No Bullshit Privacy Policy
Last updated: April 8, 2023
This is a privacy policy that is required by the EU General Data Protection Regulation (GDPR). However, this is not just an ordinary privacy policy. Because we noticed that no one really knows what kind of privacy policy you have to write if you want to be GDPR compliant, and we didn’t want to pay thousands of euros to clueless consultants, we decided to write our own “No Bullshit Privacy Policy”.
This privacy policy identifies every bit of information that we have from our customers. In other words, after you have read this privacy policy, you should know exactly what information we save to our database, what kind of backups we take, and what information is transferred to third parties.
Also, keep in mind that we update this privacy policy from time to time. If you are a student of the Test With Spring course, we will notify you about these updates by sending an email to the email list of the Test With Spring course.
Note that our cookie policy is also a part of this privacy policy.
Table of Contents:
- TL;DR
- Who Collects Your Data?
- The Person in Charge of the Collected Data
- The Data Sources of the Collected Data
- Data Collected by the testwithspring.com Website
- The Data Collected by Our Sales Reporting Software
- The Data Stored in Backups
- Regular Transfer of Data
- Transfer of Data Outside the EU or EEA
- The Principles of Protecting the Collected Data
- Individual Rights
TL;DR
We know that this privacy policy is quite long, and that’s why it takes a lot of time to read the entire document. Therefore, we decided to write this section that gives you a quick overview of the data that is collected by this website. This section also provides links to the other sections of this privacy policy. These links allow you to take a closer look at the information that is collected by this website and transferred to other services.
This website collects the following data:
Analytics. We use two products that gather information about the visitors of this website: Youtube and Wistia.
- We use Youtube for broadcasting our live webinars. When a user watches a live webinar or a webinar replay, Youtube gathers analytics data about the user’s activity.
- We use Wistia as our video platform. When a user watches a lesson, Wistia gathers analytics data about the user’s activity. Because we use Wistia’s privacy mode, Wistia won’t collect any personally identifying viewer data. This means that the Wistia player anonymizes IP addresses, and disables both session and cookie tracking.
Backups. We take regular backups because we want to be able to recover from incidents that lead to loss of data. These backups contain all files of the website and the full content of its database. All backups are stored on encrypted hard drives.
Comments. Students can publish comments on this website. When a student publishes a new comment on this website, WordPress collects the IP address, username, and email address of the student. Also, WordPress saves the comment text and a creation timestamp to the database. When a user submits the comment form, he/she gives us his/her consent to collect this information and save it to our database. All comments are stored indefinitely.
Email. We use two different email services: Drip and Mailgun.
- If you subscribe to the course’s newsletter, we save your information to the database and transfer it to Drip. Drip allows us to send email newsletters to our subscribers and it gathers statistics about the email activity of our subscribers.
- We use Mailgun for sending all emails which are sent by this website. When this website sends an email with Mailgun, this website writes information to the email log.
Payments. When you purchase this course, the information you provide on the Checkout page is transferred to Stripe and Taxamo. Keep in mind that your credit card information (number, expiration date, and CVC) is transferred only to Stripe.
- Stripe is a payment gateway and we use it for processing credit card payments. It will also provide security measures that protect people from becoming a victim of credit card fraud.
- Taxamo allows us to determine the correct VAT that must be paid to the EU member country where the course is consumed. It will also collect the evidence that’s required by the EU VAT rules.
Security. We use the Wordfence WordPress plugin that provides additional protection for this website. This plugin analyzes all incoming HTTP requests (including login attempts) and collects data that is required to identify and block malicious traffic. Also, we log all incoming HTTP requests to a so-called access log.
Testimonials. A student who has purchased this course can give us a testimonial which helps us to market this course. If a user decides to do so, his/her testimonial is saved to the database of this website. We can use this testimonial in our marketing efforts after the student has given us his/her permission to do so.
User account. When you purchase this course, you have to create a user account and your order is saved to the database (we don’t save or log your credit card information). Also, we use Learndash as a learning management system (LMS), and it collects the information that helps you to track your progress and ensures that you can consume the content of the purchased package.
Who Collects Your Data?
