# Privacy Policy for Badrap Oy

We at Badrap Oy provide badrap.io service for consumers, and related commercial products for businesses. If you are a badrap.io user, the relevant privacy policy is here. This privacy policy explains why and how we, as a data controller, process our business users' personal information for legitimate business interests.

# Data controller contact details

Company name: Badrap Oy
Address: Teknologiantie 11
90590 Oulu
Email: contact@badrap.io
Business ID: 2846254-9

# Types of data collected

When discovering leads, we may collect your name, company, email address, and phone number. Our hosting, content delivery and analytics services collect visitor information in the form of IP addresses and cookies automatically submitted by your web browser.

We process your personal information for purposes of focusing and localizing marketing content, generating leads for our sales, distributing factual information and news related to our company and products and measuring and improving the website user experience.

Legal basis for processing personal information is our legitimate business interests. Initially, we use it to contact you to discover if you are interested in purchasing our services. When we contact you, you can opt-out from future contact attempts. Any follow-ups after a successful contact is made are based on your consent.

# Data sources

# Hosting and content delivery

We use Github, Github pages, and Netlify to deliver our website and relevant content to you. We also use HubSpot for sending email to you in few cases: 1) we have identified you might be interested in our products, 2) you have opted into our newsletter, or 3) your employer has subscribed to our services which require email communication beyond the communication badrap.io service itself sends. In order to work as efficient content delivery platforms, they may collect and use information that web browsers expose automatically, such as the browser version, IP address, site-specific cookies, device identifiers, language preference, referring site, the time of access and user’s operating system. These services should collect only minimal information required to deliver the content and we don’t use these services to collect any information for processing. Some of these services may provide you an option to register directly as their user to improve the user experience. If you have directly registered to any of these services, we advise you to study their respective privacy policies.

# Analytics

We use Plausible.io to collect information about our website visitors and their behaviour while on the website. Plausible.io is a privacy-focused website analytics provider that collects anonymous statistics and does not use cookies. You can review the Plausible.io data policy (opens new window) to see how their analytics service works.

# Marketing and customer relationship management (CRM)

We search for publicly available data to discover leads. We use Linkedin, RocketReach and Alma Talent company search to identify people in roles implying they may be interested in our products. We also use online forms to collect product inquiries and subscriptions from leads and customers. We use HubSpot, Stripe and DepositFix to record their contact information. We record the company name and optionally email, your name, VAT number, payment details and phone number, depending on what information is available or provided. We use this information to contact you if you are interested in purchasing our services or to provide you the services you have subscribed to. Further contacts are based on your consent.

# Customer Success and Support Emails

We use Google Workspace, Microsoft Office 365 and Hubspot for email communications with customers. This includes support requests, customer success discussions, general inquiries and sales discussions. When you contact us, you consent and acknowledge that we will be processing any personal data you may include in your email with the aforementioned third-party services.

# Customer Meetings

We use Google Calendar and Microsoft Office 365 to book customer meetings, and Google Meet and Microsoft Teams for conducting online meetings. We may also offer you the chance to book meetings with our personnel using Hubspot's Meetings tool, which is connected to our Microsoft or Google calendars. Hubspot's Meetings tool may be offered as an option for booking a meeting e.g. inside selected playbooks, on the web site or in our email signatures. Please note that your usage of the Hubspot Meetings tool is based on your own explicit and unambiguous consent, and it is covered by Hubspot's own privacy policy.

# Embedded Content

We may sometimes embed media content such as videos onto our playbooks and web pages. This embedded media content may reside at an external hosting provider, such as Youtube. When we embed media content, we do it in a way that will share as little user information as possible with the content hosting provider. When viewing embedded content hosted at a third-party service provider, your viewing and interactions with the content are covered by the hosting provider's privacy policy. This means that you may have to review their privacy policy and to provide consent in order to view or interact with the embedded media.

# Playbooks

We use ActiveCampaign for automating playbooks, such as Employee Cyber Hygiene online training and trials. Customers provide their email address or email addresses for us. Participants may submit further information via forms. Playbook automation requires us to track the progress of the users. Sometimes we also provide progress statistics to the playbook customers.

# Your rights as a data subject

You have the following rights according to GDPR regarding the processing of your personal data. You can exercise your rights by contacting us by email.

Right of access: You have the right to check at any time, what personal information we have stored about you.

Right to object: You have the right to object to our processing of your personal data, if you think that our processing does not happen according to the GDPR or if you think we have no lawful basis for processing your data.

Right to erasure: You have the right to remove your personal data at any time.

Right to data portability: You have the right to request a machine-readable summary of your personal data from us, so that you can transfer them to another service provider.

Right to lodge a complaint: You have the right to complain to the supervisory authority if you think we are in violation of your rights, in violation of GDPR, or the Finnish law regarding personal data protection. The supervisory authority in this case is the Office of the Data Protection Ombudsman (Tietosuojavaltuutettu) in Finland.

Right to object to direct marketing: You have the right to object to using your personal data for direct marketing purposes.

# Duration of processing

Email addresses submitted by the users are retained until the user unsubscribes. If a subscriber requests a permanent opt-out from any future marketing, then that opt-out address is retained until the person in question requests to be removed from the opt-out list.

# Data recipients

Visitor information is processed only by named employees of Badrap Oy, who are responsible for developing and maintaining the website. Email addresses and subscriptions are processed by our sales and marketing personnel. Currently we employ no subcontractors or other third parties to process any personal information.

# Data transfers outside of EU

Content delivery services utilize geographically distributed servers in order to deliver the content efficiently, making it difficult to determine the actual location where short-lived visitor data automatically submitted by the web browsers is stored.

External services used by us for content delivery and marketing collect and process data outside of the EU. Where possible we have configured these services to anonymize collected IP addresses. We use only service providers that comply with an adequate level of data privacy as required by the GDPR and that are committed to following relevant EU regulations.

# Automated individual decision-making

Your personal data is not used for automated individual decision-making or profiling.

# Data protection principles and measures

We don’t collect or ask you for personal information unless we truly need it. We control and keep track of who has access to the services used to process the data. We use transport layer encryption (TLS) to protect your interaction with our website. We occasionally review the implementation of our website and the related services we rely on against this privacy policy.