Privacy policy for user

This privacy policy is based on the requirements of the EU General Data Protection Regulation. Last updated: 29th October 2019.

Data controller

Name: Kivra Oy

Business ID: 2918721-9

Visiting address: Miestentie 9 C, 02150 Espoo, Finland

Contact person for the register

Kivra Oy, tietosuoja@kivra.fi

Name of the register and data subjects

Kivra Oy’s user register.

Kivra’s user register is used in connection with Kivra’s services (electronic mailbox and any Additional Services).

For the sake of clarity: Kivra serves as the controller for data concerning the Users of the Service. The sender organisation serves as the controller with regard to the creation of electronic documents and their transmission to the User. In such cases, the sender organisation is responsible for personal data processing. Kivra serves as the personal data processor on behalf of the sender and processes personal data in accordance with the instructions provided by the sender organisation.

What is personal data?

Personal data includes all data that can be connected to a live natural person directly or indirectly. Examples of personal data include name, email address, telephone number, postal address, personal identity code and IP address. The register consists of personal data.

Legal basis and purpose of personal data processing
Personal data content of the register:
  • Personal identity code
  • Email address
  • Mobile phone number
  • Name
  • Postal address
  • IP address
  • Device ID
  • Information collected about the use of services (such as sign-in information)
Data source:

The data source for personal data are Telia Identification – strong digital authentication, Population Information System of the Population Register Centre and User self when entering data and using the Service. Also Kivra can be the data source in connection with using the Service and sending email to Kivra and in connection with each sign-in. 

Kivra may continuously update the User’s personal identity code, name and postal address by checking it against the Population Information System of the Population Register Centre to ensure that the personal data is up to date and accurate.

Purpose:

The purpose to process personal data is to identify the User unequivocally as the User of the Service.  Unambiguous identification of the user is important to ensure that electronic documents are delivered to the right person, which is essential for privacy protection. This means that Kivra and the Sender use personal data to identify the recipients of electronic documents. Identification takes place by Kivra comparing Users’ personal data and to the personal data of the recipients of documents transmitted by the Sender’s. Also Sender can do this identification by comparing the personal data of the document’s recipient with a list of some personal data element of Kivra’s Users.

Personal identity code is used to request your name and address information from the Population Register Centre.

Personal data may be also used to verify that the data subject is who they claim to be, to implement security questions and other security measures, for example.

Your email address serves as your user ID and is used to identify you when you sign in to the Service. Your mobile phone number is used to send you a one-time password each time you sign in to the Service. This is called two-factor authentication, and its purpose is to ensure the security of your user account.

Kivra may use email address and mobile phone number when informing the User about important matters related to the Service, such as new electronic documents and terms and conditions. In terms of security, it is necessary for Kivra to have connection to both email address and mobile phone number so that Kivra can inform the data subjects when they have new documents to process in the Service (however, the data subjects can opt out of email notifications about unread documents and unprocessed payments through the Service). Please note that some of the communication related to the Service, such as amendments to the terms and conditions, cannot be refused.

Names are used in communication to make Kivra’s services more personal. This means, for example, addressing the recipient at the beginning of the message: “Hello, X”.

IP addresses are stored in log files in Kivra’s system for 45 days to ensure that Kivra can perform the necessary troubleshooting, defend against attacks and dangerous situations and further develop the Service (mainly in terms of security).

We need your device ID to send push notifications to your mobile device. The device ID is used for fingerprint login. The device ID may be used for product development related to the Service (mainly in terms of security).

Other information collected about the use of services (such as sign-in information) is processed to maintain and further develop the Service.

Legal basis:

The legal basis is the agreement between the User and Kivra (in the context of registration and the acceptance of Kivra’s general terms and conditions) and legitimate interest ( motivated by Kivra’s strong need to defend against attacks and dangerous situations and to continuously improve the Service and its security and Kivra’s strong need to notify the User that they will receive electronic documents sent to the Service by a new Sender). The processing of personal identity code is based on the User consent on processing comparable to the activities referred to in section 29 (2) of the Data Protection Act.

