Privacy policy in accordance with the EU General Data Protection Regulation

Valid as of May 16, 2018

Taitori Oy
Fredrikinkatu 34 A, 00100 Helsinki
Company ID: 2373571-2

Generalities

In this document, we tell how we, as controller, process the personal data of a registered user. Processing will be in accordance with the requirements of the EU General Data Protection Regulation (GDPR) that shall enter into force in May 2018. This document constitutes, simultaneously and jointly with our terms of use, an agreement on the processing of personal data in situations in which we are considered to be processing personal data on your account or on your company’s account (DPA = data processing agreement). Juridically, we shall then be the processor of the personal data and you or the company that you represent shall be the controller.

This document constitutes, simultaneously and jointly with our terms of use, an agreement on the processing of personal data in situations in which we are considered to be processing personal data on your account or on your company’s account (DPA = data processing agreement). Juridically, we shall then be the processor of the personal data and you or the company that you represent shall be the controller.

Ground and purpose for processing personal data

Personal data are processed in order to enable us to individualize the users of a given service and to connect the bookings or catering orders saved in the service with the respective users. We may use personal data also for service-related communication, invoicing, and statistics.

Processing personal data is based on the service agreement concluded by you or by your employer with Taitori Oy. Use of service is always subject to you having approved this privacy policy as well as the terms of use of the service. These approvals are asked in conjunction with the registration of the user or the activation of a user account.

Regular data sources

As a rule, the data to be entered in a personnel register are obtained from the data subject in person.

In some cases, your data may be added into the system by a third party. For example, a colleague of yours may invite you to use the service or the data may be imported via an agreed integration from your employer’s system. If you wish to change or delete data added in this way, contact primarily the party that has added your data or is in charge of the integrated system. One can also review and modify one’s data in the user account settings.

Possible client company systems from which personal data can be imported via integration:

• The e-mail systems of the client company (Exchange, O365, Google)
• The AD (Active Directory) system of the client company if a SSO (Single Sign On) login has been agreed on

Other systems from which personal data can be imported into the service:

• Payment service systems (e.g. Maksukaista)

Personal data to be processed

We will process one or more of the following personal data of our users:

• First name and last name
• E-mail address
• Telephone number
• Company position
• Place of business
• Special dietary regimes
• Credit card data
• Data to be gathered technically (e.g. IP address and browser type)
• Auditing data related to service use (e.g. login time)

As a user, you may invite new users into the service. In this case, you are responsible for ensuring that you have the right to process the personal data that you enter into our service at the time of the invitation.

You shall ensure that you only invite such people to use the service who have the right to review the data saved into the service.

When you save data into the service you shall ensure that you only save such data that you are entitled to. When a user saves data into the service Taitori is considered to be the processor of the personal data. In these situations, you are in charge of fulfilling the obligations of data protection legislation concerning the data itself with the exception of the protection methods that we have committed ourselves to in accordance with the “Personal data protection” chapter below.

Our personal data processor(s)

Your personal data shall only be processed by people who have grounds to access such data in their line of work. All of our employees are bound by an extensive confidentiality agreement.

Our main partners processing personal data for Taitori are:

• Machine room services: Microsoft Ireland Operations, Ltd
• Client communication: HubSpot Inc.
• Web traffic monitoring: Google LLC
• Financial management software: Accountor Finago Oy

Personal data may be disclosed to third parties in situations related to service production.

These cases include:

• Disclosure of participant data to actors delivering catering orders (cafés, restaurants, etc.)
• Disclosure of invoicing data to the party responsible for invoicing
• Disclosure of booking data to the parties in charge of administering the premises

Personal data may also be processed, subject to limitations, by the SMS and e-mail service providers, client service providers, software developers, accountants, and consultants used by us as the case may be.

An accurate data protection evaluation and relevant confidentiality agreements are part of the selection of these partners and service providers. We will inform of any significant changes in relation to our partners before their implementation.

Written agreements are always entered into with all partners, and we require our partners to adhere to the level of data protection as established in this privacy policy.

We only disclose personal data saved into our service to outsiders if required by the law to do so.

We will provide you personally upon request with up-to-date information on all of our partners that process personal data and on the data to be disclosed.

Transfers of personal data into third countries

For technical reasons, your personal data may be transferred outside the European Union or the European Economic Area. A prerequisite for the transfer is that the European Commission has stated that the level of data protection in the target country is sufficient or that the party receiving such data outside the EU commits to the relevant safeguards as required in the data protection legislation (GDPR).

On request, we will provide you personally with detailed information on the safeguards implemented in such cases where data may be transferred outside the EU.

