ZEF Oy Privacy Policy

Version 22 March 2018


ZEF Oy (“ZEF”) respects the privacy of individuals and thereby we want to give individuals using our services information concerning our data processing activities in a transparent manner. This Privacy Policy describes how ZEF collects, uses, stores, shares and protects your information under ZEF’s services and on our website and . (collectively, the ‘ZEF’s services’). To achieve this goal, the information presented in this ZEF Privacy Policy is provided using as clear and plain language as possible. However, should you have any inquiries or questions regarding our data processing activities or the information presented in this Privacy Policy, please feel free to contact us at the “Contact Us” page on our website or by sending an email to

This Privacy Policy does not apply to third parties and their actions that ZEF does not own or control, including, but not limited to, any third-party websites, services and applications that you access through ZEF’s service or website.

This Privacy Policy has been prepared in order to meet the requirements set out in the EU General Data Protection Regulation (“GDPR”), which is directly applicable in all Member States in the European Union as of 25 May 2018. ZEF is committed to comply with the obligations related to processing of personal data under the applicable data protection legislation.

Data processing activities related to ZEF’s services are described in part 2.1 of this Privacy Policy.

When ZEF is providing ZEF’s services, ZEF has a dual role under the applicable data protection legislation:

ZEF as a data controller - Users

ZEF acts as a data controller within the meaning of the GDPR when it processes personal data related to individuals who have used and accessed ZEF’s services on behalf of ZEF’s Customer. Such individuals are data subjects within the meaning of the GDPR and are called Users in this Privacy Policy. Customer is an entity with whom ZEF has a contractual relationship.

ZEF’s data processing activities pertaining to User Data are described in part 2.2 of this Privacy Policy.

ZEF as a data processor – Respondents

ZEF acts as a data processor within the meaning of the GDPR when it processes personal data related to individuals who respond to surveys created by Users using ZEF’s services. Such individuals are data subjects within the meaning of the GDPR and are called Respondents in this Privacy Policy. The Customer is a data controller under this processing scenario. As a data controller, the Customer is solely responsible for determining what personal data is collected, of whom such personal data is collected and how surveys are made available to Respondents.

Should you have a question about a specific survey determined by ZEF’s Customer, please contact directly the Customer entity in question.

ZEF’s data processing activities pertaining to Respondent Data are described in part 2.3 of this Privacy Policy.


2.1 ZEF’s services - general description of processing of personal data

ZEF uses personal data to perform ZEF’s services, in particular:

- to review, investigate, research and analyze how to improve and develop ZEF’s services

- to perform statistical analysis on personal data, to understand how individuals use ZEF’s services

- to test ZEF’s services, for the purpose of improving security and troubleshooting

2.2 Processing of User Data
2.2.1 Collection of User Data

When a User registers to ZEF’s services, User provides the following information to ZEF:

- Email address

- First name and last name

- Picture (optional)

- Facebook page (optional)

- LinkedIn page (optional)

- Twitter page (optional)

- Telephone number (optional)

- Name of the organization or company (Customer) (optional)

- Company website (optional)

- Company’s LinkedIn page (optional)

- Company’s Facebook page (optional)

- Company’s Twitter page (optional)

- Company’s logo or other picture (optional)

- Payment related information (for paid license plans)

○ Credit card number

○ Name on credit card

○ CVC number on credit card

○ Country

○ Postal code (for USA payment cards)

○ VAT / company ID (when paying with an invoice)

○ International Bank Account Number (IBAN) (when paying with an invoice)

During the use of service, ZEF also processes the following information related to User:

- Information that is collected indirectly or passively when User interacts with ZEF

- ZEF collects usage data whenever User interacts with ZEF’s services

- IP address, browser type, operating system, geographic location

- ZEF collects User Data from third parties if the User gives permission to those third parties to share such information with ZEF

ZEF uses this information to identify User within Customer organization within ZEF’s services. ZEF requires this User Data to verify which individuals use ZEF’s services on behalf of the Customer in accordance with the agreement between ZEF and the Customer. ZEF’s services allow User to access and edit, update or delete their User Data.

