In connection with its business operations, GapHook (“GAPHOOK”, “we”) may collect and process personal data of various individuals (“Data Subjects”). This Privacy Policy applies to personal data of Data Subjects we collect through our websites and the GAPHOOK online service (collectively, the “Services"), as well as from other sources.

This Privacy Policy explains what data we process, how we do that and how the Data Subjects may use their rights (e.g. right to object, right of access).

This Privacy Policy may be updated if required in order to reflect the changes in data processing practices or otherwise. The current version can be found on our website at https://gaphook.com/privacy-policy. We will not make substantial changes to this Privacy Policy or reduce the rights of Data Subjects under this Privacy Policy without providing a notice thereof.

This Privacy Policy only covers data processing carried out by GAPHOOK when and to the extent GAPHOOK is the controller of the personal data under applicable data protection laws. The Privacy Policy does not address, and we are not responsible for, the privacy practices of any third parties. GAPHOOK disclaims all responsibility for the processing carried out by third parties, also in cases where Services include hyperlinks to third parties’ websites. Please note that personal data inserted into GAPHOOK online service in connection with the Data Subject’s use of the GAPHOOK online service is collected by the customer organization represented by the Data Subject and GAPHOOK has no control over the data, and therefore processes such personal data on behalf of the customer organization as a data processor. In this case, the relevant customer organization shall be considered to be data controller for said personal data and these processing activities are subject to customer organization’s privacy policy.

Privacy, security and online safety are important for us, and we process all personal data with due care and in accordance with applicable laws and regulations.

1. GAPHOOK’ Contact Details

Name: Sofokus Oy

Company ID in Finnish trade register: 1604545-7

Correspondence address: Juhana Herttuan Puistokatu 3, 20200 Turku, FINLAND

E-mail address: info@sofokus.com

www.sofokus.com

2. Personal Data Processed and Sources of Data

We collect two types of information of the Data Subjects: (i) Profile Data; and (ii) Technical Data. Although we do not normally use Technical Data to identify individuals, sometimes individuals can be recognized from it, either alone or when combined or linked with Profile Data. In such situations, Technical Data can also be considered to be personal data under applicable laws and we will treat the combined data as personal data.

GAPHOOK may collect and process for example the following Profile Data: (i) first and last name; (ii) address details, (iii) telephone number, (iv) e-mail address, (v) credit card and other payment details, (vi) professional details such as employment history, job title, areas of expertise and professional interest, (vii) information that Data Subjects provide when rating our Services or giving feedback on our Services, (viii) information about the Data Subjects’ interaction with us and our Services; (ix) other personal data Data Subjects provide themselves; (x) other personal data we may receive from authorities, publicly available sources, and other third parties.

The specific kind of Profile Data collected will depend on the Services used, and on other interaction between us and the Data Subject. As a rule, Profile Data is received directly from Data Subjects. We may also receive, collect and update personal information for the purposes described below from authorities, publicly available sources and information gained from other third parties, within the limits stipulated in the applicable law.

Technical Data may include for example the following data (i) the Data Subject’s IP address; (ii) browser type and version; (iii) preferred language; (iv) geographic location using IP address or the GPS, wireless, or Bluetooth technology on Data Subject’s device; (v) operating system and computer platform; (vi) the full Uniform Resource Locator (URL) clickstream to, through, and from our Services, including date and time; (vii) products or services Data Subject viewed or searched for while using our Services; and (viii) areas of our Services the Data Subject has visited.

Cookies

We use various technologies to collect and store Technical Data and other information when Data Subjects visit our Services, including cookies. Cookies allow us to calculate the aggregate number of people visiting our Services and monitor the use of the Services. This helps us to improve our Services and better serve the Data Subjects using our Services. We may also use cookies that make the use of the Services easier, for example by remembering usernames, passwords and preferences. We may use tracking and analytics cookies to see how well our Services are being received by the Data Subjects.

Please note that some parts of our Services may not function properly if use of cookies is refused.

Analytics and other tools

Our Services may use several web analytics services to compile Technical Data and reports on visitor usage and to help us improve our Services. Upon your option it may be possible to opt-out of such analytics and other services. More information regarding the analytic and other services included or used in connection with our Services can be obtained by contacting us on addresses mentioned in this Privacy Policy.

