Report on the processing of personal data pursuant to the EU’s General Data Protection Regulation (679/2016).
This privacy notice applies to the stigmapp.com website, the customer and marketing data of the data controller, and the Stigma mobile application.
The data controller is the entity responsible for the processing of personal data. A data processor, on the other hand, is an entity that processes personal data on behalf of the data controller based on an agreement between the data controller and the data processor.
Stigma Technologies Oy
Business ID: 3452860-4
address: Åkerlundinkatu 8, 33100 TAMPERE
email address: contact@stigmapp.com
Ronja Teppo
tel. +358 44 072 3684
email address: ronja@stigmapp.com
We request that data subjects contact the data protection officer for all questions related to the processing of personal data and situations related to the exercising of your rights.
a) Website Visitor Registry
b) Customer Registry
c) Marketing Registry
d) Mobile App User Registry
The legal basis for the processing of personal data is:
- The consent to the processing of personal data provided by the data subject
- The controller’s legitimate interest based on the customer relationship between the data subject and the controller, as well as direct marketing
a) Website Visitor Registry
- Subscribing to newsletters
- Developing the website and communication based on visitor interests and needs
b) Customer Registry
- Managing and maintaining the contractual relationship between the data controller and the customer
c) Marketing Registry
- Customer marketing and other similar purposes
d) Mobile App User Registry
- Researching, analyzing, and compiling statistics related to the use of the platform
- Identifying users
- Ensuring university connections
- Enabling the use of the application
The personal data to be processed is regularly received from the following sources:
a) Website Visitor Registry: Collected from the visitor through the website form
b) Customer Registry: Collected from the customer via email, phone, customer meetings, and other situations where the customer provides their information
c) Marketing Registry: Collected from public sources such as websites
d) Mobile App User Registry: Collected from data gathered and generated during the use of the platform, and from login services such as Google Sign-In or Microsoft 365 services
The controller only collects personal data concerning the data subjects that is essential and relevant for the purposes explained in this privacy statement.
The following data concerning the data subjects is processed:
a) Website Visitor Registry
- Email address
- Google Analytics data from the website
b) Customer Registry
- Person's name
- Person's position
- Company/organization
- Contact details (phone number, email address)
c) Marketing Registry
- Person's name
- Person's position
- Company/organization
- Contact details (phone number, email address)
d) Mobile App User Registry
Personal data
- Email address
- Gender
- Language chosen by the user in the app
Log data within the mobile app
- Short videos viewed by the user
- Exercises viewed by the user
- Short videos and exercises marked as favorites by the user
- Wellness paths under progress and completed by the user
- Peer support groups subscribed to by the user
- User activity in peer support groups: posts, comments, and reactions made by the user
Personal data is generally not disclosed to third parties. The data controller uses external data processors for the aforementioned purposes and does not use them for other purposes.
Data may also be disclosed to the authorities due to legal requirements.
Personal data will not be transferred outside of the EU and the European Economic Area.
The controller processes personal data in a manner that aims to ensure the appropriate security of the personal data, including their protection against unauthorised processing and accidental loss, destruction or damage.
The controller uses appropriate technical and organisational safeguards in order to achieve this goal; these include the use of firewalls, encryption techniques and safe equipment rooms, appropriate access control, careful management of data system user IDs, and providing instructions to the personnel participating in the processing of personal data.
All employees processing personal data have a non-disclosure obligation for matters related to the processing of personal data of the data subjects based on the Employment Contracts Act (55/2001) and non-disclosure agreements that supplement it.
The controller will process the personal data until the basis for processing the personal data ends. At the end of this period, the controller will delete or anonymise the data according to the current legislation and guidance from authorities in accordance with the deletion processes it follows. Once the retention period ends, personal data is permanently deleted or anonymized.
The controller may have an obligation to process some personal data belonging to the filing system for longer than stated above in order to comply with the legislation or authority requirements.
a) Website Visitor Registry
Newsletter Subscription
- After processing the request or no later than one (1) year from the original request
Google Analytics Data
- After processing the request or no later than two (2) years from the visit
b) Customer Registry
- No later than five (5) years after the end of the customer relationship, unless otherwise agreed
c) Marketing Registry
- No later than five (5) years
d) Mobile App User Registry
- General Data: After processing the request or no later than one (1) year from the original request
- Peer Support Group Log Data: Deleted one (1) year after the activity is performed, unless the user deletes it through the app, in which case the data is removed immediately
The data controller uses Google Analytics cookies, which are anonymous and do not identify individual users. These cookies allow the data controller to analyze how users interact with the website at a general level. The cookies have a lifespan of up to two years.
The data controller's website and services do not use third-party cookies.
The data subject has the right to receive confirmation regarding whether personal data concerning them is being processed and, if it is, the right to receive a copy of their personal data.
Right to rectification
The data subject has the right to request that inaccurate and erroneous personal data concerning them be rectified. The data subject also has the right to supplement incomplete personal data by submitting the required additional information.
Right to erasure
The data subject has the right to request erasure of personal data concerning them if
a. the personal data is no longer required for the purposes for which they were collected;
b. the data subject withdraws their consent which the processing of personal data was based on, and no other legal basis exists for the processing; or
c. the personal data has been unlawfully processed.
Right to restriction of processing
The data subject has the right to restrict the processing of personal data concerning them if
a. the data subject contests the accuracy of their personal data;
b. the processing is unlawful and the data subject opposes the erasure of the personal data and requests the restriction of its use instead; or
c. the controller no longer needs the personal data for the purposes of the processing, but it is required by the data subject for the establishment, exercise or defence of legal claims.
Right to object
The data subject has the right to object, on grounds relating to their particular situation, at any time, to processing of personal data concerning them.
The controller shall no longer process the data subject’s personal data unless the controller demonstrates compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject or for the establishment, exercise or defence of legal claims.
Where personal data is processed for direct marketing purposes, the data subject has the right to object at any time to processing of personal data concerning them for such marketing, which includes profiling to the extent that it is related to such direct marketing.
Right to withdraw consent
The data subject has the right to withdraw the consent they have provided for the processing, without affecting the lawfulness of processing based on consent before its withdrawal.
Right to data portability
The data subject has the right to receive the personal data concerning them, which they have provided to a controller, in a structured, commonly used and machine-readable format and have the right to transmit this data to another controller.
Right to lodge a complaint with a supervisory authority
The office of the Data Protection Ombudsman, operating under the Ministry of Justice, is the national supervisory authority for personal data matters. You have the right to bring your case to the supervisory authority if you consider that the processing of personal data concerning you is in violation of applicable law.
The controller is continuously developing its activities and may therefore be required to amend and update its privacy policies when necessary. The amendments may also be based on changes in the legislation concerning data protection.
If the amendments include new purposes for the processing of personal data or otherwise introduce substantial changes, the controller will provide an advance notification of them and, if necessary, request consent.
© 2024 Stigma Technologies Oy. All rights reserved.