PRIVACY NOTICE
This privacy notice was last updated on 10.3.2022.
-
Controller
Zimple Oy, Business ID 3095157-9 (“Zimple”)
Address: Keilaranta 1, 02150 Espoo
-
Contact information for data protection matters
The contact person whom you may contact in matters related to personal
data is Mr. Juho Koski.
Email: juho.koski@zimple.fi
Telephone: +358 400 277 049
-
Processing of personal data covered by this notice
-
This privacy notice describes how Zimple processes the personal data
of the following categories of data subjects:
-
representatives and employees of Zimple’s customer
companies;
-
representatives and employees of Zimple’s potential
customers, to whom services and products are marketed;
-
representatives and employees of Zimple’s current and
potential suppliers, subcontractors and partners;
-
representatives and employees of Zimple’s partners’
customers, partners, potential customers and potential
partners;
-
subscribers to Zimple’s newsletter; and
-
visitors to Zimple’s website.
-
All the aforementioned natural persons are referred to in this
privacy notice as “person”.
-
Purpose and legal basis for processing of personal data
-
Collecting personal data may be necessary
-
Providing the requested personal data to Zimple is necessary in order
for Zimple to provide its services and fulfil its obligations under
each contract. If Zimple does not receive the personal data it
requests, it cannot fulfil its obligations as a contracting
partner.
-
Zimple cannot provide the customer with the requested service, if the
person declines to provide the personal data necessary in order to
identify the order or customer when contacting Zimple’s customer
service or in matters related to customer complaints or
warranties.
-
The person may decline most of the Cookies (as defined below) on
Zimple’s website, but some Cookies are necessary in order for
Zimple’s website to function trouble-free. Declining other
Cookies will not prevent the person from using Zimple’s website,
but consenting to Cookies may make the experience more agreeable.
-
For other personal data, such as newsletter consent, the person may
freely choose whether or not to provide this information to
Zimple.
-
Personal data is processed for the following purposes:
-
When entering into contracts and processing customer orders, the
purposes for processing may be administration of the customer
relationship, contract or contact details; processing of orders and
providing products and services; filing of orders; dealing with
customer complaints and warranty matters; invoicing and collecting
payments; and taking care of other agreed matters.
-
Development of Zimple’s operations, customer experience and
services and creating reports on Zimple’s operations, such as
activities and purchases.
-
Maintenance of customer relationships, providing customer service
and tracking communication with a customer.
-
Purchasing products or services and developing cooperation
relationships or dealing with problems and/or errors related to
contractual relationships.
-
Zimple’s legal obligations under applicable laws, such as
accounting or information security obligations.
-
Providing information on Zimple’s and Zimple’s
partners’ services and sales and marketing of Zimple’s
and Zimple’s partners’ services within the limits allowed by
law, including targeted content and marketing.
-
Cookies and similar technologies are used on Zimple’s website
as described below in the Section “Cookies” and the
Cookie tool on Zimple’s website. For the sake of clarity,
usually only the device used by a person, not the person themselves,
is identifiable by way of information provided by Cookies.
-
Securing Zimple’s customer data and preventing
misconduct.
-
Legal basis for processing:
-
When a person enters into a contract or makes an order in the name
of an organisation, the legal basis for processing is the
contractual relationship between Zimple and the organisation
represented by the person and the steps necessary in order to enter
into the contract and performance of the contract.
-
When Zimple buys products or services from a supplier,
subcontractor or a partner or contacts their contact person
regarding such products or services, the legal basis for processing
is the contractual relationship between Zimple and the organisation
represented by the person and the steps necessary in order to enter
into the contract and performance of the contract.
-
Zimple’s legal obligations are the legal basis for processing
when Zimple processes personal data for information security or
accounting matters.
-
When the person, acting for an organisation, makes a customer
complaint regarding a product, the legal basis is the performance of
the contract between Zimple and the customer.
-
When Zimple provides customer service or attends to a customer by
other means than those described above, the legal basis for
processing is Zimple’s legitimate interest, the person’s
consent or performance of the contract.
-
The legal basis for processing is consent when Zimple shares
personal data of its customers’ or potential customers’
employees and representatives with partners in order for the
customer or potential customer to enter into a service agreement,
e.g. SaaS agreement, with the partner.
