Privacy Policy

Onpane ("we," "us," or "our") operates the Onpane website announcement service accessible at onpane.com (the "Service"). This Privacy Policy explains how we collect, use, disclose, and safeguard your personal data when you visit our website or use our Service. Onpane is operated from Finland and is subject to the General Data Protection Regulation (GDPR) and applicable Finnish data protection legislation.

By accessing or using the Service, you acknowledge that you have read, understood, and agree to the practices described in this Privacy Policy. If you do not agree with the terms of this Privacy Policy, please do not access or use the Service.

1. Information We Collect

We collect the following categories of personal data in connection with providing the Service:

• Account Data: When you create an account, we collect your email address, name, and authentication credentials. If you choose to sign in via a third-party provider, we receive the profile information made available by that provider.
• Website and Project Data: We store information about the websites and projects you register with the Service, including announcement configurations, display settings, and scheduling preferences.
• Payment Information: Payment transactions are processed by our third-party payment processor. We do not directly collect or store your full credit card number, bank account details, or other payment instrument data. We receive limited information from our payment processor, such as the last four digits of your card, card type, and billing address, for the purpose of maintaining your account and transaction records.
• Usage and Analytics Data: We automatically collect information about how you interact with the Service, including pages visited, features used, browser type, device information, IP address, and referring URLs.
• Cookies and Similar Technologies: We use cookies, local storage, and similar technologies to maintain your session, remember your preferences, and collect analytics data. See Section 5 below for further details.

2. How We Use Your Information

We use the personal data we collect for the following purposes:

• Provide and Maintain the Service: To operate, deliver, and improve the functionality of the Service, including managing your account, processing your announcement configurations, and delivering the widget to your websites.
• Process Payments: To facilitate subscription billing and payment processing through our third-party payment processor.
• Send Service Communications: To send you transactional emails related to your account, such as password reset notifications, billing confirmations, and important service updates.
• Improve the Service: To analyze usage patterns, diagnose technical issues, and develop new features and enhancements.
• Comply with Legal Obligations: To fulfill our obligations under applicable laws, regulations, and legal processes.

3. Legal Basis for Processing (GDPR)

Under the General Data Protection Regulation, we process your personal data on the following lawful bases:

• Performance of a Contract (Article 6(1)(b)): Processing of your account data and website/project data is necessary for the performance of the contract between you and Onpane, namely the provision of the Service as described in our Terms of Service.
• Legitimate Interests (Article 6(1)(f)): We process usage and analytics data based on our legitimate interest in understanding how the Service is used, improving its functionality, ensuring its security, and preventing fraud. We have assessed that these interests are not overridden by your fundamental rights and freedoms.
• Consent (Article 6(1)(a)): Where required, we obtain your consent for the use of non-essential cookies and for marketing communications. You may withdraw your consent at any time without affecting the lawfulness of processing carried out prior to withdrawal.
• Legal Obligation (Article 6(1)(c)): We process certain data, including payment records and tax-related information, to comply with applicable legal requirements, such as tax reporting and accounting obligations under Finnish law and EU regulations.

4. Data Sharing and Third Parties

We do not sell, rent, or trade your personal data to third parties. We may share your data with the following categories of recipients solely for the purposes described in this Privacy Policy:

• Payment Processors: We share necessary billing information with our third-party payment processor to facilitate subscription payments and manage your billing account.
• Analytics Providers: We may use third-party analytics services to help us understand usage trends and improve the Service.
• Hosting and Infrastructure Providers: We use third-party hosting and cloud infrastructure services to operate and deliver the Service.

All third-party service providers are contractually obligated to process your data only on our behalf and in accordance with our instructions. Where required, we have entered into data processing agreements that comply with the requirements of the GDPR.

5. Cookies and Tracking Technologies

We use cookies and similar technologies for the following purposes:

• Essential Cookies: These cookies are strictly necessary for the operation of the Service. They include session cookies and authentication tokens that enable you to log in and use your account securely. These cookies cannot be disabled.
• Analytics Cookies: These cookies help us understand how visitors interact with the Service by collecting information about pages viewed, time spent on the site, and navigation patterns. This data is used in aggregate to improve the Service.

