Privacy Policy for Eurostep Digital Platform

Last updated on: 04.12.2020 

This Privacy Policy is adopted by Eurostep Digital OÜ, a private limited company, incorporated under the laws of Estonia, registration code 14248577, registered address Telliskivi tn 60/1-20, 10412, Tallinn, Estonia (hereinafter “Eurostep Digital”, “we”, “us” or “our”). Eurostep Digital operates the website eurostepdigital.com, its subdomains (our “Web Site”) and all the software, databases, interfaces, associated media, documentation, updates, new releases and other components or materials (collectively “Platform”). 

This Privacy Policy describes our privacy practices and how we process personal data.  

If you have any questions about how we process your personal data or if you wish to submit an application for exercising your rights related to processing your personal data, please contact us through the contact information provided in the section “Contacts” below. 

  1. DEFINITIONS 
“Personal data” Any information relating to an identified or identifiable natural person (data subject); an identifiable natural person is one who can be identified, directly or indirectly, in particular on the basis of such a record as the name, personal identification code, place of location information or network identifier, or on the basis of one or more physical, physiological, genetic, mental, economic, cultural or social identities.
“Data subject” Any natural person who uses Eurostep Digital Services or whose personal data is processed by Eurostep Digital.
“Customer” Person (natural person or legal person) who uses Eurostep Digital Services and has thereby entered into a service agreement with us.
“Processing” Any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
“Data Controller” Natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.
“Data Processor” Natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.
“Service” or “Services” Any service made available by Eurostep Digital via the Platform, including the distribution of Customer Newsletters, IR Releases, facilitating the performance of corporate actions and as otherwise described in our Terms of Service.
  2. STATUS OF EUROSTEP DIGITAL UPON DATA PROCESSING
  2.1. In providing our Services and the Platform we act as both a Data Controller regarding certain personal data that we process and as a Data Processor.
  2.2. Data Processor. We act as an intermediary between our Customers and their various Stakeholders (shareholders, investors, directors, employees, etc.). Our Services provide the tools that allow our Customers to easily communicate with these different groups. To effectively use these tools, and therefore the Services, and to ensure their Stakeholders obtain the information that our Customer wants to send them (such as their Newsletters), our Customers provide the Platform with certain types of personal data (see Section 3, below). The Customer is the Data Controller in relation to the personal data they process in order to benefit from the Services, and we act as their Data Processor. Our processing activities are governed by specific contractual terms that regulate how we may process your data, in compliance with European and national data protection laws.
  2.3. Data Controller. In addition to providing the Services, we also process personal data for our own purposes (described below in Section 4). For these purposes, we act as a Data Controller.
  3. WHAT TYPES OF PERSONAL DATA DO WE PROCESS

We process the following types of personal data: 

  • Name, job title, email address, phone number, other work and company related information that is disclosed by the Customer about the Data subject(s) on the Platform; 
  • Data concerning the use of the Platform (for example log files and related analytics concerning the use of the Platform); 
  • Cookie data, which may include personal data (see Section 8, below, for more information).
  4. FOR WHAT PURPOSES DO WE PROCESS YOUR PERSONAL DATA
  4.1. When acting as a Data Controller, we process personal data for the following purposes:

| Purpose of processing | Types of personal data | How have we obtained personal data | Retention period |
|---|---|---|---|
| Enabling & supporting the creation of user account on the Platform to the data subject. | First name, last name, e-mail address, name of the company the data subject represents, password selected for the user account. | Directly from each data subject. | During the term of the contract with the data subject under Eurostep Digital Terms of Service. After the termination of the contract with the data subject under Eurostep Digital Terms of Service, 3 years based on our legitimate interest until the end of the limitation periods under applicable law. |
| Enabling the use of the Services via Platform to the data subject. | Any information submitted by data subject concerning him/her to us upon the use of the Services via Platform. | Directly from each data subject. | During the term of the contract with the data subject under Eurostep Digital Terms of Service. After the termination of the contract with the data subject under Eurostep Digital Terms of Service, 3 years based on our legitimate interest until the end of the limitation periods under applicable law. |
| Provision of marketing content via Platform to data subject. | First name, last name, phone number, e-mail address. | Directly from each data subject. | Until the withdrawal of the consent. |
| Answering the inquiries of the data subject. | Name, e-mail and other personal data that is submitted to us directly by you, also if you contact us with a query or question via Platform or via any other channel (by sending an e-mail, for example). | Directly from each data subject. | Until the end of the limitation period of the claim related to which the inquiry is submitted. Generally, such term is 3 years. |
| Recruitment of employees. | First name, last name, e-mail address, information disclosed in CV and motivational letter as well as any other information submitted by data subject concerning him/her to us during the recruitment process. | Directly from each data subject. | During the recruitment process. If the contract is not concluded with the data subject, then 1 year as of making the recruitment decision based on our legitimate interest until the end of the limitation period under applicable law. |
| E-mail interaction tracking. | We track emails sent via our Platform and track whether the e-mail is delivered to the addressee, if the e-mail was viewed by the addressee, if the addressee downloaded content from the e-mail, activated the account based on call to action click in e-mail and if the addressee viewed the document sent with each e-mail. | Through web beacon techniques. | Until the withdrawal of the consent. |
| Online user log data. | Log files of all the basic actions of the user (start of new document, publishing of document, viewing of document, changing the settings, etc.) for troubleshooting purposes as part of provision of the Services. | Automatically through your use of the Services. | During the term of the contract with the data subject under Eurostep Digital Terms of Service. After the termination of the contract with the data subject under Eurostep Digital Terms of Service, 3 years based on our legitimate interest until the end of the limitation periods under applicable law. |

  4.2. As the Data Processor, we may process data about you pursuant to contract terms concluded with the Data Controller. Purposes of such data processing may include, but are not limited to, the purpose of enabling admin users to add more users in SME/Investor account, enabling the use of Newsletter function via the Platform, enabling IR Release function via the Platform, etc. Types of personal data we may process as a Data Processor depend on what information is made available to us by Data Controller, but generally include (but might not be limited to) the following types of personal data: first name, last name, e-mail, phone number, position in company, role in the company, information about the investments made to the company, number of shares owned in the company, information about the employment relationship with the company including location of the office, information about the services you provide to the company such as legal services/accountant services, etc.