-
When the law requires consent of the person for marketing, the
legal basis for marketing is consent. If consent is not required by
law, the legal basis for processing of personal data for marketing
purposes is Zimple’s legitimate interest.
-
Legitimate interest is the legal basis for processing also when
personal data is processed for the development of Zimple’s
services, customer experience or operations.
-
When consent is required for the processing of Cookie data, the
legal basis for processing is the person’s consent. If consent
is not required by law, the legal basis for processing is
Zimple’s legitimate interest.
When the legal basis for processing is the legitimate interest pursued
by Zimple, Zimple has performed the following assessment:
Such legitimate interests exist because there is a relevant and appropriate relationship
with the person and/or his/her organization and Zimple, such as a
customer relationship, or according to Zimple’s review, the person
works in a role in which the person could benefit from the services
provided by Zimple, or the person has shown interest in Zimple’s
services, for example, by visiting Zimple’s website or reading
Zimple’s posts on LinkedIn. The interests and fundamental rights
and freedoms of the person are respected, as no data pertaining to the
special categories of personal data are processed and the person can
expect Zimple’s processing activities and Zimple’s activity
does not differ from customary marketing activities. Provision of
Zimple’s services, performance of a contract or cooperation with
the person would not be possible without processing of the personal
data. It is not entirely possible to avoid processing personal data when Zimple
processes personal data in order to develop its operations. There is
only a very slight risk to the interests and fundamental rights and
freedoms of the person in this case.
-
Categories of personal data
Zimple processes the following categories of personal data for the
purposes described above:
-
first name and surname;
-
address of the organisation;
-
country;
-
language choices for the services and website;
-
email address;
-
telephone number;
-
other contact details;
-
the organisation represented by the person;
-
title or role in the organisation;
-
invoicing details and invoices;
-
information about the organisation for which the person orders a
product or service;
-
notes from meetings or calls with a person;
-
logs of the person’s activity on the website;
-
order and delivery numbers;
-
customer complaints and warranty matters;
-
email and other correspondence with the person;
-
data collected by Cookies – for example, the device and
browser used, IP address and length of visit and notice that the
person has opened a newsletter and clicked on a link as well as
information on the person’s browsing activity;
-
subscription to newsletter;
-
consent and withdrawal of consent;
-
marketing restriction;
-
answers to customer surveys and other feedback;
-
online user names; and
-
other online information on the person, such as work history.
-
Sources of personal data
Sources of personal data are:
-
the person;
-
the organisation that the person represents;
-
service providers of marketing data. Zimple uses different service
providers, e.g. Qualifier.ai, to find potential customers;
and
-
Zimple’s service providers, such as Pipedrive, SharpSpring
and HubSpot, who may share information on potential customers or
sales commissions with Zimple.
-
Transfers of personal data
-
Recipients and categories of recipients of personal data
-
ICT, financial administration, invoicing, customer relationship
management system (CRM) and enterprise resource planning system (ERP)
suppliers, suppliers of customer survey systems, newsletter systems
and other mailing systems, and suppliers of other similar support
services, and subcontractors of all these suppliers process data for
Zimple. These suppliers process personal data for these purposes only
in order to provide services and systems to Zimple. They do not
process the personal data for other purposes.
-
These aforementioned third parties include, for example:
-
Pipedrive OÜ (Germany): customer relationship management and
sales software;
-
HubSpot Ireland Limited (EU, United States): supplier of the
marketing automation software;
-
Google Inc. (EU, United States): email and office software service
and cloud service provider;
-
Microsoft Corporation (EU): email system and office software
service and cloud service provider; and
-
Visma Solutions Oy (EU, United States): service provider of the
financial administration and invoicing software.
-
In particular situations, personal data can also be transferred to
the following third parties:
-
Authorities, such as the police, as required by law.
-
Zimple may transfer data also to other recipients, for example
attorneys, banks and insurance companies, whose activities are
regulated by law and who, therefore, process the data for their
lawful purposes as controllers, not processors.
-
With the person’s consent, Zimple may also transfer Cookie
data to service providers. More information on Cookies can be found
below in Section 8 and the Cookie tool on Zimple’s
website.
