DPO365 privacy notice


This privacy notice was updated on 17.1.2025  

Since privacy and data protection are at the core of our business, it is of paramount importance to us that when processing personal data, we do so in a lawful and responsible manner. By personal data we mean any piece of information relating to an identified or identifiable person (‘data subject’) that allows us to identify a person directly or indirectly. Processing personal data refers to any operation or set of operations performed on personal data, such as collecting and storing personal data.

The standard for our personal data processing operations is the relevant national and international regulations and we adhere to the rules and principles set forth in the European General Data Protection Regulation (GDPR).  

We want to be transparent about our data processing. You can find more information about Privaon’s data processing in the sections below. We may update this Privacy Notice from time to time. If we make any substantial changes to our processing, we openly seek to inform you.

Privaon as a Controller and Processor 

Privaon as controller 

Controller refers to a company or other party that is in charge of processing and determines how the personal data is processed. Privaon acts as a controller for the personal data concerning our sales and marketing efforts relating to DPO365.

Please note that DPO365 contains links to websites that do not belong to or are not operated by Privaon. Such companies have their own policies for data protection. We recommend that you look at their privacy notices before using their services. 

Privaon as a processor 

Processor refers to a company or other party that processes personal data on behalf of the controller and according to the instructions received from the controller. Privaon acts as a processor for the personal data that we process in the context of providing DPO365. Our corporate customer remains the controller for the personal data and is responsible for the lawfulness of processing. This Notice contains a description of processing amending the DPO365 agreement in the section Description of Processing.

Contact Information 

Privaon Oy 

[email protected] 

+358 50 328 1446 

Hevosenkenkä 3 

02600 Espoo 

Finland 

2647800-2 

Collection and Use of Personal Data 

Our core business is not the collection of your personal data. Therefore, we process only the minimum amount of personal data necessary to operate our business, to offer and provide our services. In the context of DPO365, we will only process your personal data for predefined purposes, and we make sure that we have legal grounds for it. 

| Purpose of processing | Legal basis | Categories of personal data |
| --- | --- | --- |
| Customer relationship management and communication | Legitimate interest based on the customer relationship between the controller and the organisation represented by the data subject and the work responsibilities of the data subject. | Name of customer representative, customer communication |
| Marketing and advertising | Legitimate interest (see more information below) | Name, contact information, information about purchases, your requests and information about your preferences, feedback from the use of products and services. |
| Invoicing and accounting | Legitimate interest to allocate and manage invoicing; legal obligation as part of accounting materials and receipts | Name of customer representative, customer communication |
| Service development | Legitimate interest to improve our customer understanding and services to meet customer needs | Feedback from the use of products and services, free text feedback, survey responses. |
| Prevent and investigate fraudulent or non-authorized activity | Legitimate interest to protect our own and stakeholders’ interests and avoid harmful or illegal activity | Name, contact details, system logs, numeric identifiers. |

Marketing and advertising 

As we are a company dependent on business operations, we market to our business contacts. We keep records of our clients’ and potential clients’ details to market and provide more information about our products and services. This could mean, for example, invitations to our events and other marketing activities to promote our services.

In this context, we process your personal data based on our legitimate interest in advertising our services. Our market research is based on our interest in gaining insights from customers, potential customers, and other stakeholders. With regard to electronic direct marketing:

  • We process your data based on our legitimate interest if you are a decision-maker or other person working in a position essentially related to the services or goods being offered via direct marketing in an organization that is our customer or potential customer. You can object to processing at any time.
  • If you are another representative of an organization that is our customer or potential customer, we only process your data if you have given your consent for it. Consent can be withdrawn at any time.

We use online advertising networks, social media companies and other third-party services to send marketing communication and display ads on other websites and services you may use. You can ask us to remove your data from these channels at any time by contacting us. You can unsubscribe from our mailing list by using the unsubscribe link in the relevant email.  

Cookies 

The Service only uses strictly necessary cookies which help make the Service navigable by activating basic functions such as page navigation and access to secure Service areas. Without these cookies, the Service would not be able to work properly. 

Transfers and Disclosures 

Transfers to Processors  

We use third-party service providers to provide our services and to help operate our business efficiently.  

As a responsible company, we always use various contractual and other arrangements to ensure that our service providers process your personal data in accordance with the laws and good data processing practices. To ensure confidentiality and a high level of protection for your data, we have a data processing agreement with every service provider we use for personal data processing. Our processors do not have permission to process your information in any way beyond the agreed services. 

Personal data is transferred to sub-processors for various purposes, including service delivery, user authentication, and email management. Transfers may occur outside the EU/EEA during support tasks, depending on the specific service. For user authentication, personal data is transferred to the U.S. under the European Commission Adequacy decision (Data Privacy Framework). In some cases, no personal data is transferred, particularly when utilizing AI assistance. 

Disclosures to other Controllers 

We may have to disclose certain information to the public or law enforcement authorities when this is required by law. We only do so based on an adequate legal warrant or subpoena issued by a Finnish or other relevant Court.

In the event of mergers or acquisitions, the acquiring entity may obtain access to relevant customer data assets. 

Data Security 

Privaon has appropriate security policies and procedures in place to protect personal data from loss, misuse, or unauthorized access. 

We guarantee that your data is kept confidential and secure. All the employees authorized to process your data are committed to confidentiality. We have role-based access control, meaning that each employee is given access to resources and personal data based on the employee’s needs and job description. All networks and services used by our employees are protected with appropriate security measures. 

We have a procedure to manage data breaches which allows us to assess the possible risks, notify the relevant authorities and alert you in case your personal data may have been affected. We regularly educate all employees to ensure the protection of your personal data. 

