ZenTreasury OY'S PRIVACY POLICY AS A CONTROLLER

Last Modified: September 7, 2018

This ZenTreasury Oy's (hereinafter ZenTreasury Oy may also be referred to as "we" or "us") privacy policy describes the personal data processing activities of ZenTreasury Oy as the controller (hereinafter "Privacy Policy"). This Privacy Policy contains ZenTreasury Oy's records of processing activities as the controller, and it also acts as a communication from us to our data subjects (hereinafter our data subjects may also be referred to as "you" or "your") through which we inform the data subjects of the ways ZenTreasury Oy processes their personal data. Thus, this Privacy Policy contains at least the information that Articles 13, 14 and 30 of the EU's General Data Protection Regulation (679/2016) (hereinafter "GDPR") require of us.

We also act as the processor for the personal data our customers disclose to us when they use our SaaS services. When we process that personal data on behalf of our customers, we apply the practices that are described in Sections 14 and 15 below. Otherwise we comply with the provisions of each relevant data processing agreement.

ZenTreasury Oy aims to ensure that this Privacy Policy is always publicly, transparently and easily available at ZenTreasury Oy's websites.

1) CONTROLLER

Name: ZenTreasury Oy

Business ID: 2762104-2

Address: Aalto Start-Up Center Otakaari 5, 02150 Espoo, Finland

2) PERSON IN CHARGE OF DATA FILES

Name: Lars Nevalainen

Contact details: +358942468301, [email protected]

3) CATEGORIES OF DATA SUBJECTS

ZenTreasury Oy's Privacy Policy as the controller concerns the following categories of data subjects:

  • 3.1) persons who act as contact persons of our customers or are otherwise our customers;

  • 3.2) persons who act as our potential customers' contact persons or otherwise could act as our customers;

  • 3.3) persons who are the shareholders of ZenTreasury Oy, employed by ZenTreasury Oy or seek employment from ZenTreasury Oy; and

  • 3.4) persons who contact us through email or other similar means.

4) CATEGORIES OF PERSONAL DATA

The data files concerning the data subjects of Sections 3.1) - 3.2) may contain the following categories of personal data:

  • contact information, such as full name, address, phone numbers and e-mail addresses;

  • nationality, age, gender, title or profession and language skills;

  • possible registration information, such as username, pseudonym, password and other unique identification;

  • information regarding the customer relationship, such as billing and payment information, product-, service- and ordering information, information regarding customer feedback and contacts and cancellation information;

  • information relating to the implementation of communications and information relating to use of services, such as browsing and search information; and

  • possible other information gathered with the data subject's consent.

The data files concerning the data subjects of Sections 3.3) - 3.4) may contain the following categories of personal data:

  • contact information, such as full name, address, phone numbers, e-mail addresses and personal identification numbers;

  • videos and pictures;

  • nationality, age, gender, title or profession and mother tongue;

  • other information derived from the CVs, such as the work experience, educational background and other such skills;

  • bank account data;

  • possible registration information, such as username, pseudonym, password and other unique identification;

  • information relating to the implementation of communications and information relating to use of services, such as browsing and search information; and

  • possible other information gathered with the data subject's consent.

5) PURPOSE OF THE PROCESSING OF PERSONAL DATA

Personal data of the data subjects of Sections 3.1) - 3.2) can be processed for the following purposes:

  • management and development of the customer relationship;

  • customer service;

  • to enable us to comply with our legal and regulatory obligations; and

  • analysis and statistics.

Personal data of the data subjects of Sections 3.3) - 3.4) can be processed for the following purposes:

  • management and development of the employee and jobseeker relationships;

  • management of employment contracts and other related matters;

  • customer service;

  • management and development of the customer relationship;

  • to enable us to comply with our legal and regulatory obligations; and

  • analysis and statistics.

6) LEGAL BASIS FOR PROCESSING

The controller has the right to process the personal data of the data subjects, depending on the situation at hand, based on the:

  • consent received from the data subject;

  • performance of a contract to which the data subject is party or request of the data subject prior to entering into a contract;

  • legitimate interests pursued by the controller or by a third party; or

  • legal obligation to which the controller is subject.

7) REGULAR SOURCES OF INFORMATION

Information regarding the data subject is regularly gathered:

  • from data subjects themselves through our service, via phone, internet, e-mail or in other similar fashion;

  • with cookies and other similar technologies;

  • by ZenTreasury Oy's other affiliate companies; and

  • from the Population Register Center/Population Information System, Posti's address database, phone companies' databases and other similar private and public registries.

8) PERIOD FOR WHICH THE PERSONAL DATA WILL BE STORED

  • 8.1) We shall retain only the necessary data of the data subjects of Section 3.1) for a period of two (2) years following the end of customer relationships.

