Our Privacy Policy

v2.0 18 May 2018

Who are we

We are Contract Mill, a Finnish company developing a document automation platform for lawyers. We respect your privacy and we are committed to protect it. If there is anything you want to ask about your privacy, please email us at info@contractmill.com.

Our official data: Contract Mill Oy Business ID: 2776605-7 Address: Kampinkuja 2, 00100 Helsinki Contact person: Hannele Korhonen hannele@contractmill.com +358 50 514 7776

We as data controller and data processor

If you are reading this, you are probably either

our client
user of our service
website visitor or
you are receiving marketing communication from us

This privacy policy explains how we process your personal data as a data controller. We also process personal data as a data processor when we process contracts or other legal documents submitted to our service and those documents include personal data. In this case the data controller is the client who submitted the documents to our service, and we process such personal data in accordance with a contract we have with our client.

We collect and process the following data

Data you give	Data we collect	Why the data is needed	Legal basis	Our role
Browsing in our website			Legitimate interests: our interest in being able to provide a smooth user experience on our website as well as being able to improve the service further.	Data controller
	Latest IP address	To maintain and improve services
	Information on your OS and browser	To maintain and improve services
	Information on your use of CM website	To maintain and improve services
Request of demo / registration			Contract, Consent, Legitimate interests: our interest in sending information regarding our service to those who specifically express that they are interested in the service.	Data controller
Name		To provide the requested service
Email address		To provide the requested service
Title		To provide the requested service
Phone number		To provide the requested service
Organisation details		To provide the requested service
Opt-in to marketing		To send you our newsletter and other updates
Information relating to you or your organisation which you may provide us when communicating with us		To provide the requested service and manage the business relationship
Using Contract Mill			Contract, Legitimate interests: our interest in being able to improve the service further and provide relevant content to interested clients
Email addresses of users in your organisation	Latest IP address	To provide the requested service		Data controller
Personal data in your contracts		To provide the requested service		Data processor
Email addresses when sending Self-Check-In or Do-It-Yourself Documents		To provide the requested service		Data processor
	Information on your OS and browser	To provide the requested service		Data controller
	Contract data that is anonymised	To develop and provide the requested service		Data controller
	Information on your use of Contract Mill service	To provide the requested service		Data controller
Information relating to you or your organisation which you may provide us when communicating with us		To provide the requested service and manage our business relationship with you		Data controller

If you are our client and opt-out from our marketing communications, we may still send you non-promotional information, such as emails about your subscription.

Marketing: We collect and process the following data

Data you give	Data we collect	Why the data is needed	Legal basis	Our role
Subscribe to our newsletter			Consent	Data controller
Name		To send you our newsletter and other updates
Email address		To send you our newsletter and other updates
Phone number		To send you our newsletter and other updates
Opt-in to marketing		To send you our newsletter and other updates
Outbound marketing			Legitimate interest: our interest in extending our network and sending information about our service to those we think will be interested	Data controller
	Name	To send or target marketing to you
	Email address	To send or target marketing to you
	Role in the organisation	To send or target marketing to you
	Organisation details	To send or target marketing to you
Information relating to you or your organisation which you may provide us when communicating with us		To communicate with you and manage our business relationship with you

Sources from where we get your data

From you	when you subscribe to our newsletter when you request for demo or sign up when you import or type in personal data in your templates or documents when you send emails from Contract Mill when you communicate with us using different communication channels
From your use of services	when you browse our website when you use Contract Mill service
From third parties	public company registers company directories

Third parties processing your data

Your data may be shared with some of our third party service providers. Your data is shared only when necessary and in strict compliance with our privacy policy and the applicable data protection regulations.

	Service provider	Purpose	Location
Infrastructure	Heroku	Used for web hosting	EU and US (Privacy Shield)
	Amazon Web Services	Used for web hosting	EU
	Google G-suite	Our email accounts and document management	EU and US (Privacy Shield)
Analytics	Google Analytics	Used for website analytics	EU and US (Privacy Shield)
Communications	Mailgun	Used for email deliverability	US (Privacy Shield)
	Pipedrive	Used for client relationship management (CRM)	EU and US (Privacy Shield)
	Mailchimp	Used for our newsletter	US (Privacy Shield)
	Netvisor	Used for invoicing	EU
	Hubspot	Used for target marketing	US (Privacy Shield)
	Calendly	Used for meeting scheduling	US (EU Commission Standard Contractual Clauses)
Subcontractors	Kisko Labs Oy	Software development	FI
	Difogic Oy	Software development	FI

Cookies

What?	Cookies are strings of information that may be stored on your computer to recognise and track visitors. Information collected based on cookies can be connected to individual website visitors only based on the IP address, which we as such cannot (and do not want to) use to identify any specific persons.
Why?	We use only necessary cookies to run and improve our services
How?	For this purpose we use Google Analytics, which is a service provided by Google, Inc. For an overview of Google Analytics, please visit https://www.google.com/analytics
Your rights	You can turn off cookies by changing your browser settings

For how long do we process your personal data

Client data	We keep the personal data for the duration of the contract and max 2 years after that.
Marketing data	We keep the personal data of non-clients for marketing purposes max 2 years after collecting the personal data. If you use your right to opt-out from receiving marketing messages, we will delete your personal data from our marketing database without delay.
Website users	We keep the personal data of website users max 1 year after collecting the data.

How we protect your data

Secure communication	All connections between you and our service is secured over HTTPS using certificates from an established and reliable independent CA.
Secure infrastructure	Our service runs on Amazon EBS and contract data is stored in Amazon S3. Data integrity and database backups are handled by Heroku. Our service has built-in protection for CSFR attacks.
Document security	Your documents can be accessed by only such users of your organisation with an active authenticated session. The authoritative authentication store is managed by the application and is not accessible by any other application. User-inputs are technically prevented from injecting malicious code-scripts to our service.
Access to the personal data requires username and password	User credentials are stored only using industry standard cryptographic hashes and has salting.
Users of the personal data bound by confidentiality obligations	Only authorised staff that are committed to the strict confidentiality obligations can access the data.

However, no method of transmission over the internet or method of electronic storage is 100% secure. We cannot warrant the security of the data you transmit to or store in our service.

Your rights

Right to access	You have the right to access your personal data.
Right to correct	You have the right to have any inaccurate information about you corrected.
Right to object	You have the right to object to processing of personal data which is based on our legitimate interest.
Right to restriction	You have the right to request the restriction of processing for example when you think that the personal data we process about you is not accurate.
Right to opt-out	You have the right to opt-out of any marketing communication from us.
Right to be forgotten	You have the right to request deletion of your personal data at any time.
Right to complain	You have the right to lodge a complaint with a supervisory authority.
Right to data portability	You have the right to port your data to another service.

If you wish to make a request, or if you have any questions relating to your rights or this privacy policy, please contact us at info@contractmill.com.