Customer Register Privacy Statement

Controllers

Reputation and Trust Analytics Oy (1099844-1)
Keilaranta 1
02150 Espoo
Finland

Reputation and Trust Analytics Sweden AB (559464-1895)
Kungsgatan 9
SE-111 43 Stockholm
Sweden

Division of responsibilities between the companies: Reputation and Trust Analytics Oy is responsible for managing Finnish customer relationships, and Reputation and Trust Analytics Sweden AB is responsible for managing Swedish customer relationships. The companies use a shared technical platform (HubSpot).

Contact person responsible for the register

Eila Lahti, Data Sourcing Manager
eila.lahti@reptrust.com

Register name

Reputation and Trust Analytics’ customer register

Legal basis and purpose of processing personal data

The processing of personal data is based on Reputation and Trust Analytics’ legitimate interest. The data collected on customers is used for the purpose of managing customer accounts and marketing.

The data controller may use analytics, tracking, and customer relationship management tools, such as the tracking and analytics features of the HubSpot service, to measure the effectiveness of email communications and to develop marketing and customer communications.

Data content of the register

The data collected on customers include data necessary for managing customer accounts and marketing purposes, such as the names and contact details of contact persons and data related to orders and invoicing.

More specifically, the following data on customers and their contact persons are collected:

job title, position, and role within the organisation;
organisation name and other organisational details;
Business ID / organisation number (Org.nr);
the organisation’s billing and contact details;
information related to orders, agreements, and the use of services;
quotation, order, and delivery information;
billing and payment information;
contacts, communications, and customer service events related to customer relationship management;
notes related to customer relationship management and service delivery;
any direct marketing consents and opt-outs;
other information necessary for managing the customer relationship.

In addition, the customers’ contact information is collected in a marketing register where data concerning companies and their contact persons are also stored.

Regular data sources

Contact and customer relationship data contained in the register is collected when the customer relationship is established and during the course of the customer relationship. Personal data is collected directly from the data subject, for example through website forms, contacts, customer meetings, events, orders, and other interactions.

Personal data may also be collected and updated from publicly available sources, organisations’ websites, professional networks such as LinkedIn, and commercial providers of business and contact information services. The data collected primarily relates to the data subjects’ professional roles and job responsibilities.

Register data protection principles and disclosure

Access to the data is restricted to the persons employed by Reputation and Trust Analytics, its subsidiaries and subcontractors maintaining customer accounts (e.g. accounting, invoicing, postal service providers) whose tasks require processing the data. We have ensured that all of our service providers comply with the Data Protection Act. All employees processing the data of the customer register are bound by an obligation of professional secrecy.

The data is protected with appropriate safeguards: all computers and information systems are protected with technical measures. The data is not disclosed to third parties.

Transferring the data outside the European Union or the European Economic Area

Reputation and Trust Analytics use the HubSpot service for the purpose of keeping the customer data register. HubSpot is active outside the EU in the United States, but it is listed on the list of Privacy Shield companies certified by the EU and the US, and it complies with the EU’s General Data Protection Regulation. The data on the users specified in section 5 is stored in the HubSpot service. The privacy policy of HubSpot can be accessed on the company’s website: legal.hubspot.com/privacy-policy.

Customer register data may be processed with the assistance of artificial intelligence as part of customer relationship management, communications, or analytics. For these purposes, we use the Anthropic Claude service and Microsoft Copilot service under enterprise licenses. Service providers may process personal data outside the EU/EEA, including in the United States. The enterprise licenses and contractual arrangements used have been selected to ensure that data entered into the services is not used by the service providers for training AI models. AI services are used primarily to support employees’ work and not for autonomous decision-making concerning customers. You can review the service providers’ privacy settings on the companies’ websites: Anthropic https://privacy.claude.com/ and Microsoft: https://www.microsoft.com/privacy/privacystatement.

For transfers of personal data, we use data transfer mechanisms approved by the European Commission, such as the EU–US Data Privacy Framework (DPF) and, where necessary, Standard Contractual Clauses (SCCs).

As a rule, personal data is not transferred outside the EU and the European Economic Area except in connection with the use of the services described above.

Personal data is not transferred outside the EU and the European Economic Area except in connection with the use of the services described above.

Rights of the data subject

According to the applicable data protection law, at any time, data subjects have the right to:

receive information about the processing of their personal data;
inspect what personal data concerning them has been stored in the register;
request the rectification or completion of inaccurate, incomplete, or incorrect personal data;
request the deletion of their personal data to the extent that the processing of personal data is not based on a contractual relationship, legal obligation, or another applicable legal basis for processing;
object to the processing of their personal data where the processing is based on the legitimate interest of the data controller (Article 21 of the EU General Data Protection Regulation), including the right to object to direct marketing;
lodge a complaint with the competent supervisory authority. In Finland, the supervisory authority is the Office of the Data Protection Ombudsman, and in Sweden the Integritetsskyddsmyndigheten (IMY).

In order to exercise their aforementioned rights, data subjects must submit a related request by e-mail or in other written form to the company. The controller has the right to refuse to act on the request on grounds related to applicable law.

Data retention period

Personal data is retained for as long as the customer relationship remains in effect and thereafter only for as long as retention is necessary due to contractual obligations, statutory obligations, or other justified processing needs. Data is deleted on a regular basis once there is no longer a legal basis for retaining it.

Deleting data

Data subjects have the right to prohibit the controller from processing their personal data for the purpose of keeping the marketing register. Such prohibitions can be made by e-mail to tutkimus@repturst.com or submitted in other written form to the company.

The data stored in the register can be erased according to a request insofar as storing the data is not based on a contractual relationship or statutory obligation. The request can be made by e-mail to tutkimus@reptrust.com or submitted in other written form to the company.

Changes to this privacy statement

Reputation and Trust Analytics reserve the right to make changes to this privacy statement and related information. Reputation and Trust Analytics recommends data subjects to check this privacy statement regularly in order to learn about any changes to it.

This privacy statement was last updated on 17 June 2026.