  • 8.2) We shall retain only the necessary data of the data subjects of Section 3.2) for a period of three (3) years following collection of the data, if the data subjects have not turned into our actual customers.

  • 8.3) We shall retain only the necessary data of our current and former shareholders of Section 3.3) indefinitely, as we are required to do under the applicable law.

  • 8.4) We shall retain only the necessary data of our employees of Section 3.3) for a period of ten (10) years following the end of their employment in our company, because we have a legal obligation to provide our former employees with references during that period.

  • 8.5) We shall not retain the data of the jobseekers of Section 3.3) if the data subjects do not explicitly give us their consent to do so. Having received such a consent, we may retain only the necessary data of the data subjects for a period of six (6) months following explicit consent.

  • 8.6) We shall retain only the necessary data of the data subjects of Section 3.4) for a period of three (3) years following the contact.

  • 8.7) However, we may retain the data of the data subjects of Sections 3.1) - 3.4) for longer than is described above, where we are required to do so by law, it is necessary due to legal proceedings and it is necessary for any similar reason. We shall be careful not to apply this Section in vain.

  • 8.8) We inspect the necessity of the personal data stored every twelve (12) months and keep records of the inspections.

9) CATEGORIES OF RECIPIENTS OF PERSONAL DATA

The recipients of personal data may consist of the following categories:

  • ZenTreasury Oy's affiliate and customer companies;

  • parties who offer cloud services;

  • parties who offer accounting and auditing services;

  • parties who help ZenTreasury Oy to fulfill its legal obligations; and

  • ZenTreasury Oy's customers.

10) INFORMATION TRANSFER OUTSIDE OF EU OR THE EUROPEAN ECONOMIC AREA

Personal data may also be transferred outside of the EU or EEA. The personal data is located in data warehouses of the owners of the services that we use. When we transfer personal data outside the EU or the EEA, we ensure that the data is processed in accordance with the relevant personal data protection laws.

11) DATA SUBJECTS' RIGHTS

The data subject has a right to use all of the below-mentioned rights.

Requests concerning the rights shall be submitted to the person in charge of the data file stated in Section 2. The rights of the data subject can be exercised only when the data subject has been satisfactorily identified.

Right to inspect

Having presented the adequate and necessary information, the data subject has the right to know what, if any, data the controller has stored about her/him. While providing the requested information to the data subject, the controller must also inform the data subject of the controller's regular sources of information, what the personal data are used for and where they are regularly disclosed.

Right to rectification and erasure

The data subject has a right to request the controller to rectify the inaccurate and incomplete personal data concerning the data subject.

The data subject can request the controller to erase the personal data concerning the data subject, if:

  • the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed;

  • the data subject withdraws the consent on which the processing is based;

  • the personal data have been unlawfully processed; or

  • the personal data have to be erased for compliance with a legal obligation in Union or Member State law to which the controller is subject.

Let it be known that the data subjects' rights to rectify and erase data do not concern the data which the controller must retain due to its legal obligations.

If the controller does not accept the data subject's request to rectify or erase the personal data, it must give a decision on the matter to the data subject in a written form. The decision must include the reasons for which the request was not granted. The data subject may refer the matter to the relevant authorities (the Data Protection Ombudsman in Finland).

The controller must inform the party to whom the controller has disclosed the personal data, or from whom it has received the personal data, of the rectification or erasure of personal data. However, there is no such obligation where the fulfilment of the obligation would be practically impossible or otherwise unreasonable.

Right to restriction of processing

The data subject can request the controller to restrict the processing of the personal data concerning the data subject where one of the following applies:

  • the accuracy of the personal data is contested by the data subject, for a period enabling the controller to verify the accuracy of the personal data;

  • the processing is unlawful, and the data subject opposes the erasure of the personal data and requests the restriction of their use instead;

  • the controller no longer needs the personal data for the purposes of the processing, but they are required by the data subject for the establishment, exercise or defense of legal claims; or

  • the data subject has objected to processing pursuant to Article 21(1) of the GDPR pending the verification whether the legitimate grounds of the controller override those of the data subject.

If the controller has based the restriction of the processing of personal data on the abovementioned criteria, the controller shall notify the data subject before removing the restriction.

Right to object

Where personal data are processed for direct marketing purposes, the data subject shall have the right to object at any time to processing of personal data concerning her/him for such marketing, which includes profiling to the extent that it is related to such direct marketing.

Right to data portability

The data subject shall have the right to receive the personal data concerning her/him, which he or she has provided to a controller, in a structured, commonly used and machine-readable format and have the right to transmit those data to another controller without hindrance from the controller to which the personal data have been provided, where the processing is based on consent or a contract.

