Jul 24, 2023

Aiven Privacy Policy

Personal Data File and Controller

This Privacy Policy (referred to as "Privacy Policy") informs why and how we process personal data about representatives of business customers and potential business customers and visitors using the website at aiven.io (referred to as "User" and jointly "Users").

Aiven Ltd as Data Controller

Aiven Ltd, Business ID: 2795743-5, as the data controller (referred to as "Aiven", "we" or "us") is responsible for ensuring that personal data is processed in compliance with this Privacy Policy and applicable data protection laws.

We have also designated a Data Protection Officer (“DPO”) to oversee our data protection related matters. If you have any questions or concerns about the way we use your data, you may contact our DPO by email at dpo@aiven.io.

What personal data do we process?

We collect personal data through different means, which are explained below in more detail. Personal data is mainly collected directly from the User in connection with the customer relationship or website activity.

Customer data

The following personal data is processed in connection with the customer relationship:

  • Information of the users of the services provided by us, such as full name, email address, job title, company name;
  • Customer relationship details, such as the contract between Aiven and the customer, start and end date of customer relationship and services ordered;
  • Billing information, such as credit card details, bank account information, payments made, outstanding invoices, and invoices delivered;
  • Customer interaction, such as customer contacts, feedback and complaints
  • Interaction in the Aiven Community forum, such as messages sent in the Community forum; and
  • Marketing communications.

Prospect data

We may contact potential customers and provide them relevant information about our services. For this purpose, the following information will be processed:

  • User information, such as name, email address, job title, company name; and
  • Marketing communications.

Technical data

We collect some technical data automatically through the use of our website or services, which may be associated with Users. For this purpose, the following information will be processed:

  • User’s IP address
  • Type and device ID
  • Browser type and version
  • Geographical location based on the IP address
  • Service access times
  • Statistics on page views and time spent on pages
  • Any other automatically collectible information

Special categories of personal data

We do not process special categories of personal data about our Users.

For what purpose and with what legal basis do we process personal data?

We process personal data for the following purposes:

Service provision based on contractual relationship with us

We process personal data when this is necessary under our contract with our customers and Aiven Community forum members, to provide our services , and specific features selected by the customer, and to manage and maintain the customer relationship between us. In this case, the processing is based on the performance of the customer contract.

Marketing

We process personal data for marketing purposes as follows:

  • We send direct marketing via email based on our legitimate interest to provide Users with relevant information as part of our services and to promote our services. A User may unsubscribe from marketing emails at any time by clicking on the "unsubscribe" link located on the bottom of emails or by contacting us at privacy@aiven.io.
  • We (or our service providers on our behalf) may collect and create user group profiles or segment data about the use of our website and services and provide targeted advertising to Users.  We use cookies and other similar technologies to display advertising. This may involve delivering marketing through our website or on third party website or platforms (including social networks). We seek consent when we place cookies and use similar technologies in accordance with our Cookie Policy. For more information, please see our Cookie Policy.

Personal data is not processed for automated decision-making.

Our legitimate interest

We process personal data to the extent this is necessary to fulfil our legitimate interests, which include our interests to:

  • Effectively manage our relationship with our customers, including responding to queries, resolving technical issues, providing customer support and sending necessary information relating to our services.
  • Improve our services by seeking feedback and performing data analytics on the usage of our website and services, and creating user group profiles and anonymous, aggregated statistics about the use of our website and services.
  • Protect the security, availability and integrity of our services and information systems, including by using authentication mechanisms and other security measures, monitoring our systems for security threats, keeping back-ups, and carrying out system maintenance services.
  • Protect our legal rights, including by handling complaints and exercising or defending legal claims.
  • Share personal data with our subsidiaries to the extent necessary to provide our services and to manage and organize customer service, marketing as well as information security measures within the group in an appropriate and practical way and use shared IT systems within the group.

Legal obligations

We process personal data to comply with legal requirements under applicable laws (e.g. tax and accounting obligations) and with court orders and requests by competent regulatory and governmental authorities.

What personal data do we disclose?

