Privacy Statement
In this statement, we explain how we process the personal data of our customers and visitors to our website. First, here is a summary of the key issues. For those who are particularly interested in data protection (like ourselves!) we have made a longer and more detailed text version of the same issues below.
Registrar: Molemmat Oy, business ID 3242728-7
Contact information for checking data and exercising other data protection rights: [email protected]
Supervisory authority: The Finnish Data Protection Ombudsman, www.tietosuoja.fi
| Piece of information | Where do we get it | When do we delete it | Will be transferred outside the EU | What it is used for |
|---|---|---|---|---|
| WWW server log information: IP address, User-Agent, requested document, time stamp, server response code, referring site, possible unique link | From you/your device when you come to our website. Information about opening a unique link is only stored if you open a link tailored to you. | After 2 years | No | Technical functionality of the website, data security and visitor counting. The unique link is used for sales development. |
| Contact form information (name, e-mail address, what the contact is about, message and time stamp) | From you, when you send us the information using the contact form on our website | When the contact has been processed, or when the customer relationship has ended | No | To respond to your contact request, to monitor the customer relationship |
| Company name, business ID, address* | From the customer company or public sources (e.g. trade register) | 3 years after the end of the customer relationship or after the retention period required by accounting (5 or 10 years). | No | Managing customer relations and contracts, accounting and invoicing |
| Contact person’s name and contact information and position | From the client company | 3 years from the end of the customer relationship | No | Managing the customer relationship and contract |
| Customer company needs and interests* | From the client company | 3 years from the end of the customer relationship | No | Managing the customer relationship and contract |
| Services purchased by the customer company* | From the client company | 3 years from the end of the customer relationship | No | Managing the customer relationship and contract |
| Company decision-makers and owners (name, position) | From the customer company or public sources (e.g. trade register) | 3 years after the end of the customer relationship or after the retention period required by accounting (5 or 10 years) | No | Managing customer relations and contracts, accounting and invoicing |
| Signatories of the agreements (name and position) | From the customer or vendor company | After the retention period required by accounting (5 or 10 years) | No | Contract conclusion, accounting and invoicing |
| A breakdown of the invoice, which shows the person performing the work, contact person, phone number and other contact information | From the customer or vendor company | After the retention period required by accounting (5 or 10 years) | No | Contract conclusion, accounting and invoicing* Information marked with an asterisk is personal information in the case of a one-person company. At other times, we consider the data to be company data (ie not personal data) |
| URL & Title of pages viewed, URL & Title of any links that are clicked on pages viewed, Referrer, User agent, Screen resolution, Language, x/y coordinates of mouse events, Anonymized IP address | From you/your device when you come to our website | After 1 year | Yes | Improving our marketing and sales |
| Email address,IP address, timestamp, which form you subscribed from | From you when you subscribe to our newsletter | 3 years after unsubscribing from the list | Yes | Managing newsletter subscriptions and sending the newsletter to you |
| Name, Email address, IBAN number & name on account & Billing address, Payment card information & Country or Region, Activity with timestamps related to OpalOPC purchase, IP address | From you when you purchase OpalOPC Professional License | 3 years after the end of the customer relationship or after the retention period required by accounting (5 or 10 years). | Yes | Receiving payments from customers |
| OS version, Client type, City, Region, Country, Scan settings excluding target and credential information, Number of discovered issues, Number of errors, Timestamp, Scan duration | From you when you use OpalOPC security scanner | 90 days | No | Improving OpalOPC |
Website
We use the services of German Hetzner to run our website. When you visit our website we get the following log data from the web-server:
- IP address (your computer or mobile device’s unique identifier that can be traced back to you)
- Your browser’s User-Agent
- Requested document (i.e. the part of our website that you have clicked or looked at)
- Timestamp
- Server’s HTTP Response Code
- Referrer
- The potential tracking URL (i.e. the identifier of the marketing etc. material that we have shared with you)
- This data will be kept on our server for two (2) years, after which it will be permanently deleted.
We use the data to resolve potential technical issues on our website, to ensure the cyber security of the site and to count the visits to our site. With the data we can estimate how many visits we get within a certain timeframe, how many times a document has been requested within a certain timeframe, what devices are used to access the website (User-Agent), how many and which documents each visitor has requested as well as which websites the visitors are coming from.