You can manage your cookie preferences through your browser settings. Most browsers allow you to block or delete cookies. However, please note that blocking essential cookies may prevent you from using certain features of the Service. For information on how to manage cookies in your browser, consult your browser's help documentation.

6. Data Retention

We retain your personal data only for as long as necessary to fulfill the purposes for which it was collected:

• Account Data: Retained for the duration your account remains active. Upon account deletion, your account data is permanently removed from our systems within a reasonable timeframe.
• Payment Records: Retained as required by applicable tax and accounting laws, typically for a period of six (6) years following the relevant transaction, in accordance with Finnish bookkeeping legislation.
• Analytics Data: Retained in aggregated or anonymized form for service improvement purposes. Identifiable analytics data is deleted or anonymized within a reasonable period.

7. Your Rights Under GDPR

If you are located in the European Economic Area (EEA), you have the following rights with respect to your personal data:

• Right of Access: You have the right to request a copy of the personal data we hold about you.
• Right to Rectification: You have the right to request that we correct any inaccurate or incomplete personal data.
• Right to Erasure: You have the right to request the deletion of your personal data, subject to certain legal exceptions.
• Right to Restriction of Processing: You have the right to request that we restrict the processing of your personal data under certain circumstances.
• Right to Data Portability: You have the right to receive your personal data in a structured, commonly used, and machine-readable format and to transmit that data to another controller.
• Right to Object: You have the right to object to the processing of your personal data based on legitimate interests or for direct marketing purposes.

To exercise any of these rights, please contact us at [email protected]. We will respond to your request within one (1) month, as required by the GDPR. If you believe that our processing of your personal data infringes applicable data protection law, you have the right to lodge a complaint with a supervisory authority, in particular in the EU Member State of your habitual residence, place of work, or place of the alleged infringement. In Finland, the competent authority is the Office of the Data Protection Ombudsman (Tietosuojavaltuutetun toimisto).

8. International Data Transfers

Onpane is operated from Finland within the European Union. Your data is primarily stored and processed within the EU/EEA. However, some of our third-party service providers may process data in jurisdictions outside the EEA. In such cases, we ensure that appropriate safeguards are in place, including Standard Contractual Clauses approved by the European Commission or reliance on adequacy decisions, to ensure that your personal data receives an adequate level of protection as required by the GDPR.

9. Data Security

We implement appropriate technical and organizational measures to protect your personal data against unauthorized access, alteration, disclosure, or destruction. These measures include encryption of data in transit and at rest, secure authentication mechanisms, access controls limiting data access to authorized personnel, and regular security assessments. While we strive to protect your personal data, no method of transmission over the Internet or method of electronic storage is completely secure, and we cannot guarantee absolute security.

10. Children's Privacy

The Service is not directed at individuals under the age of sixteen (16). We do not knowingly collect personal data from children under 16. If we become aware that we have collected personal data from a child under 16, we will take steps to delete such data promptly. If you believe that we may have collected personal data from a child under 16, please contact us at [email protected].

11. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technologies, legal requirements, or other factors. When we make material changes, we will notify you by email to the address associated with your account or by placing a prominent notice on the Service prior to the change becoming effective. We encourage you to review this Privacy Policy periodically. Your continued use of the Service after the effective date of any changes constitutes your acceptance of the updated Privacy Policy.

12. Governing Law

This Privacy Policy and any disputes arising out of or in connection with it shall be governed by and construed in accordance with the laws of the Republic of Finland, without regard to its conflict of law provisions. The provisions of the General Data Protection Regulation (EU) 2016/679 and other applicable EU data protection legislation shall apply to the extent they govern the processing of personal data described herein.

13. Contact Us

If you have any questions, concerns, or requests regarding this Privacy Policy or our data processing practices, please contact us at: