At Rainmaker, we take data protection seriously. The proper handling of personal data of our customers, potential customers, employees, and job applicants is important to us, and we are committed to operating as transparently as possible regarding data protection matters. This statement describes how we process the personal data of data subjects and explains their rights concerning the processing of personal data.
Data controller
Rainmaker Group Oy (business ID: 2707250-6), together with other companies belonging to the Group (hereinafter “Rainmaker”). A list of the Group companies: https://rainmaker.fi/ota-yhteytta/
Address: Piispanportti 11, 02240 Espoo
Contact person for data protection matters
Kati Helavirta, Data Protection Officer
firstname.lastname(@)rainmaker.fi
Personal data processed and purposes of processing
We collect and process the following data concerning data subjects:
- Data subject’s basic and contact information: name, phone number, email address, city/municipality,
- Information regarding the registered company and the contact persons of the company: company name, business ID, and contact persons’ names, phone numbers, and email addresses,
- Information concerning the customer relationship and agreements: information on past and current agreements and orders, communication with the customer,
- Billing information: billing basis, billing contact details, billing and payment history,
- Marketing call recordings,
- Marketing and website behavior: information concerning the data subject’s telecommunications connection and terminal device used when visiting the website (device ID or other device-specific identifier, geographical location, and cookies),
- Participation in campaigns and events,
- Information regarding a direct marketing ban by the data subject
- Any other data collected with the data subject’s consent, which is necessary for the performance of the agreed service.
Purposes of processing:
- Handling contacts,
- Managing and developing customer relationships,
- Fulfilling contractual responsibilities,
- Marketing and advertising services, including distance selling,
- Developing services,
- Profiling and behavior analysis: Personal data stored in the customer register is also used for analyzing customer or other data subject behavior and for profiling purposes. Profiling is performed by creating a unique customer ID or file (e.g., a cookie) for the data subject, which is stored on the data subject’s terminal device. This allows Rainmaker, or our subcontractors, to combine data concerning the data subject generated in connection with the use of the online service and create a profile describing the data subject’s behavior. The purpose of profiling is to refine customer behavior for marketing targeting and service development to better meet customer needs.
- If necessary, verifying the content of communications to ensure rights and obligations, internal staff training and service quality improvement, and service development using marketing call recordings. The recordings are not used for other purposes and are not disclosed outside of Rainmaker.
Legal basis for the processing of personal data
The purpose of processing personal data is to provide and develop Rainmaker’s services to better meet customer needs, fulfill contractual obligations and customer promises, manage customer relationships, and conduct electronic marketing. Accordingly, the legal basis for the processing of personal data is our legitimate interests (e.g., related to maintaining business customer relationships or electronic marketing), the data subject’s consent, the performance of a contract, and/or a legal obligation.
Regular sources of personal data
Personal data is primarily collected from the data subject themselves. In addition, we receive information from authorities, contact information service providers, and other similar reliable parties. We may also collect and update personal and company data for the aforementioned purposes from publicly available sources and based on information received from other third parties, within the limits of applicable law.
Regular disclosures of data and data processors
Rainmaker does not disclose personal data to external parties. However, data in the register may be disclosed internally to other companies belonging to the Rainmaker Group.
Rainmaker uses external service providers for personal data processing, such as system providers and outsourced IT management. External service providers process personal data in the role of a personal data processor on behalf of Rainmaker, in which case the processing of personal data is always under Rainmaker’s responsibility and control. In these situations where we outsource services to external service providers, we ensure through contractual arrangements that personal data is always processed in accordance with applicable data protection legislation and good data protection practices.
Transfer of data outside the EU/EEA
Rainmaker may transfer personal data outside the EU/EEA as part of its operations. If this is done, we ensure that personal data is transferred outside the EU/EEA only in accordance with data protection legislation procedures and that the data in question is adequately protected and as required by current data protection legislation
Principles of personal data protection and retention
The data is collected into databases that are protected by firewalls, passwords, and other necessary technical means. Access to the data is granted only to those Rainmaker employees who have the right and need to process customer data due to their work. Each user has personal user IDs and passwords. The databases and their backups are located in locked premises, and access to the data is restricted to certain pre-designated persons. Rainmaker requires its personnel and partners to commit to the confidentiality of personal data.
Rainmaker retains personal data for as long as it is necessary for the intended purpose. Personal data in both the customer and marketing registers is deleted when the data used is identified as outdated, irrelevant, or unreachable. Contacts and the information included with them are deleted within two years of the contact.
Data collected from websites using cookies is stored for a maximum of 400 days. Call recordings are stored for 180 days.
The necessity of data retention is regularly assessed, taking into account applicable legislation. In addition, we take reasonable measures to ensure that no incompatible, outdated, or inaccurate personal data is stored about data subjects and rectify or delete such data without delay.
Management of risks to data subjects
Efforts are made to minimize the risks to data subjects in the processing of personal data. Rainmaker’s risk management measures related to personal data include, among other things, regular staff training and ensuring data protection competence, regular risk observation and assessment, and impact assessments regarding personal data processing.
In the event of possible personal data security breaches, Rainmaker will act in accordance with the instructions of the data protection authorities, urgently assessing the possible risks to data subjects. If it is probable that a data breach will result in a high risk to the rights and freedoms of the data subject, the data controller will notify the data subject of the incident without delay.
Data subject’s rights
The data subject has the right to exercise the rights listed below. To exercise these rights, the data subject can contact the data controller (Rainmaker). The data controller’s contact person and contact information are stated at the beginning of this privacy policy.
The data subject has the right to inspect the personal data concerning them stored in the personal register and to demand the rectification or deletion of incorrect data. In this case, the data subject will be provided with a copy of the data concerning them. Personal data will be updated at the data subject’s request.
In certain situations, the data subject has the right to transfer the data they have provided to another system. Such a situation may arise when the data controller processes personal data based on consent or a contract.
The data subject also has the right in some situations to request the erasure of their data. This right may be limited, for example, by a legal obligation to retain the personal data in question. If the need for personal data processing ceases, the data will be erased without a separate request.
In accordance with the General Data Protection Regulation (from 25 May 2018), the data subject has the right to object to or request the restriction of the processing of their data. In connection with the request, the data subject must specify the particular situation on which they base their objection to the processing. The data subject has the right to object free of charge to processing insofar as it relates to direct marketing. Rainmaker may refuse to implement a request for objection only on grounds provided by law. The data subject also has the right to restrict the processing of their personal data, for example, in situations where they suspect the lawfulness of the processing of personal data or have objected to the processing of their personal data, but the matter is still under investigation.
The data subject has the right to avoid decisions based solely on automated processing that produce legal effects or other significant effects. In addition, the data subject may request that decisions based on automated decision-making be reviewed by a human before a final decision is made. At Rainmaker, we do not make decisions in the processing of the customer and marketing register that would be based solely on automated processing and that would have legal or other significant effects.
If a data subject believes that their data has been processed inappropriately or unlawfully, we encourage them to first contact Rainmaker so that we can investigate the matter together. The data subject also has the right to lodge a complaint with the competent supervisory authority. In Finland, the supervisory authority is the Office of the Data Protection Ombudsman, whose up-to-date contact information and contact channels can be found on the Office of the Data Protection Ombudsman’s website.
Changes to this statement
If changes are made to this statement, we will update the information on our website and add a note indicating the date of the update.”
Updated 20.1.2025