Sievo Trust Center
We strive for the highest standards in security, compliance and governance.
Updated: Oct 28, 2024
Introduction
Sievo Oy and its subsidiaries Sievo, Inc. and Sievo Procurement Analytics SRL provides procurement analytics solutions that help enterprise businesses analyze and control procurement spending. When we refer to “Sievo” or use the terms “we”, “us” or “our” in this Privacy Policy (“Policy”), we may mean either one or all of the Sievo entities identified above. Each of the sections below begins with an identification of the relevant Sievo entity or entities to which the contents of the section apply.
Sievo is committed to complying with the European Union’s General Data Protection Regulation “GDPR” and other applicable data privacy legislation across our products and solutions and in any other contexts in which we process personal data.
This Policy describes how Sievo as a controller collects, uses, shares, and otherwise processes your personal data on our website, online platforms, and our digital communications as well as in relation to our sales and marketing activities.
This Policy applies when you engage in the following activities:
-
visit our website sievo.com and our online social media pages,
-
register and/or attend events hosted by Sievo,
-
do business with us or communicate with us on behalf of a business,
-
explore and engage in career opportunities at Sievo.
Sievo’s solutions are designed primarily for businesses and are not intended for personal or household use. The information we provide on our website sievo.com is aimed for professionals in a business context, so we view information about any visitors to this website as individuals acting on behalf of businesses.
If you have questions, complaints, or concerns about how your personal data is processed you can reach out to Sievo's Data Privacy Officer Jussi Latola over email privacy@sievo.com or via the post: Attention of Jussi Latola, Data Privacy Officer, Sievo Oy, Mikonkatu 15A, 00100, Helsinki, Finland.
Use of Cookies on our website and in marketing
Sievo uses cookies and other similar technologies (all referred to as “cookies” in this Policy) on its website sievo.com. A ”cookie” is a small text file that is placed on a web browser or internet-enabled device to record information related to how a website is used.
We use cookies firstly to improve the visitor experience on our website sievo.com. The cookies provide information about your computer or mobile device to inform us what web pages you visit, and if you are a repeat visitor. Website tracking cookies we use are from the following service providers: Google, Hubspot, Vimeo, and ZoomInfo.
In addition, we use cookies to improve the relevance of our marketing communications. Our marketing communications partners Facebook, Google, Hubspot, Twitter, and LinkedIn use non-personally identifiable cookies to serve relevant advertisements. We only partner with online advertising networks that comply with the strictest common online advertising standards.
All visitors to sievo.com are provided the ability to opt-out of website tracking cookies through a cookie banner highly visible when you first visit our website.
A list of cookies we use is available at the end of this page: List of cookies used on the website
HELPFUL ADVICE ABOUT COOKIES
Most web browsers let you remove or reject cookies, including the cookies we use for tracking website visits. In addition, online advertising platforms like Facebook, Google, and LinkedIn provide the ability to opt-out use of your information in advertising. For more information about cookies, visit: https://www.allaboutcookies.org/
Email Marketing Lists and Opt-Out
Sievo sends email communications to customers, relevant business decision-makers, and contacts who have shown interest in Sievo’s software and solutions on our website.
We only send emails to contacts in relation to whom we have a legitimate interest in processing personal data. These are common ways you may get an email from Sievo:
-
you are a customer or work in a partner organization of Sievo and we communicate to you product and service updates,
-
you have opted into receiving information from Sievo on our website or through marketing content we have provided in partner services (online or in-person events, social media.)
-
you have shared your professional contact details and opted-in to being contacted in business matters through business-to-business databases services such as Zoom-Info or LinkedIn. You can remove your contact details from these services following these guidelines: ZoomInfo, LinkedIn.
We only use your contact details to provide you with information on us and our products. You can unsubscribe at any point through a link provided in all of our email communications. We never sell your personal data to any third party.
We treat your personal data as confidential and apply best practice information security practices to protect it. We adhere to applicable laws regarding personal data protection.
If you have any comments regarding our email communications, you can contact privacy@sievo.com.
Processing of Personal Data on our website
Sievo Oy operates the website sievo.com on which you are able to share personal data with Sievo in order to engage in business conversations and opt-in to learn about our solutions. The controller for personal data collected through our website is Sievo Oy.
Personal data collected: first name, last name, company, email address, phone number, and any other data you include in the message or website form submission you post.
