Effective: 4 September 2019
We practice privacy and security by design.
Please read our full document below to understand details between where we are a Data Controller (your Supermetrics account data, company information etc.) and where we are a Data Processor (when we process your data through our systems into Google Sheets, Google Data Studio, Microsoft Excel, Tableau etc.)
2. Privacy and security as data processor
This section summarizes our commitments to you where we are a Data Processor (when we process your data through our systems into Google Sheets, Google Data Studio, Microsoft Excel, Tableau etc.)
- When it comes to being a data processor, the data is never stored permanently on our systems. In the majority of cases, we process your data in real time. To improve performance, we may cache your query results on our servers as needed for the success of your query. Please note that any time we cache query results we strongly encrypt the data. Any caches are deleted once they are unnecessary or when you cease use of our systems.
- Our staff is trained regularly on handling data and our systems are monitored constantly. Our staff have access as needed. For any data we process, your data is extremely restricted and we will only access it at your written request or in the case where we need to debug and solve problems. In each case all such access is audited.
- We do not share the data you process with us with any party.
- In some cases you may be given the option and/or have chosen the option to have your data processed in specific region(s) or in specific data center(s). In such cases we will give you the guarantee such processing will happen in the specified manner and any changes will be communicated to you.
- Supermetrics tools only use official APIs (application programming interfaces) for accessing data.
- Data transfers are done using SSL encrypted HTTPS connections.
- For logging into most of the data sources, our tools use OAuth. This is a secure authentication method, which means that you never have to type your password into our tools, as the authentication happens on a webpage hosted by the data source (eg. Google, Facebook or Microsoft).
- Most other services we connect to also work with OAuth, and provide their own interface for revoking access rights.
- There are a few services that still require you to type your username and password, or API key, into our tools. Any tokens, keys or passwords are stored encrypted in our systems.
- Our data processing and storage happens in monitored and highly scalable, best-in-class data centers managed by Amazon, Microsoft and Google.
- Our security is audited annually by an external third party.
3. Privacy and security as data controller
This section relates to the personal data processed by us as a data controller for concluding the agreement with our customers and for other purposes as set out in more detail below.
We may also process personal data that is sent to our systems by our customers when providing our processing services to our customer (please see section 2. above). Such processing of personal data is governed by a data processing agreement entered into between us as the data processor and our customer as the data controller. We process such data only on the instructions of our customer. If you have any questions relating to such data processing, please contact directly the relevant data controller. The sections 3.1 – 3.11 that follow refer only to personal data provided to us by Supermetrics license holders (our customers) and/or visitors to our marketing web sites.
3.1 Controller of the processing of your personal data
Supermetrics Oy (“Supermetrics” or “We”)
Company ID: 2552282-5
Mikonkatu 700100 HELSINKI, Finland
Tel: +358 40 356 3260
Contact person in case of matters relating to the processing of personal data: Duleepa Wijayawardhana, CTO, email@example.com
3.2 Data processed and sources of personal data
When you sign up for our services, we may collect and process the following personal data about you: Your name; Address details; E-mail address.
We collect the above mentioned personal data directly from you when you sign up for the service. If you do not provide us with your above personal details, we may not be able to enter into an agreement with you. In addition we may collect technical data such as IP address, operating system, web browser, and browsing history on supermetrics.com and other Supermetrics web properties, prior to entry into the agreement. This data may be combined with your personal data so that we may create optimized and efficient workflows and provide further analysis to improve sales and delivery of our products.
3.3 Purposes of processing
We may process personal data for the following purposes:
- Concluding the agreement with you or the legal entity you represent;
- Maintaining a contractual relationship with you or the legal entity you represent, including:
- providing you with support for the services under the agreement;
Sending you or the legal entity you represent necessary updates regarding:
- the services under the agreement;
Statistical and analytical purposes.
- We use the personal data to generate reports and statistics regarding the use of our services.
- Where possible, we use anonymized data or non-personal data in these activities.
3.4 Legal grounds for the processing
If you are a natural person and have entered into an agreement with Supermetrics, we process personal data to the extent it is necessary for the performance of the agreement between you and Supermetrics as well as for the purposes of the legitimate interests pursued by us as the data controller.
If you represent a legal person (e.g. a company or another legal entity) which has entered into an agreement with Supermetrics, the legal grounds for the processing of personal data is that processing is necessary for the purposes of the legitimate interests pursued by us as the data controller.
To the extent we process the personal data (as defined in section 2) in connection of performance of the agreement between a legal person and Supermetrics, the legitimate interest pursued by us is the conclusion and performance of the agreement between your legal entity and Supermetrics. In such case we will process your personal data as necessary towards the mutual interest of concluding and maintaining a contractual relationship with the legal entity you represent.
