Privacy Policy for Hydrohex – Business customers

 

Last update: 21 March 2024

Introduction

We value your fundamental right to privacy. As a company based in the European Union, we adhere to our obligations under the General Data Protection Regulation (GDPR). In this document, we inform you about our processing of your personal data if you’re a business customer (or a representative of one).

For clarity, we have divided the privacy policy into two parts:

  • Part 1 contains general information about personal data processing at Hydrohex.
  • Part 2 applies to the processing of your personal data as a business customer (or a representative of one).

If you have any questions or concerns regarding the processing of your personal data at Hydrohex, please don’t hesitate to contact us:

Hydrohex Oy Ltd

Privacy team
[email protected]

 

We may update our privacy policies from time to time. The date of last update is shown above. Minor changes will be shown in this document, and we ask that you review it regularly. Changes that significantly affect the rights and freedoms of our customers will be communicated to you by email or notification if we have your contact details.

 

Part 1: General information

Categories of personal data

If you are our customer (or a representative of one), we regularly process certain categories of your personal data. These are:

  • Name, contact details and position (e.g. your title at the company that you represent)
  • Messages and correspondence
  • Financial information and public records (e.g. to fulfil our financial due diligence or to make sure that you are entitled to represent your company)
  • Payment information and payment history

(Some of these categories are normally information related to the company that you represent, but in some cases such information may be considered your personal data under the GDPR.)

Occasionally, we process certain additional categories of your personal data. These are:

  • Technical identifiers (e.g. device identifiers, IP addresses, geolocation data)
  • Video and sound recordings and photographs (e.g. if we record a video seminar that you attend, or if we record a customer service phone call)
  • Preferences and activity (e.g. if we take notes of your customer service interactions and our customer relationship activity with you)
  • Social media content and other public information (e.g. if we take notes of your company’s online presence or check your information for marketing purposes)

 

Mandatory categories of personal data

Some categories of personal data are mandatory in the sense that without certain data, we cannot provide our services to you or carry out other critical processes related to our customer relationship. In some cases we may also have a legal duty to process certain categories of your personal data.

In Part 2 of the privacy policy, we have marked clearly which categories of personal data are mandatory for a given purpose.

 

Sources of personal data

We primarily process personal data that you give us, for instance when we discuss our business matters or sign a contract.

However, in some cases we may receive personal data relating to you from other sources. These are:

  • Public records (e.g. company registers, business data services)
  • Marketing registers (e.g. if we include your information in a marketing dossier)
  • Your company (e.g. if your employer updates your contact details with us)
  • Social media and the internet
  • Technical sources such as cookies, scripts, databases and similar technologies (e.g. if you access our website or online services)

 

Retention periods of personal data

When processing your personal data, we adhere to the principle of data minimisation. That means we only keep your personal data as long as necessary for the purposes that we describe in more detail below, and only as long as we have a legal basis set out in the GDPR to process the data.

As soon as no relevant purpose or legal basis applies, we will either destroy your personal data or anonymise it in an irreversible manner.

In Part 2 of the privacy policy, we have marked clearly all retention periods of your personal data for a given purpose.

 

Sharing personal data with third parties

As a commercial service provider, we, like most other companies, have to outsource some of the processing of your data to trusted partners. Because of that, we transfer certain categories of personal data to third parties.

We always make sure that all transfers are protected by a contractual arrangement between us and our trusted partners as required by the GDPR.

Our trusted partners can be categorised as follows:

Website, data storage and technical operations

  • Web hosting companies (e.g. to operate our website and online services)
  • Content management services and content delivery networks (e.g. to operate our website and online services and to store and process online data)
  • Cloud storage (e.g. to store customer and contract information)
  • Online collaboration tools (e.g. if we plan and discuss our services with you internally)

Communications and deliveries

  • E-mail and messaging services
  • Chatbox service providers (e.g. if you use our customer service chatbox)
  • Video call service providers (e.g. if we have a video call with you)
  • Postal service providers and delivery companies (e.g. to ship our hardware to you)

Financial service providers

  • External accountants and auditors
  • Accounting software service providers (e.g. to store our invoices for bookkeeping obligations)
  • Banks and payment processors

Professional advisers

  • Law firms
  • Business consultants

Customer and contract management

  • Hosted customer management services
  • Digital signature services
  • Calendar and booking services (e.g. to book and handle meetings with you)

Public authorities

  • Any information lawfully requested by a public authority

 

Transfers outside the EU/EEA

We normally process your personal data within the European Union and European Economic Area. In some cases, we or our trusted partners process your personal data outside these areas.

