Privacy Notice for Roidu Customer and  Marketing Register 

Latest update on 10.10.2022

1. Controllers 

Roidu Oy 
Hatanpään valtatie 2 a 
33100 Tampere 
Finland 
+358 20 771 0870 

(hereafter ”we” or ”Roidu”) 

2. Contact person for register matters 

Pasi Norolampi, Roidu Oy 
Address: Hatanpään valtatie 2 a, 33100 Tampere, Finland 
Phone number: +358 20 771 0870 
info@roidu.com 

3. Name of register 

CUSTOMER AND MARKETING REGISTER

4. What is the legal basis for and purpose of the  processing of personal data? 

The basis of processing personal data is the performance of a contract and Roidu’s legitimate  interest (e.g. customer relationship management, invoicing, direct marketing). 

The purposes of processing the personal data are: 

the delivery and development of our products and services, 

fulfilling our contractual and other rights, promises and obligations, 

taking care of the customer relationship and communications with the customers, organizing marketing events, 

analyzing and profiling behaviour of a customer or other data subject such as a potential  customer, 

electronic and direct marketing, 

targeting advertising in our and others’ online services. 

We use automated decision-making (inc. profiling) to identify the data subjects’ online behavior  and purchase habits and create profiles based on the information. We use this information to  target marketing and develop our services. 

5. What data do we process? 

We process the following personal data of our customers, their employees or other data  subjects (like individuals participating in our trainings and events) in connection with the  customer and marketing register:

Information of company and company’s contact persons such as name and Business ID of the  company and names, contact details, country of residence, language of use, username and/or  other identifying identifier, password, role/title and professional interests of the contact persons; 

Information related to the account and licenses of the data subject such as Roidu account  identities, software license information, access rights data; 

Information related to event participation and trainings such as the name, date and location of  the event, dietary or allergy information (only collected with the consent of the data subject); 

Information supplied by the data subject him-/herself in Roidu’s services such as web form  submissions, online discussion forum posts and profile information, feedback; 

Information related to the behavior of the data subject in the services and website, which is used  for profiling purposes such us the sites and services visited, the duration of visits/use, actions  taken on the sites and in services; 

Technical information about the data subject’s end devices such as IP address, MAC address  and operating system; 

Other possible information supplied by the data subject him-/herself. 

6. From where do we receive data? 

We receive personal data concerning customers primarily from the following sources: from the  data subject him-/herself, the customer company the data subject works for and our resellers. 

We receive personal data concerning potential customers primarily from the following sources:  from the data subject him-/herself, our resellers and group companies, search engines,  newspapers and other news sources, professional social media networks, contact information  providers and company websites. 

For the purposes described in this privacy policy, personal data may also be collected and  updated from publicly available sources and based on information received from authorities or 

other third parties within the limits of the applicable laws and regulations. Data updating of this  kind is performed manually or by automated means. 

7. To whom do we disclose data and do we transfer data  outside of EU or EEA? 

We process information ourselves and use subcontractors that process personal data on behalf  of and for us e.g. providing support and maintenance to our customers, maintaining and hosting  our cloud services, marketing services and IT environment as well as providing the hardware  and network connections for our products and services. 

We disclose personal data to our resellers. Data may be disclosed to authorities under  compelling provisions. 

8. Transfers of personal data outside the EU or EEA 

Some of our trusted partners or service providers working for us are established or may have  access to personal data outside the European Union or the European Economic Area (together  “EEA”), so their processing of your personal data will involve a transfer of data outside the EEA.  In these cases, we will take necessary steps to provide appropriate safeguards for international  data transfers and to the extent necessary implement supplementary measures for protection of  personal data as required by applicable laws. 

This means that 

personal data is transferred only to countries that have been deemed to provide an adequate  level of protection of personal data by the European Commission (“countries with adequate  protection”). For further details, see Adequacy decisions | European Commission (europa.eu) 

with a service provider that is based outside countries with adequate protection, we will use  specific contract clauses approved by the European Commission and implement necessary  technical, organisational, or contractual supplementary measures to ensure that personal data 

has the same protection as in EEA. For further details, see Standard Contractual Clauses  (SCC) | European Commission (europa.eu) 

9. How do we protect the data and how long do we store  them? 

Only those of our employees, who on behalf of their working duties are required to process  customer data, have access to the systems containing personal data. Each user has a personal  username and password to the system. The information is collected into databases that are  protected by firewalls, passwords and other technical measures. The databases and the backup  copies of them are stored in locked premises and can be accessed only by certain pre designated persons. 

We store the personal data for as long as is necessary considering the purpose of the  processing. Personal data about customers is processed and retained during the customer  relationship and as long as we deliver services, and after the relationship or service provision  has ended for three (3) years. Personal data about potential customers is deleted or updated  when it is discovered to be outdated or the data subject is deemed unresponsive to the  marketing. 

We estimate regularly the need for data storage taking into account the applicable legislation. In  addition, we take care of such reasonable actions of which purpose is to ensure that no  incompatible, outdated or inaccurate personal data is stored in the register taking into account  the purpose of the processing. We correct or erase such data without delay. 

10. What are your rights as a data subject? 

As a data subject you have a right to inspect the personal data conserning yourself, which is  stored in the register, and a right to require rectification or erasure of the data. You also have a  right to withdraw or change your consent, in cases where the processing of the data is based on  your consent.

As a data subject, you have a right, according to EU’s General Data Protection Regulation  (applied from 25.5.2018) to object to the processing or request restricting the processing of your  personal data. Additionally, you have a right to request your data to be delivered to you in a  standard format, in case where the processing of data is based on your consent or a contract  between us. 

You also have a right to lodge a complaint with a data protection authority in your jurisdiction or  with the power to investigate processing concerning your personal data. 

For specific personal reasons, you also have a right to object to profiling and other processing  concerning you, when processing of the personal data is based on our legitimate interest. In  connection to your claim, you should identify the specific grounds on which you object to the  processing. We can refuse to act on such a request on the basis of the privacy legislation. 

As a data subject you have the right to object to profiling in so far as it relates to direct  marketing. 

11. Who can you be in contact with? 

All contacts and requests concerning this privacy policy shall be submitted in writing or in  person to the person mentioned in section two (2). 

12. Changes in the Privacy Policy 

Should we make amendments to this privacy notice, we will place the amended statement on  our website, with an indication of the amendment date. If the amendments are significant, we  may also inform you about this by other means, for example by sending an email or placing a  bulletin on our homepage. We recommend that you review this privacy notice from time to time to ensure you are aware of any amendments made.