Inderes Oyj, the creator of Videosync service and the provider of the teleconference and event service (”Service”), is committed to protecting your privacy and personal data. This privacy statement (“Privacy Statement”) explains how Inderes Oyj and its authorised affiliates (“Inderes”) process personal data in connection with the Service. This Privacy Statement explains how we collect, use and disclose your personal data in the course of our business in connection with the Service. The term “personal data”, as used in this Privacy Statement, refers to any information about you which can be used to personally identify you, such as your name, address, telephone number, e-mail address, or any other personal information you might supply. Aggregated, statistical or de-identified information is not personal information. Information generated through your use of our websites, watching videos or listening to teleconferences is not deemed personal information unless we can combine it with other information that would identify you. Please, read this Privacy Statement carefully prior to using the Service and/or our website. We may update this Privacy Statement when necessary due to changes in the processing of the information or for any other reason. You must review this Privacy Statement from time to time for any amendments. CONTROLLER AND CONTACT INFORMATION Inderes Oyj, Business ID 2277600-2 Itämerentori 2, 00180 Helsinki Contact person: Janne Vainionpää +358 40 511 7557 janne.vainionpaa@inderes.fi Personal data What personal information does Inderes collect? Our primary goal in collecting information is to provide you with a friendly, customised and efficient experience. We collect the following types of information: INFORMATION YOU VOLUNTEER TO US Inderes collects certain identifying information when you use the Service. For example, we may require customers who use the Service to provide us with personal data such as their name, company name, phone number, and e-mail address. We may also ask for additional types of personal data, such as your title, department name, or other additional information in order to provide you with a more personalised experience. Information that you provide to us will be kept as a record of your interaction with our Service. AUTOMATICALLY COLLECTED INFORMATION When you visit our Service, Inderes collects your internet protocol (“IP”) addresses in order to track and aggregate information as you use the Service. In addition, Inderes automatically receives and stores certain traffic data on our server logs, including your IP address, data related to video playback quality (playtime, buffering time, packet losses, play errors) and your interactions on the Service. Playtime data can be connected to the Service user’s name given in connection with the Service registration. Inderes uses this data to provide the Service, for example, to diagnose technical problems, analyse trends and administer the Service. Inderes may provide aggregate statistics about its Service visitors/users, traffic patterns, and other related Service information to third parties, but these statistics do not include personally identifiable data. Purpose of and legal basis of processing personal data Inderes processes personal data in accordance with this Privacy Statement for the following purposes and the with the processing criteria mentioned here: To offer services (legal basis: enforcing the contract and, in some cases, legitimate interest). To handle and fulfill our legal obligations (legal basis: fulfillment of legal obligations). We may process data to fulfill our accounting obligations, for example, and to provide data to competent authorities such as tax authorities. Processing of claims and legal proceedings (legal basis: legitimate interest). Inderes may process personal data in the processing of claims and in connection with legal processes. We may also process personal data to prevent fraud and misuse of our Service, and to maintain the cyber security of the data we collect, the systems we use, and the data network. Customer communication and marketing (legal basis: legitimate interest). Inderes processes personal data to communicate with the Service users regarding issues related to providing the Service. Personal data can also be used in marketing the Service and other services we provide to the Service users. Improving the quality of the Service and compiling trend analysis (legal basis: legitimate interest). We may also use data about your Service use to improve the quality of our Service by, for example, analyzing changes in the way the Service is used. However, for these purposes, we only use composite data that does not identify individuals. To ensure that our Service meets the needs of a single Service user, personal data can also be used to carry out customer satisfaction surveys, for example. Transfers of personal data Personal data that the Service user has given in connection with the Service registration is transferred to Inderes’ clients (corporates or public sector organisations) that are using the Service to offer content for their target audience. Data is transferred only to the client that is offering the content that you have registered to view. Data will not be transferred to any other organization or person. Typically you will be able to detect this organisation from the first part of Service url that you are accessing, as the service url is typically formed as [clientname].videosync.fi/[event-url-slug]. Inderes’ authorised service providers (so-called sub-processors) may be used to process personal data on behalf of Inderes. Inderes and its service providers store personal data mainly within the European Economic Area. However, some of our service providers may transfer personal data or have access to such data in countries outside the European Economic Area. We will ensure that personal data is properly protected in all countries where they are processed. We provide adequate protection for the transfer of personal data to countries outside the European Economic Area through agreements with our service providers based on standard contractual clauses adopted by the EU Commission, or through other similar arrangements. Some parts of the Service requires using a third-party service provider called TurboBridge, which has the data location in US. Turbobridge provides a teleconference bridge for Videosync teleconferences. TurboBridge processes IP-addresses, name, company name, phone number of users calling to the teleconference by using phone or WebCall feature. TurboBridge has committed to the EU Standard Contractual Clauses ("EU SCC's"). All the data processed by TurboBridge will be permanently removed from TurboBridge storage when the teleconference bridge is removed, latest 1 month after the event has ended. Also, some parts of the Service requires using a third-party service provider called Daily, which has the data location in US. Daily provides real-time communication technology for Videosync breakout rooms and talkback functionality (way for audience to ask questions with their voice). Daily processes IP-addresses and names of users that are connecting to breakout room or talkback room Daily has committed to the EU Standard Contractual Clauses ("EU SCC's"). RECIPIENTS We will only share personal data within our organization and only as reasonably necessary for the purposes set out in this Privacy Statement. We