We get the data directly from you (or rather from your device) when you visit our website. We do not disclose data to outside parties, and we do not transfer data outside of the EU/ETA area. We also do not use your data for automated decision-making or profiling. We do not use tracking cookies or tracking software that could be used to follow you after you have left our website.
We process your data according to the EU’s General Data Protection Regulation’s (GDPR) article 6.1 section b): “processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract”. In practice this means that the website has to process your data for its technical functioning. Otherwise you would not be able to access our website at all.
However, the technical functionality does not require saving the log data for a longer period of time. This longer processing time is based on the GDPR’s article 6.1 section f): “processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child”. Molemmat Oy has a legitimate interest in storing data to ensure cyber security, in order to e.g. resolve hostile attacks or misconduct. We also have a legitimate interest in getting to count the amount of visits on our site and seeing which parts of our site get the most traffic in order to develop our website. We also have a legitimate interest to know how often our marketing material is viewed in your organization, so that we can better target our marketing to just those who are interested in our products. Since we do not process much data on you and since the data we process cannot be deemed as very sensitive, we are of the opinion that in this case your rights according to data protection legislation do not weigh more than our legitimate interest to process your data.
Website Analytics
We use Clicky by Roxr Software Ltd for website analytics to improve our marketing and sales.
When you visit our website the following information is collected:
- URL & Title of pages viewed
- URL & Title of any links that are clicked on pages viewed
- Referrer
- User agent
- Screen resolution
- Language
- x/y coordinates of mouse events
- Anonymized IP address
- The collected information is automatically deleted after one year.
We use the data to improve our marketing and sales. With the data we can see the effectiveness of our marketing campaigns and how our website is used, we can estimate how many visits we get within a certain timeframe, how many times a document has been requested within a certain timeframe, what devices are used to access the website (User-Agent), how many and which documents each visitor has requested as well as which websites the visitors are coming from.
We get the data directly from you (or rather from your device) when you visit our website. The information is sent to the Clicky servers in the United States for analysis. The transfer of data is based on the Data Privacy Framework (read more: https://www.dataprivacyframework.gov/s/). Roxr Software Ltd acts as a data processor. See Clicky’s privacy policy for more detail. We do not use your data for automated decision-making or profiling. We do not use tracking cookies or tracking software that could be used to follow you after you have left our website.
e process your data according to the EU’s General Data Protection Regulation’s (GDPR) article 6.1 section f): “processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child”. We have a legitimate interest in analysing which channels bring customers to our site, how effectively they find what they are looking for, and seeing which parts of our site get the most traffic in order to develop our website and marketing. We also have a legitimate interest to know how often our marketing material is viewed in your organization, so that we can better target our marketing to just those who are interested in our products. Since we do not process much data on you and since the data we process cannot be deemed as very sensitive, we are of the opinion that in this case your rights according to data protection legislation do not weigh more than our legitimate interest to process your data. If you wish to opt-out from this analysis, you can use the opt-out tool.
Contact Form
Our website also has a contact form which you can use to contact us. When you use the form we get the following data on you:
- Name
- Email address
- Purpose of contact
- Your message
This data is saved on our website’s server. We are only left with the data that you yourself have put into the form. Please note that your visit to our website also creates log data, which we have discussed in more detail above. After you have filled in the form, we can use the data you gave us to send you an email. If you do not wish to work with us after we have gotten back to you, we delete the data related to your contact immediately. If, on the other hand, you do wish to work with us, we can save your data into our own client folder. In this case, too, your data will be deleted from our website’s server after we have gotten back to you. Below you can find more information on how we process client data and what other data we might gather on you as a result of us working together.
We do not disclose data to outside parties from you contacting us, and we do not transfer data outside of the EU/ETA area. We also do not use your data for automated decision-making or profiling.
We process the data you put in to the contact form according to the EU’s General Data Protection Regulation’s (GDPR) article 6.1 section b): “processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract”. In practice this means that since you have requested for us to be in contact with you, we have to be able to process the data you have given us. Otherwise we would not be able to answer your contact request.
