What is the legal basis for and purpose of the processing of personal data?
The bases for processing personal data are our legitimate interests (e.g. customer relationship management, marketing), the consent of a customer, the performance of a contract and/or a legal obligation.
The purpose of processing personal data is:
- the delivery of the Semantix Service to the customer,
- fulfilling our contractual and legal obligations (such as accounting laws) and other promises,
- problem solving and analysing usage data to further develop the Service to be best suited to its intended use,
- communicating marketing messages, newsletters and details of our business which we think may be of interest to you by post or email or similar technology (you can inform us at any time if you no longer require marketing communications).
What kind of data do we process?
We process the following personal data of our customers or other data subjects relating to this customer and marketing register:
- Basic information of the data subject such as name*, date of birth, identification number, customer number, username and/or other identifier, mother tongue;
- Contact information of the data subject such as e-mail address*, phone number, postal address;
- Information of the company and company’s contact persons such as Business ID* and names* and contact details* of the contact persons;
- Information of the connection and device the data subject is using such as the IP address, operating system, hardware version, device ID or other device identifier and cookies;
(*) Providing the personal data marked with an asterisk is a requirement for our contractual and/or customer relationship. Without the necessary information we may not be able to provide certain services or personalise your experience.
From where do we receive data?
We receive information primarily from the data subject him-/her-/itself, authorities, credit information companies, contact information service providers and other similar reliable sources.
For the purposes described in this privacy policy, personal data may also be collected and updated from publicly available sources and based on information received from authorities or other third parties within the limits of the applicable laws and regulations. Data updating of this kind is performed manually or by automated means.
Data disclosure and providing data to third parties
We don’t disclose information of the register to external third parties. We may disclose the information to our other group companies.
We both process information ourselves and use subcontractors that process personal data on behalf of and for us. We have outsourced our IT management to an outside service provider on whose server the personal data are stored.
We may transfer personal data outside EU/EEA as a part of our operations. If we do, we will make sure that the personal data in question is protected according to the privacy legislation in force from time to time.
We have outsourced some of our IT-services to third party providers where personal data can be stored. We always secure processing of personal data by third parties through NDAs, DPAs and strict security requirements. Semantix only works with IT-providers that process data within the EU/EEA.
Privacy and security measures
Semantix are serious about protecting your personal data. We protect our data through several technical controls at the facility, infrastructure and application levels. We also regularly train and inform all employees in information security.
The information is collected into databases protected by firewalls, passwords and other technical measures. The databases and the backup copies of them are in locked premises and can be accessed only by certain pre-designated persons. Each user has a personal username and password to the systems where personal data are stored.
Storage and deletion
We store personal data only as long as necessary for the purposes described above or to comply with specific legal requirements. This means that the storage times for different types of information may vary. The Bookkeeping Act requires invoice information to be stored for a minimum of seven years. We need to store your contact information as long as you are our client (and for a certain period of time thereafter, e.g., to be able to provide you with the best possible service should you choose to return to us), while we may store other data (e.g. chat logs from your discussions with customer service) for a shorter period of time.
Project files and e-mails will be stored for seven years, unless otherwise agreed with you.
Personal data in the customer and marketing register is erased after the claim period related to a specific customer relationship or service has elapsed or the data related to marketing activities has been identified as outdated or unresponsive.
We regularly review the need for data storage considering the applicable legislation. In addition, we take all reasonable actions to ensure that no incompatible, outdated or inaccurate personal data are stored in the register considering the purpose of the processing. We correct or erase such data without delay.
Your rights
As a data subject you have the right to access the personal data stored in this register concerning yourself, and the right to require rectification or erasure of that data. You also have the right to withdraw your consent and the right to data portability.
As a data subject, you have the right, according to the EU’s General Data Protection Regulation (applied from 25.5.2018), to object to processing or to request restricting the processing, and to lodge a complaint with a supervisory authority.
For specific personal reasons, you also have a right to object to profiling and other processing concerning you, when processing the data is based on the customer relationship. In connection with your claim, you should identify the specific situation on the basis of which you object to the processing. We can refuse to act on such a request based on the law.
As a data subject you have the right to object to processing at any time free of charge, including profiling in so far as it relates to direct marketing.
All requests and requirements concerning this section should be submitted using the Rights of the Data Subject form.
Updates
Should we make amendments to this privacy policy statement, we will place the amended statement on our website, with an indication of the amendment date. If the amendments are significant, we may also inform you about this by other means, for example by sending an email or placing a bulletin on our homepage. We recommend that you review these privacy policy principles from time to time to ensure you are aware of any amendments made.
Contact us
We welcome your opinions on our policy. If you wish to contact us with questions or comments, please send an email to privacy@semantix.com or a letter to the address given above.
Semantix’ cookie policy
For information on how we use cookies, read our Cookie Policy.
Latest update May 11, 2021.