-
If Zimple’s customer or potential customer has expressed
their interest to use the services of one of Zimple’s partner
companies, Zimple can transfer personal data to this partner. Such
third parties include, for example, HubSpot Inc. (25 First Street,
2nd Floor, Cambridge, MA 02142, U.S.A., Attention: General
Counsel).
Both Zimple and the SaaS supplier are independent controllers of
personal data in situations where Zimple has referred a customer or a
potential customer to a SaaS supplier and the customer or potential
customer and the SaaS supplier enter into a separate service contract.
In these situations, both Zimple and the SaaS supplier may be in
contractual relationships with the customer and process the
customer’s personal data for their own purposes according to their
own privacy policies.
-
Situations where Zimple and the service provider exchange
information
-
In situations where Zimple manages pages on third party services and
receives data, such as analytics information on visitors on its page,
from these third parties, both Zimple and the third party are
controllers of personal data for their share of processing. In these
instances, Zimple processes personal data for the purposes of this
privacy notice and the service provider according to its own privacy
notice.
-
LinkedIn page
-
LinkedIn’s contact details:
LinkedIn Ireland Unlimited Company
Attn: Legal Dept. (Privacy Policy and User Agreement)
Wilton Plaza
Wilton Place, Dublin 2
Ireland
-
Facebook page and Facebook Insights service
-
Facebook’s contact details:
Facebook Ireland Limited,
4 Grand Canal Square,
Grand Canal Harbour,
Dublin 2
Ireland
-
Information on transfers of personal data
-
Zimple does not itself transfer personal data to countries outside
the European Economic Area (“EEA”) or the European Union (“EU”),
unless authorized to do so under applicable laws or unless
consented to or instructed by the person or the customer. This may
happen for example when the customer company is situated outside the
EU or EEA.
-
The third parties used by Zimple and their subcontractors may
transfer personal data also outside the EEA and the EU and process the
personal data outside the EEA and the EU. Zimple has entered into an
agreement with each subcontractor in which Zimple requires the
subcontractor to ensure that the appropriate safeguards, such as the
standard contractual clauses approved by the European Commission,
apply to the transfer. The person should, however, note that the
protection of personal data outside the EEA and the EU may not be of
the same level as within these areas.
-
Cookies used by Zimple
-
Zimple uses and sets cookies and similar technologies, such as pixels
and beacons, on the person’s device when the person visits
Zimple’s website or Zimple’s page in the service provided
by a third party or opens Zimple’s newsletter. For the sake of
clarity, the term “Cookie” is used for all aforementioned technologies in this privacy
notice.
-
Zimple will ask for the person’s consent to Cookies when the
person first visits Zimple’s website. The person may change his or her
Cookie settings even after this by using the tool provided by
Zimple. The person may also decline Cookies by changing their settings
in their browser or mobile phone.
-
The person may also forbid several service providers from using their
personal data for marketing and remarketing purposes through the
following third-party services: European Interactive Digital
Advertising Alliance (EDAA) https://www.youronlinechoices.eu/ and
Network Advertising Initiative https://optout.networkadvertising.org/?c=1.
-
Cookies that are necessary for the functioning of the website or
other service cannot usually be declined or removed, and consent is
not a requirement for the use of this type of Cookies.
-
Zimple uses the following third-party services to which personal data
collected by Cookies may be transferred or who otherwise process
personal data for Zimple and the purposes described in their
policies:
-
Google Analytics: analytics, targeted advertising and
remarketing
-
Google Tag Manager: managing tags
-
Google AdSense: marketing, targeted advertising and
remarketing
-
The aforementioned Cookies are provided by Google Inc., with the
following contact details:
1600 Amphitheatre Parkway,
Mountain View,
CA 94043,
USA.
-
More information on the use of Cookie data by this service provider
can be accessed at the following addresses:
-
The person may also modify the consent given to targeted
advertising here: https://adssettings.google.com/.
-
Facebook Custom Audience Pixel: marketing, analytics, targeted
advertising and remarketing
-
The Cookie is provided by Facebook Ireland Limited with the
following contact information:
4 Grand Canal Square,
Grand Canal Harbour,
Dublin 2, Ireland
-
More information on the use of Cookie data by this service provider
can be accessed here: https://www.facebook.com/policy.php.