Purpose of processing: your data is collected, used, stored, and processed for the purpose of contacting the customers and prospective customers of Sievo, as well as analyzing and managing relationships with customers and prospective customers of Sievo. The information you provide may be used for direct marketing, including email and telephone communications.
Legal basis for data processing: your data is processed based on our legitimate interest. Sievo has the legitimate interest to process your data to be able to communicate with you in the way specified above and to promote our solutions to our customers and prospective customers.
Sources of data: electronic forms available on our website sievo.com. We may combine this data with other data available to Sievo based on a business relationship with your company or with data from public sources.
Retention policy: your data will be processed as long as is necessary for the purpose specified above and as long as Sievo has a legitimate need to keep the data. You can ask us to remove your data at any time.
For information on how we may share your personal data as well as information on your rights, please refer to the relevant sections below in this Policy.
Processing of Personal Data for business relation management
Each Sievo entity collects personal data of representatives of its customers, suppliers, and other business partners from different sources in order to run its business. Each Sievo entity is the controller for the personal data of the representatives of such customers, suppliers, and other business partners with which it has concluded an agreement.
The need for the provision of personal data in the manner described below is partially based on the contract between us and the organization you represent, and Sievo needs this data in order to enter into and to manage the business relation. The non-delivery of personal data may prevent us from performing our contractual or other obligations or commitments towards the organization you represent, which may lead to impediments to our business relation with the organization.
Personal data collected: the personal data collected and processed by us include your name, address, email address, phone number, details related to any meetings or communications through different channels between you as a representative of the organization and us, including meeting recordings if you have consented to have the meeting recorded and any other information you choose to provide to us as a representative of an organization. The data also includes information related to the business relation between us and the organization you represent, such as the name of the organization, information related to the contract between us and the organization, and your association with the contract, invoicing, and payment details, as well as your title.
Purpose of processing: we mainly use your personal data for the purposes directly arising from the contractual or business relation between us and the organization you represent. These purposes include entering into a contract and performing our obligations based on the contract we have concluded with the organization you represent; taking care of, managing, and developing our business or other relation with the organization; and invoicing and keeping track of the accuracy of invoicing.
Legal basis for data processing: the legal basis for processing is our legitimate interest to conduct our business and your relation to the organization with whom we conduct our business. The legitimate interest to process your data may also be other legitimate business interest, such as ensuring and improving data security or the security of our premises and data network; protecting our property; preventing and investigating suspected malpractices; analyzing and compiling statistics for business purposes and to develop our business, products, and solutions. We may also process your personal data to comply with a legal obligation based on e.g. tax or accounting-related legislation or based on other legal obligations to which we are subject.
Sources of data: we primarily obtain your personal data directly from you. You may provide us personal data for instance by sending us emails, through phone conversations or meetings with us, or through documents you provide to us. We may obtain personal data relating to you also from other representatives of your organization. We may collect and update personal data also from publicly available sources, or registers of authorities and companies providing services related to personal data.
Retention policy: your data will be processed as long as is necessary for the purpose specified above and as long as Sievo has a legitimate need to keep the data. The retention period of your personal data is ultimately tied to the term of the business relation between us and the organization you represent. We may however continue to store your personal data after the end of the business relation to the extent necessary for certain legitimate business interests or if the data is necessary for purposes of protecting our rights.
For information on how we may share your personal data as well as information on your rights, please refer to the relevant sections below in this Policy.
Processing of Personal Data for Recruitment
On our website sievo.com you are able to share personally identifiable data with Sievo in order to apply for career opportunities and share your interest in working for Sievo. Each Sievo entity is the controller for the personal data of its own job applicants.
Personal data collected: first name, last name, email address, and phone number. The collected data may include also information relating to your suitability for the open position, such as information on work experience, qualification data, and information relating to education, results of personal and aptitude assessment, or other suitability assessment data (those candidates that are, on the basis of the first interview, suitable for the position, may be required to participate to a personal and aptitude assessment). The data may also contain other information obtained from you, such as job application and possible appendices of the application, other information accumulated during the recruitment process, such as notes made by the interviewers, communications between you and us, and to the extent permitted by applicable law, drug test certificate or data included in it in order to establish your performance and ability to work, or your personal credit information in order to establish your reliability. If you are a job applicant for Sievo, Inc., we may perform a background check in the context of which we may process data relating to criminal convictions and offenses.
