Privacy Policy

Privacy Policy for Program Applicants

The purpose of this Privacy Policy is to clarify and inform the applicants to our accelerator program (“Applicants”) on how their personal data is processed and stored.

This Privacy Policy may be updated if required in order to reflect the changes in data processing practices or otherwise. The current version can be found on our website. We will not make substantial changes to this Privacy Policy or reduce the rights of Applicants under this Privacy Policy without providing a notice thereof.

Privacy, security and online safety are important for us, and we process all personal data with due care and in accordance with applicable laws and regulations.

1. Controllers’s Contact details

Name: Nordic XR Startups Ltd
Company ID: 28312583

Correspondence address: Mechelininkatu 1 A 00180 Helsinki
E-mail address: info@nordicxrstartups.wpcomstaging.com

Website: https://nordicxrstartups.com

2. Personal data processed and sources of data

Accelerator program team applicants:

– Full names

– Contact information (phone numbers, email addresses, addresses)

– Roles and responsibilities in company

– Information regarding skills, education and professional background

– Any other information submitted or shared during the application process relating to the applicants, applications, company and team profile.

All information is provided by the applicants themselves.

3. Purposes and legal basis for processing of personal data

Purpose

The purpose of the processing is the evaluation and selection of potential applicant teams and key team members for the accelerator program run by the Controller.

The legal basis of the processing of personal data is the need to take steps at the request of the data subjects prior to entering in to a contract.

4. Transfer to countries outside Europe

Applications are submitted via third party service Typeform, which may transfer data outside of the EU/EEA.

We aim to ensure that Applicants’ personal data receives an adequate level of protection in the jurisdictions in which we process it. We provide adequate protection for the transfer of personal data to countries outside of the European Economic Area through agreements with our service providers based on the Standard Contractual Clauses or other similar arrangements.

More information may be obtained from the Typeform privacy policy: https://admin.typeform.com/to/dwk6gt

Applications from the previous year may also be stored in WordPress (run by Automattic Inc) https://automattic.com/privacy

5. Recipients

We only share personal data within the organisation of Controller if and as far as reasonably necessary to perform our Services.

We may however need to share information with our parent companies Nordisk Film Oy and gumi Inc for internal group reporting and communication purposes.

We do not share personal data with third parties outside of Controller’s organization unless one of the following circumstances applies:

It is necessary for the purposes set out in this Privacy Policy

To the extent that third parties need access to personal data to perform the Services, Controller has taken appropriate contractual and organisational measures to ensure that personal data are processed exclusively for the purposes specified in this Privacy Policy and in accordance with all applicable laws and regulations.

For legal reasons

We may share personal data with third parties outside Controller’s organization if we have a good-faith belief that access to and use of the personal data is reasonably necessary to: (i) meet any applicable law, regulation, and/or court order; (ii) detect, prevent, or otherwise address fraud, security or technical issues; and/or (iii) protect the interests, properties or safety of Controller, our Applicants or the public in accordance with the law. When possible, we will inform Applicants about such transfer and processing.

To authorized service providers

We may share personal data to authorized service providers who perform services for us (including data storage, sales, marketing and customer support services). Our agreements with our service providers include commitments that the service providers agree to limit their use of personal data and to comply with privacy and security standards at least as stringent as the terms of this Privacy Policy. Please bear in mind that if you provide personal data directly to a third party, such as through a link on our website, the processing is typically based on their policies and standards.

For other legitimate reasons

If Controller is involved in a merger, acquisition or asset sale, we may transfer personal data to the third party involved. However, we will continue to ensure the confidentiality of all personal data. We will give notice to all Applicants concerned when the personal data are transferred or become subject to a different privacy policy as soon as reasonably possible.

With explicit consent

We may share personal data with third parties outside Controller’s organization for other reasons than the ones mentioned before, when we have the Applicant’s explicit consent to do so. The Applicant has the right to withdraw this consent at all times.

6. Storage period

Controller does not store personal data longer than is legally permitted and necessary for the purpose specified in Section 3.

Typically, we will store Applicant’s personal data for as long as reasonably necessary for internal reporting and documenting purposes and delete it within reasonable time after the relevant Application round has ended or when the Applicant makes a request regarding deletion of Applicant’s personal data.

Due to the frequency of same teams re-applying for the program, data may however be stored for applicants from the previous year to enable easier re-application. For Applicants accepted to take part in the program the data is stored for the duration of the program and as reasonably necessary afterwards for internal reporting and documenting purposes.

