This privacy policy describes how Secapp Oy processes the personal data of its current and potential customers’ (“Customer”) contact persons in customer activities and marketing. This policy is written in accordance with the Finnish Data Protection Act (1050/2018) and the EU General Data Protection Regulation (GDPR) as a document for the purpose of informing the data subjects.

Secapp Oy sells the Secapp service which it delivers to different customers and user groups. Note: This policy describes only the data related to customer relationships, not data of the users of Secapp service. In the Secapp service, each Customer acts as the personal data controller for the Secapp service data in their customer account and there is a separate privacy policy on our web site regarding the Secapp service:

Prepared on 13.4.2022. Last updated 10.7.2023


The personal data controller responsible for the customer and marketing data described here is:

Secapp Oy
Business ID 2411828-1
Viitaniementie 21 E 47, 40720 JYVÄSKYLÄ, Finland


For more information about the personal data processing in marketing and customer relations, please contact either the data protection officer Antti Hämäläinen, or the marketing responsible person Samu Häkkinen.


The purpose of processing personal data is the customer communication, customer support and marketing related to offering the Secapp service.

The legal basis for the processing of personal data in accordance with the EU General Data Protection Regulation is the legitimate interest of Secapp Oy, based on fulfilling the agreement (Customer agreement) between the Customer and Secapp Oy, maintaining the customer relationship or marketing for the purpose of establishing a customer relationship.


The types of personal data and group of data subjects are as follows:

The contact persons of the Customer or a potential Customer subject to marketing (“Customer”):

– Contact information, such as Customer organization, name, job title, telephone number, email, address, and information of changes in this data
– Information about sent marketing communications and potential correspondence or information about restriction to marketing, including response statistics to communications such as opening marketing emails and clicking links within them
– Communication to customer support by Customer’s users and related data, such as correspondence or chat discussion.
– Additionally, other data may be stored related to maintaining a potential customer relationship, such as notes, information about newsletter subscriptions, contact requests, meetings, event participation or ordered services.

Customer’s main users and contract related contact persons, in addition to the above data:

– Data related to invoicing and collections of the organization
– Data related to the customer and contract relationship, such as products and services, opening and termination dates, data about the salespersons and data related to implementing communications
– User accounts and other authentication data of the Customer organization.
– Reference articles and comments agreed with the contact person may include images and video or audio recordings, if the person has participated in creating such recordings for this purpose.


Personal data is collected at the beginning of the customer relationship or registration, when the organization is using the service, or otherwise directly from the data subject.

Contact information for new Customers is also collected from public sources, such as the WWW site of the Customer’s organization, so that the job role of the Customer contact person is assumed to be related to decisions about the services sold by Secapp Oy.

Other information stored by Secapp Oy is acquired from the person representing the Customer, for example from data sent via WWW forms, email or telephone, and from contracts, customer meetings and other situations in which the Customer transfers their data to Secapp Oy.

Secapp Oy does not collect personal data from a commercial or third party with the exception of contact lists for organizations, which are a target group for Secapp services, for the purpose of marketing. This may include organizations identified based on a website visitor’s consent to tracking cookies.


Secapp Oy also does not transfer personal data to third parties, unless this is separately agreed with the Customer. Secapp Oy may, however, transfer personal data within the limits permitted and required by applicable legislation, e.g. when responding to requests for information from the authorities. Storing and processing of the data may be partially outsourced to third party service providers, and data related to customer relationships and marketing may be stored and processed on behalf of Secapp Oy. At the moment, such cloud services and platforms include e.g. the following for the following purposes:

  • Pipedrive CRM: data related to customer relationships
  • Google Workspace: correspondence, calendar entries and files related to customer relationships
  • Docue: contract management, contact information related to customer agreements
  • Trustmary: articles, comments and possibly video and audio recordings made by reference customers
  • Netvisor: financial management system, contact information related to customer invoicing
  • Request Tracker (on Secapp Oy’s own servers): customer communications with the support service and related material 
  • Matomo and Dealfront: analysis of website visitor information, more information available in the Cookie settings link at the bottom of this page

Furthermore, Secapp Oy may itself in some cases use the Secapp service to store customer relationship data, such as when Secapp Oy customer support creates on its own account group chats with Customer’s main users.

Secapp Oy web pages are also using cookies, which the web page visitor is requested to accept or decline, and which are described in a separate document on the web pages.

Secapp Oy assures that any possible outsourcing is done in accordance with the data protection legislation and that the service providers do not use the personal data for their own purposes. In these situations Secapp Oy has made the necessary, appropriate agreements about the processing of personal data and ensured that the data is processed according to the personal data legislation.

For clarity we emphasize that this does not include any data stored in the Secapp service itself on behalf of Customers. Processing of that data is described in a separate document and is based on a separate agreement with Customers.


The personal data stored by Secapp Oy is protected by technical and organizational methods. The data is collected and saved to systems used by Secapp Oy using telecommunication connections. The connections required to use service providers’ systems are encrypted, and the service provider systems are used with personal user accounts and passwords so that only those people who require the data for their work have access to it. Secapp Oy personnel have been instructed about the legislation related to personal data processing and about information security considerations.

Secapp Oy shall process personal data as long as required for the purposes described here, and at least as long as the customer relationship exists or there is active communication with the Customer. Any data deemed to be unnecessary or expired will be erased. Some data, such as log data and data related to the ordering, delivery or invoicing of the service, may be stored for a longer period of time than other data, in order to ensure the legitimate interests, privacy and legal rights of Secapp Oy, Customer and data subjects, in ways allowed by the legislation.


The data subject has several rights under the EU’s general data protection regulation, including the right to inspect the personal data stored in the systems of Secapp Oy and the right to request rectification. The request to inspect may be done without charge once a year. The data subject also has the right to request erasing their data (“right to be forgotten”) from Secapp Oy systems, after the data is no longer required for the purposes it has been collected for. The data subject also has other rights based on the EU general data protection regulation, such as the right to restrict the processing in certain situations.

In order to prevent unwanted marketing, we recommend informing Secapp Oy of a marketing ban instead of requesting full removal of data, because without such a marketing ban, the erased contact person may later again become a target for marketing from public sources.

Requests related to data subject rights should be addressed to Secapp Oy in writing and signed using the above contact information, or electronically to the contact persons listed above under “Data controller”.

The controller will respond to the data subject within the time limit set by the EU Data Protection Regulation (generally within one month). Secapp Oy may need to identify the data subject or request other additional information, in order to ensure the requester has the right to make the request. Secapp Oy wishes that any possible disagreement related to personal data processing will be primarily resolved amicably between the parties. The data subject also has the right to lodge a complaint about the processing of personal data with the supervisory authority.