Database Privacy Statement

Latest update: 8th of April, 2024

Privacy is important to us, and we are committed to protecting the personal information that is processed in our database product and service (hereinafter referred to as “Service”). This database privacy statement explains our purposes, legal basis for collecting information about data subjects, sources of information, and how the information is processed.

What personal data is included in the Service?

Most of the data processed in the Service consists of information about legal entities, such as companies' key figures, the area of business, and other data related to companies. Besides company-related data, Vainu collects and processes certain personal data, which has been publicly disclosed by the company or is otherwise available and freely accessible in the public domain. The collection and processing of such personal data is related to data subjects’ public role in the company’s business.

How is the data collected?

The Service is a software-based database, using intelligent data collection technology and machine learning algorithms. The software searches open and public data constantly, extracts, and indexes the data and populates the fields of companies with the help of named-entity recognition. Additionally, the Service may include manually collected data obtained by Vainu’s data research team. The collected data consists of data in the public domain, such as public officials, Patent and Registration offices, company websites, press releases, and other source material made available to the public by the company or its representatives. The Service may also provide links to external websites, where company-related information is published.

How is personal data processed?

Vainu processes only publicly available personal data that is directly related to the person’s role in the company. Our Service is designed not to collect or process any personal data in the Service in excess of what is directly relative to the company information. Processing is limited to have a minimal privacy impact and the processing of personal data is not extended beyond what the data subjects could reasonably expect (names and contact details of company representatives, as available in the original public source). Our intelligent data collection technology constantly re-searches and updates the information we collect and process, which ensures that no inaccurate or obsolete personal data related to Companies is stored in the Service beyond a reasonable time. If the original source is updated or removed, the personal data in the Service will also be updated or removed after a short period of time.

Additionally, we have validation mechanisms in place to ensure that only business-relevant personal data is stored in our database.

How do we ensure the legitimacy of our personal data processing?

The processing of the company-related personal data in our Service is based on our legitimate interest to freely conduct business and maintain our Service in accordance with European Union law and national laws. We limit the processing to data that is only available in the public domain, such as public officials, Patent and Registration offices, and company websites made available to the public. This personal data is based on the individual’s public role in the company’s business, which has been publicly disclosed in their role as the company’s representative or is otherwise available and freely accessible in the public domain. 

Who owns the information?

Vainu operates an intelligent database reflecting the information available in public sources and the internet. While we index and store data, we control what data is gathered and how we process it. Our processing is uniquely filtering data that is already available, and we do not use it for any other purpose than making it further available to our customers.

When we make the data accessible to our customers, the customer may use our tool to browse through the data we have indexed, and they may choose to import the data into their systems. In doing so, our customers assume control over the data and process personal data in accordance with their privacy policies. We require our customers to commit to the lawful use of the data provided by us.

Detailed information about the Vainu Database Record

1. Name of the record

The name of the personal data record is Database Record of Vainu (“Record”). Data subjects of the Record are decision-makers of legal entities, business people, company management, and other similar data subjects that are considered to fulfil a role in public life and/or might be in the public interest.

2. Controller

Vainu. io Software Oy. All subsidiaries of Vainu Group also apply the principles and policies described herein.

Siltasaarenkatu 8-10
FI-00530 Helsinki
Finland

3. Contact Information

Contact Us
https://www.vainu.com/about-us/
Siltasaarenkatu 8-10
FI-00530 Helsinki
Finland

Data Privacy Officer
Sami Kekäläinen
Siltasaarenkatu 8-10, 00530 Helsinki, Finland
dpo@vainu.io

4. Purpose and legal basis of processing personal data

Processing of a limited amount of personal data is based on our legitimate interest to freely conduct business and maintain our Service in accordance with Union law and national laws. Processing is limited to persons holding a role in public life such as business people, company management, representatives and personal data available in the public domain or which is in the public interest.

In accordance with the statement by the Article 29 Working Party (an independent advisory body established under the EU’s Data Protection Directive (95/46/EC)), business people, company management and representatives can usually be considered to fulfil a role in public life.

Our use, processing, and maintaining such public data in the database record is limited to have a minimal privacy impact, and the processing of personal data is not extended beyond what the data subjects could reasonably expect during the period that the data subject is in the position at the legal entity, and the same information is available and freely accessible by the public in the public domain.