7. Applicants’ rights

Right to access

Controller offers access for the Applicants to the personal data processed by Controller. This means that Applicants may contact us and we will inform what personal data we have collected and processed regarding the said Applicant and the purposes such data are used for.

Right to withdraw consent

In case the processing is based on a consent granted by Applicant, Applicant may withdraw the consent at any time. Withdrawing a consent may lead to fewer possibilities for us to process the team application.

Right to correct

Applicants have the right to have incorrect, imprecise, incomplete, outdated, or unnecessary personal data we have stored about the Applicant corrected or completed.

Right to deletion

Applicants may also ask us to delete the Applicant’s personal data from our systems. We will comply with such request unless we have a legitimate ground to not delete the data. We may not immediately be able to delete all residual copies from our servers and backup systems after the active data have been deleted. Such copies shall be deleted as soon as reasonably possible.

Right to object

Applicants may object to certain use of personal data if such data are processed for other purposes than purposes necessary for the performance of our Services to the Applicant or for compliance with a legal obligation.

Applicants may also object any further processing of personal data after prior given consent. If Applicant objects the further processing of personal data, this may lead to fewer possibilities to use our Services.

Notwithstanding any consent granted beforehand for the purposes of direct marketing, Applicant has the right to prohibit us from using Applicant’s personal data for direct marketing purposes, market research and profiling by contacting us on the addresses indicated above or by using the functionalities of the Services or the unsubscribe possibility offered in connection with any direct marketing messages.

Right to restriction of processing

Applicants may request us to restrict certain processing of personal data, this may however lead to fewer possibilities to use our Services.

Right to data portability

Applicants have the right to receive their personal data from us in a structured and commonly used format and to independently transmit those data to a third party.

How to use the rights

The rights mentioned above may be used by sending a letter or an e-mail to us on the addresses set out above, including the following information: name, address, phone number and a copy of a valid ID. We may request the provision of additional information necessary to confirm the identity of the Applicant. We may reject requests that are unreasonably repetitive, excessive or manifestly unfounded.

8. Lodging a complaint

In case Applicant considers our processing of personal data to be inconsistent with the applicable data protection laws, a complaint may be lodged with the local supervisory authority for data protection.

9. Information security

We will take all reasonable and appropriate security measures to protect the personal data we store and process from unauthorised access or unauthorised alteration, disclosure or destruction. Measures include for example, where appropriate, encryption, firewalls, secure facilities and access right systems.

We use administrative, organizational, technical, and physical safeguards to protect the personal data we collect and process. Our security controls are designed to maintain an appropriate level of data confidentiality, integrity, and availability. We regularly test our websites, data centres, systems, and other assets for security vulnerabilities.

Should despite of the security measures, a security breach occur that is likely to have negative effects to the privacy of Applicants, we will inform the relevant Applicants and other affected parties, as well as relevant authorities when required by applicable data protection laws, about the breach as soon as reasonably possible.

Privacy Policy for Direct Marketing Contacts

The purpose of this Privacy Policy is to clarify and inform our contacts (“Contacts”) on the way Nordic XR Startups Ltd (“Controller”) collects and uses personal data for direct marketing purposes.

This Privacy Policy may be updated if required in order to reflect the changes in data processing practices or otherwise. The current version can be found on our website. We will not make substantial changes to this Privacy Policy or reduce the rights of Contacts under this Privacy Policy without providing a notice thereof.

This Privacy Policy only covers data processing carried out by Controller. The Privacy Policy does not address, and we are not responsible for, the privacy practices of any third parties. Controller disclaims all responsibility for the processing carried out by third parties, also in cases where Services include hyperlinks to third parties’ websites. Privacy, security and online safety are important for us, and we process all personal data with due care and in accordance with applicable laws and regulations.

1. Controllers’s Contact details

Name: Nordic XR Startups Ltd
Company ID: 28312583

Website: https://nordicxrstartups.com

2. Personal data processed and sources of data

Contacts have subscribed to receive the newsletter of Controller. All information is provided by the Contact themselves.

Information may include:

-Name

– Title

– Email address

– Company

– Phone number

– Any other information provided by Contact in connection with the subscription.

3. Purposes and legal basis for processing of personal data

Purpose

The purpose of the processing is the management of direct marketing contacts for the sending of newsletters and similar electronic marketing information to recipients who have subscribed or otherwise opted in to receiving such material. The legal basis of the processing is the legitimate interest of the Controller or an ongoing contract and, for newsletter subscribers, consent.

4. Transfer to countries outside Europe

Data regarding Contacts is stored in databases which may transfer personal data to, or access it in, jurisdictions outside the European Economic Area or the Contact’s domicile.

