Processing of Personal Data of Smartly.io’s Customers and Website Users
Updated: 5 February 2019
We at Smartly.io Solutions Oy (business ID 2555760-6) together with our affiliates (“we” or “us”) believe that
protecting our customers’ and business partners’ privacy is crucial to our business and values. In the course of
our business operations, we receive, collect, maintain, use and share personal data on customers and business
partners. We are committed to protecting the privacy of individuals who visit our website (visitors), individuals
who register to use our services (customers), and individuals who register to attend our corporate events
(attendees) (collectively hereinafter “Data Subject(s)” or “User(s)”).
directly or indirectly identify a Data Subject (the “Personal Data”) and describes our practices in relation to
the use of our website(s) and the related applications and services offered by us (collectively, the “Services”),
as well as Data Subjects’ choices regarding their rights such as use, access and rectification of Personal Data.
We act as a controller with respect to the information we process in connection with our business relationships.
For example, we are the controller in relation to Data Subjects’ contact details and other commercial Personal
Data. On the other hand, we may also act as a processor of Data Subjects’ Personal Data when our customer
and business partners engage us to process Personal Data on their behalf, for example in connection with the
provision of the Services. We may also act as a processor in certain circumstances when our customers use
third party service providers in connection with our Services (e.g. Facebook). When we act as the processor,
we process the data in accordance with applicable privacy laws and the data processing agreement entered into
with the controller, where applicable. In such a case, please refer to the Privacy Policies of controllers for
further information on the processing of Personal Data.
in the General Data Protection Regulation (EU) 2016/679 (the “GDPR”).
1 Processing of Personal Data
We process Personal Data of Data Subjects to offer the Services, including the processing and
execution of demo requests relating to the Services, and to contact and market our Services to the
participants of our business events and to contact and send marketing material to the visitors of our
websites who submit us their information in a form or otherwise with the intent to receive marketing
or other information from Smartly.io. In this context, Personal Data may be processed for market
and customer analysis, reporting and statistical purposes, marketing purposes such as customised
marketing, administration notices, database management and maintenance, product suggestions
and offers, interaction with external social networks, access to third party services' accounts and
platforms, heat mapping and newsletters. Personal Data may be used for direct marketing, including,
where applicable, by electronic means unless objected by the Data Subject. Personal Data may also
be processed to better understand how website visitors interact with Smartly.io’s websites.
Further, Personal Data may be used for invoicing and to send important information to the Data
Subject e.g. regarding changes of applicable fees, price list and conditions, or to contact the Data
Subject and provide information customised Services according to the interests of the Data Subject.
We process Personal Data on the following basis:
• for the performance of the contract between us and the Data Subject (Article 6.1(b) of the
• for the purposes of our legitimate interests related to the customer and business
relationships between us and the Data Subjects (Article 6(f) of the GDPR);
• to comply with legal obligations applicable to us (Article 6(c) of the GDPR, such as
corporate and accounting).
We may ask for Data Subject’s consent for the processing of certain type of Personal Data (for
example for a campaign). When collecting such consents, we inform the Data Subject of the
respective purposes of processing and such processing is conducted only when appropriate consent
We may ask for certain Facebook permissions allowing us to perform actions with the Data Subject’s
Facebook account and to retrieve information, including Personal Data, from it. This allows our
Services to connect with the User's account on the Facebook social network, provided by Facebook
Inc. In this context, the following permissions may be asked: About Me, Access Rights (including but
not limited to Ad Account Access, Business Manager Access), App Notifications, Contact Email,
Manage Advertisements, and Manage Pages. For more information about the Facebook permissions,
refer to the Facebook permissions documentation and to the Facebook Data Policy.