Your Rights 

You have several rights concerning your personal data, such as right to access, update, delete and have a copy of such data. We seek to ensure that you can exercise your rights efficiently. 


  • When you have given your consent for the processing, and you do not want us to continue processing your data, you have a right to withdraw your consent at any point. You can unsubscribe from the mailing list by using the unsubscribe link in the relevant email. 
  • When we process your data, we take your rights and interests into consideration, especially when we process your data based on our legitimate interests, for example for marketing and research purposes. We have assessed the processing, and we ensure that it will not cause any significant intrusion into your privacy, or any other undue impact on your interests and rights. If you wish to hear more about the assessments conducted, please contact us. You have the right to object to such processing at any time by contacting us.
  • You have the right to obtain confirmation whether your personal data is being processed or not and if you wish, receive a copy of such data. This right is known as the right to access. 
  • We want your personal data to be correct and up to date. You can always contact us to have your data corrected, updated, and completed. This right is known as the right to rectification. 
  • In principle, you have the right to have your personal data erased in part or in full. If you request the erasure of your personal data, we will assess whether we can erase such data. Please note that we may have a legal right or obligation to keep your data for a certain period of time. This right is known as the right to erasure or the right to be forgotten. 
  • If you object to processing, contest the lawfulness of the processing or the accuracy of the data, or if you need your data in legal proceedings, you have the right to ask us to restrict the processing of your personal data until the matter has been solved. This right is known as the right to restriction of processing. 
  • If you consider that the processing of your personal data violates the General Data Protection Regulation (GDPR), you have the right to file a complaint with your local data protection authority. For customers in Finland, you can submit your complaint to the Finnish Data Protection Authority by following this link: Finnish Data Protection Authority. 

If you wish to exercise your rights, or if you have any other questions relating to the processing of your data or this Privacy Notice, please contact us. 

Retention Periods  

We have determined retention periods based on the purpose of the processing and the applicable legislation. For example, accounting laws require us to store your personal data for a certain period. We review the personal data we collect (e.g., the information of our business contacts) regularly to ensure that the personal data we have is up to date and is not retained longer than needed or required by the relevant laws. 

When not limited by applicable legislation, the retention periods are defined as follows: 

  • If you are a representative of our customer organization, your basic information such as name and contact details are retained for two years after the termination of the service agreement. 
  • Personal information contained in accounting materials is retained in accordance with legal retention periods for receipts for at least six years after the end of the financial year.
  • If you are a representative of our potential customer organisation, your personal data is erased when we have no reason to assume that you would be interested in our services. This usually takes place if we have not been in touch with you for the past 12 months. 
  • Information needed for service development is retained for 6 months from collection.

If you wish to have more detailed information about our retention times, please contact us. 

Privaon as a Processor 

Description of Processing

| The nature and purpose of processing | Categories of personal data | Categories of data subjects |
| --- | --- | --- |
| Service delivery: setting up user accounts and onboarding; providing, operating, and maintaining services; delivering AI-powered recommendations to aid decision-making and optimize service use; providing user support and guidance; sending technical updates, security notifications, and administrative communications. | Name, contact details, job title, affiliation with certain organization, user photo (optional) | DPO365 users |
| Safety and security: ensuring security by preventing, detecting, and investigating information security incidents | Name, contact details, system logs, numeric identifiers. | DPO365 users |

Duration

If not instructed otherwise in writing by our customer, Privaon deletes and destroys all the above-mentioned personal data processed within three (3) months after the termination of the DPO365 Agreement.  

Sub-processors

| Processor | Purposes | Categories of Personal Data | Personal Data Transfers Outside of the EU/EEA |
| --- | --- | --- | --- |
| Koivu Solutions Oy (Koivu Cloud) | Service delivery; safety and security | Name, contact details, job title, affiliation with certain organization, user photo (optional), logs and activity in DPO365, content created by users | Not by default. It is possible that support tasks may transfer some personal data outside the EU/EEA. |
| Google Inc. (Google Firebase) | Safety and security, user authentication | Numeric identifiers | Personal data is transferred to the U.S. under the European Commission Adequacy decision (Data Privacy Framework). |
| Microsoft Ireland Ltd. (Microsoft Azure) | Safety and security, user authentication | Numeric identifiers | Not by default. It is possible that support tasks may transfer some personal data outside the EU/EEA. |
| Twilio Inc. (SendGrid) | Service delivery, emails | Name, contact details | Personal data is transferred to the U.S. under the European Commission Adequacy decision (Data Privacy Framework). |
| OpenAI Ireland Ltd. (ChatGPT) | AI Assistants (read more below) | Information in the filled forms | No personal data is transferred |

Information for data subjects
Your Rights 

The controller, that is, the DPO365 subscriber, is responsible for the lawful processing of your personal data and executing your rights as a data subject. The customer using DPO365 has access to all their personal data and can exercise their rights in the service. Upon request, Privaon assists customers in exercising their data protection rights. Privaon only processes personal data under the written instructions of the controllers, as defined by the written data processing agreements.

Automated Decision-Making and Profiling 

DPO365 does not engage in automated decision-making or profiling. All decisions regarding personal data are made through human intervention, ensuring that individuals are treated fairly and transparently. 

Use of Artificial Intelligence 

Privaon acknowledges the significance of recent technological advancements and their implications for our products and services. To ensure that our products and services remain valuable to our customers, we have integrated Artificial Intelligence (AI) solutions into DPO365. These functionalities help users analyze data faster and make better data protection decisions.

Privaon has created appropriate notifications to inform users when their interactions are occurring with Artificial Intelligence.  

The development, implementation, use and maintenance of AI within DPO365 is governed by Privaon’s AI Governance Policy. 

For more detailed information regarding our AI implementation, please do not hesitate to contact us.