will not share personal data with third parties outside our organization unless one of the following situations prevail: Personal data is used for the purpose described in this Privacy Statement or is shared with an authorized service provider. To the extent that we need to give third parties access to the User’s personal data to enable us to provide our Service to Service users, we will provide such third parties with User data for processing on our behalf. In addition, we may share personal data with authorized service providers providing services to us (including data storage services, accounting services). Inderes has taken appropriate contractual and organizational measures to ensure that, when third parties process personal data on behalf of Inderes, they are used only for the purposes specified in this Privacy Statement and are processed in accordance with the laws and regulations in force and in accordance with our instructions, applicable secrecy obligations and necessary security measures. Data are used for legal purposes or in legal proceedings. We may share personal data with third parties outside Inderes if we believe that access to and use of personal data is reasonably necessary in order: (i) to comply with existing laws and regulations and/or with a court order; (ii) to detect and prevent misuses, criminal offenses, technical disruptions, and security problems; and/or (iii) to ensure the safety and property protection of Inderes and the Service Users and fulfillment of public interest. We will inform the User directly of such data processing, if possible, in the case in question. Other legitimate reasons. If Inderes is a party to a merger, business acquisition or other business transaction, we may transfer your personal data to a third party involved in the process. However, we will continue to ensure the confidentiality of all personal data we transfer. We will inform any registered Users separately whose personal data will be transferred in such a situation or whose personal data are transferred to be covered by another privacy statement. The data are used with your express consent. We may share personal data with third parties outside Inderes if we have explicit consent from the User to do so. The User has the right to withdraw their consent at any time. DATA SECURITY PRINCIPLES Data will be stored in a technically secure location. Physical access to the data is prevented by means of access control and other security measures. Access to the data requires sufficient rights and multi-phase identification. Unauthorized access is also prevented by means of e.g. firewalls and other technical protection measures. Data contained in the register can only be accessed by a file controller and separately named technical persons. Only the named persons have the right to process and maintain information contained in the register. These persons are bound by confidentiality obligation. Back-ups are made of the data contained in the register in a secure manner and the data can be re-stored where needed. The level of information security is audited regularly through either external or internal audits. MARKETING AUTOMATION Our Service may employ marketing automation programs from vendors operating on Inderes’ client’s behalf. In such a case, you may enter our Service with a URL that contains a unique ID that is used that the visitor entering is our Service is a specific person as identified in the third-part marketing automation system. Our Service collects this ID, and sends it back to our client’s marketing automation system, along with details regarding your visit in our Service (visiting time, number of times visited). Inderes does not sell, rent or give away personal data that identifies individuals to any external party, except to client affiliates who are using Inderes’ Service to offer video content to their target audience. By using this website, you consent to the processing of data about you in the manner and for the purposes set out above. STORAGE PERIOD Inderes does not store personal data for longer than is permitted by law and necessary for the purposes of this Privacy Statement. The length of the storage period depends on the nature of the personal data and the purpose for which it is processed. The maximum time may therefore vary depending on the purpose of use. YOUR RIGHTS Right to check data You have the right to have access or to receive a copy of the personal data we process about you. We may refuse to provide you with a copy of your personal data if such a procedure would jeopardize the rights and freedoms of others. Right to withdraw a consent If processing of your personal data is based on your consent, you may at any time withdraw your consent. The withdrawal of consent shall not affect the legality of the processing of personal data carried out prior to the withdrawal. Right to rectify data You have the right to correct or complement incorrect or incomplete personal data we have stored. Right to delete data You can also ask us to completely delete personal data about you from our systems. We will complete such a request unless we have a legal basis for not deleting the data. Right to object to processing of data You have, based on special personal circumstances, the right to object to the processing of your personal data on the basis of our legitimate interest. We will comply with your request unless we have a legal basis to act differently. When you object to further processing of your personal data, your ability to use the Service may be reduced. Right to restrict processing of data You may require us to restrict the processing of your personal data, for example, during the deletion or correction of your data and/or when we do not have a legal basis for processing your data. This can also reduce your ability to use the Service. Right to transfer data You have the right to receive all your personal data in a commonly used format. You then have the right to independently transfer this data to a third party. How to exercise your rights The above rights can be exercised by sending a letter or e-mail to the above-mentioned addresses that includes the following information: Full name, address, e-mail address and telephone number. We may request any additional information necessary to confirm your identity. We may reject requests that are too frequent, excessive or clearly appear unfounded or unreasonable. REFERRAL TO AN AUTHORITY If you believe our processing processes of personal data to be contrary to applicable data protection legislation, you can file a complaint with your local supervisory authority. CYBER SECURITY We take administrative, organizational, technical, and physical precautions to protect the personal data we collect and process. These measures include, where possible, e.g., encryption, pseudonymization, firewalls, safe storage facilities, and systems that are protected with restricted access rights. Our security is designed to ensure the continuous confidentiality, integrity, availability and fault tolerance of our processing systems, and the ability to recover data with appropriate security. If, despite our security efforts, there is a security breach that is likely to have a negative impact on your privacy, we will inform the relevant registered subjects as well as the appropriate authorities if required by applicable data protection regulations as soon as possible of the security breach.