2 Personal Data we collect and use
Personal Data processed by us is mainly obtained directly from the Data Subject. Provision of such
Personal Data is necessary to use and purchase our Services, to accommodate Data Subject’s request
for information relating to our Services and to organize communication in relation to our business
events. We may not provide the Services to a Data Subject that refuses the processing of his/her
Personal Data. We process also Personal Data accumulating from the use of our Services (including
Personal Data may be updated and supplemented by collecting data from private and public
We collect the following Personal Data in conjunction with the Data Subject's (i) use of our Services,
(ii) requests for information through our website and (iii) participation to our business events: name,
phone number, e-mail address, usage data and cookies or any other information the user can provide
via form (in website). In addition, we may process various other types of Personal Data generated in
connection with the Data Subject’s use of any third-party services and applications as specified in the
We for example use Hotjar’s technology services to understand our website users’ needs better and
to improve user experience in our website (e.g. by understanding how much time our visitors spend
on which pages, which links they choose to click, what users do and don’t like, etc.) and this enables
to collect data on our users’ behaviour and their devices (in particular device's IP address (captured
and stored only in anonymized form), device screen size, device type (unique device identifiers),
browser information, geographic location (country only), preferred language used to display our
website). Hotjar stores this information in a pseudonymized user profile. Neither Hotjar nor we will
ever use this information to identify individual users or to match it with further data on an individual
Hotjar’s use of tracking cookies on other websites can be opted out by following this opt-out link. In
We do not collect sensitive information (Personal Data of special categories).
3 Disclosure of Personal Data
authorities, other companies within the same group of companies as us, companies which the group
cooperates with and to other third parties, such as third-party service providers used in connection
with our Services and services related thereto.
Personal Data may be transferred outside the European Union and the European Economic Area
(“EU/EEA”), including but not limited to, the United States of America, China, Australia, Singapore
and Argentina as well as other locations and jurisdictions in which we conduct our business. Such
transfers outside the EU/EEA are performed subject to appropriate safeguards such as standard data
protection clauses adopted or otherwise approved by the EU Commission in accordance with the
GDPR (“Standard Data Protection Clauses”).
The applicable Standard Data Protection Clauses are made available for review to the Data Subject
4 Retention Period
We retain Data Subject’s Personal Data for 3 years from Data Subject’s latest purchase or contact
with us. Personal Data may be, wholly or in part, retained for longer or shorter term if required by
applicable law or if there is other justified reason to retain or delete them. In such a case, Data
Subject’s Personal Data shall be erased with no further delay after there is no longer any need for
such a retention.
We evaluate the necessity and accuracy of the Personal Data on a regular basis.
5 Data Subjects’ Rights
Data Subject has a right to request from us:
• access to and rectification or erasure of Data Subject’s Personal Data;
• for restriction of processing concerning the Data Subject or to object to processing; and
• to receive, under certain preconditions, Data Subject’s Personal Data in a structured,
commonly used and machine-readable format and to transmit those data to another
Data Subject may exercise the aforementioned rights by sending a written request to us. Where the
processing is based on consent, Data Subject has a right to withdraw such consent at any time. Please
Policy that this will not affect the lawfulness of processing based on consent before its withdrawal.
In case the Data Subject considers that its rights under the data protection laws are infringed, the
Data Subject may lodge a complaint with the supervisory authority of the Data Subject’s residence in
the EU (e.g. in Finland the Finnish Data Protection Ombudsman).
6 Security Safeguards
Securing the integrity and confidentiality of Personal Data. We have taken adequate technical and
organisational measures in order to keep Personal Data safe and to secure it against unauthorized
access, loss, misuse or alteration by third parties, such as encryption, access controls and firewalls.
Nevertheless, considering the cyber threats in modern day online environment, we cannot 100%
guarantee that our security measures will prevent illegally and maliciously operating third parties
from obtaining access to Personal Data and the absolute security of that information during its
transmission or its storage on our systems.
the website every now and then, referring to the date of the last modification listed at the top of this
cease using the Services, where applicable, and can request that we remove the Personal Data, unless
applicable laws require storage of the Personal Data. Unless stated otherwise, the then-current
8 Contact information of data controller
Data controller: Smartly.io Solutions Oy (business ID 2555760-6) and its affiliates