Purpose of processing: your data is collected, used, stored, and processed for the purpose of contacting you in relation to career opportunities at Sievo and for other purposes related to the recruitment process.
Legal basis for data processing: the processing is necessary in order to take steps at your request prior to entering into an employment contract between you and us. The processing may also be based on our legitimate interest, such as maintaining a CV database, or other legitimate interests, such as ensuring and improving data security or the security of our premises and data network; protecting our property; preventing and investigating suspected malpractices; analyzing and compiling statistics for business purposes and to develop our business. To the extent you provide us with sensitive personal data during the recruitment process, the processing of such data is based on your explicit consent.
Sources of data: electronic forms available on our website sievo.com and/or within job profiles published on data processor website jobylon.com, as well as possible communications and meetings between you and us.
Retention policy: your data will be processed as long as is necessary for the purpose specified above and as long as Sievo has a legitimate need to keep the data. Our standard policy is to remove personal data of candidates in our recruitment register after a recruitment process has been concluded, or after one year has passed from the relevant recruitment decision.
For information on how we may share your personal data as well as information on your rights, please refer to the relevant sections below in this Policy.
Sharing of personal data and transfers outside the EU
Each Sievo entity may share personal data as described below in this section.
We may transfer your personal data to our service providers, including but not limited to suppliers and sub-contractors working on our behalf for the purposes of completing tasks and providing services to us.
When transferred to an entity processing personal data on behalf of us (i.e. processors), we have, including by contractual arrangements ensured that personal data is processed only under the instructions provided by us and for the purposes specified in this Policy. The processing carried out by processors may include in particular the provision of data systems and other such services to us.
Sievo entities may disclose personal data to other Sievo entities for purposes that are consistent with this Policy. For example, we may disclose your contact information to facilitate communication between you and another Sievo entity or to facilitate the provision of services to or contract negotiations between the organization you represent and another Sievo entity.
We may disclose your personal data within the limits permitted or required by the applicable laws, for example to authorities, external advisors, or other third parties. We may disclose personal data to law enforcement authorities including where such disclosure is necessary for compliance with a legal obligation to which we are subject, or for the establishment, exercise, or defense of legal claims, whether in court proceedings or in an administrative procedure. We may also disclose personal data to data analytics providers to compile and analyze statistics relating to the usage of our services, to marketing partners, including advertisement networks and social media service providers, as well as to other service providers such as a debt collection agency for purposes of debt collection, but only to the extent that the fulfillment of their tasks requires the disclosure of personal data. If we are involved in a merger, sale of assets or other business transaction or reorganization, we may disclose limited amounts of personal data to the purchaser candidates and their representatives in accordance with the applicable law.
Sievo Oy and Sievo Procurement Analytics SRL are EU-based companies, but Sievo, Inc. is based in the United States. In addition, some of our service providers to whom we transfer personal data are located or may store personal data outside the EU or the European Economic Area (EEA), and therefore to the extent necessary, personal data may be transferred to countries outside the EU or the EEA. In such cases, we will ensure an adequate level of data protection. Information on transfers of personal data outside the EU or EEA area and on the appropriate safeguards, such as EU Standard Contractual Clauses, applied thereto from time to time is available from the contact person mentioned in the beginning of this Policy.
Your rights
In this section, we have summarized the rights that you as a data subject have under the GDPR. Some of the rights are complex and are subject to certain exceptions, and to keep this Policy concise, not all of the details have been included in the below summaries.
If you have declared your consent regarding certain types of processing activities, you can withdraw this consent at any time with future effect. Such a withdrawal will not affect the lawfulness of the processing prior to the consent withdrawal.
You have the following rights:
-
Right of access: You have the right to obtain from us confirmation as to whether personal data related to you is processed, and, where that is the case, to access such personal data as well as certain information about our processing of it and your rights in relation to it.
-
Right to rectification: You have the right to obtain from us rectification of any inaccurate personal data we hold about you.
-
Right to be forgotten: In certain circumstances, you have the right to obtain the erasure of the personal data we hold about you, subject to certain exceptions.
-
Right to restriction of processing: Under certain circumstances, you may have the right to obtain from us restriction of our processing of your personal data or to object to us processing your personal data. If you object, we will stop processing your personal data unless certain exceptions apply.