Personal data protection

Kivra’s employees have been provided with basic information about data protection, and Kivra seeks to ensure, through its operations, that personal data is processed appropriately. The databases in which personal data is stored are protected by means of firewalls, passwords and other technical measures. Backup copies of the databases are made on a regular basis. The databases and their backup copies are stored in locked and guarded facilities. The databases can be accessed only by employees whose duties require access to personal data. The employees processing personal data are bound by a non-disclosure obligation.

How long will personal data be stored?

Kivra has clear guidelines and practices for deleting personal data. This means that personal data will be stored only for as long as there is a basis for its storage – that is, for as long as its purpose of use so requires.

For some of the personal data that will be processed, the storage periods are affected by statutory regulations and security considerations.

Agreement:

Personal data for which the legal basis is an agreement will be processed for as long as you use the Service.

If the use of the Service is interrupted or discontinued, all personal data that Kivra has collected concerning you will be removed from the Service forty-five (45) days after you have closed the Service (see the general terms and conditions for the Service). This time period has been selected to enable the User to transfer and store their documents elsewhere and to give them time to have their documents sent to another channel.

Customer service:

Personal data that Kivra processes concerning the data subject in connection with customer service will be stored for up to 180 days. This data storage is necessary for Kivra to be able to help the data subject and to monitor matters related to customer service.

Population Information System log data:

Personal identity codes that Kivra processes in connection with services will be stored in the Population Information System log data for five (5) years. This data storage is necessary for Kivra to be able to detect, monitor, manage and rectify security measures related to personal data.

Application log:

Personal data processed in connection with services will be stored in application logs for forty-five (45) days after the Service has been closed. Application logs are used only internally at Kivra.

Who has access to personal data?

We process personal data with utmost accuracy and care. We respect everyone’s right to personal data protection. Kivra never sells personal data to third parties or otherwise exposes it to personal data breaches. Furthermore, Kivra does not disclose or otherwise use personal data for purposes other than those mentioned above.

Personal data is processed only by employees whose duties require them to process personal data

Kivra implements all necessary legal, technical and organisational measures to ensure that personal data is processed securely, with an appropriate level of protection. This concerns Kivra internally, in addition to third parties with whom Kivra cooperates. Personal data can be accessed only by employees who need to process personal data to fulfil the purposes mentioned above. All employees processing personal data are bound by an appropriate non-disclosure obligation.

Kivra’s subcontractors and companies belonging to the same group of companies as Kivra

In providing the Service, Kivra may use subcontractors and other companies belonging to the same group of companies. Subcontractors provide Kivra with information technology services, for example. Subcontractors and companies belonging to the same group of companies as Kivra may process personal data on behalf of Kivra. In such an event, Kivra is obligated to ensure that the party in question processes personal data in accordance with the data protection legislation and only for the purpose that Kivra communicates to the data subject in accordance with the table above. The transfer of personal data requires that the organisations receiving and processing the personal data have entered into an agreement with Kivra regarding the lawful processing of personal data.

Population Registration Centre

Kivra may check your personal data against the state personal data register (Population Information System of the Population Register Centre) to ensure that the personal data Kivra stores about the data subject is up to date and accurate.

The authorities

Kivra may disclose personal data to the authorities, such as the police, if required by law to do so.

Where is the personal data processed?

Kivra usually processes personal data in Finland. In certain circumstances, however, the technical implementation of the Service may require personal data to be processed in another EU or EEA country and exceptionally even in a non-EU or non-EEA country. If Kivra needs to use a subcontractor in a non-EU or non-EEA country, Kivra ensures that the personal data is processed lawfully, by means of contract arrangements in accordance with the European Commission’s standard contractual clauses, for example.

Automatic decision-making

Kivra will not engage in automatic decision-making or profiling based on your personal data.

What are the data subject’s rights?

If you so wish, you may contact Kivra for more information about personal data processing or to exercise your rights related to personal data processing. To do so, please contact Kivra at tietosuoja@kivra.fi.

Your rights concerning personal data processing:

You have the right to obtain information about the collection and processing of your personal data. Personal data processing must be transparent.