Your data is collected by Koodikupla Oy. Koodikupla is a limited liability company that is owned by Petri Kainulainen. Its address is:
Koodikupla Oy (Business ID: 2748994-2)
Arkkitehdinkatu 34 C 27
33720 Tampere
Finland
The Person in Charge of the Collected Data
The person who is in charge of the collected data is Petri Kainulainen. His contact information is given below:
Petri Kainulainen
Arkkitehdinkatu 34 C 27
33720 Tampere
Finland
Email address: petri.kainulainen@koodikupla.fi
The Name of the Register
The customer and student register of the Test With Spring Course.
The Data Sources of the Collected Data
The data that is collected by Koodikupla Oy or sent to third parties is either received from the user or determined from the data given by the user. The exact data sources of the collected data are described in the following sections.
Data Collected by the testwithspring.com Website
This section describes the data that is collected by the testwithspring.com website. If you want to take a look at a specific subsection of this section, you can use the following links:
- Access Log
- Blocked IP Addresses
- Comments
- Course Data
- Email Log
- Live Traffic
- Login Attempts
- Opt-In Forms
- Orders
- Testimonials
- User Accounts
Access Log
We use the Apache HTTP server that logs all requests processed by the server. These requests are written to a so-called access log. The access log contains the following data:
- The timestamp of the HTTP request
- The IP address of the client
- The value of the User-Agent HTTP request header
- The value of the Referer HTTP request header
- The requested resource
- The request method
- The used HTTP protocol
- The returned HTTP status code
- The size of the returned HTTP response
The collected data is extracted mainly from the incoming HTTP request. Also, before the Apache HTTP server returns the response to the client, it will extract the returned HTTP status code and the size of the returned response, and write this information to the access log.
We collect this data because we have a legitimate interest to prevent abuse.
We store old access logs for one month.
Blocked IP Addresses
The Wordfence WordPress plugin provides additional protection for the testwithspring.com website. This plugin identifies malicious traffic and blocks IP addresses that send this traffic to this website. We can also block IP addresses manually by creating so-called block rules.
A block rule contains the following information:
- The IP address
- The country of the IP address
- A reason that explains why the IP address is blocked
- The creation time of the rule
- The expiration time of the rule
- The timestamp of the last request sent to this website
This data is extracted from the malicious HTTP request or given manually by an administrator. The country of the IP address is determined by using an IP location finder.
We collect this data because we have a legitimate interest to prevent abuse.
If the block rule is created automatically by Wordfence, it is stored for 24 hours. If the block rule is created manually, it will be stored indefinitely.
Comments
The students of the Test With Spring course can add new comments to the lessons published on this website. When a user publishes a new comment on this website, WordPress collects the following data:
- The IP address of the student.
- The username of the student.
- The email address of the student.
- The comment text.
- The creation time of the comment.
This data is given by the student. When a student submits the comment form, he/she gives us his/her consent to collect this information and save this information to our database.
All comments are stored indefinitely.
Course Data
We use Learndash as a learning management system (LMS). It collects the course data of each student. Learndash collects the following data:
- The packages purchased by the student
- Completed lessons
- Completed topics
- Completed packages
- The assignment answers
All information that is collected by Learndash is given by the students:
- When a student purchases a package of the Test With Spring course, Learndash saves this information to the database.
- After a student has finished a lesson or a topic, he/she can mark it as completed by clicking a button found in the user interface. A package is considered completed if a student has finished all its topics.
- After a student has finished a lesson, he/she can answer the assignments given to the student.
We collect this data because we have a legitimate interest to:
- Ensure that a student can access only the lessons which belong to the purchased package.
- Help our students to track their progress.
- Provide assessment feedback to our students (add comments to their assignment answers).
This data is stored indefinitely.
Email Log
When this website sends an email with Mailgun, this website saves a line to the email log. This log contains the following information:
- The subject of the email
- The email address of the sender
- The email address of the recipient
- A timestamp which describes when the email was sent
We collect this data because we have a legitimate interest to ensure that emails sent by this website are delivered to the inbox of the recipient.
This data is stored for one week.
Live Traffic
The Wordfence WordPress plugin provides additional protection for the testwithspring.com website. This plugin has a firewall that keeps track of the HTTP requests sent to the course’s website and blocks malicious HTTP requests.