-
Right to data portability: Where the legal basis for processing your personal data is your consent or an agreement directly entered between you and us, and we process your data by automated means, you may have the right to be provided with the personal data we hold about you in structured, commonly used and machine-readable format and to transmit the data to another controller.
-
Right to object and opt-out from marketing: If you wish us to stop processing your personal data for marketing purposes, we will stop processing your personal data for this purpose. When we collect your data, you may be provided the possibility to choose whether or not you wish to receive marketing communications from us. If you wish to stop receiving marketing communications, you can opt-out at any time by clicking the unsubscribe link at the bottom of one of our emails or by contacting us by other means.
To exercise any of these rights, reach out to the contact person mentioned in the beginning of this Policy.
If you consider that our processing of your personal data infringes the data protection laws, you have the right to lodge a complaint with a data protection supervisory authority. You may do this in the EU member state of your habitual residence, your place of work, or the place of the alleged infringement. The website of the Finnish competent authority, the Office of the Data Protection Ombudsman, is available here.
Updates to the Policy
Each time you visit our website or use our products you will have access to the latest version of our Policy. We encourage you to review this Policy regularly if you use our services or otherwise interact with us. You can see the last date updated at the top of this Policy.
Sievo as a processor
The GDPR and data protection laws of some other countries differentiate between “controllers” and “processors” of personal data. A “controller” determines the purposes and means (or the why and the how) of processing personal data. A “processor”, which is sometimes referred to as a “service provider,” processes personal data on behalf of a controller under contract concluded between the two and subject to restrictions set out in such contract.
Our customers rely on our services to help them manage and process large amounts of data, which may include also personal data. We refer to this type of data and personal data as “Customer Data.” When we process Customer Data, we generally act as a processor and our customers as controllers. This means we process Customer Data on behalf of our customers subject to restrictions set forth in our contracts with them.
This Policy does not cover or address how we or our customers process Customer Data. In addition, we are generally not permitted to respond to individual data subject requests relating to Customer Data. As a result, we recommend referring to the privacy notice of the customer with which you have a relationship for information on how they process personal data as a controller and on how they engage processors, like us, to process Customer Data on their behalf.
List of cookies used on the website
The specific types of first and third-party cookies served through our website and the purposes they perform are described in the table below (please note that the specific cookies served may vary depending on the specific Online Properties you visit). You can revoke permissions and update your cookie settings on this page.
Essential website cookies
These cookies are strictly necessary to provide you with services available through our website and to use some of its features, such as access to secure areas.
Name: __cf_bm
Purpose: Cloud flare's bot products identify and mitigate automated traffic to protect your site from bad bots. Cloudflare places the __cf_bm cookie on End User devices that access Customer sites that are protected by Bot Management or Bot Fight Mode. The __cf_bm cookie is necessary for the proper functioning of these bot solutions.
Provider: hsforms.net
Expires In: Session
Name: __cf_bm
Purpose: Cloud flare's bot products identify and mitigate automated traffic to protect your site from bad bots. Cloudflare places the __cf_bm cookie on End User devices that access Customer sites that are protected by Bot Management or Bot Fight Mode. The __cf_bm cookie is necessary for the proper functioning of these bot solutions.
Provider: vimeo.com
Expires In: 30 minutes
Name: _cfuvid
Purpose: This cookie is used to apply rate limits to traffic. It allows the Cloudflare WAF to distinguish individual users who share the same IP address.
Provider: vimeo.com
Expires In: Session
Name: hs_ab_test
Purpose: Used to consistently serve visitors the same version of an A/B test page they’ve seen before
Provider: sievo.com
Expires In: Session
Name: __cf_bm
Purpose: Cloud flare's bot products identify and mitigate automated traffic to protect your site from bad bots. Cloudflare places the __cf_bm cookie on End User devices that access Customer sites that are protected by Bot Management or Bot Fight Mode. The __cf_bm cookie is necessary for the proper functioning of these bot solutions.
Provider: hubspot.com
Expires In: 29 minutes
Name: __hs_do_not_track
Purpose: Prevents the tracking code from sending any information to HubSpot
Provider: sievo.com
Expires In: 179 days
Name: NID
Purpose: This cookies is used to collect website statistics and track conversion rates and Google ad personalisation
Provider: google.com
Expires In: 182 days
Name: __cf_bm
Purpose: Cloud flare's bot products identify and mitigate automated traffic to protect your site from bad bots. Cloudflare places the __cf_bm cookie on End User devices that access Customer sites that are protected by Bot Management or Bot Fight Mode. The __cf_bm cookie is necessary for the proper functioning of these bot solutions.