You have the right to access your personal data, meaning that you are entitled to obtain confirmation from Kivra as to whether or not Kivra is processing personal data concerning you. You are also entitled to obtain a copy of the personal data Kivra has collected about you. In your request, please specify clearly what data you wish to obtain. The data is free of charge and will be sent to you as a letter to Kivra, or by some other electronic means, without undue delay, within one (1) month. If you have several requests or your request is complicated, the time limit may be expanded by two months. The extension of the time limit must be justified to you. If Kivra is unable to provide you with the requested data, Kivra has the obligation to explain the justifications.

You have the right to request that your personal data be rectified. It is important that the personal data processed by Kivra concerning you be accurate. If your telephone number, email address or other contact details change, or if you notice that we have inaccurate, erroneous or insufficient information about you, you have the right to request that we rectify the data.

In certain circumstances, you have the right to request that your personal data be erased and the “right to be forgotten” without undue delay. For example, if the data is no longer necessary for the purpose for which it was collected, you have the right to be forgotten. However, this right cannot be exercised if Kivra is required by law to store some of your personal data. If you request that your personal data be erased, Kivra will erase all personal data concerning you that can be erased. However, Kivra will erase your personal data without request once there no longer are legal or other obligations for its storage.

In certain circumstances, you have the right to request that Kivra restrict the processing of your personal data. For example, personal data processing may be restricted if you have requested that we rectify your data and it is taking us a long time to fulfil your request. In such an event, we will restrict the processing of your personal data until we have fulfilled your request.

In certain circumstances, you have the right to transfer your personal data from one system to another. This means that you have the right to receive the personal data you have provided to us in a structured, commonly used and machine-readable format and to transfer the data to another controller. You have the right to have your personal data transferred directly to another controller only if this is technically possible.

In certain circumstances, you have the right to object to the processing of your personal data, meaning that you have the right to request that your personal data not be processed at all. You are entitled to this right if the personal data processing is based on a legitimate interest (see above for more information about such cases). In your request, please specify what you object to in terms of processing.

Kivra will respond to your request within one (1) month of receiving it, unless Kivra has specific reasons to extend the response time. If necessary, Kivra may ask the sender of the request to verify their identity and to specify the request further. The measures related to the request will be implemented without delay after the response, unless otherwise stipulated. Kivra may refuse your request based on the applicable law.

Where can I file a complaint?

If you believe that Kivra is processing your personal data in violation of the applicable data protection legislation, we want you to inform us about this. You can contact Kivra at tietosuoja@kivra.fi. You also have the right to file a complaint with the Office of the Data Protection Ombudsman. For more information, visit the website of the Office of the Data Protection Ombudsman at www.tietosuoja.fi.

Updating this privacy policy

Kivra reserves the right to make changes to this privacy policy at any time, since Kivra is developing the Service continuously. Updates may also be made in connection with amendments to laws. The changes will come into effect once the updated policy has been published. For this reason, we ask you to study this privacy policy at regular intervals. The newest version of the privacy policy can always be found on Kivra’s website.


Data controller

Name: Kivra Oy

Business ID: 2918721-9

Visiting address: Miestentie 9 C, 02150 Espoo, Finland


Contact person for the register

Kivra Oy, tietosuoja@kivra.fi


Name of the register and data subjects

Kivra Oy’s user register.

Kivra’s user register is used in connection with Kivra’s services (electronic mailbox and any Additional Services).

For the sake of clarity: Kivra serves as the controller for data concerning the Users of the Service. The sender organisation serves as the controller with regard to the creation of electronic documents and their transmission to the User. In such cases, the sender organisation is responsible for personal data processing. Kivra serves as the personal data processor on behalf of the sender and processes personal data in accordance with the instructions provided by the sender organisation.


What is personal data?

Personal data includes all data that can be connected to a live natural person directly or indirectly. Examples of personal data include name, email address, telephone number, postal address, personal identity code and IP address. The register consists of personal data.


