This policy has been issued on June 4, 2024.

1 REGISTRAR

Oy Idlis Ab (Business ID 3280500-6) (“Idlis”)
Address: Linnankatu 1 a, 20100 Turku, Finland
contact@idlis.com

2 DATA PROTECTION OFFICER

Thomas Grandell
dpo@idlis.com

3 NAME AND PURPOSE OF REGISTER

3.1 The name of the register is Idlis service (“Service”) personal data register.

3.2 If you do not provide the data marked as obligatory when the data is requested, Idlis is not able to provide you with the Service.

3.3 The Service has specific terms and conditions for processing of personal data, namely the Consumer Terms and Conditions of Use for Idlis Service (“Terms”). You are informed of the Terms and your consent is asked for the Terms.

3.4 You have the right to withdraw any consent given by you to the processing of your personal data by Idlis by at any time. The withdrawal of the consent does not affect the lawfulness of processing based on the consent before its withdrawal.

4 AGE LIMIT

4.1 You are at least eighteen years of age.

5 CONTENT OF REGISTER

5.1 The register includes the following personal data of you collected through or in connection with Idlis’ software application, for mobile use, for the provision of the Service:

(a) name;

(b) email address;

(c) mobile phone number;

(d) year of birth;

(e) city and country of residence;

(f) IMEI of your mobile device;

(g) cookies and pixels;

(h) website cookies and cookie consent cookie;

(i) optional referral code;

(j) IP address of your device during each session;

(k) session token for each session;

(l) advertisement interactions, such as views, skips, call-to-action clicks, questionnaire answers;

(m) IAB and Idlis-managed taxonomies, which could purport for example demographic information and purchase intent;

(n) Idlis system user ID;

(o) Idlis analytics ID;

(p) Google Analytics ID;

(q) Apple Identifier for Advertisers (IDFA);

(r) Google Advertising ID (GAID);

(s) email communications with Idlis;

(t) information regarding vouchers provided to you as rewards;

(u) racial or ethnic origin;

(v) political opinions;

(w) religious or philosophical beliefs;

(x) trade union membership;

(y) data concerning health;

(z) data concerning a natural person’s sex life or sexual orientation; and

(aa) other personal data collected by third parties as explained in Section 7.

6 PURPOSE OF PROCESSING AND LEGAL BASIS OF PROCESSING

6.1 The personal data defined in Section above is used for the following purposes:

(a) handling of customer service; governing and handling of potential support requests or complaints.

(i) Performance of a contract and in order to take steps prior to performance of the contract is the legal basis for processing the personal data for this purpose.

(b) marketing to you through the Service by third parties.

(i) Your consent is the legal basis for processing the personal data for this purpose;

(c) creation of anonymous data to be provided to Idlis’ advertiser-customers’ advertisements displayed in the Application.

(i) Your consent is the legal basis for processing the personal data for this purpose.

(d) providing you with reward(s).

(i) Your consent is the legal basis for processing the personal data for this purpose.

(e) to develop Idlis’ services.

(i) Legitimate interests pursued by Idlis is the legal basis for processing of personal data for this purpose;

(f) when the processing is necessary for compliance with a legal obligation to which Idlis is subject.

(i) Idlis’ legal obligations is the basis for processing of the personal data for this purpose;

(g) for the establishment, exercise or defence of legal claims.

(i) Legitimate interests pursued by Idlis is the legal basis for processing of personal data for this purpose;

(h) for creating a profile of you as explained in the Terms section 11.7

(i) Your consent is the legal basis for processing the personal data for this purpose.

(i) for the purposes as explained in Section 7, by third parties who collect personal data in connection with the Service.

(i) Your consent is the legal basis for processing the personal data for this purpose.

