Privacy Policy of the Data Controller

1. Background

Groweo Oy (Groweo or We) provides technology and cloud services (Service) to its customers (Customer) who offer the Service to their end users (End UserYou).

In this Privacy Policy, we explain how and for what purposes we process your personal data in the capacity of a data controller under the European Union’s General Data Protection Regulation (2016/679) (GDPR).

This Privacy Policy applies to the processing of personal data collected in connection with the use of the Service.

2. Data controller and its contact details

Groweo Oy (business ID: 3256882-1)
Mikonkatu 2 Aa, 00100 Helsinki

Phone: 010 7399 330 (select 3)
Email: privacy@groweo.com

3. Purposes of processing personal data and legal basis for processing

We process personal data for purposes such as the following:

  • Maintenance, communication, marketing, development, quality assurance and analytics for the Service and other services provided by Groweo.
  • Compliance with legal obligations.
  • Risk management and prevention of misuse.

The legal basis for processing your personal data is:

  • Groweo’s legitimate interest (Article 6(1)(f) of the GDPR) to maintain and develop its Service and business; or
  • the performance of a contract (to the extent that you yourself are in a contractual relationship with Groweo) (Article 6(1)(b));
  • a legal obligation, e.g. a legal obligation to keep accounts (Article 6(1)(c)); or
  • your consent, for e.g. direct marketing (Article 6(1)(a)).

When we process personal data based on our legitimate interests, we weigh our interests against your privacy and, for example, provide you with an easy way to opt out of our marketing communications. Where possible, we use pseudonymised data or non-personal data.

4. Categories of data subjects and categories of personal data

The category of data subjects includes users of the Service.

We process the following categories of personal data:

  • We collect information directly from you or our device, which may include direct identifiers, such as your name, address, email address, phone number, and online identifiers or indirect identifiers, such as your login account, login password, and marketing preferences.

With regard to the categories of personal data described above, Groweo and the Customer act as independent and separate data controllers and therefore determine the purposes and means of processing independently.

5. Regular sources of data

Personal data is obtained directly from you based on the information you provide in the Service and from the Groweo customer on whose behalf you are using the Service. In addition, the Service collects information about you as described in section 4.

You do not have to provide your personal data, but refusal may make it difficult or impossible for us to provide the Service.

6. Recipients of personal data and categories of recipients

As a rule, we do not share personal data with third parties outside our organisation. However, we may share personal data in the following situations:

We may share personal data with third parties outside our organisation if access to personal data is reasonably necessary: (i) to comply with applicable law, regulation and/or court order; (ii) to detect, prevent or otherwise address criminal offences and/or security threats.

We may share personal data with service providers who perform services on our behalf. Such service providers include, for example, our IT service providers.

If Groweo is involved in a merger, business transaction or other corporate restructuring, we may be required to disclose your personal data to third parties.

We use third-party data centres and servers to maintain our systems and, through them, your personal data. With these parties, we have entered into a data processing agreement that complies with the requirements of the GDPR to ensure the lawfulness of the processing.

We may share your personal data with third parties outside our organisation for reasons other than those mentioned above when we have your consent to do so. You have the right to withdraw such consent at any time.

7. Geographical limitations

We process personal data primarily within the European Union or the European Economic Area (EU/EEA), but it may also be processed outside the EU/EEA. If personal data is transferred outside the EU/EEA to a country for which the European Commission has not issued a decision on the adequacy of data protection, we will ensure the lawfulness of the transfer of personal data by means of an appropriate protection mechanism, such as by using the European Commission’s standard contractual clauses.

8. Security of the processing of personal data

We process personal data in a manner that ensures appropriate security and protection of personal data, including protection against unauthorised processing and accidental loss, destruction or damage. We use appropriate technical and organisational security measures to ensure this, such as firewalls, encryption techniques and secure facilities, appropriate access control and access management, and instructions for staff, subcontractors and other partners involved in the processing of personal data.

All our employees and partners who handle personal data are bound by confidentiality obligations in matters related to the processing of personal data, based on legislation or contractual confidentiality provisions.

9. Retention period of personal data

We retain personal data for as long as necessary to fulfil the purposes for which the data was collected, unless legislation requires Groweo to retain personal data for longer.

When personal data is no longer needed, we will delete it from our records.

For electronic direct marketing, we will retain the necessary personal data for an indefinite period, unless the recipient has withdrawn their consent to electronic direct marketing or prohibited electronic direct marketing.

We will provide further information on the retention periods for personal data upon request.

10. Your rights

You have rights under the GDPR. Please note that the exact application of your rights in each individual case depends on the purpose and context of the processing of personal data.

Right of access to personal data and right to obtain a copy of personal data (Article 15 of the GDPR)
You have the right to be informed about your personal data held by Groweo and the right to be informed about the processing of your personal data. 

Right to rectification (Article 16) and right to erasure (Article 17)

You have the right to request the rectification of inaccurate or incorrect personal data and the completion of incomplete data. You also have the right to request the erasure of your personal data in accordance with data protection legislation. Please note that if personal data is stored, for example, to comply with a legal obligation, the request for erasure cannot be accepted.

Right to restriction of processing (Article 18)

In certain circumstances, you have the right to request restriction of the processing of your personal data in accordance with data protection legislation. In addition, where personal data believed to be inaccurate cannot be corrected or deleted or there is uncertainty about the request for deletion, we will restrict access to the data.

Right to data portability (Article 20)

Under data protection legislation, you have the right to receive your personal data in a structured, commonly used and machine-readable format, and to request the transfer of your personal data to another data controller. Please note that the right to data portability applies in principle only to personal data processed on the basis of your consent or agreement and only when such data is processed automatically.

Right to object (Article 21)

You have the right to object to the processing of personal data based on legitimate interests. We may refuse a request if there is an important and legitimate ground for the processing which overrides the interests, rights and freedoms of the data subject, or if it is necessary for the establishment, exercise or defence of legal claims.

Right to withdraw consent (Article 7)

You have the right to withdraw your consent if the processing of your personal data is based on consent. Withdrawal of consent does not affect the lawfulness of processing carried out on the basis of consent before its withdrawal.

In addition, you have the right to withdraw your consent to electronic direct marketing, such as consent to receive newsletters and the right to prohibit electronic direct marketing. You can do this by clicking the “unsubscribe” link at the bottom of each newsletter, going to the unsubscribe page, or sending an email to privacy@groweo.com.

Exercising your rights

Requests regarding rights should be made by email or post. Contact details are provided in section 2 of this Privacy Policy.

We will respond to your request within a reasonable time and, where possible, within one month of the request being made and the identity of the person making the request being verified. If the request cannot be granted, we will notify the person making the request in writing.

Right to lodge a complaint with a supervisory authority (Article 77)

You have the right to lodge a complaint with the competent data protection authority if you believe that your personal data has been processed in breach of the law. However, please contact us in the first instance if you have any questions about the processing of your personal data.

In Finland, the supervisory authority is the Office of the Data Protection Ombudsman (https://www.tietosuoja.fi). 

11. Changes and updates to the Privacy Policy

We are constantly developing our Service and may therefore need to change and update this Privacy Policy. Changes may also be based on changes in legislation. We recommend that you consult the contents of the Privacy Policy on a regular basis.

Updated: 20 December 2024