Hycamite TCD Technologies Privacy Policy on Customer Data

DATA CONTROLLER AND THE CONTACT INFORMATION FOR MATTERS CONCERNING THE REGISTER


Hycamite TCD Technologies Oy
Customer Care
Kemirantie 15, 67900 KOKKOLA
Business ID: 3108281-1
Telephone: +358 40 728 6101
Email: info(at)hycamite.com

WHAT DATA DO WE PROCESS


We process the following personal data relating to customers:

Basic customer information:
- name
- address
- company name
- title/position
- user IDs and customer identifiers
- the language of service
- telephone numbers
- email addresses
- areas of interest related to Hycamite products

Purchase transaction details
- Receipt information
- Purchase accumulation data
- Order, delivery and return data
- Information on the sending and receipt of enquiries following a service or purchase transaction and the answers given by the customer

Data relating to the use of services
- Service usage data across
- Data necessary and collected from the customer to provide the service, such as, for example, quality of carbon products
- Data related to online behaviour on Hycmite websites and services, technical data and cookies sent to the user's browser and related data.

Data related to the provision of customer service
- Customer messages and message content, as well as data related to the categorisation of requests necessary for the provision of the service
- Data relating to customer feedback and response
- Data relating to the refunds and compensation claimed, such as the reason, amount and bank details
- Post-service enquiry transmission and receipt data and customer responses

Data related to marketing communications
- Marketing authorisations by channel: e-mail, direct marketing ban
- Information on messages sent and, in the case of electronic messages, their opening and click-through rates
- Information on event invitations sent and participation details
- Information on telemarketing campaign membership and participation data

Data relating to customer surveys
- Information on opt-outs from receiving surveys
- Information relating to the sending and receiving of surveys and the responses given by the customer

Customer analysis and grouping of data
- Information provided by the customer to personalise the service and facilitate the transaction, such as interests
- Customer grouping data generated by Hycamite


Credit-related information
- Customer name, address and contact information, purchase data at line and purchase amount level, refunds, payment method selection, credit information, possible payment defaults and other reasons for a negative credit decision, payment behaviour information, bank contact information, information required for authentication, billing information, service information, transaction and contact information, customer consents and denials.


PURPOSES FOR WHICH PERSONAL DATA ARE PROCESSED


Personal data of customers are processed for the following purposes:

Provision of sales and services
- Targeting benefits correctly in sales situations, for example, about e-commerce product recommendations
- Delivering, developing and monitoring Hycamite services and customer service
- Developing Hycamite services
- Customer relationship management, including service communication, customer relationship development and personalisation of services
- Payment transaction information

Grounds for processing: contract performance for Hycamite customers and legitimate interest for other customers

e-commerce, reservations and orders
- Processing of orders, purchases and returns.
- Invoicing and crediting
- Collection

Grounds for processing: performance of the contract and legal obligation

Customer service
- Processing and responding to customer feedback and service requests (legitimate interest)
- Processing, responding to and paying requests for compensation and claims (legal obligation)

Grounds for processing: legitimate interest and legal obligation

Customer communication and marketing
- Customer communication and marketing through the marketing channels used by Hycamite, such as direct mail, email and social media
- Analysis and categorisation of customer base data for better-targeted communication

Grounds for processing: contract performance for Hycamite customers and legitimate interest for other customers; customer consent for newsletters and SMS messages

Customer surveys and analyses
- Targeting of surveys, e.g. after a sales or service transaction
- Gathering customer opinions and views for development purposes
- Customer data is also used for analysis, reporting and system development for Hycamite's business development

Grounds for processing: legitimate interest

Legal obligations and administrative measures
- Accounting
- Crime prevention and detection
- Preparing, defending and responding to legal claims, e.g. in criminal and consumer cases
- Enforcement of the seller's liability for defects in consumer sales, enforcement of product liability obligations
- Recall of dangerous products

Grounds for processing: legal obligation and protection of vital interests


DATA RETENTION PERIOD


Data processing periods are designed to limit the processing to the data necessary for the purposes for which they are intended. The processing times and the criteria for determining them are set out below.

Where your personal data is processed based on consent, we will stop processing the data once consent is withdrawn. This applies, for example, to newsletter subscription data, which we will delete without delay if you notify us that you have unsubscribed to the newsletter.