6.2 To the extent the processing is based on Idlis’ legitimate interests, those legitimate interests exist as there is a relevant and appropriate relationship between you and Idlis as you use Idlis’ Service and/or provide your information. Your interests and fundamental rights and freedoms are respected. Idlis’ information security methods described in Section 13 are maintained by Idlis in order to protect the data from unauthorized access.

7 PERSONAL DATA COLLECTED BY THIRD PARTIES

7.1 Please make sure that you review the privacy policies and terms and conditions of service referred hereunder each time you use the Idlis Application, as the entities listed below may update their policies and terms at any time. Idlis may change service providers as Idlis deems necessary, when Idlis also updates this privacy policy.

(a) SERVICES BY GOOGLE INC. (“GOOGLE”)

(i) Personal Data may be processed by Google as stipulated in the Terms and Google’s contract documentation available in here:

https://www.google.com/intl/en/policies/privacy

https://play.google.com/intl/en-us_us/about/play-terms.html

https://firebase.google.com/terms

https://marketingplatform.google.com/about/analytics/terms/fi

(b) SERVICES BY APPLE INC (“APPLE”)

(i) Personal Data may be processed by Apple as stipulated in the Terms and Apple’s contract documentation available in here: https://www.apple.com/legal/internet-services/itunes/us/terms.html

(c) SERVICES BY AMAZON WEB SERVICES, INC (“AMAZON”)

(i) Personal Data may be processed by Amazon as stipulated in the Terms and Amazon’s contract documentation available in here:

https://aws.amazon.com/service-terms

(d) SERVICES BY TWILIO INC (“TWILIO”)

(i) Personal Data may be processed by Twilio as stipulated in the Terms and Twilio’s contract documentation available in here:

https://www.twilio.com/en-us/legal/tos

8 REGULAR SOURCES OF PERSONAL DATA

(a) from you in the Service;

(b) personal data given by you when contacting Idlis;

(c) data from third parties listed in Section 7.

9 REGULAR TRANSFEREES OF DATA

9.1 Personal data can be transferred to following third parties for the following purposes:

(a) Idlis can provide the personal data to its subcontractors who process the personal data on behalf of Idlis, such as Idlis’ ICT service providers; and

(b) personal data can be transferred if it is necessary to comply with legislation or requirements of authorities.

10 PERIOD FOR WHICH PERSONAL DATA WILL BE STORED

10.1 Personal data will be processed by Idlis as long as necessary to fulfil the purposes defined in Section 6 above.

(a) As a rule, the Section 5.1 (a) through (e) stated data is processed for a period of the existence of your Account (please see Section 1.1 in the Terms) and for a period of two years immediately following any termination or lapse of your Account. The reason for the time period is that we will be able to solve possible disputes regarding personal data processing.

(b) The Section 5.1 (f) through (z) stated data is processed for a period of 12 months as of i) when you provided the same or ii) when the same was created in the Service. For the avoidance of doubt, it is stated that these types of data (Section 5.1 (f) through (z)) are always, in the maximum, processed only for a period of 12 months.

(c) The above rules (a) and (b) will have an exception in case you withdraw any of your consents for processing. If you withdraw any of your consents, all your personal data will be deleted right away, except that your Section 5.1 (a) through (e) stated data is processed for a period of two years immediately following the withdrawal of consent. The reason for the time period is that we will be able to solve possible disputes regarding personal data processing.

(d) If you are placed back on the waiting list for the first time in accordance with the Section 8.1 of the Terms, the Section 5.1 (f) through (z) stated data is processed for a period of 6 months as of when you were placed on the waiting list. If you are placed back on the waiting list for a second or consecutive times, the above rules (a) and (b) shall apply.

(e) The Section 5.1 (aa) stated data is processed in accordance with the Section 7 terms and conditions.

11 TRANSER TO COUNTRIES OUTSIDE EEA

11.1 Idlis may transfer your personal data to countries outside the European Economic Area (EEA) and European Union (EU) (“Third Country”) to its subcontractors who process personal data on behalf of Idlis and with whom Idlis has entered into standard data protection clauses adopted by the EU Commission or there is another legal basis for the transfer of personal data to Third Countries.