Wordfence collects the following information:
- The timestamp of the HTTP request
- The IP address of the client
- The host name of the IP address
- The geolocation of the IP address (country)
- The value of the User-Agent HTTP request header
- The type of the HTTP request (human, bot, warning, blocked)
- The requested resource
- The returned HTTP status code
This data is extracted mainly from the incoming HTTP request. The country of the IP address is determined by using a local database. Also, the returned HTTP status code is extracted from the returned HTTP response.
We collect this data because we have a legitimate interest to identify and block malicious traffic.
This data is stored for one week.
Login Attempts
The Wordfence WordPress plugin provides additional protection for the testwithspring.com website. This plugin keeps track of login attempts and blocks login attempts if it suspects that someone is trying to log in by using a brute force attack.
Wordfence collects the following data:
- Timestamp
- The IP address of the client
- Username
- A boolean which is true if the user is an existing user and false otherwise.
- The outcome of the login attempt (success, failed).
This data is extracted mainly from the HTTP request which is sent to the testwithspring.com website when a user submits the login form. The outcome of the login attempt and the boolean flag (existing user) are determined from the result of the login attempt.
We collect this data because we have a legitimate interest to prevent abuse.
We store this data for three months.
Opt-In Forms
We have implemented our opt-in forms by using the Thrive Leads WordPress plugin. This plugin gathers statistics about the conversion rates of our opt-in forms and stores the email address of every student who subscribes to our email newsletter.
Thrive Leads collects the following data when the user submits an opt-in form:
- Timestamp
- Email address
- The lead group / short code which displayed the opt-in form
- The type of the Opt-In form
- The referrer URL
The collected information is given by the student when he/she subscribes to our email newsletter.
The email address is given by the student when he/she subscribes to our email newsletter. The lead group / short code and the type of the opt-in form are determined by Thrive Leads. The referrer URL is extracted from the incoming HTTP request.
We collect this data because we have a legal obligation (Article 7 of EU GDPR) to prove that a person has given us his/her consent to send email to him/her.
This data is stored as long as the subscriber has confirmed his/her subscription by clicking the opt-in link found in the confirmation email. However, because it would take too much time to delete this information one row at a time, we clear the content of this database table once a week.
Orders
We use WooCommerce as our eCommerce platform, and it keeps track of the orders made by the people who purchased this course. When WooCommerce creates a new order, it saves the following information to the database:
- Customer
  - Company name
  - VAT identification number
  - Name
  - Address
  - Email address
- Order
  - Timestamp
  - The purchased product
  - The number of the purchased products
  - VAT free price in USD
  - VAT country
  - VAT amount in USD
  - Total price in USD
  - The status of the order (completed, cancelled, refunded, failed)
- Payment
  - Timestamp
  - The IP address of the customer
  - The used payment method
  - The Stripe ID of the payment
This data is given by the student when he/she purchases this course. The payment information is provided by Stripe.
We collect this data because we have a legitimate interest to show the order history on the student’s profile page. This ensures that a student has an easy way for accessing his/her order history.
This data is stored indefinitely.
Testimonials
We use a WP plugin called Thrive Ovation that allows us to gather testimonials from our students and show these testimonials on the testwithspring.com website.
Thrive Ovation collects the following information:
- The name of the student
- The email address of the student
- The occupation of the student
- The photo of the student
- The testimonial text.
- The change history of the testimonial. This change history answers the following questions:
  - Who made the change
  - What was changed
  - When the change was made
This data is given by a student when he/she submits the testimonial form. Also, we might request a photo from the student if he/she hasn’t provided it when he/she wrote the testimonial in question.
When a student submits the testimonial form, he/she gives us his/her consent to collect the information given by him/her and save this information to our database. Also, before a testimonial is used in our marketing material, the student receives an email which allows him/her to either accept or reject the testimonial.
We collect this data because we want to collect feedback from our students and use this feedback on our marketing material.
This information is stored indefinitely.
User Accounts
When a student purchases this course, he/she also has to create a user account on our website. We collect the following information from each user:
- Username
- First name
- Last name
- Email address
- Password hash (bcrypt)
- User role
- The registration date
The collected data is given by a student when he/she purchases this course.
We collect this data because we have a legitimate interest to ensure that only authorized persons (our students) can access the material of this course.
This information is stored indefinitely.