Customer Information
We collect data on our clients’ representatives through our contact form as well as through communication with our clients. Some data we get from public sources such as the Finnish Trade Register. The processing of the data from our contact form is explained above in The Website’s Contact Form -section. We process the following data on our clients:
- The name of the company, Business ID, address (this is counted as personal data when it applies to a one-person company; in the case of larger companies it is deemed business data)
- The name and contact details of the contact person, such as (work) telephone number and (work) email address, as well as position
- The needs and interests of the client company (this is counted as personal data when it applies to a one-person company; in the case of larger companies it is deemed business data)
- The services bought by the client company and the data related to them (this is counted as personal data when it applies to a one-person company; in the case of larger companies it is deemed business data)
- The decision-makers and owners of the company (name and position)
We use the data to improve our sales and customer service so that we can offer you the services that are best suited to the specific needs of your company. In addition we use the data for the maintenance and daily upkeep of the customer relation.
We do not disclose data to outside parties, and we do not transfer data outside of the EU/ETA area. We also do not use your data for automated decision-making or profiling.
We check our register annually and delete the data that is no longer valid (such as if the client company has closed down or the contact person has changed, or if the client company has not bought our services in the last two years). In this way we ensure that all data is deleted at least 2 years after the data has expired, or 3 years after the last purchase. We will naturally delete the data earlier at the client’s request or announcement.
We process client data according to the EU’s General Data Protection Regulation’s (GDPR) article 6.1 section b): “processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract”. In practice this means that we need the data in order to make offers and fulfill the contractual relationship between us.
Accounting and Contracts
We have outsourced our accounting and we are using a digital accounting and invoicing system. Our accounting and contracts hold some personal data:
- The signatories and contact persons, as well as their positions in the client company
- The possible breakdown in the invoices which states the person who carried out the work, the contact person, the phone number as well as the other contact details, which might be personal
We get the data from the client and seller companies or from public sources such as the Business Information System. The data is used to create contracts as well as in invoicing and accounting. We do not use the data for other purposes. The data may be disclosed to an auditor or to the authorities. We do not transfer data outside of the EU/ETA area. We also do not use your data for automated decision-making or profiling.
We process the data in our accounting and contracts according to the EU’s General Data Protection Regulation’s (GDPR) article 6.1 section c): “processing is necessary for compliance with a legal obligation to which the controller is subject”. This means that the data processing is based on tax and accounting legislation. We store the data for as long as the legislation requires, which is generally 5 or 10 years when it comes to accounting records.
Advertising
We use the Google Ads -service for advertising. We buy advertising space in Google’s ad network on the internet so that Google shows our ads to the target groups we request or when someone uses specific words in a Google search. Google targets the advertisements through the information it owns as well as through following its users. Google charges us according to how many people visit our website through a Google ad. Thus, if you come to our website through a Google ad, Google Ads adds a cookie to your browser, from which it can then tell that you have visited our website thanks to a Google ad.
At Molemmat Oy we do not process personal data with our advertising and we are not the controllers i.e. the ones responsible for the information that Google uses to target its advertisements. Moreover, we do not have Google’s or any other third party’s cookies on our website.
You can find more information about the data that Google processes on you and how Google targets ads for you on Google’s own site https://policies.google.com/privacy?hl=en. On the same website you can also find information on how you can affect the data that Google gathers on you and how your data is used.
Newsletter Subscription
You can subscribe to our newsletter by filling in the subscription form on our website. We use Mailchimp service to manage the newsletter subscriptions and to send the newsletter to you. We also use the information to monitor the usage of complimentary OpalOPC-licenses and to prevent fraudulent use of our complimentary licenses.
The following information is processed about you:
- Email address
- IP address
- timestamp
- which form you subscribed from
We get the information directly from you when you send us the subscription. You can unsubscribe from the newsletter anytime you want. Your data is stored for three years after you unsubscribe to allow us to monitor that our terms for complimentary licenses are not violated. The information is processed and stored in Mailchimp service and The Rocket Science Group is the data processor. The Rocket Science Group may use the information also to their own purposes in which case The Rocket Science Group is the data controller. You can read more about this from their privacy policy: https://www.intuit.com/privacy/statement/. The data is transferred to the United States using Data Privacy Framework as a transfer mechanism. Read more about Data Privacy Framework here: https://www.dataprivacyframework.gov/s/.
