# Privacy Policy for the Badrap Oy

We at Badrap Oy provide badrap.io service for the consumers and related commercial products for businesses. If you are a badrap.io user, the relevant privacy policy is here. This privacy policy explains why and how we, as a data controller, process your personal information for legitimate business interests.

# Data controller contact details

Company name: Badrap Oy
Address: Teknologiatie 18 B
90590 Oulu
Email: support@badrap.io
Business ID: 2846254-9

# Types of data collected

When discovering leads, we may collect your name, company, email address, and phone number. Our hosting, content delivery and analytics services collect visitor information in the form of IP-addresses and cookies automatically submitted by your web browser.

We process your personal information for purposes of focusing and localizing marketing content, generating leads for our sales, distributing factual information and news related to our company and products and measuring and improving the website user experience.

Legal basis for processing personal information is our legitimate business interests. Initially, we use it to contact you to discover if you are interested in purchasing our services. When we contact you, you can opt-out from future contact attempts. Any follow-ups after a successful contact is made are based on your consent.

# Data sources

# Hosting and content delivery

We use Github, Github pages, and Netlify to deliver our website and relevant content to you. We also use HubSpot for sending email to you in few cases: 1) we have identified you might be interested in our products, 2) you have opted into our newsletter, or 3) your employer has subscribed to our services which require email communication beyond the communication badrap.io service itself sends. In order to work as efficient content delivery platforms, they may collect and use information that web browsers expose automatically, such as the browser version, IP address, site-specific cookies, device identifiers, language preference, referring site, the time of access and user’s operating system. These services should collect only minimal information required to deliver the content and we don’t use these services to collect any information for processing. Some of these services may provide you an option to register directly as their user to improve the user experience. If you have directly registered to any of these services we advise you to study their respective privacy policies.

# Analytics

We use Google Analytics and Google Tag Manager to collect information about our website visitors and their behaviour while on the website. We have configured these services to anonymize IP-addresses. Google provides the means to opt-out from Google Analytics data collection at https://tools.google.com/dlpage/gaoptout. Google's privacy policy can be found at https://policies.google.com/privacy.

# Marketing and customer relationship management (CRM)

We search for publicly available data to discover leads. We use Linkedin, RocketReach and Alma Talent’s company search to identify people in roles implying they may be interested in our products. We use HubSpot to record their contact information. We record company name, and optionally email, your name, and phone number, depending on what information is available. We use this information to be able to contact you to check if you would be interested in purchasing our services. Further contacts are based on your consent.

# Employee Cyber Hygiene Online Training

We use ActiveCampaign for running Employee Cyber Hygiene online training and trials. To provide the service, participants provide their email address and the name of their employer. Participants also give answers to quiz questions, which we collect. Finally, we track the progress of the users to provide statistics to the customer.

# Your rights as a data subject

You have the following rights according to GDPR regarding the processing of your personal data. You can exercise your rights by contacting us by email.

Right of access: You have the right to check at any time, what personal information we have stored about you.

Right to object: You have the right to object to our processing of your personal data, if you think that our processing does not happen according to the GDPR or if you think we have no lawful basis for processing your data.

Right to erasure: You have the right to remove your personal data at any time.

Right to data portability: You have the right to request a machine-readable summary of your personal data from us, so that you can transfer them to another service provider.

Right to lodge a complaint: You have the right to complain to the supervisory authority if you think we are in violation of your rights, in violation of GDPR, or the Finnish law regarding personal data protection. The supervisory authority in this case is the Office of the Data Protection Ombudsman (Tietosuojavaltuutettu) in Finland.

Right to object to direct marketing: You have the right to object to using your personal data for direct marketing purposes.

# Duration of processing

Analytic services we use for the visitor information retain data for up to 26 months. Email addresses submitted by the users are retained until the user unsubscribes. If a subscriber requests a permanent opt-out from any future marketing then opt-out address is retained until the person in question requests to be removed from the opt-out list.

# Data recipients

Visitor information is processed only by named employees of Badrap Oy, who are responsible for developing and maintaining the website. Email addresses and subscriptions are processed by our sales and marketing personnel. Currently we employ no subcontractors or other third parties to process any personal information.

# Data transfers outside of EU

Content delivery services utilize geographically distributed servers in order to deliver the content efficiently, making it difficult to determine the actual location where short-lived visitor data automatically submitted by the web browsers is stored.

External services used by us for content delivery, analytics and marketing do collect and process data outside of EU. Where possible we have configured these services to anonymize collected IP-addresses. We use only service providers that comply with an adequate level of data privacy as required by the GDPR and that are committed to following relevant EU regulation

# Automated individual decision-making

Your personal data is not used for automated individual decision-making or profiling.

# Data protection principles and measures

We don’t collect or ask you for personal information unless we truly need it. We control and keep track of who has access to the services used to process the data. We use transport layer encryption (TLS) to protect your interaction with our website. We occasionally review the implementation of our website and the related services we rely on against this privacy policy.