Privacy Policy

Privacy Policy for the Commerce Index by Crasman Effective Date: 06.02.2025 1. Introduction This Privacy Policy explains how Crasman Oy ("we," "us," "our") collects, uses, stores, and protects personal data in connection with the Commerce Index digital commerce audit service. We are committed to ensuring the privacy and security of our users' personal data in compliance with applicable data protection laws, including the General Data Protection Regulation (GDPR). 2. Data Controller Crasman Oy is the data controller for the personal data processed under this policy. Contact Information: Crasman Oy Perämiehenkatu 12 E 00150 Helsinki, Finland Business ID: 1045259-6 Email: crasman@crasman.fi 3. What personal data we collect We may collect the following categories of personal data when you use the Commerce Index: - Identification data: name, email address, company name, job title, and other contact details. - Usage data: information about your interactions with the Commerce Index, such as login details, browsing behavior, and audit activity. - Technical data: IP address, device type, browser type, operating system, and cookies (if applicable). - Customer communications: messages, inquiries, and feedback sent to us. 4. How we collect data We collect data through: - Direct interactions: when you sign up, request an audit, or contact us. - Automated technologies: through website analytics, cookies, and tracking tools. - Third-party sources: if applicable, we may receive business contact details from trusted partners or publicly available business directories. 5. Purpose and legal basis for processing personal data We process personal data for the following purposes: Purpose | Legal basis -Operating and providing the Commerce Index service | Legitimate interest (ensuring service functionality) -Service improvement and analytics | Legitimate interest (enhancing user experience) -Marketing and communications | Consent (or legitimate interest for B2B marketing) -Security, fraud prevention, and compliance | Legitimate interest (and legal obligation where applicable) 6. Data sharing, third parties, and transfers outside the EU/EEA We do not sell or rent personal data. However, we may share personal data with: - Service providers, such as cloud storage, analytics, and audit automation partners that process data on our behalf. - Legal and regulatory authorities. When required by law or to protect our legal rights. - Business transfers. If the company undergoes a merger, acquisition, or asset sale, personal data may be transferred to the new entity. - Transfers Outside the EU/EEA. Personal data may be transferred outside the European Union (EU) and European Economic Area (EEA) in compliance with applicable data protection laws. When transferring data to the United States, we ensure an adequate level of protection by relying on the recipient’s certification under the EU-U.S. Data Privacy Framework (DPF). If the recipient is not certified under the DPF, we use Standard Contractual Clauses (SCCs) approved by the European Commission. - Implementing supplementary safeguards where necessary to protect the security and confidentiality of the data. 7. Data storage and retention We retain personal data only as long as necessary for the purposes outlined in this policy or as required by law. When retention is no longer necessary, we securely delete or anonymize the data. 8. Security measures We apply appropriate technical and organizational measures to protect personal data from unauthorized access, loss, or misuse. These measures include: - Encryption of sensitive data. - Access controls and role-based permissions. - Secure storage practices and regular security audits. 9. Your rights under GDPR As a data subject, you have the following rights under GDPR: - Right to access – Request a copy of your personal data. - Right to rectification – Request corrections to inaccurate data. - Right to erasure ("right to be forgotten") or the right to request deletion of your data. - Right to restrict processing. Limit how we use your data in certain cases. - Right to object. Opt out of certain data processing activities. - Right to data portability. Receive your data in a structured format. - Right to withdraw consent. If processing is based on consent, you may withdraw it at any time. To exercise your rights, please contact us at crasman@crasman.fi. 10. Cookies and tracking technologies We may use cookies and tracking technologies to enhance user experience and analyze site traffic. You can manage cookie preferences in your browser settings. 11. Changes to this Privacy Policy We may update this Privacy Policy from time to time. Changes will be posted on this page with the updated effective date. We encourage users to review this policy periodically. 12. Contact Information For privacy-related inquiries, please contact: Crasman Oy Perämiehenkatu 12 E 00150 Helsinki, Finland Email: crasman@crasman.fi https://www.crasman.fi/tietosuojaseloste ---------------------------------------- Crasman – Ensuring transparency, security, and trust in digital commerce audits.