Legal basis and purpose of personal data processing
Personal data content of the registerData sourcePurposeLegal basis
Personal identity codeTelia
Identification – strong digital authentication
Your personal identity code is used to identify you unequivocally
as a User of the Service. We also use your personal identity code to request your name and address information from the Population Register Centre.
Unambiguous identification of the user is important to ensure that electronic documents are delivered to the right person, which is essential for privacy protection.
Kivra may continuously update the User’s personal identity code by checking it against the Population Information System of the Population Register Centre to ensure that the personal data is up to date and accurate.
User consent
The processing of a personal identity code is also based on processing comparable to the activities referred to in section 29 (2) of the Data Protection Act
Email addressUserYour email address serves as your user ID and is used to identify you when you sign in to the Service.
The email address is one of four ways by which to match documents with Users. This means that Kivra and the Sender can use email addresses to identify the recipients of electronic documents. Identification takes place by Kivra comparing Users ́ addresses to addresses of the recipients of documents transmitted by the Sender’s. Also Sender can do identification by comparing the email address of the document’s recipient with a list of the email addresses of Kivra’s Users.
Email addresses are used when, for example, sending information about new Senders to the User (the User may opt out of such emails using a link in the newsletters). Kivra has the right to inform the User when a new Sender starts sending documents to the Service.
Kivra may use email address when informing the User about important matters related to the Service, such as new electronic documents and terms and conditions. In terms of security, it is necessary for Kivra to have connection to both email addresses and mobile phone numbers so that Kivra can inform the data subjects when they have new documents to process in the Service (however, the data subjects can opt out of email notifications about unread documents and unprocessed payments through the Service). Please note that some of the communication related to the Service, such as amendments to the terms and conditions, cannot be refused.
Agreement between the User and Kivra (in the context of registration and the acceptance of Kivra’s general terms and conditions)
Legitimate interest (motivated by Kivra’s strong need to notify the User that they will receive electronic documents sent to the Service by a new Sender)
Mobile phone numberUserYour mobile phone number is used to send you a one-time password each time you sign in to the Service. This is called two-factor authentication, and its purpose is to ensure the security of your user account.
The mobile phone number is one of four ways by which to match documents with Users. This means that Kivra and the Sender use mobile phone numbers to identify the recipients of electronic documents.
Identification takes place by Kivra comparing Users ́ numbers to numbers of the recipients of documents transmitted by the Sender’s. Also Sender can do identification by comparing the numbers of the document’s recipient with a list of the numbers of Kivra’s Users.
Kivra may use mobile phone numbers when informing the User about important matters related to the Service, such as new electronic documents and terms and conditions. In terms of security, it is necessary for Kivra to have access to both email addresses and mobile phone numbers so that Kivra can inform the data subjects when they have new electronic documents to process in the Service.
Agreement between the User and Kivra (in the context of registration and the acceptance of Kivra’s general terms and conditions)
Legitimate interest (motivated by Kivra’s strong need to notify the User that they will receive electronic documents sent to the Service by a new Sender)
Name and postal addressPopulation Information System of the Population Register CentreName and address information is one of four ways by which to match documents with Users. This means that Kivra and the Sender use this information to identify the recipients of electronic documents.
Identification takes place by Kivra comparing Users ́ addresses and names to addresses and names of the recipients of documents transmitted by the Sender’s. Also Sender can do this identification by comparing the addresses and names of the document’s recipient with a list of the addresses and names of Kivra’s Users.
Agreement between the User and Kivra (in the context of registration and the acceptance of Kivra’s general terms and conditions)
NamePopulation Information System of the Population Register CentreNames are used in communication to make Kivra’s services more personal. This means, for example, addressing the recipient at the beginning of the message: “Hello, X”.
Names may be used to verify that the data subject is who they claim to be, to implement security questions and other security measures, for example.
Kivra may continuously update the User’s name information by checking it against the Population Information System of the Population Register Centre to ensure that the personal data is up to date and accurate.
Agreement between the User and Kivra (in the context of registration and the acceptance of Kivra’s general terms and conditions)
Postal addressPopulation Information System of the Population Register CentreKivra may continuously update the User’s address information by checking it against the Population Information System of the Population Register Centre to ensure that the personal data is up to date and accurate.Agreement between the User and Kivra (in the context of registration and the acceptance of Kivra’s general terms and conditions)
IP addressKivra (in connection with using the Service and sending email to Kivra)IP addresses are stored in log files in Kivra’s system for 45 days to ensure that Kivra can perform the necessary troubleshooting, defend against attacks and dangerous situations and further develop the Service (mainly in terms of security).Agreement between the data subject and Kivra (in the context of registration and the acceptance of Kivra’s general terms and conditions)
Legitimate interest (motivated by Kivra’s strong need to defend against attacks and dangerous situations and to continuously improve the Service and its security)
Device IDKivra (in connection with each sign-in)We need your device ID to send push notifications to your mobile device.
The device ID is used for fingerprint login.
The device ID may be used for product development related to the Service (mainly in terms of security).
Agreement between the data subject and Kivra (in the context of registration and the acceptance of Kivra’s general terms and conditions)
Legitimate interest (motivated by Kivra’s strong need to ensure the functionality of the Service regardless of device type, to defend against attacks and dangerous situations and to continuously improve the Service and its security)
Information collected about the use of services (such as sign-in information)UserTo maintain and further develop the ServiceLegitimate interest (motivated by Kivra’s strong need to ensure the functionality of the Service regardless of device type, to defend against attacks and dangerous situations and to continuously improve the Service and its security)