-
A registered user of this service provider may also modify the
consent given to processing of personal data for targeted
advertising by this service provider in the settings of the
service.
-
LinkedIn Insight Tag: marketing, analytics, targeted advertising
and remarketing
-
The Cookie is provided by LinkedIn Ireland Unlimited Company with
the following contact information:
LinkedIn Ireland Unlimited Company
Attn: Legal Dept. (Privacy
Policy and User Agreement)
Wilton Plaza
Wilton Place, Dublin
2, Ireland.
-
More information on the use of Cookie data by this service provider
can be accessed at the following addresses:
-
A registered user of this service provider may also modify the
consent given to processing of personal data for targeted
advertising by this service provider in the settings of the
service.
-
HubSpot tracking cookies: marketing, analytics and targeted
advertising
-
The Cookies are provided by HubSpot Ireland Limited, with the
following contact details:
HubSpot Ireland Limited,
HubSpot House,
One Sir John Rogerson's Quay,
Dublin 2, Ireland.
-
More information on the use of Cookie data by this service provider
can be accessed at the following addresses:
-
Retention times of personal data
-
Personal data is destroyed once Zimple no longer has any legal right
or obligation to store the personal data. Personal data may also be
anonymized and used after this for analytics purposes.
-
Data related to a customer relationship is processed during the
contract relationship and after this for the claims period related to
the establishment, exercise or defence of legal claims regarding the
contract. As a rule, the retention time for customer contracts and the
correspondence related to the relationship is the duration of the
customer relationship and three years thereafter. Personal data
related to a customer relationship may be processed even after this
period, if there is another lawful purpose for the processing, such as
a marketing purpose.
-
Sales receipts and other accounting material are retained for the
period required by accounting laws, which as a rule is ten years from
the termination of the accounting period during which the purchase was
made. These receipts may contain for example names of contact persons
or other personal data.
-
Information received for marketing purposes that is not also customer
data is retained for the duration of the marketing campaign and for a
reasonable time after its termination. A typical marketing cycle is
one year.
-
If the person restricts the use of his or her personal data for
marketing purposes, Zimple will retain the marketing restriction for
as long as the person, according to Zimple’s knowledge, is a
representative of the organisation or for as long as the organisation
is Zimple’s customer, subcontractor or partner. If the person
represents an organisation that is not in a contractual relationship
with Zimple, the marketing restriction for the contact details in
question is stored until the person consents to direct
marketing.
-
Zimple will also retain information on the execution of a data
subject’s rights, such as answers to information requests by data
subjects, for the applicable claims and complaint period.
-
The retention time of such Cookie data that may be personal data
depends on the type of Cookie in question. The specific retention
times of Cookies are listed in the Cookie tool on Zimple’s
website.
-
Right of access to personal data
-
The person has the right to obtain from Zimple confirmation as to
whether or not personal data concerning him or her are being
processed.
-
Where such personal data is being processed by Zimple, Zimple shall
provide the person with a copy of the personal data and the following
information:
-
the purposes of the processing;
-
the categories of personal data concerned;
-
the recipients or categories of recipients to whom the personal
data is to be or has been disclosed;
-
the period for which the personal data will be stored;
-
the existence of the right to request from Zimple rectification or
erasure of personal data concerning the person or to object to the
processing of such personal data;
-
the right to lodge a complaint with the supervisory authority and the
contact details of the supervisory authority;
-
any available information as to the source of personal data;
and
-
the existence of automated decision-making and information about
the significance and the envisaged consequences of such processing
for the person.
-
For any further copies requested by the person, Zimple may charge a
reasonable fee as determined by applicable legislation.
-
Right to Data Portability
If Zimple processes the person’s personal data by automated means
based on the person’s consent or a contract with the person, the
person may request:
-
that Zimple provide the person with the personal data which he or
she has provided to Zimple, in a structured, commonly used and
machine-readable format; and
-
if technically feasible, that Zimple transmit the personal data in the same format
directly to another data controller.
-
Right to object to processing
-
The person has the right to object, on grounds relating to their
particular situation, to Zimple processing personal data on the basis
of either (i) the legitimate interests of Zimple or (ii) protection of
the person’s vital interests. Zimple shall no longer process the
personal data unless Zimple has compelling legitimate grounds for the
processing which override the interests, rights and freedoms of the
person.