3 Purposes for Processing of Personal Data

There are several purposes for the processing of personal data by GAPHOOK:

To provide our Services and carry out our contractual obligations

We process personal data in the first place to be able to offer the Services to Data Subjects and to run, maintain and develop our business. In some cases, personal data may be processed in order to carry out our contractual obligations towards the Data Subject. We may use the data for example to offer essential functionalities of the Services and to provide access to the Services. If Data Subject contacts our customer service, we will use the provided information for answering questions and solving possible issues.

For customer communication

We may process personal data for the purpose of contacting Data Subjects regarding our Services and to inform Data Subjects of changes in our Services, and for other customer relationship management and marketing purposes. Data may also be used for research and analysis purposes in order to improve our Services.

For quality improvement and trend analysis

We may process information regarding the use of the Services to improve the quality of our Services e.g. by analysing any trends in the use of our Services. When possible, we will do this using only aggregated, non-personally identifiable data.

4. Legitimate Grounds for Processing of Personal Data

We process personal data to perform our contractual obligations towards Data Subjects and to comply with legal obligations. We also process personal data for our legitimate interest whilst fulfilling our contractual obligations towards our customer organization represented by the Data Subject. Furthermore, we process personal data to pursue our legitimate interest to run, maintain and develop our business.

In some parts of the Services, Data Subjects may be requested to grant their consent for the processing of personal data. In this event, Data Subjects may withdraw their consent at any time.

5. Transfer to Countries Outside Europe

We have operations, entities, and service providers in several geographical locations. As such, we and our service providers may transfer personal data to, or access it in, jurisdictions outside the European Economic Area or the Data Subject’s domicile. We will take steps to ensure that personal data of Data Subjects receives an adequate level of protection in the jurisdictions in which we process it. We provide adequate protection for the transfer of personal data to countries outside of the European Economic Area through a series of intercompany agreements and agreements with our service providers based on the Standard Contractual Clauses or other similar arrangements.

More information regarding the transfers of personal data as well as the data sub-processors can be obtained by contacting us on addresses mentioned in this Privacy Policy.

6. Recipients

We only share personal data within the organization of GAPHOOK if and as far as reasonably necessary to perform and develop our Services and business. We do not share personal data with third parties outside of GAPHOOK’ organization unless one of the following circumstances applies:

It is necessary for the purposes set out in this Privacy Policy

To the extent that third parties (such as our customer organizations represented by the Data Subject) need access to personal data in order for us to properly perform the Services, we provide such third parties with the Data Subject’s personal data.

For legal reasons

We may share personal data with third parties outside GAPHOOK’ organization if we have a goodfaith belief that access to and use of the personal data is reasonably necessary to:

(i) meet any applicable law, regulation, and/or court order; (ii) detect, prevent, or otherwise address fraud, security or technical issues; and/or (iii) protect the interests, properties or safety of GAPHOOK, Data Subjects, or the public, in accordance with the law. When possible, we will inform Data Subjects about such transfer and processing.

To authorized service providers

We may share personal data to authorized service providers who take part in developing and maintaining the Services or who otherwise perform services on our behalf (including e.g. software development and maintenance, operations monitoring, data storage, sales, marketing and customer support services). Our agreements with our service providers include commitments that the service providers agree to limit their use of personal data and to comply with privacy and security standards at least as stringent as the terms of this Privacy Policy. Please bear in mind that if you provide personal data directly to a third party, such as through a link on our website, the processing is typically based on their policies and standards.

For other legitimate reasons

If GAPHOOK is involved in a merger, acquisition or asset sale, we may transfer personal data to the third party involved. However, we will continue to ensure the confidentiality of all personal data. We will give notice to all Data Subjects concerned when the personal data are transferred or become subject to a different Privacy Policy as soon as reasonably possible.

With explicit consent

We may share personal data with third parties outside GAPHOOK’ organization for other reasons than the ones mentioned before, when we have the Data Subject’s explicit consent to do so. The Data Subject has the right to withdraw this consent at all times.

