Privacy policy for Framery Online Services

1 Controller

Framery Oy
Patamäenkatu 7, 33900 Tampere, Finland
+358 40 7239995
security@frameryacoustics.com

2 Contact person for register matters

Veikko Lindberg
Patamäenkatu 7, 33900 Tampere, Finland
+358 50 5406887
veikko.lindberg@frameryacoustics.com

3 Name of the register

Framery Online Services User Register

4 Scope of Framery Online Services and this privacy policy

Framery Online Services (referred to below individually as a Service and together as the Services) consist of separate services for different use cases. Since it might not be obvious to the user when he or she moves from one service to another, we cover the privacy matters for all Services in this privacy policy.

Framery Online Services consist of:

5 The purpose and legal grounds for processing data

The purpose and legal ground for processing data vary by Service and by whether the user has logged into the Service or not.
Website and Portal are services that users can use without logging in. In this case the legal ground for gathering data from users is that they have entered a Service and have an interest in the Controller or the Controller’s products.

The purpose of processing the data of users who have not logged in is to develop our Website and Portal to serve our visitors better and to understand the demographic background of users visiting our Services. Framery uses tools like Google Analytics to analyse the data of the users. Based on the user analytics provided by these tools we analyse what type of content we should provide for the users and how users interact with the user interface we have developed.

On Website and Portal there is a possibility to contact the Controller via online forms. The data provided through these forms is processed by the Controller in order to fulfill the request the user has sent. The Controller can use a user’s personal data for direct marketing purposes if the user provides his/her personal data through online forms and gives consent to it.

Services that can be accessed by logging into them are Portal and Pod Control. Credentials to these services are created by the Controller and only if the user or the organization that the user is part of agrees to it. The purpose of processing the data of users in these services is to provide them the functionality we have agreed to provide. The Controller processes data itself and uses subcontractors for processing personal data on behalf of the Controller.

Subcontractors the Controller uses are SaaS providers that provide software the Controller uses to run its daily business operations, web analytics providers, such as Google Analytics, and consultants who develop Framery Online Services together with the Controller. The Controller discloses only the types of the subcontractors because co-operation with the subcontractors is not continuous and the Controller has required Data Processing Agreements with the subcontractors.

6 Data content of the register and categories of data subjects

The Controller processes the following types of personal data of users in connection with the Services.

6.1 Data content processed on Website

On Website the Controller tracks the behavior of the user with cookies. The Controller uses Google Analytics, Facebook Pixel and Hotjar to analyse this data. These services do not disclose personal data of users to the Controller as they only aggregate the data into analyses of users and their behavior on Website.

The Controller uses Facebook and LinkedIn services for online marketing. If a user who visits the Controller’s website is logged in to his/her Facebook or LinkedIn account, this fact can be used for targeting ads of the Controller’s products to the user when he/she uses these services.

More information about the privacy of Google services is available here: https://www.google.com/intl/en/policies/privacy/. More information about the privacy of Facebook services is available here: https://www.facebook.com/full_data_use_policy. More information about the privacy of LinkedIn services is available here: https://www.linkedin.com/legal/privacy-policy. More information about the privacy of Hotjar is available here: https://www.hotjar.com/privacy.

If a user uses an online form on Website to contact the Controller, the mandatory information the user must provide is: company or organization of the user, name, email address, city, state and country. Optional information is telephone number. We ask users to provide this information so that we are able to fulfill the request the user sends us.

6.2 Data content processed on Portal

On Portal the Controller tracks the behavior of the user with cookies. The Controller uses Google Analytics and Hotjar to analyse this data. These services do not disclose personal data of users to the Controller as they only aggregate the data into analyses of users and their behavior on Portal. More information about the privacy of Google services is available here: https://www.google.com/intl/en/policies/privacy/. More information about the privacy of Hotjar is available here: https://www.hotjar.com/privacy.

If a user uses Portal to send a quote request to the Controller, the mandatory information the user must provide is: company or organization’s contact name, contact phone number, contact email, company or organization name, address, postal code, city and country.

If a user has login credentials to Portal and logs in, the user gets access to his/her organization’s order and other commercial data. Part of this data is the organization’s contact person information. This data consists of the contact person’s name, company email address, phone number, and the name and address of the contact’s employer. In addition to these, the user’s username and password are processed in Portal.

