This Privacy Notice explains how Nosto processes personal data when it acts as a controller, in particular personal data relating to our business contacts and prospects, visitors to nosto.com, and users of the Nosto platform.

Our processing of personal data as a processor on behalf of our customers, when providing our Services, is outside the scope of this Privacy Notice.

Nosto Solutions Oy
Bulevardi 21, 00180 Helsinki
Finland
legal@nosto.com

(hereafter “we” or “Nosto”)

Nosto Solutions Oy
Legal Department
Bulevardi 21, 00180 Helsinki
Finland
legal@nosto.com

We process personal data on one or more of the following legal bases, depending on the situation:

Where we rely on consent, you can withdraw it at any time.

We process personal data for the following purposes:

We use cookies and similar technologies on our website, including for basic analytics. For more information, please see our Cookie Notice.

We may process the following categories of personal data relating to you:

We collect most personal data directly from you, for example when you contact us, sign up for our communications, use the Nosto platform, or attend our events. We may also obtain and update data from third parties, such as our partners, contact-information providers and from other similar reliable sources.

When users access and use the Nosto platform, we process information they provide to us directly and logs relating to how they use the platform. We use this information to provide, secure, support and improve our products and Services.

When a merchant connects to the Nosto Services through a platform or app, we also receive account and contact information about the merchant and the people who administer or use the Nosto platform on its behalf. We act as a controller for this data and use it to create and administer accounts, authenticate users, and provide, secure and support our products and Services.

To the extent we process personal data as a processor on behalf of our customers, that processing is governed by the Data Processing Addendum (DPA) between Nosto and the relevant customer, who is the controller. If you wish to exercise your data protection rights in relation to that data, please contact the relevant controller in the first instance.

We provide certain services that enable connections with and data ingestion from Social Networks. These Additional Product Terms detail Social Network–related data processing and are incorporated into this Privacy Notice as applicable.

We do not sell your personal data. We may share it with service providers (processors) that process personal data on our behalf, for example for hosting, IT and marketing operations. They may only process the data on our instructions and under appropriate contractual and security safeguards.

We may also share personal data with our partners, such as resellers, technology and integration partners, and co-marketing partners, where this is necessary for the purposes described in section 3. Where a partner determines how and why the data is processed, it acts as a separate controller and its own privacy notice applies to that processing.

We may transfer personal data outside the EU/EEA. Where we do, we ensure appropriate safeguards are in place. We rely primarily on the European Commission’s Standard Contractual Clauses, together with any additional measures required, and, where applicable, on an adequacy decision or another transfer mechanism approved under applicable law. You can request more information about these safeguards using the contact details in section 2.

We use appropriate technical and organisational measures to protect personal data. Access is limited to personnel who need it for their work. Our service providers are likewise required to maintain appropriate security measures.

We store personal data only for as long as is necessary for the purposes described in this notice. The retention period depends on the type of data and the purpose, and we may retain data for longer where necessary to comply with legal obligations (such as accounting requirements) or to establish, exercise or defend legal claims. Marketing contact data is reviewed periodically and deleted when no longer needed.

We regularly assess our retention needs in light of applicable law. We also take reasonable measures to ensure that the personal data we hold is accurate, complete and up to date for the purpose of the processing, and we rectify or delete inaccurate data without delay.

Subject to the conditions and exceptions set out in applicable data protection law (including the GDPR), you have the right to:

You can object to the processing of your personal data for direct marketing at any time.

To exercise any of these rights, please contact us at legal@nosto.com.

This US Notice is for individuals residing in certain US states and is designed to help you better understand how we collect, use, and disclose your Personal Data and how to exercise available rights under various applicable privacy laws in the US, such as in California, Colorado, Connecticut, Utah and Virginia.

The categories of Personal Data we collect, our sources, and our purposes are described in sections 4, 5 and 3 of this notice.

You can manage and review how we collect and share your personal data in our Privacy Preference Center.

In several US States, you may have the specific rights to access, correct, delete, and obtain a copy of your Personal Data, to opt out of targeted advertising and certain profiling. To make a request, email legal@nosto.com; we will verify it against the information we hold. Where your state’s law gives you a right to appeal a decision on your request, we will tell you how to do so. You will never be treated differently for exercising these rights.

We may update this Privacy Notice from time to time, for example to reflect changes in our processing or in legal requirements. The current version is always available on our website. If a change is significant, we may also notify you by other appropriate means.