Privacy Policy
Centro Cloud Oy
1. General
This Privacy Policy describes how Centro Cloud Oy ("Centro Cloud", "we") processes personal data when providing its services.
Centro Cloud provides a web-based software service for managing business operations such as invoicing, customer relationships, and financial administration. In connection with these services, Centro Cloud processes personal data both as a data controller and as a data processor on behalf of its customers.
Centro Cloud complies with applicable data protection legislation, including the EU General Data Protection Regulation (EU) 2016/679 ("GDPR").
2. Roles and Responsibilities
As Data Processor
Centro Cloud processes personal data on behalf of its customers (the "data controllers") in order to provide the service. In this role:
- the customer determines the purpose and means of processing
- Centro Cloud processes data only according to the customer's instructions and agreements
As Data Controller
Centro Cloud acts as a data controller when processing personal data related to:
- its own customers and potential customers
- marketing and sales activities
- service usage analytics and development
3. Purpose of Processing
Personal data is processed for the following purposes:
Customer relationships
- service delivery and maintenance
- invoicing, payment processing, and financial administration
- customer support and communication
- development of services and business
Marketing and sales
- marketing Centro Cloud services
- managing potential customer relationships
Service usage
- maintaining and improving service functionality
- monitoring performance and resolving issues
- preventing misuse and ensuring security
- analyzing trends and usage
4. Categories of Personal Data
Centro Cloud may process the following personal data:
Basic information
- name
- email address
- phone number
- address
Customer and account data
- user credentials (encrypted password)
- user roles and permissions
- user preferences (e.g. language)
- billing and payment information
Technical and usage data
- IP address
- timestamps (date and time)
- browser, device, and operating system information
- usage logs and activity within the service
Additional data (where applicable)
- personal identity number (if required for specific use cases)
5. Sources of Personal Data
Personal data is collected from:
- the customer or user directly
- use of the Centro Cloud service
- public sources (for potential customers, where applicable)
6. Legal Basis for Processing
Centro Cloud processes personal data based on:
- Contract – to provide the service
- Consent – where required (e.g. certain marketing or user-provided data)
- Legitimate interest – such as service development, security, and B2B marketing
- Legal obligation – e.g. accounting requirements
7. Data Sharing and Sub-processors
Personal data is accessible only to Centro Cloud personnel who need it to perform their duties.
Centro Cloud uses trusted sub-processors to deliver its services. These may include providers for:
- hosting and infrastructure
- email delivery
- payment processing
- financial administration
- identity and business verification
All sub-processors are contractually bound to comply with data protection requirements equivalent to those of Centro Cloud.
Current sub-processors include:
- Akamai
- Postmark
- Stripe
- Procountor
- Signicat
- Dun & Bradstreet
8. International Data Transfers
Personal data is primarily processed within the EU/EEA.
If data is transferred outside the EU/EEA, Centro Cloud ensures appropriate safeguards, such as:
- European Commission standard contractual clauses
9. Data Security
Centro Cloud implements appropriate technical and organizational measures to protect personal data, including:
- encryption and pseudonymization where applicable
- ensuring confidentiality, integrity, availability, and resilience of systems
- access control and role-based permissions
- system monitoring and logging
- backup and recovery mechanisms
Backups are used only for recovery purposes and are retained for a limited time.
10. Data Retention
Customers
Personal data is processed for the duration of the customer relationship. After termination:
- data is retained for up to 180 days
- after which it is permanently deleted, unless legal obligations require longer retention
Potential customers
Data is reviewed and unnecessary data is deleted at least every 6 months.
Service users
Data is processed as long as the user account is active.
Log data containing personal identifiers may be retained for up to 2 years for security and forensic purposes.
11. Data Subject Rights
Data subjects have the right to:
- access their personal data
- request correction of inaccurate data
- request deletion of data
- restrict processing
- object to processing
- withdraw consent (where applicable)
- receive their data in a portable format
- lodge a complaint with a supervisory authority
Requests should primarily be directed to the relevant data controller (e.g. the customer organization). Centro Cloud assists its customers in fulfilling these requests where required.
12. Data Breaches
Centro Cloud will notify the relevant customer without undue delay of any personal data breach and, where possible, within 72 hours.
The notification includes:
- description of the breach
- affected data and individuals
- likely consequences
- measures taken
The customer is responsible for any required notifications to authorities or data subjects.
13. Confidentiality
All personal data is treated as confidential.
Access is restricted to authorized personnel who are bound by confidentiality obligations.
14. Supervisory Authority
Finnish Data Protection Ombudsman
Address: Ratapihantie 9, 6th floor, 00520 Helsinki
Post: PL 800, 00521 Helsinki
Phone: +358 29 56 66700
Email: tietosuoja@om.fi
15. Cookies
Centro Cloud services do not use cookies.
16. Changes to This Policy
Centro Cloud may update this Privacy Policy from time to time.
Questions about our privacy practices?
If you have any questions about how we handle your data, please contact us.