Personal Data File and Controller
Aiven Ltd as Data Controller
We have also designated a Data Protection Officer (“DPO”) to oversee our data protection related matters. If you have any questions or concerns about the way we use your data, you may contact our DPO by email at email@example.com.
What personal data do we process?
We collect personal data through different means, which are explained below in more detail. Personal data is mainly collected directly from the User in connection with the customer relationship or website activity.
The following personal data is processed in connection with the customer relationship:
- Information of the users of the services provided by us, such as full name, email address, job title, company name;
- Customer relationship details, such as the contract between Aiven and the customer, start and end date of customer relationship and services ordered;
- Billing information, such as credit card details, bank account information, payments made, outstanding invoices, and invoices delivered;
- Customer interaction, such as customer contacts, feedback and complaints;
- Interaction in the Aiven Community forum, such as messages sent in the Community forum; and
- Marketing communications.
We may contact potential customers and provide them relevant information about our services. For this purpose, the following information will be processed:
- User information, such as name, email address, job title, company name; and
- Marketing communications.
We collect some technical data automatically through the use of our website or services, which may be associated with Users. For this purpose, the following information will be processed:
- User’s IP address
- Type and device ID
- Browser type and version
- Geographical location based on the IP address
- Service access times
- Statistics on page views and time spent on pages
- Any other automatically collectible information
Special categories of personal data
We do not process special categories of personal data about our Users.
For what purpose and with what legal basis do we process personal data?
We process personal data for the following purposes:
Service provision based on contractual relationship with us
We process personal data when this is necessary under our contract with our customers and Aiven Community forum members, to provide our services and specific features selected by the customer, and to manage and maintain the customer relationship between us. In this case, the processing is based on the performance of the customer contract.
We process personal data for marketing purposes as follows:
- We send direct marketing via email based on our legitimate interest to provide Users with relevant information as part of our services and to promote our services. A User may unsubscribe from marketing emails at any time by clicking on the "unsubscribe" link located at the bottom of emails or by contacting us at firstname.lastname@example.org.
Personal data is not processed for automated decision-making.
Our legitimate interest
We process personal data to the extent this is necessary to fulfil our legitimate interests, which include our interests to:
- Effectively manage our relationship with our customers, including responding to queries, resolving technical issues, providing customer support and sending necessary information relating to our services.
- Improve our services by seeking feedback and performing data analytics on the usage of our website and services, and creating user group profiles and anonymous, aggregated statistics about the use of our website and services.
- Protect the security, availability and integrity of our services and information systems, including by using authentication mechanisms and other security measures, monitoring our systems for security threats, keeping back-ups, and carrying out system maintenance services.
- Protect our legal rights, including by handling complaints and exercising or defending legal claims.
- Share personal data with our subsidiaries to the extent necessary to provide our services, to manage and organize customer service, marketing and information security measures within the group in an appropriate and practical way, and to use shared IT systems within the group.
We process personal data to comply with legal requirements under applicable laws (e.g. tax and accounting obligations) and with court orders and requests by competent regulatory and governmental authorities.
What personal data do we disclose?
We disclose personal data to third parties as follows:
- to our subsidiaries for the purposes listed under Our legitimate interest heading above;
- to our third party service providers, including but not limited to hosting service providers, technology service providers, payment service providers and marketing providers;
- as required or permitted to comply with legal obligations, requests by competent authorities and courts and related legal proceedings;
- as required to establish, exercise or defend or to protect against legal claims; and
- to prospective sellers or buyers if we are involved in a merger, acquisition, or sale of all or a portion of our assets.
Do we transfer personal data outside the EU/EEA?
We store personal data on servers located in the European Union ("EU") provided by Google and Amazon Web Services.
We transfer personal data to our subsidiaries and third party service providers overseas, which may involve the transfer of personal data to countries outside the European Economic Area ("EEA") which have different data protection standards to those which apply in the EEA. For a list of the countries in which our subsidiaries and service providers operate, please see: aiven.io/subprocessors.
To the extent personal data is transferred to a country outside of the EU/EEA, we will use the required established mechanisms that allow the transfer to our subsidiaries and service providers in those countries, such as the Standard Contractual Clauses approved by the European Commission.
Please email us at email@example.com if you want further information on the specific mechanism used by us when transferring your personal data out of the EEA or to obtain a copy of any contractual clauses in place. Please note, however, that some details may be redacted for confidentiality reasons.
How long will we retain personal data?
- We retain personal data for the duration of the customer relationship and after that as required by legal obligations (e.g. accounting laws) or our contractual rights or obligations (e.g. for invoicing purposes).
- If a dispute arises or a customer fails to make payment for our services, we may retain relevant information until such dispute is resolved or until such payment is made.
- Where we process personal data for marketing purposes, we will delete or anonymise the data after one (1) year has lapsed from the last contact between us and the User, or when the User asks us to stop marketing and for a short period after this (to allow us to implement the request). More information regarding data retention for marketing purposes and the User's rights in this respect can be found under the User Rights heading below.
What rights does the user have?
Users have the following rights:
- The right to request access to personal data about himself/herself;
- The right to object to processing that is based on legitimate interest;
- The right to object to processing for marketing purposes and the right to opt out of receiving future direct marketing;
- If processing of personal data is based on consent, the User has the right to withdraw consent at any time. The withdrawal will not affect the lawfulness of the processing carried out before the withdrawal; and
- The right to data portability, meaning the right to receive the personal data in a structured, commonly used machine-readable format and transmit the personal data to another data controller, to the extent required by applicable law. This applies for personal data processed based on contract or the User's consent.
Should the User wish to exercise his/her above-mentioned rights, please send a request to us at firstname.lastname@example.org.
Clauses for Users in California
Users that are California Residents have specific rights to control their personal information. To read more about these rights based on the California Consumer Privacy Act (“CCPA”) and California Privacy Rights Act (CPRA) please see our Privacy Notice for California Residents.
What security measures have we taken?
We have implemented reasonable technical and organizational measures to secure the personal data processed against unauthorized access, against accidental or unlawful destruction, manipulation, disclosure and transfer and against other unlawful processing. For instance, any physical data is stored in locked facilities and access to automatically processed data is limited by user rights and passwords within our organization.
Please be aware that, although we endeavor to provide reasonable security measures for personal data, no security system can prevent all potential security breaches.