-
The person may always object to the use of his or her personal data
for direct marketing purposes. The person may decide to object to
direct marketing later on, in which case the easiest way to decline
direct marketing is to use the link provided for this purpose in each
message.
-
Right to Restrict Processing
-
“Restriction of processing” means limiting the processing of personal data in the future.
-
At the person’s request, Zimple restricts processing in the
following situations:
-
the accuracy of the personal data is contested by the person, in
which case the processing is restricted for a period enabling Zimple
to verify the accuracy of the personal data;
-
the processing is unlawful and the person opposes the erasure of
the personal data and requests the restriction of its processing
instead;
-
Zimple no longer needs the personal data for the purposes of the
processing, but it is required by the person for the establishment,
exercise or defence of legal claims; or
-
the person has objected to processing, in which case the processing
is restricted for the time during which it is verified whether
Zimple nevertheless has legitimate grounds for the processing.
-
In the situations listed above, Zimple shall only process the
personal data:
-
with the person’s consent or for the establishment, exercise
or defence of legal claims;
-
for the protection of the rights of another natural or legal
person;
-
for reasons of important public interest of the EU or of an EU
Member State; and/or
-
to store the personal data.
-
Right to be forgotten
-
The person has the right to request erasure of his or her personal
data if one of the following grounds applies:
-
the personal data is no longer necessary for the purposes for which
it was collected or otherwise processed;
-
the person withdraws consent on which the processing is based and
where there is no other legal ground for the processing;
-
the person objects to the processing in accordance with Section 12
and there are no overriding legitimate grounds for the
processing;
-
the personal data has been processed unlawfully; or
-
the personal data has to be erased for compliance with a legal
obligation in EU or EU Member State law to which Zimple is
subject.
-
However, Zimple does not have to erase the personal data based on the
grounds above to the extent the processing by Zimple is
necessary:
-
in order to exercise the right of freedom of expression and
information;
-
for compliance with a legal obligation which requires processing by
law to which Zimple is subject or for the performance of a task
carried out in the public interest;
-
for reasons of public interest in the area of public health in
accordance with legal requirements;
-
for archiving purposes in the public interest, scientific or
historical research purposes or statistical purposes in accordance
with legal requirements; or
-
for the establishment, exercise or defence of legal claims.
-
Rectification and right to lodge complaint with supervisory
authority
-
At the person’s request, Zimple shall without undue delay
correct, erase or supplement personal data if, taking into account the
purpose of processing, the personal data is erroneous, unnecessary,
incomplete or obsolete.
-
Should Zimple not take action as described in Sections 10 to 15.1 of
this privacy notice at the person’s request, Zimple will inform
the person of this and of the reasons for not taking action without
delay and at the latest within one month of receipt of the request.
The period may be extended by two further months where necessary,
taking into account the complexity and number of the requests. Zimple
shall inform the person of any such extension within one month of
receipt of the request, together with the reasons for the delay. The
person may also lodge a complaint with the supervisory authority.
-
If the person considers that the processing of personal data relating
to him or her by Zimple is unlawful, the person may lodge a complaint
with a supervisory authority. The contact details of the Finnish
supervisory authority are:
www.tietosuoja.fi
Office of the Data Protection Ombudsman
Postal address: P.O. Box 800, FIN-00521 HELSINKI, FINLAND
Tel: +358 29 56 66700 (exchange)
Email: tietosuoja@om.fi
-
Information security
The personal data processed by Zimple is secured by using, for example,
the following methods:
-
The amount and quality of personal data transferred to a
subcontractor depends on the scope of the subcontractor’s
assignment.
-
Mechanical or electric locks at Zimple’s premises.
-
Electrical surveillance systems at Zimple’s premises.
-
Firewall systems and anti-malware systems in Zimple’s ICT
systems.
-
Limited number of superusers.
-
Personal user rights that can be traced in Zimple’s ICT
systems and activity logs.
-
Limited personal user rights.
-
Professional knowledge and training of Zimple’s
personnel.
-
System backups.
-
Automated decision making
Zimple uses automated marketing tools. However, Zimple does not use
automated processing which produces legal effects concerning a person or
similarly significantly affects a person.