We will take steps to ensure that Contacts’ personal data receives an adequate level of protection in the jurisdictions in which we process it. We provide adequate protection for the transfer of personal data to countries outside of the European Economic Area through intercompany agreements and agreements with our service providers based on the Standard Contractual Clauses or other similar arrangements.

More information regarding the transfers of personal data may be obtained by contacting us on addresses mentioned in this Privacy Policy.

5. Recipients

We only share personal data within the organisation of Controller if and as far as reasonably necessary to fulfill the purposes set out in Section 3. We also share information with our parent companies Nordisk Film Oy and gumi Inc for internal group reporting and communication purposes.

We do not share personal data with third parties outside of Controller’s organization unless one of the following circumstances applies:

It is necessary for the purposes set out in this Privacy Policy

For legal reasons

We may share personal data with third parties outside Controller’s organization if we have a good-faith belief that access to and use of the personal data is reasonably necessary to: (i) meet any applicable law, regulation, and/or court order; (ii) detect, prevent, or otherwise address fraud, security or technical issues; and/or (iii) protect the interests, properties or safety of Controller, our Contacts or the public in accordance with the law. When possible, we will inform Contacts about such transfer and processing.

To authorized service providers

For other legitimate reasons

If Controller is involved in a merger, acquisition or asset sale, we may transfer personal data to the third party involved. However, we will continue to ensure the confidentiality of all personal data. We will give notice to all Contacts concerned when the personal data are transferred or become subject to a different privacy policy as soon as reasonably possible.

With explicit consent

We may share personal data with third parties outside Controller’s organization for other reasons than the ones mentioned before, when we have the Contact’s explicit consent to do so. The Contact has the right to withdraw this consent at all times.

6. Storage period

Controller does not store personal data longer than is legally permitted and necessary for the purposes specified in Section 3.

Typically, we will store Contact’s personal data for as long as the Contact remains a registered subscriber to direct marketing content or for as long as we have another purpose to do so and, thereafter, for no longer than is required or permitted by law or reasonably necessary for internal reporting and reconciliation purposes.

In general, personal data of Contacts are deleted within a reasonable time after the Contact no longer subscribes to direct marketing content or when the Contact makes a request regarding deletion of Contact’s personal data.

7. Contacts’ rights

Right to access

Controller offers access for the Contacts to the personal data processed by Controller. This means that Contacts may contact us and we will inform what personal data we have collected and processed regarding the said Contact and the purposes such data are used for.

Right to withdraw consent

Contacts receiving direct marketing material such as newsletters on the basis of a subscription, may at any time unsubscribe via the unsubscribe button included in the newsletters, or by contacting us.

In case the processing is based on consent, the Contact may withdraw the consent at any time. Withdrawing a consent may lead to fewer possibilities for us to inform you about our services.

Right to correct

Contacts have the right to have incorrect, imprecise, incomplete, outdated, or unnecessary personal data we have stored about the Contact corrected or completed.

Right to deletion

Contacts may also ask us to delete the Contact’s personal data from our systems. We will comply with such request unless we have a legitimate ground to not delete the data. We may not immediately be able to delete all residual copies from our servers and backup systems after the active data have been deleted. Such copies shall be deleted as soon as reasonably possible.

Right to object

Contacts may object to certain use of personal data if such data are processed for other purposes than purposes necessary for the performance of our Services to the Contact or for compliance with a legal obligation.

Contacts may also object any further processing of personal data after prior given consent. If Contact objects the further processing of personal data, this may lead to fewer possibilities to use our Services.

Notwithstanding any consent granted beforehand for the purposes of direct marketing, Contact has the right to prohibit us from using Contact’s personal data for direct marketing purposes, market research and profiling by contacting us on the addresses indicated above or by using the functionalities of the Services or the unsubscribe possibility offered in connection with any direct marketing messages.

Right to restriction of processing

Contacts may request us to restrict certain processing of personal data, this may however lead to fewer possibilities to use our Services.

Right to data portability

Contacts have the right to receive their personal data from us in a structured and commonly used format and to independently transmit those data to a third party.

How to use the rights

We may reject requests that are unreasonably repetitive, excessive or manifestly unfounded.

8. Lodging a complaint

In case Contact considers our processing of personal data to be inconsistent with the applicable data protection laws, a complaint may be lodged with the local supervisory authority for data protection.

9. Information security

Should despite of the security measures, a security breach occur that is likely to have negative effects to the privacy of Contacts, we will inform the relevant Contacts and other affected parties, as well as relevant authorities when required by applicable data protection laws, about the breach as soon as reasonably possible.