal data, it acts as the data controller and complies with this Privacy Policy. Where another entity determines the processing purposes and means, we act as a data processor in accordance with their instructions. Unless otherwise agreed, this Privacy Policy serves as the basis for such processing.

3.8 Amendments to This Privacy Policy

We reserve the right to amend this Privacy Policy at any time.