The Data Collected by Our Sales Reporting Software
We also use an in-house reporting software that reads data from Stripe and Taxamo. Our reporting software reads the following data from Stripe and Taxamo:
- Taxamo
  - Taxamo transaction ID
  - Tax free price in USD
  - VAT country
  - VAT percentage
  - VAT amount in USD
  - VAT identification number (if given)
  - Deducted VAT amount in USD (if VAT identification number was given)
  - Refunded tax amount
  - Price with VAT in USD
  - Refunded total amount
  - The status of the transaction
  - Invoice place
  - Woocommerce order ID
- Stripe
  - The Stripe ID of the payment
  - Payment amount in USD
  - Refunded amount in USD
  - Payment amount in EUR
  - Refunded amount in EUR
  - Stripe fee in EUR
  - Payment description
  - Payment status (paid, refunded)
  - The amount that is paid to our bank account (in EUR)
The collected data is read from Stripe and Taxamo. However, it was originally provided by the student when he/she purchased this course or determined from the provided data.
We collect this data because we have a legitimate interest to automate the sales report creation process.
We store this data for ten years after the fiscal period in which the purchase was made has ended.
Regular Transfer of Data
This section identifies the information that is transferred to third parties. If you want to take a look at a specific subsection of this section, you can use the following links:
Email List
We have an email list that allows us to keep in touch with our customers. We use an email marketing tool called Drip for this purpose. Drip collects the following data:
- The email address of the student.
- The time zone of the student.
- The method that was used to subscribe to the newsletter.
- Tags which are used to segment subscribers to different groups. For example, a tag can identify the package purchased by the subscriber (starter, intermediate, and master).
- A list of emails sent to the student.
- A list of emails which were opened by the subscriber.
- A list of emails which contained a link that was clicked by the subscriber.
- A list of trigger links clicked by the subscriber.
- A list of subscribed email campaigns.
- Notes about the customer.
Drip collects its data by using the following data sources:
- Our student. The email address is provided by our student. When a student opens our email or clicks a link found in our email, Drip updates the open and click statistics of the email in question.
- Drip. A list of emails sent to the student is updated by Drip when we send a new email to the subscribers of our newsletter.
- An administrator. When a student subscribes to our newsletter, the administrator adds the correct tags to the student.
We use the collected data for three different purposes:
First, we send course related notifications to our subscribers. These notifications include:
- Every time when a new lesson is added to the course or the information of an existing lesson is updated, we send an email to the students of the course.
- We notify the students of the course about upcoming maintenance breaks.
- We notify the students if our website is down.
- We send monthly webinar invitations to the students who have enrolled in the master package.
Second, we segment our subscribers to different groups because this allows us to send relevant information to our subscribers. For example, if we add a new lesson to the master package, we can notify only the students who can access it.
Third, we use the open and click rates for improving our communication. We want to provide useful information to our students and these two statistics help us to achieve this goal.
We collect this data because the subscriber has given us his/her consent to do so. When a person subscribes to our email newsletter, he/she has to confirm his/her subscription by clicking the confirm link found in the confirmation email.
This data is stored as long as the subscriber is subscribed to the newsletter. When a subscriber cancels his/her subscription, we store this data for 30 days before it is deleted permanently.
Mailgun
We use Mailgun (EU region) for sending the following emails:
- Instructions which describe how a student can reset his/her password.
- Order confirmations.
- Emails which contain the approval and rejection links of the testimonials written by our students.
When we send email with Mailgun, we send the following data to it:
- The email address of the sender
- The email address of the recipient
- The subject of the email
- The message body (not shown on the Mailgun log)
Mailgun adds this information to its internal log (except the message body). This log also contains other information such as the delivery status of the email.
The collected data was given by the student when he/she purchased this course, started the password reset process, or wrote a testimonial. Also, an administrator might have made some changes to the actual testimonial.
We can send this data to Mailgun because:
- A student has given his/her consent to do so when he/she submits the testimonial form.
- We have a legitimate interest to ensure that the order confirmation emails and password reset emails are delivered to the inbox of the recipient.
This data is stored for 30 days.
Payment and Accounting
Before we describe the information that is transferred to our payment and accounting partners, we will explain how this information is collected.