2.2.2 Purposes of processing of User Data

ZEF collects User Data to allow Users to have access to, and gain full benefit of, ZEF’s services. ZEF will use User Data for the following purposes:

(i) to process any orders, inquiries, requests or feedback the User or the Customer may have provided to ZEF

(ii) to contact User based on User’s contact under point (i) above, for customer support, as well as to provide User with invoicing information

(iii) to inform Users about ZEF’s services, such as software updates and upgrades, security patches, system enhancements, new software versions, as well as other information regarding ZEF’s services.

(iv) if User has given his/her consent to receive ZEF’s electronic marketing material, ZEF may send such material to User

(v) to meet contractual obligations ZEF has with the Customer

(vi) to comply with applicable regulatory and authoritative requirements

2.2.3 Legal basis for the processing of User Data

Legal basis for the processing of User Data is consent from the User. Before submitting any personal data to ZEF, the User is asked to give his/her voluntary, informed and explicit consent to the processing of personal data during the Sign-Up process, as well as a link to visit this Privacy Policy for further information.

User is not required to provide any personal data to ZEF unless User chooses to access features of ZEF’s services that require such personal data. If you do not agree with the terms of this Privacy Policy or ZEF’s Terms of Use related to ZEF’s services, then we ask you not to provide us with your personal data.

By signing-up to ZEF’s services, the User expressly consents to ZEF’s collection, use, disclosure and storage of User Data as described in this Privacy Policy.

As a data subject the User has the right to withdraw his or her consent at any time. User may easily withdraw his or her consent by choosing to do so in ZEF’s service.

2.2.4 Rights of User as Data Subject

As a data subject the User has the right to access, rectify, cancel, and object to the processing of his/her personal data by directing any such requests to ZEF. ZEF allows Users to exercise these rights by submitting a data subject request through ZEF’s services.

Furthermore, you have the right to lodge a complaint with a data protection supervisory authority.

2.2.5 Storage and deletion of User Data

As a basic principle, ZEF will not store User Data any longer than is necessary to fulfill the purposes for which the User Data was collected, unless longer storage is required by applicable laws or regulations.

ZEF’s current storage practice for User Data is that such personal data will be deleted after the realization of the User’s account resignation, unless longer storage period is required by applicable law.

2.3 Collection and Processing of Respondent Data
2.3.1 Collection of Respondent Data

As a data controller, the Customer in question determines the means and purposes of processing Respondent Data. As ZEF’s services are being used by many Customer entities, these purposes may vary depending on the survey determined by the Customer in question. The Customer is responsible for ensuring that the collection and processing of Respondent Data is carried out in accordance with the applicable legislation and the GDPR.

ZEF will not process Respondent Data for any other purposes or by other means than those instructed by the Customer in question.

2.3.2 Processing of Respondent Data

Although the Customer determines the types of personal data collected, Respondent Data which ZEF processes on behalf of the Customer typically includes following types of personal data:

- Name

- Email address

- Home address

- Phone number

- Age

- Date of birth

- Employment details

- Education and qualification

- Business contact details

- Other survey-specific information provided by the Respondent and determined by the Customer

The Customer may also choose to conduct a survey without any personal data being provided from the Respondents. In this event no personal data listed above will be collected and processed.

ZEF also collects personal data about the Respondents in following situations:

- Usage data about the Respondent whenever he/she interacts with ZEF’s services

- IP address and browser type for the purposes of solving technical issues for a maximum period of 31 days at a time

- ZEF collects Respondent Data from third parties if the Respondent gives permission to those third parties to share such information with ZEF

- Email address if the Respondent provides it to ZEF in order to send the Respondent an invitation email to answer to a survey through ZEF’s services

2.3.3 Legal basis for the processing of Respondent Data

The Customer is responsible for ensuring that a legal basis under the GDPR is established prior to collecting any Respondent Data. For the purpose of using ZEF’s services (surveys), the relevant legal basis is typically consent from the Respondent. In this case the Customer is required to obtain the Respondent’s consent before any collection or processing of personal data is carried out on ZEF’s services. The Customer must also comply with the relevant provisions of the GDPR concerning consent (or other legal basis for processing, if applicable).

