Data Protection Policy

How we collect and process personal data

NayaDaya Analytics Inc. is collecting, analyzing, publishing, and distributing emotion and behavior data in the contexts of employers, transformations, M&A processes, projects, sustainability, brands, news, and phenomena among employees, customers, consumers, and citizens, for example. We follow the General Data Protection Regulation (EU) 2016/679 (“GDPR”) in processing of personal data.

NayaDaya Analytics’s service People Impact Analytics® is designed so that the analytics service does not collect, process, or store personal data. Accordingly, in relation to the analytics service itself, NayaDaya Analytics does not act as a controller of personal data for its clients.

1. Controller

Name: NayaDaya Analytics Inc.
Business ID: 2775123-4
Address: Åkerlundinkatu 8, 33100 Tampere, Finland
E-mail: petri.jarvinen@nayadaya.com

2. Contact person for registration matters

Name: Petri Järvinen
Address: Åkerlundinkatu 8, 33100 Tampere, Finland
Phone number: +358 45 238 5537
E-mail: petri.jarvinen@nayadaya.com

3. The personal data processed, purpose of data processing, legal basis and sources of information

As a controller NayaDaya Analytics processes the following personal data of its clients and potential clients:

The personal data processed

Purpose of personal data processing

Legal basis of personal data processing

Sources of information

Name and contact information of the data subject (e.g. address, phone number and e-mail address)

Fulfilling of the contractual obligations, service delivery, management and development of customer relationship, service development, sales, marketing, customer acquisition

A legitimate interest of the controller (a right to keep a client register, a right to aspire to develop, sell and market their services, responsibility to fulfill contractual obligations)

A data subject themselves, an organisation represented by the data subject, public sources, commercial B2B data sources, social media, websites

Professional title and the represented organization by the data subject

Fulfilling of the contractual obligations, service delivery, management and development of customer relationship, service development, sales, marketing, customer acquisition

A legitimate interest of the controller (a right to keep a client register, a right to aspire to develop, sell and market their services, responsibility to fulfill contractual obligations)

A data subject themselves, an organisation represented by the data subject, public sources, commercial B2B data providers, social media, websites

Contact information of the represented organization by the data subject

Fulfilling of the contractual obligations, service delivery, management and development of customer relationship, service development, sales, marketing, customer acquisition

A legitimate interest of the controller (a right to keep a client register, a right to aspire to develop, sell and market their services, responsibility to fulfill contractual obligations)

A data subject themselves, an organisation represented by the data subject, public sources, commercial B2B data providers, social media, websites

Marketing authorisations and bans given by the data subjects

Marketing, customer acquisition

A legitimate interest of the controller (a right to aspire to develop, sell and market their services, obligation to lawful marketing)

A data subject themselves

Information related to the customer relationship, e.g. information regarding service and order, payment details, invoicing information and information regarding communication

Fulfilling of the contractual obligations, invoicing, service delivery, management and development of customer relationship, development of service and products, sales, marketing, customer acquisition

A legitimate interest of the controller (a right to keep a client register, a right to aspire to develop, sell and market their services, responsibility to fulfill contractual obligations)

A data subject themselves, an organisation represented by the data subject, public sources, websites, data received or generated during customer relationship

User information of the data subject using a real-time reporting service (e-mail address and username

Fulfilling of the contractual obligations, service delivery, management and development of customer relationship, development of service and products

A legitimate interest of the controller (in cases of necessary precondition for service delivery)

A data subject themselves, an organisation represented by the data subject

4. Storage of personal data

While People Impact Analytics® service does not collect, process, or store personal data, NayaDaya Analytics uses personal data for other purposes, mostly related to marketing and sales functions, and managing service delivery, as the table above describes.

Personal data of the customers is stored for the duration of the actual or pursued customer relationship and for three years after its termination, after which the data will be filed, unless there is a legal obligation for a longer storage period.

For the purpose of marketing and sales, the data of the data subjects shall be reviewed on an annual basis and the data that is not necessary to store shall be deleted.

5. Controllers of personal data

The controller may use sub-controllers to support their business and to provide their goods and services. In relation to sub-controllers, the contractual obligations under the GDPR shall be applied.

The controller shall provide information of the used sub-controllers, if necessary.

6. Transfers and disclosures of the personal data

We primarily store the personal data in European Union. We will only forward your data to providers or storage locations in countries outside the European Union to the extent that such is necessary to process orders and fulfill contractual obligations. If personal data is transferred outside the EU/EEA, we ensure that the personal data is transferred in accordance with the applicable law, for example by ensuring that the recipient of the data participates certification schemes (including the EU-US Privacy Shield).

7. Principles of protection of the personal data

Only employees who are authorized to process personal data on behalf of their work are entitled to access the customer data system. Access to workspaces is restricted. The data are transported using TLS (Transport Layer Security), collected to documents in a technical environment protected by firewalls, passwords, and MFA (Multi-Factor Authentication). The data at rest use AES 256-bit encryption and they are regularly backed up to a cloud-service protected with access control and firewalls.

8. The rights of data subjects

A data subject has the right to verify the data concerning the data subject herself/himself that is stored in the filing system. Contacts concerning the right to verify must be submitted in writing and signed. Contact information concerning the request are given in section 1.

A data subject has the right to request correction of the data concerning her/him that is stored in the filing system, if the data is incorrect. The request for correction must be submitted in writing and signed. Contact information concerning the request are given in section 1.

A data subject has the right to forbid the controller from processing the data concerning her/him for direct advertising, distance selling and other direct marketing as well as market and opinion poll or other purposes. Contact information concerning the ban are given in section 1. The controller has the right to refuse such request, if it would prevent the delivery of the goods and services of the controller.

A data subject has the right to request that personal data concerning her/him is deleted from the filing system. Contact information concerning the ban are given in section 1. The controller has the right to refuse to execute the data deletion, if it would prevent the delivery of the goods and services of the controller or if it would be unlawful.

A data subject always has the right to make a complaint to the data protection authority, which in Finland is Data Protection Ombudsman.

9. Use of client-side storage and personal data in connection with NayaDaya Analytics’ services (People Impact Analytics®)

People Impact Analytics® cloud survey application saves user preferences (language) and survey completion-related information in client-side storage. The variables will be stored in the client’s browser localStorage to be loaded when a client returns to the service. None of the data stored in the system is linked to pre-existing personal data nor generated using data acquired from client’s device or network information. The survey completion status of a respondent is controlled with a respondent token which is created in runtime using a random UUID (Universally Unique Identifier) generator.

The underlaying cloud system automatically collects certain technical information when you use the service, such as your IP address, request timestamps, URLs accessed, operating system type, and browser information (type and version). These data are stored in server logs for compliance, security, debugging, and service reliability purposes and are not linked to any other client information nor any client survey data, and not shared with our clients. The system logs are being located in EU region and stored for 30 days, after which they are automatically deleted.

10. Google Analytics

NayaDaya Analytics also uses Google Analytics service to collect general information i.e. operating time of websites, keystrokes of links, geographical locations, browsers and operating systems (using ”The Google Analytics tag” integration). Google Analytics may use IP addresses. Data of the Google Analytics is used to common monitoring and developing of the NayaDaya Analytics application. Data of the Google Analytics cannot be connected to any surveyed response data.