Customer Register


1. Controller

Name: Vainu. io Software Oy (Business-ID 2557864-2) (hereinafter “Vainu”). All subsidiaries of Vainu Corporation also apply the principles and policies described herein.

Address: Siltasaarenkatu 8-10, 00530 Helsinki, Finland

Contact Details:

2. Data Privacy Officer

Name: Sami Kekäläinen

Address: Siltasaarenkatu 8-10, 00530 Helsinki, Finland

Contact Details:

3. Name of Register

The name of the personal data register is the Customer Register of Vainu (“hereinafter Register”). Data subjects of the Register are Customers of Vainu and parties who have subscribed to the free trial version of Vainu’s service (“hereinafter Customers”).

4. Purposes and legal basis of processing personal data

The main purpose of the register is the management of customer relationships.

The personal data of the Customers is processed for the following purposes:

- Carrying out and administering the customer relationships
- To create, develop, operate, deliver, and improve products, services, content, and advertising
- Customer communications such as sending notices, communications about purchases, and changes to our terms, conditions, and policies
- Carrying out customer satisfaction surveys and monitoring the results
- Creating statistics and analytics about customers and
- Direct marketing based on customer relationship
- Creation of personal user identification and password mandatory for using the service and administering such prospective client and user

The legal basis for the processing of personal data is the performance of a contract and the legitimate interest of the controller.

In addition, Vainu’s Service provides to the end-users of our Customers the possibility to link their email or other accounts to the Service. Explicit consent is required from the end-users for this processing. In doing so, we may receive the limited data as explicitly granted by you that we will process in accordance with this policy.

In general, our services are designed in a manner that we do not collect or store all of the data to which you may provide us access, but minimize our processing through technology. The purpose is to provide the end-users with automated information concerning the legal entities from the Service they are in contact with through their email or other accounts.

The end users may at any time disconnect the link between the Service and their email or other accounts at their own will, after which the processing will cease. Vainu does not store the contact details or contents of any emails during the processing.

5. Legitimate interest of the controller

The processing of personal data for marketing purposes based on prior business and/or contractual relationship with the Customer is regarded as a legitimate interest of the controller.

6. Personal Data Groups

The Register contains the following personal data:

- Basic information on the user such as name, title, role, email address, phone number
- User credentials such as personal user identification and password, authentication data for integrations, saved searches, permissions, saved reports
- ICT and security data such as IP-address, cookies
- Historical data such as signup date, last login, other usage data, analytics
- Client feedback and marketing data such as chat and other communication with prospects and customers, feedback from customers
- Customer-specific information such as information received from meetings or phone calls, which is deemed necessary for the administration of customer relationships

7. Regular sources of personal data

Personal data is primarily collected from the signed agreements by Customers and from the data subject or colleague/manager of the data subject. In the registration process, the nature of the content of collected data depends on information that the Customer/user has submitted. Personal data is also collected directly from the Customers in connection with information received during phone calls, meetings, or other collaboration in connection with the administration of the business relationship, which may be added to the register by Vainu employees.

8. Automated Decision-making and Profiling

Data concerning the use of the service by Customers are assessed by Vainu. The purpose is to provide targeted customer content both when using the software and customer communication (emails, website, software, chat, 1 on 1 communication, recommendations on available features) based on the used features, the adaptation of content, and customer satisfaction feedback. These procedures include automated profiling.

9. The Recipients of Personal Data

The primary recipient of personal data are employees of Vainu. The controller may disclose the personal data to its group companies, subsidiaries and other third parties based on contractual obligations or authority demands.

Personal information may be shared with companies who provide services such as information processing, maintenance, fulfilling customer orders, delivering services, managing and enhancing customer data, providing customer service, assessing interest in products and services, and conducting customer research or satisfaction surveys.

For the above-mentioned purposes, personal data of the Customers can, based on the performance of a contract, be disclosed to the following parties:

- System vendors and administrators of the servers
- Cooperation partners and service providers
- Communication platforms such as Slack.
- Contact register. Customer data is partly transferred to the internal contact register of Vainu.

In case necessary by law, legal process, litigation, and/or requests from public and governmental authorities, Vainu may disclose your personal information.

10. Transfer of Data outside EU/EAA

In connection with the purposes for processing personal data in the Register, Vainu may transfer certain information to trusted third parties, which transfer and store the data outside EU/EAA area. Transfer of personal data is secured in accordance with the requirements of law. Only a limited amount of personal data is transferred to Vainu’s service providers, which is necessary for the performance of the tasks in accordance with the service contract in place.

Vainu will only disclose personal data based on a contract to third parties operating outside EU/EAA, which have taken steps to ensure that adequate data protection arrangements are in place in accordance with the data protection regulation. These may include but are not limited to, Data Protection Agreements or standard contractual clauses provided by the European Commission.

11. Storage Period of Personal Data

Personal data will be stored only as long as and only to the extent that is necessary in relation to the initial and compatible purposes of processing. In any event, the personal data is stored in accordance with the possible applicable lawful storing period. Personal data will be stored with the following time period or criteria used to determine that time period: The personal data received based on customer relationship is stored for a period of two (2) years, from the termination of the contract

The controller evaluates the need to store personal data regularly. In addition, the controller performs all possible reasonable measures to ensure that any inaccurate, incorrect, or outdated personal data will be deleted or corrected without delay.