Because of that, some of your personal data are transferred to the following countries:

  • United States: We and our trusted partners make sure that transfers are protected under the EU-US Data Privacy Framework. If not, we and our trusted partners make sure transfers are protected by contractual arrangements using the Standard Contractual Clauses (SCC) issued by the European Commission.

 

Your rights

According to the GDPR, you have various rights as we process your personal data. These are:

  • Right of access: You may ask us whether we process any personal data about you, and if we do, you have a right to request a copy of some or all of the data. You also have a right to ask for more information regarding the third-party recipients of your personal data as well as our protective measures applicable to the transfers of your data to our trusted partners and outside the EU/EEA.

    If you request a copy of your data, we will send it to you electronically. In most cases we will be glad to accommodate your request, but if we receive repeated or manifestly unfounded requests from you, we may have to refuse or charge a reasonable administrative fee to process your request.

  • Rectifying incorrect or incomplete personal data: If you consider that some of your personal data that we process is incorrect or incomplete, you may ask us to correct or complete the data. We will investigate your request without undue delay, and accommodate it if we can be sufficiently certain that the request is justified.

  • Erasing personal data (“the right to be forgotten”): If you don’t want us to process your personal data, you may ask us to erase a part or all of it. We will do our best to accommodate your request, but in some cases we may have to refuse or postpone the request. This may happen e.g. if we have an ongoing business relationship with you and we need your personal data to perform our services, or if we have a legal duty or a legitimate interest to retain some of your data (we have described these in more detail in Part 2).

  • Restricting the processing of personal data: If you consider that our processing of your personal data breaches the GDPR or other laws, you may ask us to restrict the processing (i.e. to stop the processing for the time being). We will accommodate your request as well as possible while we investigate the matter.

    You may also ask us not to erase or otherwise process your personal data if you need the data e.g. in a legal dispute and the erasure or other processing would jeopardise your interests in that regard. We will aim to accommodate your request as well as possible.

  • Objecting to processing of personal data: As explained in detail in Part 2, we sometimes process your data on the basis of our or someone else’s legitimate interest. If that’s the case, you may object to our processing of your data on that basis. We will aim to accommodate your request as much as possible; however, in some cases the legitimate interests in question may be so important that they outweigh your interest to object.

    If that happens, we will let you know about our reasons for not accommodating your request and inform you about your right to lodge a complaint with the relevant data protection authorities.

    If we have contacted you for direct marketing purposes, you may also object to our processing of your personal data for that purpose. (In other words, you may prohibit us from contacting you for direct marketing purposes.) We will accommodate your request without undue delay.

  • Withdrawing consent: As explained in detail in Part 2, we sometimes process your personal data on the basis of your consent. If that’s the case, you may, at any time, withdraw your consent for that processing. We will accommodate your request without undue delay; however, we may continue the processing if we have another legal basis to do so. Please note that withdrawing consent will not affect the prior processing of your personal data.

  • Right to lodge a complaint: If you consider that our processing of your personal data breaches the GDPR or other laws, you may at any time lodge a complaint with the relevant data protection authorities.

To exercise any of your above rights, please contact us using the contact details shown at the beginning of the document. We’ll be glad to assist you.

 

Cookies and tracking

Like most other companies, we use cookies and similar technologies on our website, online services and in marketing. We will adhere to applicable laws regarding the prerequisites for the processing of your personal data in such ways.

We have described in detail the types of cookies and similar technologies we use as well as their purposes in our cookie policy.

 

Part 2: Processing of your data

As you are a business customer (or act as a representative of one), we process your personal data in certain ways in the context of our business relationship. Here we describe the purposes of processing your personal data together with the appropriate legal bases for the processing, as well as the categories of personal data processed together with their retention periods.