  5. WHAT IS THE LEGAL BASIS FOR PROCESSING YOUR PERSONAL DATA
  5.1. Eurostep Digital relies on different legal bases for personal data processing.
  5.2. We process your personal data to provide Services and the Platform to our Customers (please read Eurostep Digital General Terms for the Use of Eurostep Digital Platform and the Services). Legal basis for such data processing is GDPR Article 6-1-(b), i.e. processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract.
  5.3. In certain specific situations we might also process your personal data where processing your personal data is necessary for the purpose of our legitimate interests, for example in relation to certain of our marketing activities, to protect the security of your data and our systems. In addition, we might process and disclose personal data about you when we believe disclosure is necessary or appropriate to prevent physical harm or financial loss; in connection with an investigation of suspected or actual fraudulent or other illegal activity, and in conjunction with (i) the making, management, or disposition of any of our investments, (ii) business continuity, or (iii) to successors in interest or entities that acquire all or part of our business in connection to a corporate sale, merger, reorganization, dissolution or similar event. Legal basis for such data processing is GDPR Article 6-1-(f). In such a case we shall ensure that processing is proportionate and that we have carried out legitimate interest impact assessment.
  5.4. For certain specific purposes we may also process your personal data based on your consent, which you can always withdraw. Legal basis for such data processing is GDPR Article 6-1-(a). In those situations, we process your personal data on the terms as provided in the consent that you have granted to us.
  5.5. Additionally, we might process your personal data when processing is necessary for compliance with a legal obligation to which we are subject, for example for accounting purposes under applicable accounting legislation, or to protect and defend our legal rights. Legal basis for such data processing is GDPR Article 6-1-(c).
  6. WHEN DO WE SHARE YOUR PERSONAL DATA?
  6.1. We may share your personal data with certain third-party service providers, e.g. IT suppliers or other service providers. As of the date of this Privacy Policy, we use the following service providers:
  6.1.1. Amazon Web Services, Inc. for data storage and data centre service. We use Amazon data centres located in EU, in Ireland. Privacy terms for Amazon Web Services are available here: https://aws.amazon.com/privacy/
  6.1.2. Sendgrid service by Twilio Ireland Limited, to enable sending of emails without having to maintain email servers. Privacy terms for Twilio Ireland Limited are available here: https://www.twilio.com/legal/privacy
  6.1.3. Cloudflare, Inc., a web-infrastructure and website-security company, for content delivery network (CDN) services. Privacy terms for Cloudflare, Inc. are available here: https://www.cloudflare.com/privacypolicy/
  6.1.4. Livechat, Inc. for support and helpdesk functionality. Privacy terms for Livechat, Inc. are available here: https://www.livechat.com/legal/privacy-policy/
  6.1.5. Atlassian Corporation Plc for software development, project management and support tools. Privacy terms of Atlassian Corporation Plc are available here: https://www.atlassian.com/trust/privacy/gdpr#compliance
  6.1.6. Pipedrive OÜ for web-based Sales CRM and pipeline management solution. Privacy terms for Pipedrive OÜ are available here: https://www.pipedrive.com/en/privacy
  6.1.7. Stripe, Inc. for payment services. Privacy terms for Stripe, Inc. are available here: https://stripe.com/en-ee/privacy
  6.2. We also share your personal data with third-party payment service providers if your use of our services is subject to payment and you choose a payment method in the course of your use of the services. Please note that for processing your payment-related data, the payment service provider shall be considered as controller of your data, and the privacy terms and other terms and conditions of such payment service provider apply.
  6.3. We may also share your personal data with third parties if we are legally required to do so, for example if personal data is requested from us by any authority competent to request such data, such as a court or law enforcement agency.
  6.4. We may transfer your personal data to third countries, i.e. countries outside the EU/EEA area, for the purposes explained in this Privacy Policy. When transferring your personal data to third countries, we will ensure that the transfer is subject to appropriate safeguards under GDPR and that your rights are protected, such as the Commission’s model contracts for the transfer of personal data to third countries (i.e., the standard contractual clauses). You may request a copy of the safeguards we have put in place with respect to the transfer of personal data by contacting us via contact details below.
  7. HOW DO WE PROTECT YOUR PERSONAL DATA?
  7.1. To protect your personal data from unauthorized access, unlawful processing or disclosure, accidental loss, modification or destruction, we use appropriate technical and organisational measures that comply with applicable laws. These measures include but are not limited to the implementation of appropriate computer security systems, protection of paper and electronic format files by technical and logical means, controlling and limiting access to documents and buildings.
  7.2. When choosing appropriate security measures, we aim to follow standards set by ISO/IEC 27001:2013.
  8. COOKIES
  8.1. Our Platform and Services use cookies. This section incorporates our cookie policy (the Cookie Policy) that applies when you use Platform.
  8.2. Cookies are small data files stored on your hard drive by a website. Cookies help us monitor and improve the functionality and usage of our Platform and your experience on Platform. We can use cookies to see which areas and features are popular and to count visits to our Platform to recognize you as a returning visitor and to tailor your experience of the Platform according to your preferences. We may also use cookies for targeting or advertising purposes.
  8.3. We use the following types of cookies on our Platform:
  8.3.1. Strictly necessary cookies, that are essential in order to enable you to navigate and use the features of the Platform.
  8.3.2. Functional cookies, that record information about choices you have made that allow us to tailor Platform to your needs. Functionality cookies remember choices you make. The functional cookie used by us stores your email after login, so that if you log in to the platform with multiple emails we can suggest that you merge different platform accounts, which should simplify your processes.
  8.3.3. Statistics cookies, that record information about the way our Platform is used, to acquire knowledge on how often our Platform is visited, where on our Platform our visitors spend the most time, and how often they interact with a page or part of a page; this allows us to make the structure, navigation, and content of our Platform as user-friendly as possible.
  8.4. The specific cookies that Platform uses are the following:

