Optishake Ltd. Privacy Policy

1) DATA CONTROLLER

Name: Optishake Ltd
Business ID: 2988291-6
Address: Läkkisepäntie 11, 00620 Helsinki, Finland

2) PERSON RESPONSIBLE FOR PERSONAL DATA

Name: Joonas Kiminki
Email: joonas.kiminki@optishake.fi

3) CATEGORIES OF DATA SUBJECTS

Optishake’s privacy policy applies to the following categories of data subjects:

3.1) Individuals who contact Optishake via email or the website;
3.2) Individuals who work for or apply to work for Optishake;
3.3) Individuals who have consented to receive marketing communications from Optishake.

4) CATEGORIES OF PERSONAL DATA

The records concerning the data subjects mentioned in sections 3.1) – 3.3) may contain the following categories of personal data:

• Contact information, such as full name, address, phone numbers, and email addresses;
• Information about your device, such as device type, browser, IP address, and other device data;
• Any other information collected with the data subject’s consent.

The records concerning the data subjects mentioned in section 3.1) may also contain the following categories of personal data:

• Username;
• Nationality, age, gender, job title, company, and native language.

The records concerning the data subjects mentioned in section 3.2) may also contain the following categories of personal data:

• Nationality, age, gender, job title, work background, and native language.

5) PURPOSES OF PERSONAL DATA PROCESSING

The personal data of the data subjects mentioned in sections 3.1) – 3.3) may be processed for the following purposes:

• Customer service;
• Development of customer experience;
• Analysis and statistics.

The personal data of the data subjects mentioned in section 3.1) may also be processed for the following purposes:

• Management and development of customer relationships;
• Marketing, marketing surveys, and research.

The personal data of the data subjects mentioned in section 3.2) may also be processed for the following purposes:

• Recruitment;
• Employee data may be used to perform necessary company duties.

The personal data of the data subjects mentioned in section 3.3) may also be processed for the following purposes:

• Marketing, marketing surveys, and research.

Personal data may also be processed by Optishake’s potential Finnish partners in accordance with the Finnish Personal Data Act, the EU General Data Protection Regulation (GDPR), and the Finnish Data Protection Act.

6) LEGAL BASIS FOR PROCESSING

The data controller has the right to process the personal data of the data subjects based on the following:

• Consent provided by the data subjects;
• Processing is necessary for the legitimate interests of the data controller or a third party, except when such interests are overridden by the data subject’s interests or fundamental rights and freedoms, particularly if the data subject is a child.

7) REGULAR DATA SOURCES

Information about the data subjects is regularly collected:

• From the individuals themselves through site forms (HubSpot, Gravity Forms);
• Via cookies and similar technology.

8) DURATION OF PERSONAL DATA STORAGE

The data controller does not retain personal data longer than necessary, considering the purpose of the data processing.

If an employee is not selected for the position they applied for, we do not retain their data without their consent. If we do not receive their consent, we will immediately destroy the data. If they provide consent, we may retain their data for six (6) months, after which all such data will be destroyed.

The data controller reviews the necessity of the stored data on a monthly basis.

9) CATEGORIES OF RECIPIENTS OF PERSONAL DATA

Recipients of personal data may belong to the following categories:

• Optishake’s Finnish partners;
• Third-party cloud service providers;
• Third-party providers of auditing, marketing, and audit services;
• Third parties assisting Optishake in fulfilling its legal obligations.

Any data concerning data subjects mentioned in section 3.2) may only be disclosed with the data subject’s consent for marketing purposes, in accordance with the Finnish Personal Data Act and the EU General Data Protection Regulation.

10) REGULAR DISCLOSURE AND TRANSFER OF DATA OUTSIDE THE EU OR THE EUROPEAN ECONOMIC AREA

Data may be transferred and stored on a server outside the EU or the European Economic Area for processing by the data controller or by a partner of the data controller on behalf of the data controller, in accordance with the Finnish Personal Data Act, the EU General Data Protection Regulation, and the Finnish Data Protection Act.

11) RIGHTS OF THE DATA SUBJECT

The data subject has the right to exercise all of the rights mentioned below.

Contact information related to the rights is provided to the person responsible for the data file mentioned in section 2. The data subject’s rights can only be exercised once the data subject has been reliably identified.

Right to Access Information

When the data subject has provided sufficient and necessary information, they have the right to know what data the data controller has stored about them in this register or if any data has been stored at all. When the data controller has provided the requested information to the data subject, the data controller must inform the data subject of the regular data sources of the register, as well as where the personal data is used and to whom it is regularly disclosed.

Right to Rectification and Erasure

The data subject has the right to request the data controller to correct inaccurate or incomplete personal data concerning the data subject.

The data subject may request the data controller to erase personal data concerning the data subject if:

• The personal data is no longer necessary for the purposes for which it was collected or otherwise processed;
• The data subject withdraws their consent on which the processing is based;
• The personal data has been processed unlawfully; or
• The personal data must be erased to comply with a legal obligation under EU law or the laws of the member state to which the data controller is subject.

If the data controller does not accept the data subject’s request to correct or erase personal data, it must provide a written decision to the data subject. The decision must include all the reasons why the request is not fulfilled. The data subject may escalate the matter to the appropriate authorities (Data Protection Ombudsman).

The data controller must notify the parties to whom the data controller has disclosed or received personal data of the correction or erasure of the personal data. However, this obligation does not apply if fulfilling the obligation is practically impossible or otherwise unreasonable.

Right to Restriction of Processing

The data subject may request the data controller to restrict the processing of personal data concerning the data subject in the following cases:

• The data subject contests the accuracy of the personal data, in which case the processing may be restricted for a period allowing the data controller to verify the accuracy of the personal data;
• The processing is unlawful, and the data subject opposes the erasure of the personal data and requests the restriction of its use instead; or
• The data controller no longer needs the personal data for processing purposes, but the data subject requires the data for the establishment, exercise, or defense of legal claims.

If the data controller has based the restriction of the processing of personal data on the above criteria, the data controller must notify the data subject before lifting the restriction.

Right to Object

When personal data is processed for direct marketing purposes, the data subject has the right at any time to object to the processing of their personal data for such marketing and related profiling.

Right to Data Portability

The data subject has the right to receive the personal data they have provided to the data controller in a structured, commonly used, and machine-readable format, and to transmit those data to another data controller without hindrance from the data controller to which the data was provided.

Right to Withdraw Consent

When the processing of personal data is based on the data subject’s consent, the data subject has the right to withdraw their consent.

12) RIGHT TO LODGE A COMPLAINT WITH A SUPERVISORY AUTHORITY

The data subject has the right to lodge a complaint with a supervisory authority if the data subject considers that the processing of their personal data violates the EU General Data Protection Regulation.

A complaint can be lodged in the member state where the data subject resides or works or where the alleged infringement occurred.

13) MERGERS AND ACQUISITIONS

In the event of mergers, acquisitions, or forced transfers involving all parts of Optishake’s business, the entity acquiring the business and its business partners will gain access to Optishake-managed data, which may include personal data.

In the above-mentioned case, external parties will enter into a confidentiality agreement with Optishake, covering any potential disclosure of personal data.

14) PRINCIPLES OF DATA PROTECTION

Optishake uses all reasonable means to protect personal data physically, electronically, and administratively from any unauthorized and inappropriate processing but notes that the internet is not always a secure communication channel.

Optishake limits access to the data of registered individuals only to Optishake’s staff who need the information, for example, to respond to the inquiries or requests of the registered individuals.