Personal data protection

Kivra’s employees have been provided with basic information about data protection, and Kivra seeks to ensure, through its operations, that personal data is processed appropriately. The databases in which personal data is stored are protected by means of firewalls, passwords and other technical measures. Backup copies of the databases are made on a regular basis. The databases and their backup copies are stored in locked and guarded facilities. The databases can be accessed only by employees whose duties require access to personal data. The employees processing personal data are bound by a non-disclosure obligation.


How long will personal data be stored?

Kivra has clear guidelines and practices for deleting personal data. This means that personal data will be stored only for as long as there is a basis for its storage – that is, for as long as its purpose of use so requires.

For some of the personal data that will be processed, the storage periods are affected by statutory regulations and security considerations.

Agreement:

Personal data for which the legal basis is an agreement will be processed for as long as you use the Service.

If the use of the Service is interrupted or discontinued, all personal data that Kivra has collected concerning you will be removed from the Service forty-five (45) days after you have closed the Service (see the general terms and conditions for the Service). This time period has been selected to enable the User to transfer and store their documents elsewhere and to give them time to have their documents sent to another channel.

Customer service:

Personal data that Kivra processes concerning the data subject in connection with customer service will be stored for up to 180 days. This data storage is necessary for Kivra to be able to help the data subject and to monitor matters related to customer service.

Population Information System log data:

Personal identity codes that Kivra processes in connection with services will be stored in the Population Information System log data for five (5) years. This data storage is necessary for Kivra to be able to detect, monitor, manage and rectify security measures related to personal data.

Application log:

Personal data processed in connection with services will be stored in application logs for forty-five (45) days after the Service has been closed. Application logs are used only internally at Kivra.


Who has access to personal data?

We process personal data with utmost accuracy and care. We respect everyone’s right to personal data protection. Kivra never sells personal data to third parties or otherwise exposes it to personal data breaches. Furthermore, Kivra does not disclose or otherwise use personal data for purposes other than those mentioned above.

Personal data is processed only by employees whose duties require them to process personal data.

Kivra implements all necessary legal, technical and organisational measures to ensure that personal data is processed securely, with an appropriate level of protection. This concerns Kivra internally, in addition to third parties with whom Kivra cooperates. Personal data can be accessed only by employees who need to process personal data to fulfil the purposes mentioned above. All employees processing personal data are bound by an appropriate non-disclosure obligation.

Kivra’s subcontractors and companies belonging to the same group of companies as Kivra

In providing the Service, Kivra may use subcontractors and other companies belonging to the same group of companies. Subcontractors provide Kivra with information technology services, for example. Subcontractors and companies belonging to the same group of companies as Kivra may process personal data on behalf of Kivra. In such an event, Kivra is obligated to ensure that the party in question processes personal data in accordance with the data protection legislation and only for the purpose that Kivra communicates to the data subject in accordance with the table above. The transfer of personal data requires that the organisations receiving and processing the personal data have entered into an agreement with Kivra regarding the lawful processing of personal data.

