This privacy statement (“Statement”) explains how the personal data of actual or potential clients of Upheat Solutions Oy (“Upheat”), and website visitors at upheat.com (“Website”) is processed. It is intended to cover all personal data processing by Upheat, except for purely internal processing (such as for internal HR, production or other internal purposes).
This document contains the following information:
1. Overall description of our data processing practices
2. Who processes personal data, what data is processed, for what purpose, and how long is it stored
3. What data is processed
4. Data transfers
5. What are your rights
6. Changes to the Privacy Statement
1. Overall description of our data processing practices
Upheat as the data controller, collects and processes personal data under this Statement and in accordance with the General Data Protection Regulation. The term “personal data” refers to personal identifiable information that directly or indirectly identifies you, such as your name, physical address, e-mail address, IP number or other contact details. Personal data processing refers to any action that we or a third party that we have engaged takes with the personal data, such as collection, registration and storage. We aim to process personal data that is adequate, relevant and not excessive in relation to the purpose for which it has been collected. We only collect and process personal data where we have lawful grounds to so.
2. Who processes personal data, what data is processed, for what purpose, and how long is it stored
Responsible data controller
For the data referred to in this Statement, the data controller is Upheat (Upheat Solutions Oy, business ID 3415262-7, domicile Nuutisarankatu 12, 33900 Tampere, Finland). For inquiries relating to personal data processing, please contact: contact@upheat.com.
Data processors
The following external parties process the personal data on the basis of data processing agreements with Upheat:
-A hosting provider for the Website and the contact form on the Website, currently Hetzner Finland Oy
-Upkeep and development partners for the Website, currently MakeItSimple Oy and Zesty Oy
-A CRM provider for sales and marketing data of potential and actual clients of Upheat, currently Pipedrive Oü
-Provider for user authentication and other integrated office 365 functionalities for the CRM, currently Microsoft/Azure
3. What data is processed
Data processing relating to Website visitors
| Category of personal data | Legal basis | Purpose of processing | Duration of processing |
|---|---|---|---|
| Contact form: Name, e-mail address, phone number of website visitor | Performance of contract between Upheat and visitor (GDPR Article 6(1)(b) | Answering contact forms, generating lead in CRM (see below) | Information is either deleted (in the event the contact form does not lead to a sales lead or client relationship), or moved to the CRM system (see below) within two weeks |
| IP address of website visitor | Legitimate interests of Upheat (GDPR Article 6(1)(f) | Logging IP address to direct website traffic, to detect and remedy errors, and to detect and prevent malicious activity like DDoS attacks | Information is automatically deleted after 365 days. |
Data collected through the contact form is collected directly from Website visitors, whereas some data is collected simply through visiting and browsing the Website. Use of the contact form requires providing personal data, in particular the visitor’s name and contact information.
Data processing for customer relationship management (CRM) purposes – sales and marketing/potential clients
| Category of personal data | Legal basis | Purpose of processing | Duration of processing |
|---|---|---|---|
| Name, contact details of representatives of potential clients of Upheat | Legitimate interests of Upheat (GDPR Article 6(1)(f) | Identifying interesting marketing/sales leads and contacting them about Upheat goods and services | If the lead becomes an actual client, data is retained as explained below for clients; if the lead becomes inactive or the sales process is stopped, data is removed within 6 months |
| Individual ID number associated with lead, representative’s IP address | Legitimate interests of Upheat (GDPR Article 6(1)(f) | Ensuring that data in Upheat systems is associated with the correct lead | |
| Various personal information included in internal notes or comments associated with the lead/representative | Legitimate interests of Upheat (GDPR Article 6(1)(f) | Identifying interesting marketing/sales leads and contacting them about Upheat goods and services |
Data processing for customer relationship management (CRM) purposes – clients
| Category of personal data | Legal basis | Purpose of processing | Duration of processing |
|---|---|---|---|
| Name, contact details of representative of client | Performance of contract between Upheat and client (GDPR Article 6(1)(b) | Providing quotes to potential client and other correspondence, customer relationship management, handling support tickets | Within 6 months of the client the representative is associated with ceasing to be a client of Upheat |
| Individual ID number associated with client | Performance of contract between Upheat and client (GDPR Article 6(1)(b) | Ensuring that data in Upheat systems is associated with the correct lead/customer | |
| Various personal information included in support tickets or other correspondence with representative | Performance of contract between Upheat and client (GDPR Article 6(1)(b) | Handling support tickets/providing support to the client | |
| Possible personal data entered into notes about clients, such as notes concerning meetings or discussions with clients | Performance of contract between Upheat and client (GDPR Article 6(1)(b) | Customer relationship management |
Data collected into the CRM system is partly collected directly from representatives of actual or potential clients, and partly from either public sources or systems such as Office 365.
4. Data transfers
For data subjects in the EU/EEA/UK, the servers will be hosted in the EU. However, personal data may be accessed (and therefore processed) from outside the EU/EEA/UK or in some cases transferred outside the EU/EEA/UK. All transfers/processing of personal data outside the EU/EEA are carried out on the basis of an adequacy decision by the EU commission (GDPR Article 45), or subject to standard contractual clauses (GDPR Article 46), complemented by sufficient supplementary safeguards in order to ensure that the rights of data subjects can be fulfilled. You can request a copy of the standard contractual clauses, including a description of the transferred data, by using the contact details provided for Upheat above.
5. What are your rights
Since we process your personal data you can exercise certain rights during specific circumstances under the applicable data protection legislation as follows:
• Right to access and rectification: You have the right to request access to the personal data relating to you. This includes e.g. the right to be informed whether or not personal data about you is being processed, what personal data is being processed, and the purpose of the processing. You also have the right to request that inaccurate or incomplete personal data be corrected.
• Right to restriction of processing: You are entitled to restrict the processing of personal data in certain situations.
• Right to be forgotten: You may also request that your personal data be erased if e.g. the personal data is no longer necessary for the purposes for which it was collected, the processing is unlawful, or the personal data has to be erased to enable us to comply with a legal requirement.
• Right to Data Portability: If personal data about you that you yourself have provided is being processed automatically with your consent or in accordance with a contract between you and Upheat, you may request that the data is provided in a structured, commonly used and machine-readable format and you may also request that the personal data is transmitted to another controller, if this is technically feasible.
• You are also entitled, at any time, to lodge a complaint with the relevant supervisory authority if you consider that your personal data has been processed in contravention of applicable data protection legislation. The supervisory authority for Upheat’s domicile is the Finnish Data Protection Ombudsman: https://tietosuoja.fi/en/home
6. Changes to the Privacy Statement
Upheat reserves the right to amend this Privacy Statement from time to time. We will post any changes to on this page and, where appropriate, notify you by e-mail. Please check back regularly to see any updates or changes to our Privacy Statement.
Revised 12.09.2025