2.3.4 Storage and deletion of Respondent Data

Since the Customer as a data controller has control over determining the purposes for which Respondent Data is collected, as well as for the duration for which the Respondent Data is stored, the Customer is responsible for determining when to delete the Respondent Data.

After the end of provision of services under the agreement between ZEF and the Customer, ZEF commits to either delete or return all Respondent Data to the Customer, based on Customer’s choice. ZEF deletes existing copies of Respondent Data unless legislation requires storage of Respondent Data.


ZEF processes and stores Respondent Data within the European Union. However, User Data may be transferred, in compliance with applicable regulations, to the United States and/or other third countries that do not have similar laws providing protection for personal data or that have different legal rules on data protection. Should ZEF transfer personal data to such third countries, personal data will be protected as described in this Privacy Policy and in accordance with the applicable data protection law, such as the EU General Data Protection Regulation (679/2016).

ZEF will not sell personal data to third parties, nor make personal data available to them for other purposes than to enable use of the Services. ZEF may utilize third party processors to perform data processing on ZEF’s behalf. In this case, such third party service providers are required to comply with this ZEF’s Privacy Policy and any other appropriate technical and organizational measures. Should ZEF transfer any personal data collected or processed via ZEF’s services to any third party, ZEF will ensure at all times that the third party service provider will be bound by appropriate contractual guarantees with respect to such third party’s obligations in accordance with applicable data protection law, and ensuring all times that personal data will remain protected in accordance with at least the same standards as under this Privacy Policy.

To learn more about the third-party data processors used by ZEF, as well as transfers of User Data to third countries, please visit the following link.


ZEF ensures the confidentiality, integrity and availability of personal data processed via ZEF’s services. ZEF implements appropriate technical and organizational measures and procedures in such a way that ensures the protection of data subject’s rights, and always in accordance with applicable data protection law, as well as to protect personal data against accidental or unlawful destruction, loss, alteration, disclosure, access and other unlawful forms of processing. ZEF ensures that all persons processing personal data under its authority and supervision have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.

In case of a data security breach leading to accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data, ZEF will inform data subjects of the breach without undue delay, including a summary description of the potential impact and a recommendation on measures to mitigate the possible adverse effects of the breach.

ZEF ensures that personal data has been pseudonymized or anonymized wherever possible. ZEF’s services contain appropriate authorization mechanisms to avoid unlawful access, as well as effective encryption has been used to mitigate the risk of data security breaches. ZEF will inform when an updated version of the service is available, and if the update is security critical, users will be prevented from using the old version of the service.

Furthermore, ZEF recommends that data subjects take additional measures to protect information privacy, by keeping confidential account information and passwords.


ZEF uses cookies and other similar online technologies, such as your browser’s local data storage, to collect data from your device. Cookies are small text files that your browser saves in your device. Cookies often contain an anonymous individual identifier, which ZEF can use to measure how many different browsers are visiting our web sites, and how ZEF’s online services are being used.

You can prevent the use of cookies by changing your browser settings. Preventing cookies may have an impact as to how our services and website function.


ZEF may amend this Privacy Policy from time to time. Users may be required to accept the amended Privacy Policy upon logging in to ZEF’s services in order to keep using the services. ZEF will notify Users of any substantial changes to this Privacy Policy and processing activities, well before the effective date of the changes by sending an email or in another effective manner to give data subjects a reasonable notice period to assess the consequences of such changes. If you do not agree to such new version of this Privacy Policy, you may terminate use of ZEF’s services by notifying ZEF via the service or by sending an email to In this event, you will not be bound by the new version of this Privacy Policy.


Should you have any questions concerning this Privacy Policy or wish to know more about ZEF’s data processing activities, please feel free to contact us at the “Contact Us” page our website or by sending an email to

Business ID 0640379-1
Elektroniikkatie 6
90590 Oulu

Contact information of person in charge of ZEF’s GDPR matters:
Jaakko Alasaarela