Privacy Policy

XMLdation recognizes that your privacy is very important, and we take it seriously. In this privacy policy (“Privacy Policy”) we describe the collection, usage, storage and sharing practices of personal data.

The Privacy Policy covers the following:

  1. Controllers
  2. Contact information
  3. Name of register
  4. What is the legal basis for and purpose of the processing of personal data?
  5. What data do we process?
  6. From where do we receive data?
  7. To whom do we disclose data and do we transfer data outside EU or EEA?
  8. How do we protect the data and how long do we store them?
  9. How do we use cookies and for what purposes?
  10. What are your rights as a data subject?
  11. Who can you be in contact with?
  12. Changes in the Privacy Policy

1. Controllers

XMLdation Oy

Kalevantie 2



(hereafter ”we” or  ”XMLdation”)

and its following group companies:

XMLdation Ireland

2. Contact information for register matters

Any User having any question or request on this Privacy Policy or our privacy practices, can contact us

  • by mail at:

XMLdation Oy

Kalevantie 2



  • by email at:


3. Name of register


4. What is the legal basis for and purpose of the processing of personal data?

The basis of processing personal data is the performance of a contract and XMLdation’s legitimate interest (e.g. customer relationship management, invoicing, direct marketing).

The purposes of processing the personal data are:

  • the delivery and development of our products and services,
  • fulfilling our contractual and other rights, promises and obligations,
  • taking care of the customer relationship and communications with the customers,
  • organizing marketing events,
  • analyzing and profiling behaviour of a customer or other data subject such as a potential customer,
  • electronic and direct marketing,
  • targeting advertising in our and others’ online services.

We use automated decision-making (inc. profiling) to identify the data subjects’ online behavior and purchase habits and create profiles based on the information. We use this information to target marketing and develop our services.

Personal data of the following categories of data subjects are processed:

  • Customer contact persons
  • Newsletter subscribers
  • Potential customer contact customer

5. What data do we process?

We process the following personal data of our customers, their employees or other data subjects (like individuals participating in our trainings and events) in connection with the customer and marketing register:

  • Information of company and company’s contact persons such as name and Business ID of the company and names, contact details, gender, country of residence, language of use, role/title and professional interests of the contact persons;
  • Information related to the account and licenses of the data subject such as account identities, software license information, access rights data;
  • Information related to event participation and trainings such as the name, date and location of the event, dietary or allergy information (only collected with the consent of the data subject);
  • Information supplied by the data subject him-/herself to XMLdation such as web form submissions, online discussion forum posts and profile information, feedback;
  • Information related to the behavior of the data subject in the services and website, which is used for profiling purposes such us the sites and services visited, the duration of visits/use, actions taken on the sites and in services;
  • Technical information about the data subject’s end devices such as IP address, MAC address and operating system;
  • Other possible information supplied by the data subject him-/herself.

6. From where do we receive data?

We receive personal data concerning customers primarily from the following sources: from the data subject him-/herself, the customer company the data subject works for and our group companies.

We receive personal data concerning potential customers primarily from the following sources: from the data subject him-/herself, our group companies, search engines, newspapers and other news sources, professional social media networks, contact information providers and company websites.

For the purposes described in this privacy policy, personal data may also be collected and updated from publicly available sources and based on information received from authorities or other third parties within the limits of the applicable laws and regulations. Data updating of this kind is performed manually or by automated means.

7. To whom do we disclose data and do we transfer data outside EU or EEA?

We process information ourselves and use subcontractors that process personal data on behalf of and for us e.g. providing support and maintenance to our customers, maintaining and hosting our cloud services, marketing services and IT environment as well as providing the hardware and network connections for our products and services.

We disclose personal data to group companies. Data may be disclosed to authorities under compelling provisions.

We transfer and disclose personal data related to customers outside EU/EEA, including but not limited to United States of America. We have implemented suitable safeguards for the transfers and disclosures. We use EU Commission standard contractual clauses or the Privacy Shield system.

8. How do we protect the data and how long do we store them?

Only those of our employees, who on behalf of their working duties are required to process customer data, have access to the systems containing personal data. Each user has a personal username and password to the system. The information is collected into databases that are protected by firewalls, passwords and other technical measures. The databases and the backup copies of them are stored in locked premises and can be accessed only by certain pre-designated persons.

We store the personal data for as long as is necessary considering the purpose of the processing. Personal data about customers is processed and retained during the customer relationship and as long as we deliver services, and after the relationship or service provision has ended for three (3) years. Personal data about potential customers is deleted or updated when it is discovered to be outdated or the data subject is deemed unresponsive to the marketing.

We estimate regularly the need for data storage taking into account the applicable legislation. In addition, we take care of such reasonable actions of which purpose is to ensure that no incompatible, outdated or inaccurate personal data is stored in the register taking into account the purpose of the processing. We correct or erase such data without delay.

9. How do we use cookies and for what purposes?

XMLdation utilizes cookies and other tracking technologies to make its service more user-friendly and to provide enhanced and customized features during your visits to its website and products.

In certain areas of our online services, we use the Snoobi, Google Analytics and Hubspot tools to better understand how our users interact with our services.

Many web browsers present You with the option to prevent cookies provided by third parties. If enabled, the web browser will only allow cookies to be saved by the web service You are currently accessing. The option is accessible through the web browser’s settings (which option will prevent all third party cookies from functioning).

You can erase your web browser’s cookie cache through the web browser settings. Erasing a cookie will delete the unique identifier stored inside the browser cache along with the web usage profile attached thereto. Erasing cookie cache will not prevent the storage of new cookies in the future.

10. What are your rights as a data subject?

As a data subject you have a right to inspect the personal data conserning yourself, which is stored in the register, and a right to require rectification or erasure of the data. You also have a right to withdraw or change your consent, in cases where the processing of the data is based on your consent.

As a data subject, you have a right, according to EU’s General Data Protection Regulation (applied from 25.5.2018) to object to the processing or request restricting the processing of your personal data. Additionally, you have a right to request your data to be delivered to you in a standard format, in case where the processing of data is based on your consent or a contract between us.

You also have a right to lodge a complaint with a data protection authority in your jurisdiction or with the power to investigate processing concerning your personal data.

For specific personal reasons, you also have a right to object to profiling and other processing concerning you, when processing of the personal data is based on our legitimate interest. In connection to your claim, you should identify the specific grounds on which you object to the processing. We can refuse to act on such a request on the basis of the privacy legislation.

As a data subject you have the right to object to profiling in so far as it relates to direct marketing.

11. Who can you be in contact with?

All contacts and requests concerning this privacy policy shall be submitted in writing. Please see section two (2) for contact details.

12. Changes in the Privacy Policy

Should we make amendments to this privacy notice, we will place the amended statement on our website, with an indication of the amendment date. If the amendments are significant, we may also inform you about this by other means, for example by sending an email or placing a bulletin on our homepage. We recommend that you review this privacy notice from time to time to ensure you are aware of any amendments made.

Last updated: 24 May 2018