Population Registration Centre

Kivra may check your personal data against the state personal data register (Population Information System of the Population Register Centre) to ensure that the personal data Kivra stores about the data subject is up to date and accurate.

The authorities

Kivra may disclose personal data to the authorities, such as the police, if required by law to do so.


Where is the personal data processed?

Kivra usually processes personal data in Finland. In certain circumstances, however, the technical implementation of the Service may require personal data to be processed in another EU or EEA country and exceptionally even in a non-EU or non-EEA country. If Kivra needs to use a subcontractor in a non-EU or non-EEA country, Kivra ensures that the personal data is processed lawfully, by means of contract arrangements in accordance with the European Commission’s standard contractual clauses, for example.


Automatic decision-making

Kivra will not engage in automatic decision-making or profiling based on your personal data.


What are the data subject’s rights?

If you so wish, you may contact Kivra for more information about personal data processing or to exercise your rights related to personal data processing. To do so, please contact Kivra at tietosuoja@kivra.fi.

Your rights concerning personal data processing:

You have the right to obtain information about the collection and processing of your personal data. Personal data processing must be transparent.

You have the right to access your personal data, meaning that you are entitled to obtain confirmation from Kivra as to whether or not Kivra is processing personal data concerning you. You are also entitled to obtain a copy of the personal data Kivra has collected about you. In your request, please specify clearly what data you wish to obtain. The data is free of charge and will be sent to you as a letter to Kivra, or by some other electronic means, without undue delay, within one (1) month. If you have several requests or your request is complicated, the time limit may be expanded by two months. The extension of the time limit must be justified to you. If Kivra is unable to provide you with the requested data, Kivra has the obligation to explain the justifications.

You have the right to request that your personal data be rectified. It is important that the personal data processed by Kivra concerning you be accurate. If your telephone number, email address or other contact details change, or if you notice that we have inaccurate, erroneous or insufficient information about you, you have the right to request that we rectify the data.

In certain circumstances, you have the right to request that your personal data be erased and the “right to be forgotten” without undue delay. For example, if the data is no longer necessary for the purpose for which it was collected, you have the right to be forgotten. However, this right cannot be exercised if Kivra is required by law to store some of your personal data. If you request that your personal data be erased, Kivra will erase all personal data concerning you that can be erased. However, Kivra will erase your personal data without request once there no longer are legal or other obligations for its storage.

In certain circumstances, you have the right to request that Kivra restrict the processing of your personal data. For example, personal data processing may be restricted if you have requested that we rectify your data and it is taking us a long time to fulfil your request. In such an event, we will restrict the processing of your personal data until we have fulfilled your request.

In certain circumstances, you have the right to transfer your personal data from one system to another. This means that you have the right to receive the personal data you have provided to us in a structured, commonly used and machine-readable format and to transfer the data to another controller. You have the right to have your personal data transferred directly to another controller only if this is technically possible.

In certain circumstances, you have the right to object to the processing of your personal data, meaning that you have the right to request that your personal data not be processed at all. You are entitled to this right if the personal data processing is based on a legitimate interest (see above for more information about such cases). In your request, please specify what you object to in terms of processing.

Kivra will respond to your request within one (1) month of receiving it, unless Kivra has specific reasons to extend the response time. If necessary, Kivra may ask the sender of the request to verify their identity and to specify the request further. The measures related to the request will be implemented without delay after the response, unless otherwise stipulated. Kivra may refuse your request based on the applicable law.


Where can I file a complaint?

If you believe that Kivra is processing your personal data in violation of the applicable data protection legislation, we want you to inform us about this. You can contact Kivra at tietosuoja@kivra.fi. You also have the right to file a complaint with the Office of the Data Protection Ombudsman. For more information, visit the website of the Office of the Data Protection Ombudsman at www.tietosuoja.fi.


Updating this privacy policy

Kivra reserves the right to make changes to this privacy policy at any time, since Kivra is developing the Service continuously. Updates may also be made in connection with amendments to laws. The changes will come into effect once the updated policy has been published. For this reason, we ask you to study this privacy policy at regular intervals. The newest version of the privacy policy can always be found on Kivra’s website.