12. Data Security principles of Personal Data

The vast majority of the controller's personal data is in electronic form. In case there are physical documents containing personal data, such documentation is destroyed immediately. The servers used by the controller are protected by appropriate firewalls and technical security.

All databases and information systems are accessible only with individual and personal login information (username and password) granted by the controller. The rights to access the database are restricted so that the information can only be viewed and processed by persons who are legally admitted and required to do so.

The employees of the controller have bound themselves to comply with professional secrecy and concealment regarding the information they receive during the processing of personal information. privacy and security guidelines have been communicated to employees and strictly enforce privacy safeguards within the company.

13. Right of access and right to rectification by Data Subject

Information and access to personal data

Data subject has right to receive information; what data is being collected, the purposes of the processing for which the personal data are intended as well as the legal basis for the processing and the recipients or categories of recipients of the personal data if any.

Right of access by the data subject

Data subject shall have the right to obtain from the controller confirmation as to whether or not personal data concerning him or her are being processed, and, where that is the case, access to the personal data. The controller shall provide a copy of the personal data undergoing processing. Obtaining a copy of personal data shall not adversely affect the rights and freedoms of others.

Right to rectification

Data subject shall have the right to obtain from the controller without undue delay the rectification of inaccurate personal data concerning him or her.

Taking into account the purposes of the processing, data subject shall have the right to have incomplete personal data completed, including by means of providing a supplementary statement. In case there are changes in personal data recorded in the Register, the data subject must notify such changes the controller. The controller is responsible for ratifying data it recognizes erroneously itself without delay.

Data used for direct marketing

Data subject has the right to object processing, to the extent that it is related to direct marketing, whether with regard to initial or further processing, at any time and free of charge.

The controller shall communicate any rectification or erasure of personal data or restriction of processing carried out to each recipient to whom the personal data have been disclosed unless this proves impossible or involves disproportionate effort. The controller shall inform data subject about those recipients if data subject requests it.

The request may be submitted to the following address

Request for access to personal data (Article 15), request for rectification (Article 16), and request for restriction of processing (Article 18) may, in addition, be delivered to the Data Privacy Officer.

14. Right to erasure

The controller shall have the obligation to erase personal data without undue delay where one of the following grounds applies:

- personal data that is no longer necessary in relation to the purposes for which they were collected or otherwise processed;
- the data subject withdraws consent on which the processing is based and there is no other legal ground for the processing;
- personal data have been unlawfully processed;
- personal data have to be erased for compliance with a legal obligation in Union or Member State law to which the controller is subject;

Despite the request for erasure, the data does need to be erased in case the controller is obliged to process personal data for the establishment, exercise, or defense of legal claims.

The controller, taking account of available technology and the cost of implementation, shall take reasonable steps, including technical measures, to inform controllers which are processing the personal data that the data subject has requested the erasure by such controllers of any links to those personal data.

15. Right to restriction of processing

Data subject has the right to obtain from the controller restriction of processing where one of the following applies:

- the processing is unlawful and data subject opposes the erasure of the personal data and requests the restriction of their use instead;
- the controller no longer needs the personal data for the purposes of the processing, but they are required by data subject for the establishment, exercise or defence of legal claims

In case data subject has demanded for restriction of processing, the personal data may be processed only based on consent of data subject (excluding storage of data) OR for the establishment, exercise or defense of legal claims OR protect the vital interests of data subject or of another natural person OR to protect vital interest pursuant to Union or Member State law.

Data subject who has obtained restriction of processing shall be informed by the controller before the restriction of processing is lifted, besides if the provision of such information proves impossible or would involve a disproportionate effort.

16. Right to withdraw the consent and right to object

Data subject shall have the right to withdraw his or her consent at any time. The withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal.

The right to object shall not apply when processing of personal data is necessary for the performance of a contract or when processing is necessary for compliance with a legal obligation.

Data subject is obliged to object processing of personal data when the lawfulness of the processing is based on the controller’s legitimate interest

17. Right to Data Portability

When the processing is based on consent or on a contract:

- Data subject shall have the right to receive the personal data concerning him or her, which he or she has provided to a controller, in a structured, commonly used and machine-readable format and have

- In case technically appropriate and not disproportionate for the controller, data subject has the right to transmit those data to another controller without hindrance from the controller to which the personal data have been provided. Transmission of data shall not adversely affect the rights and freedoms of others.

18. Right to lodge a complaint to the supervisory authority

Data subject has a right to lodge a complaint with a supervisory authority, in case data subject considers that the processing of personal data violates the relevant data protection legislation in force. The national supervisory authority is Data Protection Ombudsman.

Data Protection Ombudsman: Visiting address: Ratapihantie 9, 6th floor: 00520 Helsinki: FINLAND

Postal address: : P.O. Box 800: 00521 Helsinki: FINLAND

Telephone exchange: +358 29 56 66700: E-mail: