Privacy statement for customers

Privacy statement for customers

The privacy of our customers is important to us, and we want to be as transparent as possible in matters related to data protection. We have established a Privacy Policy that informs you of our policies regarding the collection, use, disclosure, transfer and retention of information about our customers. Please read our Privacy Policy and let us know if you would like more information.

1. Data controller

Lemonsoft Oyj
2017863-1
Vaasanpuistikko 20 A, 65100 VAASA

2. Contact person for the controller in matters concerning personal data registers

Lemonsoft Oyj (2017863-1)
Data Protection Officer Jaakko Suninen
Keskikatu 11 B, FI-45100 KOUVOLA
jaakko.suninen@lemonsoft.fi

3. Name of the register

Lemonsoft customer register

4.Purpose and basis of processing personal data

How we use personal data
Lemonsoft Oyj uses the data of its customers’ personnel to manage the relationship between Lemonsoft Oyj and the customer. Examples of uses:

• Verifying the user-based invoicing basis of Lemonsoft Oyj’s services
• Identifying a person in customer support and customer service situations
• Relaying information and carrying out marketing related to the use of Lemonsoft Oyj’s services and other matters related to the customer relationship.
• We may also use personal data for Lemonsoft Oyj’s internal purposes, such as inspections, data analysis and research, in order to improve our services and customer communications.

Collection and use of non-personal information
We also collect data in log files in a form that cannot be directly linked to a specific person. We may use such information for any purpose.

In matters related to the use, invoicing and support of the Lemonsoft programs, the basis for the processing of personal data is a contract and, in other cases, the legitimate interest of the controller. The controller has carried out a balance test of legitimate interest. Based on the test, the controller has concluded that a legitimate interest can be used as a basis for processing personal data.

5. Data content of the register

Personal data is information that can be used to identify or contact an individual. A person may prohibit the use of their data by Lemonsoft Oyj, but in this case, the use of the products and services may become significantly more difficult, or in some situations it may prove impossible.

Lemonsoft Oyj collects and processes the data of customer companies and persons using Lemonsoft Oyj’s products and services, as well as the data of Lemonsoft Oyj’s job applicants.

If you use Lemonsoft Platform Services, read more about data protection in Platform Services: Privacy Statement for Platform Services

If you are a jobseeker, read more about data protection for jobseekers: Privacy Statement for the Jobseeker

When a person starts using Lemonsoft Oyj’s services, a username is created for them to use the service. The data related to the username are usually the person’s name, the username created for the person in the company, the person’s work email address and, in some cases, the person’s work phone number and position in the company. The amount of data associated with the username is minimised and its registration is appropriate.

Non-personal information includes:

• URLs, IP addresses and times, which we collect to detect potential abuse and improve data security
• The type of browser application, language and regional information, which we collect to improve our services
• The usage of our services, which we collect to develop the services
• Error messages generated by our services, which we collect in order to improve our products
• Cookies and other website technologies, which we use to improve our communications and target our marketing

Non-personal information will be treated as personal information in accordance with this Privacy Policy if the information is related to personal information.

6. Retention period of personal data

We will retain your personal data for the time necessary for us to fulfil the purposes described in this Privacy Policy, unless a longer retention period is required by law.

The personal data of a user of Lemonsoft Oyj’s services will be deleted from the user data register after the user has stopped using the system, for example, due to the termination of the employment relationship. The termination of the use must be verified by an activation event in the service in question or in some other way in writing.

7. Regular sources of data

Personal data is collected directly from the customer in connection with the establishment of a customer relationship, during the customer relationship and during the work carried out to establish a possible customer relationship. The data can be collected and supplemented with the consent of the person (e.g. by using cookies), from the population register and other third-party registers. Data may also be collected in connection with various marketing activities, such as events. With regard to information on the organisation, information may also be retrieved from the Finnish Patent and Registration Office’s Business Information System or from public sources, such as web pages.

8. Regular disclosure of data

Third parties do not have access to the systems or databases used by Lemonsoft Oyj in which personal data are processed. Lemonsoft Oyj may disclose personal data to its strategic partners who provide their own services in cooperation with Lemonsoft Oyj. Such situations include, for example, data transferred between the services as a result of technical integration related to the use of the service by either Lemonsoft Oyj or the partner. Lemonsoft Oyj may also disclose the contact information of a person to a partner for the purpose of customer service or other communications. Lemonsoft Oyj has agreed with its partners on matters related to data protection, and an adequate level of data protection and encryption is used in data transfers. A list of such partners can be found in the Appendix “Subcontractors” to the Privacy Policy.

Lemonsoft Oyj may also be required to disclose personal data by law, either in connection with legal proceedings or at the request of the authorities. Lemonsoft Oyj may also disclose personal information in connection with a business reorganisation, merger or sale to a third party, related to the aforementioned transaction.

Information is also disclosed to:

• the accountant and auditor (invoicing)
• other possible personal data registers of the controller
• necessary cloud service providers, for the processing of data in the service provider’s systems
• processors involved in the maintenance of systems and software
• public authorities, in accordance with a court order, law or public authority order
• identification information and other personal data may be used for the prevention, detection and investigation of money laundering and terrorist financing
• the data controller’s direct marketing register

For email communication and email list management, Lemonsoft Oyj uses the US HubSpot service, with which we have agreed on matters related to data protection. The supplier of the HubSpot service is committed to complying with the European Commission’s standard contractual clauses, which ensure an adequate level of data protection.

To manage support requests submitted to customer service, Lemonsoft Oyj uses the US Zendesk service, with which we have agreed on matters related to data protection. The supplier of the Zendesk service is committed to complying with the European Commission’s standard contractual clauses, which ensure an adequate level of data protection.

From the point of view of data protection, a subcontractor of Lemonsoft Oyj is considered to be a party that provides the service provided by Lemonsoft Oyj under its own name, either in part or in full. A customer using the services of Lemonsoft Oyj may transfer personal data to a subcontractor, in which case the data is transferred between the products or services either by Lemonsoft Oyj or by the partner related to the technical integration of products and services. All information shared with subcontractors is protected by appropriate means. Lemonsoft Oyj has agreed with its subcontractors on data protection issues as required by data protection legislation. The details of the subcontractors were updated on 16 February 2022.

LemonHub Services
– SD Worx provides the operator service for Lemonsoft Verkkopalkka.
– Basware Oyj provides the operator service for Lemonsoft Verkkolasku.
– Intrum Oy produces the Lemonsoft Perintä collection service.
– Ropo Capital Oy produces the Lemonsoft Rahoitus financial service.
When using any of the above services, the customer may submit personal data via a secure connection via Lemonsoft Oyj’s LemonHub service to the subcontractor.

Platform solutions and cloud services
Telia Finland Oyj
– Telia Helsinki Data Center
– The data containing the personal data of a customer using the Lemonsoft Platform Service is located in the protected premises of the Telia Helsinki Data Center.
Microsoft Corporation
– Microsoft Azure service
– Lemonsoft software user information is maintained in the Microsoft Azure service.
– Cold backup copies of the data containing the personal data of a customer using the Lemonsoft Platform Services are stored in the protected premises of the Microsoft Azure service.
– Depending on the application, personal data of a customer using the Lemonsoft software may be transferred to the Microsoft Azure service, where the application’s functions are performed.

Other services
Poplatek Payments Oy
– Poplapay payment terminal services
– Poplatek Payments Oy acts as the provider of Lemonsoft Maksupääte service and equipment deliveries.
– A customer using the Lemonsoft Maksupääte and Lemonsoft Kassa must note that the payment information of the end customer is transmitted between the Lemonsoft software and Poplapay.
Link Mobility Oy
– Link Mobility Oy (formerly Labyrintti Media) provides the Lemonsoft software’s SMS messaging functions.
– A customer using the SMS sending functions of the Lemonsoft software must note that the A phone number of the SMS messages, as well as any personal and other information contained in the content of the message, is transmitted to Link Mobility Oy.
nShift Oy
– Consignor and Unifaun services
– nShift Oy provides the operator service for Lemonsoft Kuljetussanomat.
– A customer using Lemonsoft Kuljetussanomat must note that the data content in the sales orders is transmitted to nShift Oy if the customer has selected Consignor or Unifaun as the operator service provider.
OWS Finland Oy
– OWS Finland Oy provides the operator service for Lemonsoft EDI.
– A customer using Lemonsoft EDI must note that the information content of sales orders and invoices is transmitted to OWS Finland Oy if the customer has chosen OWS Finland as the operator service provider.
– Trade Connector Oy
– Trade Connector Oy provides the operator service for Lemonsoft EDI.
– A customer using Lemonsoft EDI must note that the data contents of sales orders and invoices are transmitted to Trade Connector Oy if the customer has chosen Trade Connector as the operator service provider.

However, all disclosures are always carried out in accordance with and within the limits set by data protection legislation.

9. Transfer of data outside the EU or the EEA

Lemonsoft Oyj stores personal data in the EU, with the exception of data related to email communication and customer service.

10. Principles of register protection

We ensure that our customers’ data is secure by training our employees to comply with data protection and security guidelines, and by using data protection and data security practices effectively within our company.

As our company regularly processes confidential information related to our customers, the employment contract signed by each employee includes a confidentiality clause covering the confidentiality and non-disclosure of all data processing by Lemonsoft Oyj and its customers.

10.1 Manual material

The personal data are not stored in manual format.

10.2 Electronically stored data

Lemonsoft Oyj takes the protection of personal and other information seriously. Lemonsoft Oyj stores personal data in information systems that are accessible to specifically identified persons and that are located on premises protected by physical security measures. An agreement has been concluded between the controller and the service providers concerning the processing of personal data in accordance with the Data Protection Regulation.

For transfers of personal data, Lemonsoft uses systems that are protected by separate access rights and whose technology prevents the inspection of data during the transfer. The data is transferred using encrypted connections, which are protected with SSL encryption, for example.

If a person uses social media platforms produced by third parties used by Lemonsoft Oyj, other users of the platform will be able to see the information shared by the person and use it in different ways. In this case, the person is responsible for the personal data and other information they share.

11. Profiling

The data controller may also use the data for profiling purposes. Profiling is carried out by means of an identifier that allows the data on the data subject generated by the use of the service to be combined. The profile created in this way can then be compared, for example, with profiles created from other data subjects. However, profiling is not carried out automatically.

The purpose of profiling is to determine customer behaviour and the demand for services.

12. The data subject’s right to object to processing of personal data and direct marketing

The data subject has the right to object to profiling and other processing concerning him or her that the controller applies to the personal data of the data subject to the extent that the data processing is based on the controller’s legitimate interest. The data subject can present a claim regarding the objection in accordance with the Contact section of this privacy statement. The data subject must identify the special situation based on which he or she objects to the processing. The controller can refuse to implement the request for objection on grounds provided by law.

The data subject can present consents or prohibitions to the controller regarding direct marketing or profiling.

13. Other rights of the data subject regarding processing of personal data

13.1 Right of access by the data subject (right of inspection)

The data subject has the right to access the data concerning them that is being stored in the controller’s customer register. The request for inspection must be made in accordance with the Contact Us section of this Privacy Policy. The right to inspect may be denied on the grounds laid down by law. As a rule, exercising the right of inspection once a year is free of charge.

13.2 The data subject’s right to rectification, erasure or restriction of processing

Upon detecting incorrect information, the data subject may submit a request for the rectification, erasure or restriction of data, in accordance with the Contact Us section of this Privacy Policy.

The data subject also has the right to require the controller to restrict the processing of their personal data, for example in situations where the data subject is waiting for the controller’s response to a request for rectification or erasure of their data.

13.3 Right to transfer data to another system

Insofar as the data subject has themselves submitted to the customer register information that is processed on the basis of the consent given by the data subject or on the basis of an assignment, the data subject has the right to obtain such information, as a rule, in a machine-readable format for themselves or to be transferred to another controller.

13.4 Right to lodge a complaint with a supervisory authority

The data subject has the right to lodge a complaint with the competent supervisory authority if the controller has not complied with the applicable data protection regulations in its operations.

13.5 Other rights

If the processing of personal data is based on the consent of the data subject, the data subject has the right to withdraw consent by notifying the controller thereof, in accordance with the Contact Us section of this Privacy Policy.

14. Contact

In all questions related to the processing of personal data and in situations related to exercising one’s own rights, the data subject must contact the person presented in section 2. The request must be in writing. The controller or the person presented in section 2 can, if necessary, ask the data subject to clarify the request in writing, and if necessary, the data subject’s identity can be verified before taking other actions.

15. Changes to the statement

This statement will be updated if the methods or purposes of personal data processing change. Data subjects are advised to familiarize themselves with the content of the statement regularly.
The policy was saved on 19 January 2023.