To the extent we process the personal data with the aim to improve our services the legitimate interest pursued by us is the development of our business and processes. We strive to limit the use of personal data in this context to the minimum and will process your personal data (as defined in section 2) as necessary towards the mutual benefit of improving and optimizing our products.
3.5 Recipients of personal data
When processing your personal data for the purposes described above, we may transfer the personal data to the following third parties:
- Exponea, customer data analysis
- Google Analytics, customer and traffic analysis
- Google Adwords, advertising and marketing
- LinkedIn Ads, advertising and marketing
- Facebook Ads, advertising and marketing
- iDevAffiliate, tracking affiliate purchases
- OutreachPlus, customer marketing and outreach
- MailMerge, customer marketing and outreach
- HubSpot, customer relationship management
- Boomerang, customer relationship management
- Maxmind, geolocation
- Stripe, payments processing
- Paypal, payments processing
- Transferwise, payments processing
- Freshdesk, customer support
- Slack, customer support
- Mailgun, transactional email
- Greenhouse, job applicants tracking system
- Amazon Web Services, servers and infrastructure
- Google Cloud Platform, servers and infrastructure
- Microsoft Azure, servers and infrastructure
- Salesforce, sales and leads tracking
We may also transfer personal data to the relevant authorities in Finland or abroad where such authorities have a legal right to receive the information.
3.6 Transfer of your personal data to outside of the EU/EEA
If personal data is transferred outside the EU/EEA, we ensure that the personal data is transferred in accordance with the applicable law, for example, by using standard agreements approved by relevant authorities (where necessary) or by ensuring that the recipient of the data participates certification schemes (including the EU-US Privacy Shield).
3.7 How long do we store your personal data?
Your personal data will be stored only as long as it is necessary for the performance of the contract with you and for the purposes set out in section 3 above. We will delete the information once it is no longer needed for those purposes.
3.8 Your rights
3.8.1 Right of access
You may contact us and we will inform what personal data we have collected and processed regarding you and the purposes such data are used for. You have the right to have incorrect, imprecise, incomplete, outdated, or unnecessary personal data we have stored about you corrected or completed.
3.8.2 Right to object
You may object to certain use of personal data if such data are processed for other purposes than purposes the purposes set out above. If you object further processing of personal data, we may not be able to provide to you the services under the agreement.
3.8.3 Restriction of processing
You may request us to restrict the processing of your personal data. In such case, however, we may not be able to provide to you the services under the agreement.
3.8.4 Right to withdraw consent
If the processing of your personal data is based on your consent, you have the right to withdraw the consent at any time. If you wish to exercise the right to withdraw the consent, you may contact us at the contact details set out in section 1 above.
3.8.5 Right to data portability
You have the right to receive your personal data from us in a structured and commonly used format and to independently transmit those data to a third party.
3.8.6 Exercising your rights
You may contact us by mail or e-mail using the contact details set out in section 1 above with a request to exercise any of the above rights. We may reject requests that are unreasonably repetitive, excessive or manifestly unfounded.
3.9 Analytics, Online Advertising, and Remarketing
Supermetrics works with 3rd party providers to obtain the information regarding traffic on Supermetrics websites, including pages viewed and the actions taken when visiting supermetrics.com and other Supermetrics web properties; to serve our advertisements on other websites and elsewhere online; to provide us with information regarding the use of our websites and the effectiveness of our marketing efforts.
Above mentioned partners may collect certain information about your visits to and activity on Supermetrics websites, they may set and access their own tracking technologies on your device (including cookies and web beacons), and use that information to show you targeted advertisements.
We use Google AdWords Remarketing and other similar services (e.g. retargeting) to advertise Supermetrics across the Internet.
These services will display relevant ads tailored to you based on what parts of Supermetrics websites you have viewed by placing a cookie on your device. This cookie does not in any way identify you or give access to your computer. It helps us to customize our marketing to better suit your needs and only display ads that are relevant to you.
You can read here how Google is using your data when you are visiting Supermetrics websites
You can set up your browser to decline cookies, should you wish to do so.
However, this may prevent you from taking full advantage of Supermetrics websites. If you do not wish to participate in our Google AdWords Remarketing, you can opt out by visiting Google’s Ads Preferences Manager.
3.10 List of Cookies Stored
We store the following cookies from the following services when you use supermetrics.com properties.
- Session cookie used by the application to store state between page views (such as your current logged in information)
- Google Analytics and Adwords tracking cookies (typically “_ga” and “utm”) for tracking page views
- WordPress Cookies for settings while browsing the main supermetrics.com site (wp*, et*)
- Attribution and Affiliate data, stored by supermetrics.com to track any purchases through our supermetrics affiliates (attribution)
- Bing Ads tracking (MU*)
- Usage and performance tracking (Exponea*)
3.11 Lodging a complaint
You have the right to lodge a complaint regarding our processing of your personal data with the Finnish Data Protection Ombudsman at:
P.O. Box 800
+358 29 56 66700