| Cookie or similar function | Description | Duration | Type |
|---|---|---|---|
| __cfduid | The cookie is set by Cloudflare. The cookie is used to identify individual clients behind a shared IP address and apply security settings on a per-client basis. It does not correspond to any user ID in the web application and does not store any personally identifiable information. | 1 month | Necessary |
| _ga | This cookie is installed by Google Analytics. The cookie is used to calculate visitor, session, campaign data and keep track of site usage for the site’s analytics report. The cookies store information anonymously and assign a randomly generated number to identify unique visitors. | 2 years | Analytics |
| _gid | This cookie is installed by Google Analytics. The cookie is used to store information of how visitors use a website and helps in creating an analytics report of how the website is doing. The data collected includes the number of visitors, the source where they have come from, and the pages visited, in an anonymous form. | 1 day | Analytics |
| _gat_gtag_UA_130275624_1 | Google uses this cookie to distinguish users. | 1 minute | Analytics |
| __livechat | This cookie is set by Livechat. Used to hide the user’s personal customization of LiveChat. | 3 years | Necessary |
| platform_cookie_notice | Cookie is set by the platform when user accepts the “Cookie Consent” message. | 2 days | GDPR compliance |
| username | Session storage variable that stores the username and email used by you, which we use to suggest merging your accounts if multiple emails are used for logging in. | During the login time | Functionality |

  8.5. You can delete or block cookies on Platform through your browser settings at any time. However, some cookies might be necessary for the functionality of Platform. Therefore, you understand that when blocking or deleting the cookies some features of Platform might not function correctly.
  8.6. For more general information about cookies including the difference between session and persistent cookies please see www.allaboutcookies.org.
  8.7. In case you have any question concerning Cookie Policy, you may contact us via contact details provided below.
  9. YOUR RIGHTS
  9.1. Eurostep Digital is dedicated to ensuring that all data subject rights arising under applicable law are always guaranteed to you. In particular, any data subject has:
  9.1.1. the right to access the personal data that Eurostep Digital processes about you;
  9.1.2. the right to request that Eurostep Digital rectifies any inaccurate personal data about you;
  9.1.3. the right to request that Eurostep Digital erases your personal data and/or restricts the processing of your personal data if we do not have a valid legal basis for processing;
  9.1.4. the right to receive your processed personal data in a structured, commonly used and machine-readable format and the right to transmit your personal data to another controller;
  9.1.5. the right to object to the processing of your personal data.
  9.2. If you believe that your rights have been infringed, you may contact and lodge a complaint with the supervisory authority applicable for your jurisdiction (Data Protection Inspectorate in Estonia, address Tatari 39, Tallinn 10134, [email protected], or other competent authority in your jurisdiction).
  10. GOVERNING LAW AND JURISDICTION

This Privacy Policy shall be governed by the laws of the Republic of Estonia. Any disputes arising from this Privacy Policy shall be settled in the Harju County Court in the Republic of Estonia, unless you have a right to turn to the court of your residence pursuant to statutory law.

  11. CONTACTS

If you have any questions about this Privacy Policy or Cookie Policy, if you have any concerns about how we use your personal data, or if you want to exercise your rights as described above, you may contact us via e-mail or in writing using the following contact information:

Eurostep Digital OÜ 

e-mail: [email protected]  

address: Telliskivi tn 60/1-20, 10412, Tallinn, Estonia