 

Purposes and legal bases of the processing of personal data

According to the GDPR, all processing of personal data must be justified using a legal basis found in the law. We use the following legal bases for our processing:

  • Contract (including contract preparation): As you are our business customer (or represent one), to perform that contract we need to process certain categories of your personal data.
  • Legal obligation: As a commercial service provider, we have a number of legal obligations to fulfil. For instance, we must keep financial records of our transactions, which may include your personal data.
  • Consent: In some cases, we may ask for your consent to process your personal data. If we receive your consent, we may process your data on that basis within the limits of the consent. For instance, we use cookies for statistical and marketing purposes, which may only be done if we receive your consent.
  • Legitimate interest: In some cases, we may process your personal data if it’s justified for our or someone else’s legitimate interest. We only do so after having assessed your rights and freedoms against the importance of the legitimate interest (we conduct a so-called “balancing test”). For more information about this, please contact us using the contact details shown above.

Here is a complete overview of our purposes of processing and the corresponding legal bases:

| Purpose | Legal basis | Examples |
| --- | --- | --- |
| Performing services | Contract | In order to perform our services as contracted, we need to process some of your personal data. |
| | Legitimate interest | As we perform our services to you, we have a justified interest in processing some of your personal data, e.g. to improve our services. |
| Maintaining and developing our customer relationship | Contract | Apart from performing our services, we do a number of things to maintain our contractual relationship with you. We may for instance take notes of our business interactions with you. |
| | Legitimate interest | To improve our customer experience, we may conduct case studies about our customer relationship. |
| Billing and debt collection | Contract | As we perform our services to you, we bill you as agreed in our contract. To send an invoice, we need to process some of your personal data. |
| | Legal obligation | We have legal duties to keep records of our business transactions. For instance, our invoices must contain certain information which may be your personal data. |
| Accounting and taxation | Contract | To keep records of our sales and business transactions, we store and retain information about our dealings with you. |
| | Legal obligation | We have a legal duty to keep records of our business transactions. For instance, we must store and retain our invoices for a number of years. |
| Risk management and protecting interests | Contract | To manage mutual risks and protect the interest of you and us, we need to keep records of our due diligence processes, contractual relationships and business dealings. |
| | Legal obligation | In some cases, we may have to process certain background information as a legal duty. For instance, we may have to check and store information about economic sanctions. |
| | Legitimate interest | To manage risks and to protect various business interests, we process certain categories of personal data. For instance, we keep records of our contractual relationships and business dealings for a number of years in case a legal dispute arises. Also, we keep records of the usage of our intellectual property by our customers. |
| Communications | Contract | As part of our customer relationship with you, we often have discussions and correspondence with you. We store and retain these if they are relevant to our contractual relationship. |
| | Consent | In some cases, for instance if you contact us using a medium that processes certain technical identifiers, we may ask for your consent for processing the identifiers. Also, we may ask for your consent to use our communications with you for a purpose not described here, such as a customer testimonial on our website. |
| | Legal obligation | In some cases, we have a legal obligation to store and retain our communications with you. This may be the case for instance if we must include our correspondence as an exhibit in our financial records. |
| | Legitimate interest | In some cases, we store and retain our communications for various legitimate interests such as improving our customer service and training our staff. |
| Sales and marketing | Consent | In some cases, to process your personal data for sales and marketing purposes, we ask for your consent. This is the case for instance when we use cookies and similar technologies for such purposes. |
| | Legitimate interest | As a commercial service provider, we have a justified reason for instance to approach you with the purpose of discussing our offering with you. In those cases, we process your personal data as part of our legitimate interests. |
| Technical functioning and security | Contract | Some of the services that we provide to you under our contract process personal data for technical reasons. For instance, to offer you our online services, we need to ensure the proper technical functioning and security of the platform. This often includes processing of personal data such as necessary technical identifiers. |
| | Consent | In some cases we offer you technical functions that do not strictly relate to our contractual relationship. This is the case, for instance, if you access our website for unrelated reasons. In those cases we process personal data for the technical functioning of the services. If the processing is not necessary for that purpose (e.g. in case of cookies used to improve the visual appeal of our website), we will ask for your consent to process the data. |
| | Legitimate interest | In some cases we have a justified reason to ensure the proper functioning and security of our services. In those cases we process certain technical personal data as part of our legitimate interests. |

 

 

Categories of personal data processed and their retention times

Below is a list of our retention times for different categories of personal data under a given purpose. Once a specific retention period runs out, we will destroy the relevant personal data or anonymise it irreversibly, unless a different purpose with a longer retention period applies.