We process client data according to the EU’s General Data Protection Regulation’s (GDPR) article 6.1 section b): “processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract”. In practice this means that we need the data in order to send you the newsletter which you have subscribed to.
However, the longer processing time after you unsubscribe is based on the GDPR’s article 6.1 section f): “processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child”. We have a legitimate interest in storing data to ensure that our complimentary licenses are not used fraudulently. Since we do not process much data on you and since the data we process cannot be deemed as very sensitive, we are of the opinion that in this case your rights according to data protection legislation do not weigh more than our legitimate interest to process your data.
Professional License Purchases
We use the services of Stripe to facilitate selling of professional software licenses. We direct Stripe to take payments from our customers.
The following information is processed about you (depending on the payment method you choose):
- Name
- Email address
- IBAN number & name on account & Billing address
- Payment card information & Country or Region
- Activity with timestamps related to OpalOPC purchase
- IP address
Stripe gets this information directly from you when you purchase OpalOPC Professional License. Stripe is the data processor, and processes the data outside ETA. Stripe will not sell, retain, use or disclose Personal Data for any purpose other than for the specific purposes of performing the Services and to comply with Law, unless otherwise permitted by your Stripe Services Agreement or DP Law.
At your request, Stripe will delete or return all Personal Data to you after the Term, and delete existing copies held by Stripe, unless Stripe is required or authorized by DP Law to store Personal Data for a longer period.
You can read more about this from their privacy policy: https://stripe.com/en-fi/privacy. The data may be transferred globally using varying transfer mechanisms that are interpreted as approved (EEA SCCs, the UK Data Transfer Addendum or any data transfer mechanism a supervisory authority approves under DP Law). You can read more in Stripe’s Data Processing Agreement: https://stripe.com/en-fi/legal/dpa.
Stripe shares this information with us, but with only partial payment information.
We process client data according to the EU’s General Data Protection Regulation’s (GDPR) article 6.1 section b): “processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract”. In practice this means that we need the data in order to enter in to license agreement with you and to manage the payments according to our agreement.
Telemetry
We use Azure Application Insights by Microsoft to collect telemetry of the usage of OpalOPC. This information is used to improve the product.
The following information is processed about you:
- OS version
- Client type
- City, Region, Country
- Scan settings excluding target and credential information
- Number of discovered issues
- Number of errors
- Timestamp
- Scan duration
- IP address
Microsoft gets this information from you when you use the OpalOPC security scanner. Microsoft is the data processor, and processes the data inside ETA. Microsoft will not sell, retain, use or disclose Personal Data for any purpose other than for the specific purposes of performing the Services and to comply with Law.
Microsoft shares this information with us in anonymized form (without the IP address).
Molemmat Oy is the data controller, and at your request will delete or return all Personal Data to you after the Term, and delete any existing copies help by Microsoft. By default, all data is deleted after 90 days.
Your rights and the contact details of the Data Protection Ombudsman
You have the right to check the data we hold on you, the right to ask for correcting the data, deleting it, for limiting the processing of your data, as well as the right to oppose the processing of your data. You also have the right to ask to have your data moved from one system to another. Please note, that we cannot always fulfill your request of e.g. deleting your data if we have a legal or other obligation to store the data (e.g. the data required by the Accounting Act).
Make a request about your personal data by sending an email to [email protected]. In the email please state which data you wish to check or any other right you wish to exercise, and tell us your name and any other information that we can use to help find your data on our registers. When submitting the request you do not need to give us any more data than what we already have.
You have the right to make a complaint to the Data Protection Ombudsman, if you suspect that we are using your data in a way that goes against data protection legislation. The Data Protection Ombudsman will also advise you on your data protection rights. The contact details for the Office of the Data Protection Ombudsman are:
Office of the Data Protection Ombudsman
Website: www.tietosuoja.fi/en/home
Visiting Address: Lintulahdenkuja 4, 00530 Helsinki, Finland
Postal Address: PL 800, 00531 Helsinki, Finland
Email: tietosuoja(at)om.fi
Switchboard: +358 (0)29 566 6700
General guidance for private persons: +358 (0)29 566 6777