Marketing Register Privacy Statement

Controllers

Reputation and Trust Analytics Oy (1099844-1) 
Keilaranta 1 
02150 Espoo 
Finland 

Reputation and Trust Analytics Sweden AB (559464-1895) 
Kungsgatan 9 
SE-111 43 Stockholm 
Sweden 

Division of responsibilities between the companies: Reputation and Trust Analytics Oy is responsible for managing Finnish marketing communications, and Reputation and Trust Analytics Sweden AB is responsible for managing Swedish marketing communications. The companies use a shared technical platform (HubSpot).

Contact person responsible for the register

Eila Lahti, Data Collection Manager, DPO
eila.lahti@reptrust.com

Register name

Reputation and Trust Analytics’ marketing register

Legal basis and purpose of processing personal data

The processing of personal data is based on the legitimate interest of the data controller (Article 6(1)(f) of the EU General Data Protection Regulation). 

The legitimate interest consists of B2B marketing, sales communications, and the development of customer relationships directed at representatives and decision-makers of organisations who may be considered to have a professional interest in the reputation and trust measurement and analytics services offered by the data controller. 

The data controller has assessed that the processing is proportionate and that the fundamental rights and freedoms of the data subject do not override the legitimate interest of the data controller, as the processing primarily concerns contact details related to the data subjects’ professional roles and professional communications. 

The data contained in the register may be used for marketing, sales communications, customer relationship management, and the establishment of potential customer relationships via email, telephone, and other customary forms of business communication. 

The data controller may use analytics, tracking, and customer relationship management tools, such as the tracking and analytics features of the HubSpot service, to measure the effectiveness of email communications and to develop marketing and customer communications.

Data content of the register

More specifically, the following data is collected about individuals: 

  • name;  
  • email address;  
  • phone number;  
  • organisation, job title, and position within the organisation;  
  • organisation contact details;  
  • information regarding communications and contacts between the data subject and the data controller;  
  • information regarding marketing permissions, opt-outs, and consents;  
  • information regarding event participation, meetings, website inquiries, or downloaded materials;  
  • other information necessary for customer relationships, marketing, or business contacts. 

Regular data sources


Personal data is collected directly from the data subject, from public business and contact information sources, website forms, events, customer meetings, professional social media networks (e.g. LinkedIn), and commercial providers of contact information services. The data collected primarily relates to the data subjects’ professional roles and job responsibilities. The Leadoo service is used in online services for lead generation.

Register data protection principles and disclosure


Access to the data is restricted to the persons employed by Reputation and Trust Analytics and its subcontractors whose tasks require processing the data. The data are protected with appropriate safeguards: all computers and information systems are protected with technical measures. The data is not disclosed to third parties.

Transferring the data outside the European Union or the European Economic Area

We use the MailChimp service for sending out our newsletter, and the data within the service may be transferred outside the EU or EEA. More 

information about the MailChimp service’s data protection: mailchimp.com/legal.  

MailChimp ensures the protection of personal data in compliance with the Personal Data Act and the General Data Protection Regulation. At any time, you can edit your information or end your subscription through the link included at the bottom of the newsletter sent by e-mail. 

Reputation and Trust Analytics uses the HubSpot service for the purpose of keeping the marketing data register. HubSpot is active outside the EU in the United States, but it is listed on the list of Privacy Shield companies certified by the EU and the US and it complies with the EU’s General Data Protection Regulation. The data on the users specified in section 5 are stored in the HubSpot service. The privacy policy of HubSpot can be accessed on the company’s website: legal.hubspot.com/privacy-policy.  

Marketing register data may be processed with the assistance of artificial intelligence as part of marketing relationship management, communications, or analytics. For these purposes, we use the Anthropic Claude service and the Microsoft Copilot service under enterprise licenses. Service providers may process personal data outside the EU/EEA, including in the United States. The enterprise licenses and contractual arrangements used have been selected to ensure that data entered into the services is not used by the service providers for training AI models. AI services are used primarily to support employees’ work and not for autonomous decision-making concerning customers. You can review with the service providers’ privacy settings on the companies’ websites: Anthropic https://privacy.claude.com/ and Microsoft:  https://www.microsoft.com/privacy/privacystatement.  

For transfers of personal data, we use data transfer mechanisms approved by the European Commission, such as the EU–US Data Privacy Framework (DPF) and, where necessary, Standard Contractual Clauses (SCCs).

As a rule, personal data is not transferred outside the EU and the European Economic Area except in connection with the use of the services described above.  

Personal data is not transferred outside the EU and the European Economic Area except in connection with the use of the services described above.

Rights of the data subject

According to the applicable data protection law, at any time, data subjects have the right to:

  • receive information about the processing of their personal data;  
  • inspect what personal data concerning them has been stored in the register; 
  • request the rectification or completion of inaccurate, incomplete, or incorrect personal data;  
  • request the deletion of their personal data to the extent that the processing of personal data is not based on a contractual relationship, legal obligation, or another applicable legal basis for processing;  
  • object to the processing of their personal data where the processing is based on the legitimate interest of the data controller (Article 21 of the EU General Data Protection Regulation), including the right to object to direct marketing;  
  • lodge a complaint with the competent supervisory authority. In Finland, the supervisory authority is the Office of the Data Protection Ombudsman, and in Sweden the Integritetsskyddsmyndigheten (IMY). 

In order to exercise their aforementioned rights, data subjects must submit a related request by e-mail or in other written form to the company. The controller has the right to refuse to act on the request on grounds related to applicable law.

Data retention period

Personal data contained in the register is retained for as long as necessary to fulfill the purposes of the processing of personal data or to comply with the statutory obligations of the data controller. 

The data subject has the right to request the deletion of their personal data or to object to the processing of their personal data in accordance with applicable data protection legislation. 

Individuals who unsubscribe from newsletters or other marketing communications are removed from active marketing communications without undue delay. 

However, data may be retained to a limited extent for the implementation of marketing opt-outs and to fulfill statutory obligations. 

Data contained in the register is deleted on a regular basis, for example in the following situations: 

  • the data subject requests the deletion of their data;  
  • contact details are found to be incorrect or communications are  repeatedly returned as undeliverable;  
  • the data subject has not responded to communications and there has  been no activity related to the customer relationship or business  relationship for five years;  
  • there is no longer a business-related or statutory basis for retaining the  personal data.    

The accuracy and necessity of the data contained in the register are assessed regularly as part of normal business and marketing activities.

Deleting data

The data stored in the register can be erased according to a request. The request can be made by e-mail to the e-mail address specified below or submitted in other written form to the company. 

If you want to erase your data in our marketing register, please send a request by e-mail to: tutkimus@reptrust.com.

Changes to this privacy statement

Reputation and Trust Analytics reserves the right to make changes to this privacy statement and related information. Reputation and Trust Analytics recommends data subjects to check this privacy statement regularly in order to learn about any changes to it.   

This privacy statement was last updated on 17 June 2026.