We disclose personal data to third parties as follows:

  • to our subsidiaries for the purposes listed under Our legitimate interest heading above;
  • to our third party service providers, including but not limited to hosting service providers, technology service providers, payment service providers and marketing providers;
  • as required or permitted to comply with legal obligations, requests by competent authorities and courts and related legal proceedings;
  • as required to establish, exercise or defend or to protect against legal claims; and
  • to prospective sellers or buyers if we are involved in a merger, acquisition, or sale of all or a portion of our assets.

Do we transfer personal data outside the EU/EEA?

We store personal data on servers located in the European Union ("EU") provided by Google and Amazon Web Services.

We transfer personal data to our subsidiaries and third party service providers overseas, which may involve the transfer of personal data to countries outside the European Economic Area ("EEA") which have different data protection standards to those which apply in the EEA.  For a list of the countries in which our subsidiaries and service providers operate, please see: aiven.io/subprocessors.

To the extent personal data is transferred to a country outside of the EU/EEA, we will use the required established mechanisms that allow the transfer to our subsidiaries and service providers in those countries, such as the Standard Contractual Clauses approved by the European Commission.

Please email us at privacy@aiven.io if you want further information on the specific mechanism used by us when transferring your personal data out of the EEA or to obtain a copy of any contractual clauses in place. Please note, however, that some details may be redacted for confidentiality reasons.

How long will we retain personal data?

We will only retain personal data for as long as necessary to fulfil the purposes defined in this Privacy Policy. The main retention periods are as follows:

  • We retain personal data for the duration of customer relationship and after that as required by legal obligations (e.g. accounting laws) or our contractual rights or obligations (e.g. for invoicing purposes).
  • If a dispute arises or a customer fails to make payment for our services, we may retain relevant information until such dispute is resolved or until such payment is made.
  • Where we process personal data for marketing purposes, we will delete or anonymise the data after one (1) year has lapsed from last contact between us to the User or when the User asks us to stop marketing and for a short period after this (to allow us to implement the request). From the below User Rights heading the User may find more information regarding data retention for marketing purposes and what rights the User has in this respect.

What rights does the user have?

Users have the following rights:

  • The right to request access to personal data about himself/herself;
  • The right to request rectification, restriction or erasure of personal data. However, certain information is strictly necessary in order to fulfil the purposes defined in this Privacy Policy and may also be required by law. Thus, it may not be possible to remove such personal data.
  • The right to object processing, that is based on legitimate interest;
  • The right to object processing for marketing purposes and the right to prevent from receiving future direct marketing;
  • If processing of personal data is based on consent, the User has the right to withdraw consent at any time. The withdrawal will not affect the lawfulness of the processing carried out before the withdrawal; and
  • The right to data portability, meaning the right to receive the personal data in a structured, commonly used machine-readable format and transmit the personal data to another data controller, to the extent required by applicable law. This applies for personal data processed based on contract or the User's consent.

Should the User wish to exercise his/her above mentioned rights, please send a request to us at privacy@aiven.io.

If you consider the way we are processing your personal data is conducted in an unlawful way or violates this Privacy Policy, you have a right to file a complaint to your national data protection authority in the EU/EEA. You may also file a complaint to the data protection authority in any other EU country where you live, work, or where you consider the alleged violation has occurred.

Clauses for Users in California

Users that are California Residents have specific rights to control their personal information. To read more about these rights based on the California Consumer Privacy Act (“CCPA”) and California Privacy Rights Act (CPRA) please see our Privacy Notice for California Residents.

What Security measures have we taken?

We have carried out reasonable technical and organizational measures to secure the personal data processed against unauthorized access, against accidental or unlawful destruction, manipulation, disclosure and transfer and against other unlawful processing. For instance, any physical data is stored in locked facilities and access to automatically processed data is limited by user rights and passwords within our organization.

Please be aware that, although we endeavor to provide reasonable security measures for personal data, no security system can prevent all potential security breaches.

Changes to this Privacy Policy

We may change this Privacy Policy from time to time. If we make any changes to this Privacy Policy, we will actively bring it to the attention of the Users by using communication channels available to us. The most recent version of this Privacy Policy can be found at aiven.io/privacy