On Portal the Controller also uses a tool to analyse possible system errors. This tool tracks the situation that caused the error to occur and generates logs from it. This log, however, does not include any personal data unless the user has logged into Portal. If the user is logged in and an error occurs, only the information necessary to analyse the cause of the error is processed.

6.3 Data content processed on Pod Control

Pod Control is only accessible to a user if the Controller and the user’s organization have agreed so and login credentials have been created for the user. In this case the personal data processed in Pod Control is the user’s username, password, email address and employer information.

On Pod Control the Controller tracks the behavior of the user with cookies. The Controller uses Google Analytics and Hotjar to analyse this data. These services do not disclose personal data of users to the Controller as they only aggregate the data into analyses of users and their behavior on Pod Control. More information about the privacy of Google services is available here: https://www.google.com/intl/en/policies/privacy/. More information about the privacy of Hotjar is available here: https://www.hotjar.com/privacy.

On Pod Control the Controller also uses a tool to analyse possible system errors. This tool tracks the situation that caused the error to occur and generates logs from it. This log, however, does not include any personal data unless the user has logged into Pod Control. If the user is logged in and an error occurs, only the information necessary to analyse the cause of the error is processed.

7 Regular sources of data

The source of personal data in Website is the user.

In Portal, if the user hasn’t logged in, the source of personal data is the user. If the user has logged in, the source of personal data is the user, the Controller’s Customer Relationship Management (CRM) system and the database of Portal.

The source of personal data in Pod Control is the user, the Controller’s Customer Relationship Management (CRM) system and the database of Pod Control.

The Controller regularly updates the data in the Customer Relationship Management (CRM) system according to the data updates the Controller receives from its business partners, which are employers of data subjects.

8 Regular disclosures of data and transfer of data outside the EU or the EEA

In a case where a user sends a quote request through Portal, or a request to be contacted regarding the Controller’s offering through an online form on Website, the data the user provided in the request can be disclosed to a reseller of the Controller’s products. If the data the user provided in such a request indicates that the user’s organisation is located outside the EU or the EEA, the Controller can disclose this data to a reseller located outside the EU or the EEA. When the Controller discloses personal information to resellers there are appropriate contractual safety measures in place.

If the user allows it when sending the contact request through a Framery Online Service, the user’s personal information may be transferred to an email marketing system.

If the user’s organisation forms a commercial relationship with the Controller, the user’s personal data is transferred to the ERP system and the user becomes part of the Partner Contact Register. Privacy policy of this register is available here.

Otherwise the Controller does not disclose personal data to other parties or transfer it outside the EU or the EEA.

9 Principles of register protection and period of data storage

The Controller uses different technical and organizational security measures to protect personal data in Services. Only employees who are entitled to process customer data based on their official capacity are entitled to use the system containing personal data. Each employee has a personal username and password to the system. The data is collected to databases that are protected by firewalls, passwords and other technical means.

Personal data in Services is stored as long as the Controller has a commercial or other contractual relationship with the data subject’s employer and until other legal data storing requirements regarding the commercial transactions between the Controller and the data subject’s employer have been fulfilled. If personal data in Services is not related to any commercial or contractual relationship of the Controller, the data is stored for a maximum of 24 months.

The Controller regularly evaluates the necessity of data storage, taking into account the applicable legislation. Additionally, the Controller takes reasonable measures to ensure that personal data that is incompatible, outdated or incorrect with regard to the purpose of processing the data is not stored, but is rectified or removed without delay.

10 Right of the data subject

The data subject has the right to request from the Controller access to personal data concerning him/herself, the right to request rectification or removal of such data, the right to restrict or object to the processing of the data, the right to transfer the data from one system to another (in certain situations) and the right to lodge a complaint with a supervisory authority responsible for processing personal data.

The data subject has the right to withdraw his/her consent at any time, without an effect on the legal grounds of processing before the withdrawal. The data subject is entitled to review the data concerning him/herself that is stored in the register and to demand the removal of data or the rectification of incorrect data. Requests concerning the matter shall be delivered personally or in writing to the contact person referred to in section 2.

The data subject is entitled to object to or request restriction of the processing of his/her personal data and to lodge a complaint concerning the processing of data with a supervisory authority in accordance with the General Data Protection Regulation (from 25.5.2018).