Personal data protection

Servers

User data is processed in servers where the best safety and protection practices are used. These practices include protection against fires and power outages. The employee selection process is closely observed and access to machine rooms is monitored by access control. Up-to-date virus control is used in the servers, and eventual attacks are monitored, detected and repelled in real time by the server provider.

Databases

Only people entitled in their line of work to access personal data will have access to such data. Processing of personal data is confidential and every processor is bound by an extensive confidentiality agreement. Every person operating the database has an individual user ID so those people processing personal data can be identified and action can be monitored on the user level. Eventual attacks are monitored, detected and repelled in real time by the server provider. The database has been duplicated in real time on another server located in another machine room. Backup copies of data are made with regular intervals. The contents of the database and the backup copies are saved in their entirety with real-time encryption.

Small IoT devices and door managers

Personal data are not stored in small IoT devices. The door managers are of the kiosk type and their work desks cannot be logged into without a device-specific user ID and password. The booking data saved on a door manager have been encrypted with the AES256 technology. No other personal data are saved on the door manager. The door managers are equipped with real-time virus control, and the software and, if needed, the operating system of the device is automatically updated outside service time.

Data communication

All data communication into the databases and servers has been protected with firewalls. Communications from the user’s browser into the service or from the door manager into the service has been protected with strong SSL technology. Data communication from small IoT devices (e.g. sensors) into the service has been protected with AES256 technology.

Users’ login data and rights of use

Every user has a personal user ID and a password. If a user forgets a password, s/he can order a new one from the service. A forgotten password cannot be found out because passwords are saved in an encrypted mode. A user can change his/her password in the settings at any time after login. User groups are defined for every user. In addition, a user level is defined for every user in the user group. On the basis of this data, a user has only access to the data and to the functionalities that correspond to the user groups s/he belongs to and to the corresponding levels of use.

Information on security breaches

If we find out that a security breach has occurred on the personal data at our disposal and that the breach is likely to cause a high risk to your rights and freedoms, we will inform you of the breach without undue delay. All probable risk situations will be thoroughly examined and reported to supervision authorities.

Data storage period

Basically, we will keep your personal data in storage for as long as you have a user account in our service. In some cases, personal data will be kept in storage even after the deletion of a user account in order to enable use of the service. Such data include the personal data added to a future booking. This data will be deleted only after the time of the booking and other matters related to invoicing for example have been dealt with. When you wish to delete a user account, contact our client support (support@taitori.fi) so we will process the deletion of a user account on a case-by-case basis. In the case of a client company, all the user accounts related to the client company are deleted at the request of the client company when the client company decides to stop using the service. In some cases, we may delete user accounts that have been inactive for a long period of time. In these cases, we will contact you beforehand so that you will have the possibility to prevent deletion and keep using the service.

In the case of a client company, all the user accounts related to the client company are deleted at the request of the client company when the client company decides to stop using the service.

In some cases, we may delete user accounts that have been inactive for a long period of time. In these cases, we will contact you beforehand so that you will have the possibility to prevent deletion and keep using the service.

Profiling

Personal data may be used for automatic decision-making to ease the use of the service for you. For instance, the premises best suited for you may be suggested for you to book.

We do not use personal data for purposes of direct marketing.

The rights of a data subject

Please note that, as we are not responsible for the content of the data saved by our users such as bookings or catering orders and as we cannot disclose this data, we cannot extend these measures to the personal data possibly contained in such materials.

Right to access personal data

The data subject has the right to receive confirmation to whether personal data concerning him/her are processed, and if so, s/he has the right to obtain a copy of his/her personal data. We will deliver the data to you in a structured, commonly used and machine-readable format. You may check the contact information also in the settings of your user account.

Right to rectification

We will rectify, upon your request, any inaccurate or erroneous personal data gathered in our client register. You may also update your contact information yourself in the settings of your user account.

Right to erasure

We will, upon your request, delete all personal data concerning you from our client register unless we have special legal grounds to keep them (e.g. unpaid invoices). Use of the right to erasure also means closing your user account.

Right to restriction of processing

You may restrict our processing of your personal data if you have a legal basis thereto (e.g. the inaccuracy of the data).

Right not to be subject to automated decisions

The data subject shall have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning him or her or similarly significantly affects him or her. The above shall not apply if the decision is necessary for entering into, or performance of, a contract between the data subject and a data controller or is based on the data subject’s explicit consent.

Right to file a complaint to the supervisory authority

You have the right to have your matter handled by the supervisory authority if you find that personal data concerning you are processed in breach of relevant legislation. The data protection ombudsman working in conjunction with the Finnish Ministry of Justice is the national supervisory authority in matters related to personal data.

Further information

We will provide further information on your rights related to our data processing and data protection. If needed, please e-mail us at the address privacy@taitori.fi.