11.2 Also, the third parties defined in Section 7 may transfer your personal data to Third Countries, according to their service terms and conditions.

11.3 The basis of the transfer is your consent to the transfer, in which case you are hereby informed of the risks of such transfers. Such risks may include that the level of protection of individuals arising out of the EU laws is not necessarily guaranteed in those Third Countries, which can include e.g. that third parties or authorities can have access to the data to wider extent than according to EU laws, the security methods might not be at the level as regulated under EU laws and the users might not have effective remedies to inspect their data, rights to access their data or get their data corrected at the level as regulated under EU laws.

11.4 A right to transfer the data to a Third Country is also as follows: A transfer may take place where either: (i) the EU Commission has decided that the Third Country or a territory or a processing sector within that Third Country ensures an adequate level of protection, (ii) the transferee has entered into standard data protection clauses adopted by the EU Commission, or (iii) there is other legal basis for the transfer, such as the so called EU-US Data Privacy Framework approved by the EU Commission.

12 PROCESSING BY THIRD PARTIES

12.1 The Service can include links to third party websites or services. Idlis is not liable for processing of data by these third parties.

13 METHODS HOW REGISTER IS SECURED

13.1 In order to protect personal data, Idlis has implemented appropriate technical and organizational measures to ensure that, the personal data processed by Idlis is secured by using the following methods and principles:

(a) locks at Idlis’ premises;

(b) electrical surveillance systems of Idlis’ service providers’ premises;

(c) firewall, anti-malware services and filtering services in Idlis’ ICT systems and other software and hardware that protect the information security;

(d) professional knowledge of Idlis’ personnel;

(e) training of Idlis’ personnel;

(f) the content of the register is in electronic format and there are different categories of user rights;

(g) secure passwords to all ICT services and enforced policies concerning passwords;

(h) key service providers have encryption for data at rest;

(i) all key service providers of Idlis are using SSL or TLS encrypted data connections;

(j) looking at only data of Idlis, there is only one connection between a user and his/her profile;

(k) all fields with user interaction have strict validations (e.g. only limited number of characters can be submitted in a field in user interfaces)

(l) multi-factor authentication in all ICT systems; and

(m) Idlis’ policies and guidelines relating to personal data matters.

14 RIGHT OF ACCESS

14.1 After having supplied sufficient search criteria, you have the right to get information on which personal data on you are being processed by Idlis or information that no such personal data is being processed.

14.2 Where such personal data is being processed by Idlis, Idlis shall provide you a copy of the data and the following information:

(a) the purposes of the processing;

(b) the categories of personal data concerned;

(c) the recipients or categories of recipients to whom the personal data is to be or have been disclosed, in particular to recipient in Third Countries;

(d) the period for which the personal data will be stored;

(e) the existence of the right to request from Idlis rectification or erasure of personal data concerning you or to object to the processing of such personal data;

(f) the right to lodge a complaint to the supervisory authority and the contact details of the supervisory authority;

(g) where the personal data is not collected from you, any available information as to their source; and

(h) the existence of automated decision-making, including profiling, and meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for you.

14.3 For any further copies requested by you, Idlis may charge a reasonable fee based on administrative costs

15 RECTIFICATION, PERIOD FOR WHICH PERSONAL DATA WILL BE STORED AND RIGHT TO LODGE COMPLAING TO SUPERVISORY AUTHORITY

15.1 Idlis shall, at your request, without undue delay correct, erase or supplement your personal data contained in its personal data register in case of erroneous, unnecessary, incomplete or obsolete data taking into account the purpose of the processing, including by way of supplementing a corrective statement.

15.2 If Idlis does not take such action on your request, Idlis shall inform you without delay and at the latest within one (1) month of receipt of the request of the reasons for not taking action and on the possibility of lodging a complaint with a supervisory authority and seeking a judicial remedy. Please note that you may bring the matter to be handled by the supervisory authority.