Data relating to purchase transactions, returns and invoicing are kept as part of Hycamite's accounting material for the period defined in the Accounting Act, which is six years from the end of the calendar year in which the financial year ends. Data relating to recoveries are kept for an average of four years after the end of the recovery. Data necessary for dealing with feedback and complaints, as well as data relating to legal claims, are kept for the period required to deal with the case, which typically does not exceed five years. For the protection of vital interests, such as product recalls, data are deleted without delay after the recall has been carried out, as instructed by the authorities. Information on the sending of customer surveys, the response to such surveys and the answers provided by the customer to Hycamite will be stored in the customer file and retained for a maximum period of five years. Data on the exercise of data subjects' rights and responses to them will be kept for one year after the request is answered; responses to requests for verification will be held for three months after the response is sent.


Where the processing of your data is based on your consent, you may withdraw your consent at any time. For example, suppose you have given your consent to direct marketing by electronic means. In that case, you can withdraw your consent by contacting customer service or by withdrawing your consent to electronic direct marketing via our website.

Suppose you do not consent to direct marketing by electronic means and opt out of direct marketing by post and telephone. In that case, we will only send you customer relationship communications necessary for providing the services you have subscribed to or for which you have opted in and managing your customer relationship.

INFORMATION ABOUT YOUR OTHER RIGHTS


You have the right to know whether Hycamite is processing your data at your request. If we process your data, you have the right to receive a copy of the data we process. If we do not process your data, you also have the right to obtain confirmation of this.

You have the right to correct or complete your data that is inaccurate or incomplete for processing purposes.

You may have the right to have your data erased in certain circumstances referred to in the Regulation. We will delete your data at your request if the criteria set out in the legislation are met.

You may have the right to restrict the processing of your data. We will restrict processing at your request if the situations specified in the legislation apply.
In certain circumstances, you have the right to transfer your data held by us to yourself or another controller. This right applies to personal data you have provided to us, which we process based on your consent or to perform a contract to which you are a party. This right applies to data processed by automated means. Some data may be paper copies, and the right does not apply to such documents.

You may have the right to object to processing your personal data. We will stop processing your data at your request in the circumstances specified by law.

HOW TO EXERCISE YOUR RIGHTS


If you wish to exercise your rights as described above, you can send a request to Hycamite Customer Care, whose contact details are on the front page of this Privacy Policy.

If your data is included in the response, we will provide it in encrypted electronic form or by post by personal registered mail, as appropriate. The letter cannot be acknowledged as answered by anyone other than the person who has indicated that they are the addressee. This is to ensure the confidentiality of the information of the correct recipient of the letter.

INFORMATION ON THE RECIPIENTS OF PERSONAL DATA


Personal data are processed by employees of Hycamite or Hycamite's partners whose job duties require processing such data. The processors of personal data are bound by confidentiality.

Customer register data will not be disclosed outside Hycamite except in the situations described below, where required by law, in connection with a business transaction or arrangement, and matters relating to debt collection.

CUSTOMER DATA MAY BE DISCLOSED TO PARTNERS IN THE FOLLOWING SITUATIONS:


- Customer data may be disclosed to payment service providers, such as banks, credit institutions and other payment service providers, to the extent necessary for the provision of the service.

- The customer's name and contact details, as well as information related to the service referral, can be shared with the service company when servicing a product. The service provider is not entitled to use the information for any purpose other than providing the service to the customer.

In addition to Hycamite, customers' personal data is processed by Hycamite's service providers and partners on Hycamite's behalf and per Hycamite's instructions. Such subcontractors include, for example, IT service providers who, among other things, provide technical maintenance of systems and partners who participate in the delivery process of Hycamite's products and services.

Where possible, Hycamite will endeavour to ensure that personal data is processed primarily within the EU and the European Economic Area. Personal data is considered to be transferred outside the EU and EEA in connection with the provision of IT services where the personal data is accessible from a country outside the EU and EEA. Such a transfer is subject to an agreement with the service provider by standard contractual clauses established by the EU Commission, the recipient country has an adequate level of data protection as determined by the EU Commission, the company processing the data has Binding Corporate Rules, or there is another legal basis for the transfer, such as the EU-US Privacy Shield. Oracle and Microsoft may process Hycamite data worldwide.

Some public authorities also have the legal right to access data. These include police, customs, border guards and tax authorities.

RIGHT TO LODGE A COMPLAINT WITH A SUPERVISORY AUTHORITY


Suppose you believe we are not processing onal per the EU General Data Protection Regulation. In that case, you can complain to a supervisory authority in the EU Member State where you are habitually resident or employed or where you believe a breach has occurred. In Finland, this authority is the Data Protection Ombudsman.

Office of the Data Protection Ombudsman
Visiting address: Ratapihantie 9, 6th floor, 00520 Helsinki
Postal address: P.O. Box 800, 00521 Helsinki
Telephone (switchboard): + 358 29 56 66700
Fax: + 358 9 56 66735
E-mail: tietosuoja(at)om.fi

INFORMATION ON AUTOMATED DECISION-MAKING AND PROFILING


We profile customers to target marketing and event invitations. We consider that the profiling described above does not have legal effects within the meaning of the Regulation or otherwise significantly impact the subject of the profiling.

As a data subject, you have the right to object to profiling based on the controller's legitimate interest based on a specific personal ground. You may also object to profiling to target direct marketing at any time.

YOUR DATA WILL NOT BE USED FOR OTHER PURPOSES WITHOUT YOUR KNOWLEDGE


We will not use your data for purposes other than this document. Suppose new uses are compatible with the purposes for which the personal data were initially collected. In that case, we will inform you of the new uses and the legal grounds for processing. We will ask for your consent to process your data for new purposes if necessary.

IMPACT OF THE PROCESSING OF PERSONAL DATA


Hycamite is committed to protecting the privacy of its customers and ensuring the secure processing of personal data by the requirements of the EU General Data Protection Regulation and other applicable legislation.

We protect the data of our premises, IT systems and users of the services we provide with appropriate technical and administrative security solutions and continuously improve our security methods. The rights of access and use for data processing are personalised, and the scope of these rights is determined by the tasks performed.

We take care to develop the skills of our staff in data protection matters. We also strive to ensure that our partners' staff understand the importance of confidentiality and secure processing of personal data.

We monitor events relating to processing personal data, react to any anomalies detected, and seek to prevent any damage resulting from such anomalies. Suppose, despite all our safeguards, your data falls into the wrong hands. In that case, it is possible, as with other services involving the processing of personal data, that an outside party may misuse your data. We will inform the appropriate authorities and data subjects of the breach as required by law.

You have the right under the Regulation to have your data deleted from our system if:
  • the personal data is no longer necessary for the purposes for which it was collected or otherwise processed; or
  • you have withdrawn your consent on which the processing was based, and there is no other lawful basis for the processing; or
  • you object on personal grounds to processing necessary for the legitimate interests pursued by the controller or a third party, such as profiling; In this case, the controller may no longer process the personal data unless the controller can demonstrate compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject or for the establishment, exercise or defence of legal claims.
  • personal data have been unlawfully processed;
  • the personal data must be erased to comply with a legal obligation under Union or Member State law to which the controller is subject;

You may restrict the processing of your data if:
  • you contest the accuracy of your data, in which case the processing will be limited for some time during which we can verify its accuracy;
  • the processing is unlawful, and you object to the erasure of the personal data and instead request the restriction of its use
  • as a controller, we no longer need the personal data concerned for the processing, but you need them for the establishment, exercise or defence of legal claims;
  • you have objected on personal grounds to the processing of personal data necessary for the performance of a task carried out in the public interest or the exercise of official authority vested in the controller or the legitimate interests of the controller or a third party. We await verification of whether the controller’s legitimate grounds override your objections.

Where the processing of your data is restricted, it may be processed, except for storage purposes, only with your consent or for the establishment, exercise or defence of legal claims or the protection of the rights of another natural or legal person or reasons of substantial public interest of the Union or a Member State.

You may object to the processing of your data:
  • for the legitimate interests pursued by the controller or a third party, such as profiling, based on your reasons; In this case, the controller may no longer process the personal data unless the controller can demonstrate compelling legitimate grounds for the processing, which override the interests, rights and freedoms of the data subject or where it is necessary for the establishment, exercise or defence of legal claims.
  • at any time, your data are processed for direct marketing purposes, including profiling related to such direct marketing.