Provider: sievo.com
Expires In: 29 minutes
Name: __cfruid
Purpose: Used by the content network, Cloudflare, to identify trusted web traffic.
Provider: sievo.com
Expires In: Session
Name: __cf_bm
Purpose: Cloud flare's bot products identify and mitigate automated traffic to protect your site from bad bots. Cloudflare places the __cf_bm cookie on End User devices that access Customer sites that are protected by Bot Management or Bot Fight Mode. The __cf_bm cookie is necessary for the proper functioning of these bot solutions.
Provider: t.co
Expires In: Session
Name: __hs_cookie_cat_pref
Purpose: The HubSpot Cookie Banner's consent preferences cookie.
Provider: sievo.com
Expires In: Session
Name: __cf_bm
Purpose: Cloud flare's bot products identify and mitigate automated traffic to protect your site from bad bots. Cloudflare places the __cf_bm cookie on End User devices that access Customer sites that are protected by Bot Management or Bot Fight Mode. The __cf_bm cookie is necessary for the proper functioning of these bot solutions.
Provider: hsforms.com
Expires In: Session
Name: __cf_bm
Purpose: Cloud flare's bot products identify and mitigate automated traffic to protect your site from bad bots. Cloudflare places the __cf_bm cookie on End User devices that access Customer sites that are protected by Bot Management or Bot Fight Mode. The __cf_bm cookie is necessary for the proper functioning of these bot solutions.
Provider: apollo.io
Expires In: Session
Performance and functionality cookies
These cookies are used to enhance the performance and functionality of our Websites but are non-essential to their use. However, without these cookies, certain functionality (like videos) may become unavailable.
Name: VISITOR_INFO1_LIVE
Purpose: Tries to estimate the users' bandwidth on pages with integrated YouTube videos.
Provider: youtube.com
Expires In: 179 days
Name: mid
Purpose: This is an Instagram cookie that enables social media functionality within the site.
Provider: instagram.com
Expires In: Session
Name: test_cookie
Purpose: This cookie is set by DoubleClick (which is owned by Google) to determine if the website visitor's browser supports cookies.
Provider: doubleclick.net
Expires In: 14 minutes
Name: AnalyticsSyncHistory
Purpose: Used to store information about the time a sync with the lms_analytics cookie took place for users in the Designated Countries
Provider: linkedin.com
Expires In: 29 days
Analytics and customization cookies
These cookies collect information that is used either in aggregate form to help us understand how our Websites are being used or how effective our marketing campaigns are, or to help us customize our Websites for you.
Name: ar_debug
Purpose: This cookie is used by DoubleClick to debug ads.
Provider: google-analytics.com
Expires In: 89 days
Name: YSC
Purpose: Registers a unique ID to keep statistics of what videos from YouTube the user has seen.
Provider: youtube.com
Expires In: Session
Name: VISITOR_PRIVACY_METADATA
Purpose: Used to track and enrich the users privacy settings on the Youtube platform
Provider: youtube.com
Expires In: Session
Name: vuid
Purpose: This first party cookie created by Vimeo is used to assign a Vimeo Analytics unique id.
Provider: vimeo.com
Expires In: 400 days
Name: _ga_6GSXTP15JK
Purpose: Used to persist session state
Provider: sievo.com
Expires In: 399 days
Name: li_sugr
Purpose: Used to make a probabilistic match of a user's identity outside the Designated Countries
Provider: linkedin.com
Expires In: 90 days
Name: _ga
Purpose: ID used to identify users
Provider: sievo.com
Expires In: 399 days
Name: __hssrc
Purpose: Used to determine if a session is a new session
Provider: sievo.com
Expires In: Session
Name: __hssc
Purpose: Analytics session cookie
Provider: sievo.com
Expires In: 29 minutes
Name: __hstc
Purpose: Analytics tracking cookie
Provider: sievo.com
Expires In: 179 days
Name: hubspotutk
Purpose: Contains visitor's identity
Provider: sievo.com
Expires In: 179 days