15.3 The personal data will be stored during the time period for which is necessary in relation to the purposes for which they are processed.

15.4 You have the right to lodge a complaint to the supervisory authority. The contact details of the supervisory authority:
https://tietosuoja.fi/yhteystiedot

Office of the Data Protection Ombudsman
P.O. Box 800
FIN-00531 HELSINKI
FINLAND

Address:
Lintulahdenkuja 400530 HELSINKI
Tel: +358 29 56 66700 (exchange)
Email: tietosuoja@om.fi

16 RIGHT TO PROHIBIT AND OBJECT PROCESSING

16.1 You have the right not to be subject to a measure which produces legal effects concerning you or significantly affects you, and which is based solely on automated processing, including profiling, intended to evaluate certain personal aspects relating to you or to analyse or predict in particular your economic situation, location, health, personal preferences, reliability or behaviour. However, your objection to profiling could mean that the Idlis services might not be available for you anymore. Automated decision-making is not used to process personal data at the moment by Idlis when its processes personal data according to this policy.

16.2 You have the right to object, on grounds relating to your particular situation, to the processing of personal data which is based on either of the following grounds for processing: (i) when processing has been found necessary for the purposes of the legitimate interests of Idlis or (ii) when processing has been found necessary in order to protect your vital interests. You however do not have the right to object, if Idlis demonstrates compelling legitimate grounds for the processing which override your interests or fundamental rights and freedoms or for the establishment, exercise or defence of legal claim.

17 RIGHT TO DATA PORTABILITY

17.1 At your request, if Idlis processes the personal data based on your consent or on a contract with you and if the processing is carried out by automated means:

(a) Idlis shall provide you with the personal data which you have provided to Idlis, in a structured, commonly used and machine-readable format;

(b) On your request and if technically feasible, Idlis must transmit the personal your data in the same format directly to another controller.

17.2 This right referred may not adversely affect the rights and freedoms of others.

18 RIGHT TO BE FORGOTTEN AND ERASURE

18.1 You have the right to have your personal data erased at request if one of the following grounds applies:

(a) the personal data is no longer necessary for the purposes for which they were collected or otherwise processed;

(b) you withdraw consent on which the processing is based and where there is no other legal ground for the processing;

(c) you object to the processing;

(d) the personal data have been processed unlawfully; or

(e) the personal data have to be erased for compliance with a legal obligation in Union or Member State law to which Idlis is subject.

18.2 However, Idlis does not have to erase the data based on above grounds to the extent Idlis still needs to process the data:

(a) for exercising the right of freedom of expression and information;

(b) for compliance with a legal obligation which requires processing by law to which Idlis is subject or for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;

(c) for reasons of public interest in the area of public health in accordance with legal requirements;

(d) for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with legal requirements; or

(e) for the establishment, exercise or defence of legal claims.

19 RIGHT TO RESTRICTION OF PROCESSING

19.1 ‘Restriction of processing’ means the marking of stored personal data with the aim of limiting its use in the future.

If you request, Idlis must restrict processing in the following situations:

(a) the accuracy of the personal data is contested by you, for a period enabling Idlis to verify the accuracy of the personal data;

(b) the processing is unlawful and you oppose the erasure of the personal data and request the restriction of its use instead;

(c) Idlis no longer needs the personal data for the purposes of the processing, but it is required by you for the establishment, exercise or defence of legal claims; or

(d) you have objected to processing, but verification whether the legitimate grounds of Idlis override those of yours is still ongoing.

19.2 In the situations listed above, Idlis can only process the personal data:

(a) with your consent or for the establishment, exercise or defence of legal claims;

(b) for the protection of the rights of another natural or legal person;

(c) for reasons of important public interest of the Union or of a Member State; and

(d) to store the data.