For instance, we keep personal data for the purposes of communications (like e-mails containing your name and e-mail address) for 1 year. Once the retention period runs out, we will destroy the relevant data unless we need to keep it for the purposes of risk management for 3 years. If so, we will continue to retain the data until the 3-year retention period runs out.

| Purpose | Category of personal data | Retention period(s) | Examples |
| --- | --- | --- | --- |
| Performing services | Name, contact details, position; Messages and correspondence; Technical identifiers | 1 year from the end of performance | To perform and deliver our services to you, we need to process your personal data. We will keep the data in an active dossier for 1 year in case there are for instance immediate issues that have to be fixed. |
| Maintaining and developing our customer relationship | Name, contact details, position; Messages and correspondence; Preferences and activity | 1 year from the end of customer relationship, or 5 years from collection and storage, whichever is sooner | To maintain and develop our active relationship, we will process your personal data. We will store the data in your customer dossier, and if the customer relationship ends (or you no longer represent your company towards us), we will retain the data for a safety period of 1 year. |
| Billing and debt collection | Name, contact details, position; Financial information and public records; Payment information and payment history | 1 year from the end of the current financial year | As we bill you for our services, we process your personal data on invoices and in transaction records. We will retain that information for the current financial year and 1 year after that in order to keep our business records up to date. |
| Accounting and taxation | Name, contact details, position; Messages and correspondence; Financial information and public records; Payment information and payment history | 1 year after the current financial year (except legally prescribed information); 6 years after the current financial year (legally prescribed information) | As part of our annual accounting, we store and retain relevant personal data for the current financial year and 1 year after it. Some information, such as invoices and receipts, must be retained for a legally prescribed period, which is 6 years. During that period, we will only retain personal data which is necessary for that purpose. |
| Risk management and protecting interests | Name, contact details, position; Messages and correspondence; Financial information and public records; Payment information and payment history; Video and sound recordings and photographs | 3 years from collection and storage | To protect your and our legitimate interests, we retain personal data for 1 to 3 years from the last instance of active processing (except in case of cookies and similar technologies, whose retention periods are stated in our cookie policy). We do this so that, for instance, in case of a legal dispute about our contract or service, any critical evidence will not have been destroyed. |
| | Technical identifiers | 1 year from collection and storage (except as stated in cookie policy) | |
| | Social media content and other public information | 1 year from collection and storage | |
| Communications | Name, contact details, position; Messages and correspondence; Technical identifiers; Social media content and other public information | 1 year from the communication | We retain personal data from our communications with you for 1 year in case we want to continue the discussion at a later time. |
| Sales and marketing | Name, contact details, position | For the time being | As we have a legitimate interest in approaching you to discuss our offering, we keep your name, contact details and position on file for the time being, but only as long as you represent the company that is or has been our customer. This means we may contact you some time in the future unless you prohibit us from doing so. |
| | Messages and correspondence; Video and sound recordings and photographs; Preferences and activity; Technical identifiers; Social media content and other public information | 3 years from collection and storage | If we haven’t had any business dealings with you (or your company) for the past 3 years, we’ll erase or anonymise your personal data unless we continue to retain them under another purpose. |
| | Consents and prohibitions | | If you have prohibited us from approaching you for sales and marketing purposes, we’ll make a note of it and retain it indefinitely (or until you instruct us otherwise). |
| Technical functioning and security | Name, contact details, position | Immediately | We’ll destroy or anonymise your personal data immediately once they aren’t needed for the relevant purpose. Note however that our cookie management system stores cookies (which may include your personal data) in accordance with our cookie policy. |
| | Technical identifiers | 1 year from the last active processing | We keep technical identifiers for 1 year from the last active processing (unless stated otherwise in our cookie policy) in case we need to investigate a technical or security issue in the future. |
| | Consents and prohibitions | | If you have prohibited us from processing your personal data for non-necessary technical purposes, we’ll make a note of it and retain it indefinitely (or until you instruct us otherwise). Note however that our cookie management system stores your cookie and tracking preferences in accordance with our cookie policy. |