Personal data in the Vainu database record may be processed for the following purposes:

  • Presenting the personal data in connection with the legal entity, which is connected to the data subject,
  • Statistical analyses on Companies based on pseudonymized or anonymized data, and
  • Fulfil the obligations based on the law and orders of the authorities.

5. Regular sources of Personal Data

Vainu collects personal data from open and public data of legal entities, which is available in the public domain or has been made available to the public by the legal entities. Regular sources include national Patent and Registration offices (or their equivalents), public officials, company websites, press releases, and other source material made available to the public by the company or its representatives. All personal data in our database is linked to the source where it was acquired.

6. Content of Personal Data in the Record

The Record contains personal data which is directly linked to the data subjects’ role in the legal entity. Other personal data is not included in the Record.

The Register may contain the following personal data in connection with the legal entity:

  • Basic information (name, title, position, company department, country),
  • Contact information (work phone, work email address),
  • Date of birth (only for board members, auditors, CEOs and other officially registered representatives of a company)

7. Recipients of Personal Data

Service users and Vainu’s customers have access to the personal data in relation to the Companies they search for, where such data is available in the Service. A limited amount of company information and relative personal data is also available through the search engine on our website, which may be used without a customer relationship with Vainu.

All personal data that is available to the users and customers of our Service is freely accessible in the public domain, or otherwise available to the public in the same manner and similar format as is provided in our Service. Vainu’s customers may export or receive data from the service. When our customers use this export feature or otherwise receive personal data via automated or manual process, they will become data controllers with respect to personal data, in which case the customer’s privacy notice will apply to the data processing they might carry out. In cases where personal data is disclosed to our Customer, we require the Customer to commit to appropriate data processing practices through contractual means.

Besides personal data that is available to the users and customers of our Service, we store certain background data which supplements company data and it is processed for analytics and context, and is not available for Vainu users and customers. This background data includes for example birth records from board members, CEOs and other officially registered representatives of a company.

8. Transfers and handling of Information

The data that Vainu collects from data subjects may be transferred to, and stored at, a destination outside the European Economic Area (“EEA”). It may also be processed by staff operating outside the EEA who work for us or for one of our suppliers (e.g. if our service provider or supplier is located outside EEA).

Vainu will only disclose personal data based on a contract to third parties operating outside EU/EAA, which have taken steps to ensure that adequate data protection arrangements are in place in accordance with the data protection regulation. These may include, but are not limited to, Data Protection Agreements or standard contractual clauses provided by the European Commission.

Additionally, our Service may be used by our customers and other users at a location outside the EEA. As part of the use of the Service, our customers access the database through searches and filters and choose to import data from our database into their systems. We require our customers to commit to the lawful use of the data provided by us, including the lawfulness of any data transfer. By using the Service our customers and users independently evaluate whether they choose to collect and process the personal data which is available in the Service for its purposes.

Personal Data may be disclosed to authorities in cases required by the mandatory local legislation or court order. Data may also be disclosed if the disclosure is permitted by applicable law or regulation.

9. Retention of Personal Data

Personal data will be stored in the database only as long as and only to the extent that is necessary to provide timely and accurate information on company decision-makers as part of providing information on Companies included in the Vainu database, as designed in the Service. When such requirements no longer exist, personal data will be deleted. The requirement is deemed to exist during the period that the data subject is in the position of the legal entity, which has been recorded in the original source. The retention periods for personal data in Vainu have been designed to reflect the retention period of the original data source. The database is automatically and manually updated regularly, and personal data will not be stored beyond a reasonable time after it has been removed from the original source.

10. Data Protection Principles

The information security of personal data and processing and confidentiality, integrity, and usability are ensured with appropriate technical and administrative measures in accordance with Vainu's information security principles. The employees of Vainu have bound themselves to comply with professional secrecy and concealment regarding the information they receive during the processing of personal information. Privacy and security guidelines have been communicated to employees and strictly enforce privacy safeguards within the company.

All databases and information systems are accessible only with individual and personal login information either via SSO by the customer's identity provider or with credentials  (username and password) granted by Vainu. The rights to access the master database are restricted so that the information can only be viewed and processed by persons who are legally admitted and required to do so. The customers and users of our Service may only have access to the personal data which is made available in the Service by Vainu.

