Privacy policy on the processing of our customers' personal data
The purpose of this notice is to inform our customers (company customers and creators), about how we process their personal data. It is Boksi.com Solutions Oy's policy to respect your privacy regarding any information we may collect from you across our platform on the website, https://boksi.com, and other sites we own and operate. We take compliance with the EU General Data Protection Regulation (hereinafter “GDPR”) and other applicable personal data processing legislation seriously when processing personal data. We also ensure that processing is secure and that our data protection practices allow the full exercise of data subjects' rights.
Controller
Boksi.com Solutions Oy
Business ID2913651-8
Lönnrotinkatu 18 A 11, 00100 Helsinki
E-mail address: gdpr@boksi.com
(hereinafter "we")
Any communication or requests concerning this document should be made in writing or in person to the contact person indicated in this section.
Personal data processed, purpose of processing and legal basis
|
Personal data
|
Purpose of processing
|
Legal basis
|
|
Basic information such as name, date of birth, social security number, customer number, user name and/or other unique identifier, password, language of service
Contact information such as email address, phone number, address details
Information about the company and its contact persons, such as the business ID and the names, titles and contact details of the contact persons
|
Providing you with our platform's core features and developing our services. Enabling you to access and use our website, associated applications and associated social media platforms.
|
Our legitimate interest in managing and developing the customer relationship
|
|
Customer surveys
|
|
Fulfilling our contractual and other promises and obligations.
|
Performance of a contract
|
|
Billing
|
|
Marketing our services to businesses
|
Our legitimate interest in sending electronic direct marketing to businesses
|
|
Accounting
|
Legal obligation
|
|
Direct marketing bans and consents
|
Respecting the customer's wish regarding direct marketing
|
Our legal obligation to comply with the prohibition on direct marketing
|
|
Information related to the events the customer attends such as registration details, special dietary requirements, invoicing information
|
Organising events
|
Our legitimate interest to host events and, if necessary, to invoice
|
|
Consent for health information (e.g. allergies)
|
|
Customer and contract information such as information about past and current contracts, correspondence and other communications, payment information and information the customer has voluntarily provided to our systems
|
Fulfilling our contractual and other promises and obligations
|
Implementation of the agreement
|
|
Billing
|
|
Customer relationship management
|
Our legitimate interest in managing and developing the customer relationship
|
|
Accounting
|
Legal obligation
|
|
Information about the communication connection and terminal device, such as IP address, device ID or other device-specific identifier, and cookie information
|
Targeting advertising on our online services
|
Consent
|
|
Behavioural analysis and profiling
|
Where you consent to our use of information about you for a specific purpose, you have the right to change your mind at any time (but this will not affect any processing that has already taken place).
Data sources
Personal data is primarily obtained from the customer through, for example, our platform, messages sent via web forms, email, telephone, cookies, social media services and other situations where the company customers and creators disclose their data.
In addition, personal data may also be collected and updated for the purposes described in this Privacy Notice from publicly available sources.
Transfers, disclosures and recipients of personal data
We use subcontractors, such as software service providers and online tool providers, to process personal data on servers managed by us. Data may be published to the extent agreed with the customer.
Some of the online tools we use allow data to be transferred outside the EU or EEA, for example to the United States. Where personal data is processed outside the EU/EEA, we will ensure that the subcontractor is bound by the EU Commission's Model Clauses on the processing of personal data.
General description of technical and organisational safeguards
Only those of our employees who are entitled to process customer data as part of their job are entitled to use the systems containing personal data. Each user has his/her own user name and password to the system. We have signed agreements with system providers and other partners who process personal data, in which our partners have committed to comply with the data protection and security requirements of the GDPR.
Databases containing personal data are protected by passwords and access control. The data is located in an environment protected by appropriate security software and technical arrangements. Manually processed documents containing customers' personal data are kept in locked storage facilities.
Retention period of personal data
We will not retain your personal data for longer than is permitted by law and necessary to provide the service or essential elements of the platform service. The retention period depends on the nature of the data and the purposes of the processing. The maximum period may therefore vary depending on the purpose of use.
Retention period when registering on the platform (account creation and data collected through it):
- Core customer data is stored for the duration of the customer relationship.
- The customer account is considered terminated and will be automatically deleted unless the customer logs into the account at least once every 6 years.
- When a customer account is closed, all data associated with it, including subscription history, will be deleted or anonymised.
In addition, after the end of the customer relationship, personal data relating to customer transactions may be kept for longer than as shown above, in accordance with the retention periods required by the Accounting Act.
We regularly assess the necessity of data retention in the light of applicable laws. In addition, we will take reasonable steps to ensure that no personal data relating to data subjects is incompatible, outdated or inaccurate for the purposes of processing. We will correct or destroy such data without undue delay.
Your rights
Access to the personal data: You may request details of the personal information that we hold about you. You may also request a copy of the personal information we hold about you. Where possible, we will provide this information in CSV format or other easily readable machine format.
Correction: If you believe that any information we hold about you is inaccurate, out of date, incomplete, irrelevant or misleading, please contact us using the details below. We will take reasonable steps to correct any information found to be inaccurate, incomplete, misleading or out of date.
Request the deletion of data: Where the customer has withdrawn consent or where one of the other conditions set out in Article 17 of the GDPR is met. Please note that we may not delete all of your personal data, for example, if we have outstanding claims against you or there are other compelling reasons for processing your personal data that are specified or accepted by law, such as minimum retention periods specified by law or the need to use the data to establish, exercise or defend against a legal claim.
Object to the processing of data: Where the processing is based on legitimate interests and involves a particular personal situation or where the data are processed for direct marketing purposes. We will comply with your request unless we have a compelling legitimate ground that overrides your interests and freedoms or unless the continued processing of your personal data is necessary for the establishment, exercise or defence of legal claims.
Restrict: You may choose to restrict the collection or use of your personal information if the accuracy of the data is contested or one of the other conditions set out in Article 18 of the GDPR is met. In this case, we will limit the processing of your personal data to the mere storage of personal data. However, notwithstanding the limitation of processing, we may also process your personal data for the establishment, exercise or defence of legal claims.
Transfer data to a system held by another party: You may request that we erase the personal information we hold about you, or transfer it from one system to another at any time. You may also request that we transfer this personal information to another third party.
Withdraw consent: Where processing is based on consent, you can always withdraw your consent. Please note that this does not affect the lawfulness of the processing carried out before the withdrawal of consent.
The above requests, denials and cancellations may be made by sending them in writing gdpr@boksi.com. The request must contain the name and contact details of the data subject. In order to ensure data protection, we may ask the customer to verify their identity. We will respond to customer requests and enquiries about the exercise of data subjects' rights within one month.
Cookies
We use “cookies” to collect information about you and your activity across our site. A cookie is a small piece of data that our website stores on your computer, and accesses each time you visit, so we can understand how you use our site. This helps us serve you content based on preferences you have specified. Please refer to our Cookie Policy for more information.