Automated individual decision-making, including profiling

The data subject shall have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning him or her or similarly significantly affects him or her.

However, the data subject shall not have the aforementioned right if the decision is:

  • necessary for entering into, or performance of, a contract between the data subject and us;

  • authorised by Union or Member State law to which the controller is subject and which also lays down suitable measures to safeguard the data subject's rights and freedoms and legitimate interests; or

  • based on the data subject's explicit consent.

Right to withdraw consent

Where the legal basis for the processing of personal data is the consent of the data subject, the data subject shall have the right to withdraw her/his consent.

12) RIGHT TO LODGE A COMPLAINT WITH A SUPERVISORY AUTHORITY

The data subject shall have the right to lodge a complaint with a supervisory authority, if the data subject considers that the processing of personal data relating to him or her infringes the GDPR. The complaint can be lodged in the Member State of her/his habitual residence, place of work or place of the alleged infringement.

13) COOKIES

Our service uses cookies in order to make it more user-friendly and to anonymously track your use of the Service. This is standard practice on most websites.

Cookies are small text files that a website stores on your device when you browse that website. Cookies store data of your website use.

Cookies are not used for identifying a person.

You can control and/or remove cookies freely at the individual browser level. Instructions can be found, for example, at aboutcookies.org

In order to improve our service, we gather, measure and analyze data concerning your use of the service including (but not limited to) activity, page views, unique visitors and bounce rate.

We use third party services, such as Cloudflare, Google Analytics, HubSpot CRM & Marketing and Mailchimp, to collect standard internet log information and details of visitor behaviour patterns. The services need to place cookies to enable their services.

Cloudflare

We use Cloudflare for CDN service, securing the service, DNS management, cache control and other network services.

More information about Cloudflare privacy policy: https://www.cloudflare.com/security-policy

Google Analytics

This website uses Google Analytics, a web analytics service provided by Google, Inc. ("Google"). Google Analytics uses so-called "cookies", files that are stored on your computer and which are employed to provide an analysis of your use of our sites. The information collected by the cookie regarding your use of the site is generally transferred to Google servers in the US and stored there. In the event IP anonymization is activated for this website, Google will crop your IP address if it originates from within a member state of the European Union or any parties to the Agreement on the European Economic Union. Only in exceptional cases will a complete IP address be forwarded to Google servers in the US and then cropped. IP anonymization has been activated on our websites.

More information about Google Analytics privacy policy: https://support.google.com/analytics/answer/6004245?hl=en&ref_topic=2919631

More information about Google Analytics cookie usage: https://developers.google.com/analytics/devguides/collection/analyticsjs/cookie-usage

Google also offers a browser add-on which allows you to block ('opt out' of) Google Analytics cookies on all websites: https://support.google.com/analytics/answer/181881?hl=en&ref_topic=2919631

HubSpot CRM & Marketing

This website uses HubSpot CRM & Marketing, a web customer relationship management and marketing service provided by HubSpot, Inc. ("HubSpot"). HubSpot uses "cookies", which are text files placed on your computer, to help the company to manage their business clients. The information generated by the cookie about your use of the website will be transmitted to and stored by HubSpot on servers in the United States.

More information about HubSpot privacy policy: https://legal.hubspot.com/privacy-policy

More information about HubSpot cookie usage: https://knowledge.hubspot.com/articles/KCS_Article/Reports/What-cookies-does-HubSpot-set-in-a-visitor-s-browser

HubSpot is certified under the EU-US Privacy Shield in order to guarantee an adequate level of data protection. More information about the EU-US Privacy Shield program can be found here: https://www.privacyshield.gov/welcome

Mailchimp

We use Mailchimp to deliver our e-newsletter. We gather statistics around email opening and clicks using industry standard technologies to help us monitor and improve our e-newsletter.

More information about Mailchimp privacy policy: https://mailchimp.com/legal/privacy/

14) SECURITY OF PROCESSING

We carry out the appropriate measures (including physical, digital and administrative measures) to protect personal data against loss, destruction, misuse and unauthorised access or disclosure. For example, personal data can only be accessed by the people who need it to carry out their work.

15) DATA PROTECTION PRINCIPLES

ZenTreasury Oy uses all reasonable efforts to maintain physical, electronic, and administrative safeguards to protect personal information from unauthorized or inappropriate access, but ZenTreasury Oy notes that the Internet is not always a secure medium. ZenTreasury Oy restricts access to information about data subjects only to the personnel of ZenTreasury Oy that need to know the information, e.g. for responding to inquiries or requests made by the data subjects.