11. Rights of the Data Subject

You as a Data Subject whose personal data is governed by the EU General Data Protection Regulation, have certain rights and this section of the database privacy notice is intended to provide you with information on your rights.

The EU General Data Protection Regulation grants you the below-detailed rights concerning your personal data to the extent that it has been recorded into the Database Record. In the use of your rights, we emphasize that the nature of our service is to collect, index, and filter public data, and all personal data in our Record is obtained from other public sources. If the data is modified or removed from the original source, it will also be modified or erased from our Service shortly.

For any of the below-detailed rights, please submit all requests and inquiries on data protection primarily to the following address privacy@vainu.io.

Information and access to personal data

The data subject has the right to receive information; what data is being collected, the purposes of the processing for which the personal data are intended as well as the legal basis for the processing and the recipients or categories of recipients of the personal data if any.

If your data is included in the Vainu database, its processing shall be governed by this Vainu Database Record.

Right of access by the data subject

The data subject has the right to obtain from Vainu confirmation as to whether or not personal data concerning him or her are being processed, and, where that is the case, access to the personal data.

Vainu will confirm to you if your data is included in our Services, what is the data identifiable to you that we have gathered, and provide you with information about the original source of your personal data.

Right to rectification

The data subject shall have the right to obtain from Vainu, without undue delay, the rectification of inaccurate personal data concerning him or her. Taking into account the purposes of the processing, the data subject shall have the right to have incomplete personal data completed, including by means of providing a supplementary statement.

We will automatically update the personal data we gather about you when you change the information in the source of the data.

Right to erasure

The data subject has the right to request the erasure of personal data in the Register, if the legal basis for the processing of personal data has ceased. Despite the request for erasure, the data may not be erased if there is a legal basis for maintaining the data, or if Vainu is obliged to process personal data for the establishment, exercise, or defence of legal claims.

We will automatically delete the personal data we gather about you after the data is removed from its original public source. Some of the data may be of such nature that it can be preserved based on an exemption of the General Data Protection Regulation or related jurisprudence, such as personal data whose availability is in the public interest.

Right to lodge a complaint

You may also lodge a complaint to the supervisory authority if you consider that the processing of personal data violates the relevant data protection legislation in force. The national supervisory authority in Finland is the Data Protection Ombudsman (tietosuoja@om.fi).

12. Changes to Database Privacy Statement

Vainu has the right to change or update this Database Privacy Statement at any time, and we recommend that you read it from time to time.

13. Google Integration scope definitions

Currently, a user can be asked for these scopes when connecting Google Account to Vainu:
https://www.googleapis.com/auth/gmail.metadata
https://www.googleapis.com/auth/spreadsheets

Explanations of each scope and their usages: https://developers.google.com/gmail/api/auth/scopes


Gmail integration (https://www.googleapis.com/auth/gmail.metadata)

Gmail integration enables users to create a target group based on email contacts. Gmail integration is optional and the process is started when the user requests it from the user interface.

Only email sender domains are scanned from the email and no exact email data is saved to Vainu databases. This domain is matched to a company and if a company is found this company is saved to the user's Gmail target group in Vainu. A user can follow triggers/events by companies in this target group. This target group data can only be accessed by the user when he/she is logged in to Vainu. New email domains are scanned periodically from users' emails. A user can remove and delete the target group at any time from the user interface.

Google Spreadsheets (https://www.googleapis.com/auth/spreadsheets)

Google Spreadsheet scope is used to read and write back company-related data to a user-defined spreadsheet.

The authorization is prompted each time the user initiates the process from Vainu and OAuth 2.0 code flow is then used to get access/refresh tokens for a single run. Only spreadsheet scope is requested for these tokens.

Spreadsheet data is accessed via API calls using the official Python API client. A sheet is assumed to contain arbitrary company information (such as company names, business IDs, addresses, domains, etc.) and this data is matched against Vainu's database of companies. Matched data is then parsed and written back to the sheet using the API client.

Company data read from the sheet is only used at runtime and then discarded - no business information on the sheet is saved to our database. Sheet metadata is however stored for handling the process and allowing easier feedback for the user. This metadata includes sheet ID, name, ranges, and column names. No information about the process or spreadsheet contents is shared between users.