When a user opens our sales page, he/she starts a sequence that has the following steps:
- The browser opens the sales page which has tax free prices.
- The browser gets the VAT data from Taxamo by using the Taxamo’s Javascript library (taxamo.js). Before Taxamo can return the VAT data, the user’s country is detected by using IP geo-location.
- After Taxamo has returned the VAT data, taxamo.js will replace the tax free prices with prices which include VAT.
The following figure illustrates this process:
When a user clicks the buy button, he/she will start a checkout sequence which consists of the following steps:
- The browser requests the checkout page.
- The testwithspring.com website gets the VAT data from Taxamo. Again, before Taxamo can return the VAT data, it has to detect the user’s country by using IP geo-location.
- The testwithspring.com website returns the checkout page to the browser. Note that this page contains the VAT data returned by Taxamo.
- The user fills in the checkout form and clicks the ‘Place Order’ button.
- The testwithspring.com website creates a new Taxamo transaction and a new Stripe payment.
- User is forwarded to the ‘Order Received’ page. This page displays the information of the received order.
The following figure illustrates this sequence:
Note that this description describes the happy path. If the user’s VAT country cannot be detected by using IP geo-location, he/she can set it on the checkout page. This means that the VAT data will be fetched from Taxamo for the second time. Also, if the payment fails, the user can try again. If the user decides to do so, the testwithspring.com website will create a new Taxamo transaction and a new Stripe payment.
Next, we will identify the information that is transferred to third parties. If you want to take a look at a specific subsection of this section, you can use the following links:
Taxamo
Taxamo allows us to keep track of our sales and ensures that we are compliant with the European Union VAT rules for selling digital goods. Taxamo collects the following data:
First, if a user opens our sales page and doesn’t purchase this course, only the IP address of the user is sent to Taxamo.
Second, Taxamo collects the following data when a person submits the checkout form:
- Customer
  - Name
  - Email address
  - The VAT identification number (if given)
  - Address
  - Country
  - IP address
- Transaction
  - Woocommerce order ID
  - Order date
  - The description of the purchase
  - The type of the transaction (untaxed, eu-b2c, or eu-b2b)
  - The status of the transaction (new, confirmed)
  - Tax free price
  - VAT country
  - VAT percentage
  - VAT amount
  - Price with VAT
  - Refunded amount
  - Payment description
  - Payment amount
  - Payment timestamp
This data is either given by the student when he/she purchases this course or determined from the given data. For example, the VAT country, VAT percentage, and VAT amount are determined from the data given by our student.
We collect this data because we have the following legal obligations:
- We must display the price that includes VAT on our sales page because this is required by the consumer protection act.
- We use this information as a voucher that identifies the transaction. This is required so that we can fulfill our legal obligations concerning accounting.
- We collect this information because we have to identify the customer’s location. We need to do this because the European Union VAT rules for selling digital goods require that we pay the VAT to the country in which the course is consumed. In other words, Taxamo helps us to calculate the VAT charged from the customer and stores the evidence that allows us to pay the VAT to the correct country.
Relevant Laws:
- Section 8 of the chapter 2 of the consumer protection act (20.1.1978/38). Note that the English translation of this act is also available. However, this translation is not up-to-date and doesn’t contain the latest changes made to the consumer protection act.
- Section 5 of the chapter 2 of the accounting act (1620/2015). Note that the English translation of this act is also available.
- Chapter 12 a of the value added tax act (30.12.1993/1501). Note that the English translation of this act is also available.
We have to store this data for ten years after the fiscal period in which the purchase was made has ended.
Stripe
Stripe is a payment gateway that allows us to accept credit card payments from our customers. Stripe collects the following information when a user submits the checkout form:
- The information of the customer
  - Name
  - Email address
  - Address
- The information of the payment
  - Timestamp
  - Woocommerce order ID
  - Description
  - Amount
  - Stripe processing fee
  - Net amount
  - Refunded amount
  - The result of the Stripe risk evaluation
  - The status of the payment (successful, failed, refunded)
- The information of the used credit card
  - Card number (only the last four digits are visible to us).