7. Storage Period

GAPHOOK does not store personal data longer than is legally permitted and necessary for the purposes defined in this Privacy Policy. The storage period depends on the nature of the information and the purposes of processing. The maximum period may therefore vary per use. Typically, we will store Data Subject’s personal data for as long as the Data Subject or the customer organization the Data Subject represents is a registered subscriber or a registered user of our Services or for as long as we have another purpose to do so and, thereafter, for no longer than is required or permitted by law or reasonably necessary for internal reporting and reconciliation purposes. For instance, we may store certain essential Profile Data, such as contact and communication data as long as such processing is required by law or is reasonably necessary for our legitimate interest such as claims handling, bookkeeping, internal reporting, reconciliation or other legal action purposes. All of the Data Subject’s personal data is deleted within 10 years from the termination of subscription to the Services or from Data Subject’s last contact with us, unless processing is by way of exception necessary for example for legal actions.

Data Subject’s e-mail address collected for direct marketing purposes is stored for such purposes until further notice. If Data Subject later opts out of the direct marketing, we delete other information regarding the direct marketing, but will retain the information that Data Subject has opted out of the direct marketing to ensure compliance with the opt-out.

Personal data of Data Subjects may also be deleted when the Data Subject makes a request regarding deletion of the Data Subject’s personal data provided that we do not have a legitimate ground to continue processing the personal data in question.

8. Data Subjects’ Rights

Right to access

GAPHOOK offers access for the Data Subjects to the personal data processed by GAPHOOK. This means that Data Subject may contact us and we will inform what personal data we have collected and processed regarding the said Data Subject and the purposes such data are used for.

Right to withdraw consent

In case the processing is based on a consent granted by Data Subject, the Data Subject may withdraw the consent at any time. Withdrawing a consent may lead to fewer possibilities to use our Services.

Right to correct

Data Subjects have the right to have incorrect, imprecise, incomplete, outdated, or unnecessary personal data we have stored about the Data Subject corrected or completed.

Right to deletion

Data Subjects may also ask us to delete the Data Subject’s personal data from our systems. We will comply with such request unless we have a legitimate ground to not delete the data. We may not immediately be able to delete all residual copies from our servers and backup systems after the active data have been deleted. Such copies shall be deleted as soon as reasonably possible.

Right to object

Data Subject may have the right to object our processing of the Data Subject’s personal data when that processing is based on our legitimate interest. We will comply with such objection unless we have a legitimate ground not to. If the Data Subject objects to the further processing of the Data Subject’s personal data, this may lead to fewer possibilities to use the Services.

Notwithstanding any consent granted beforehand for the purposes of direct marketing, Data Subject has the right to prohibit us from using the Data Subject’s personal data for direct marketing purposes, market research and profiling by contacting us on the addresses indicated above or by using the functionalities of the Services or the unsubscribe possibility offered in connection with any direct marketing messages. Please bear in mind that some parts of our Services may include messaging that are considered part of the Services and that cannot be unsubscribed from.

Right to restriction of processing

Data Subjects may request us to restrict certain processing of personal data; this may however lead to fewer possibilities to use our Services.

Right to data portability

Data Subjects have the right to receive their personal data from us in a structured and commonly used format and to independently transmit those data to a third party.

How to use the rights

The above mentioned rights may be used by sending a letter or an e-mail to us on the addresses set out above, including the following information: name, address, phone number and a copy of a valid ID. We may request the provision of additional information necessary to confirm the identity of the Data Subject. We may reject requests that are unreasonably repetitive, excessive or manifestly unfounded.

9. Lodging a Complaint

In case Data Subject considers our processing of personal data to be inconsistent with the applicable data protection laws, a complaint may be lodged with the local supervisory authority for data protection.

10. Information Security

We will take all reasonable and appropriate security measures to protect the personal data we store and process from unauthorized access or unauthorized alteration, disclosure or destruction. Measures include for example, where appropriate, encryption, firewalls, secure facilities and access right systems.

We use administrative, organizational, technical, and physical safeguards to protect the personal data we collect and process. Our security controls are designed to maintain an appropriate level of data confidentiality, integrity, and availability. We regularly test our websites, data centres, systems, and other assets for security vulnerabilities.

Should despite of the security measures, a security breach occur that is likely to have negative effects to the privacy of Data Subjects, we will inform the relevant Data Subjects and other affected parties, as well as relevant authorities when required by applicable data protection laws, about the breach as soon as reasonably possible.