  - The card verification code
  - The card fingerprint
  - The name of the card holder
  - The expiration date
  - The type of the card
  - The origin country
  - The result of the CVC check
  - The result of the street address check
  - The result of the ZIP code check
- The information of the used payment instrument (aka source)
  - A unique source ID
  - The type of the payment instrument (ach_credit_transfer, ach_debit, alipay, bancontact, bitcoin, card, eps, giropay, ideal, multibanco, p24, sepa_debit, sofort, or three_d_secure)
  - The status of the payment instrument (canceled, chargeable, consumed, failed, or pending)
  - The authentication flow that was used to create this source (redirect, receiver, code_verification, none)
  - Usage (reusable or single_use)
  - Creation time
This data is either given by the student when he/she purchases this course or determined from the given data.
We collect this data because of these two reasons:
- We have a legitimate interest to accept credit card payments from our customers and protect our customers from credit card fraud.
- We have a legal obligation to use this data as a voucher that links the payment to the Taxamo transaction.
Relevant Laws:
- Section 5 of the chapter 2 of the accounting act (1620/2015). Note that the English translation of this act is also available.
We have to store this data for ten years after the fiscal period in which the purchase was made has ended. However, keep in mind that Stripe has its own legal obligations and these obligations define the real retention period of the collected data.
Accountant
We have outsourced our accounting to a local accounting firm. We send a sales report to the accounting firm once a month. This report contains the following information:
- Woocommerce order ID
- Sales date
- Sales amount in USD
- VAT identification number
- VAT country
- VAT percentage
- VAT amount in USD
- Total sales amount in USD
- Refunded VAT amount in USD
- Refunded total amount in USD
- Total sales amount in EUR
- VAT amount in EUR
- Refunded total amount in EUR
- The Stripe fee in EUR
- The amount that is paid to our bank account (in EUR)
This data is created by our sales reporting software.
We send this data to the accounting firm because the accounting firm helps us to fulfill our legal obligations regarding accounting and taxes. The accounting firm uses this information for two purposes:
- They do our bookkeeping.
- They do our VAT reports and send them to the tax authorities.
Relevant Laws:
- Accounting act (1620/2015). Note that the English translation of this act is also available.
- Chapter 12 a of the value added tax act (30.12.1993/1501). Note that the English translation of this act is also available.
This data is stored for ten years after the fiscal period in which the purchase was made has ended.
Youtube
We use Youtube for broadcasting the live webinars. Also, webinar replays and bonus lessons are uploaded to Youtube and embedded to the testwithspring.com website.
When a user watches a live webinar, webinar replay, or a bonus lesson, Youtube collects the following data:
- The IP address of the user
- The watched live feed or webinar
- The watch time
- The identity of the user. If a user is logged in to his/her Google account, Youtube will know what videos he/she is watching. If a user is not logged in to his/her Google account, Google might identify the user by using its tracking cookies.
This data is collected from the students who have purchased the master package.
We collect this data because we want to provide the bonus lessons to our students and share the webinar replay with students who couldn’t attend the live webinar. Also, the student has given us his/her permission to collect this data when he/she purchased the master package.
This data is stored indefinitely.
Wistia Video Platform
We host our videos on Wistia’s video platform. Because we use Wistia’s privacy mode, Wistia won’t collect any personally identifying viewer data. This means that the Wistia player anonymizes IP addresses, and disables both session and cookie tracking.
Wistia collects the following analytics data when a user watches one of our videos:
- The anonymized IP address of the user.
- The location of the user. This information is determined by using IP geo-location. Note that Wistia cannot collect the exact location of the user because the IP address is anonymized.
- The internet service provider of the user. This information is determined from the IP address of the user.
- The operating system used by the user.
- The browser used by the user.
- The device used by the user.
- The watched video.
- A heat map which identifies the watched sections.
There are two things which we don’t do:
- We don’t track the email addresses of the people who watch our videos. Wistia has a feature that would allow us to do this, but we don’t use it because we don’t want to violate the privacy of our users.
- We don’t use the Google Analytics integration provided by Wistia.
This data is collected from the students of this course.
We collect this information because we want to provide interesting content to our students. Also, the student has given us his/her permission to collect this data when he/she purchased this course.
This data is stored indefinitely.
Additional Information:
Transfer of Data Outside the EU or EEA
The following data is transferred outside the EU or EEA:
- The data collected by Drip. Drip is a U.S. company and the data that is collected by it is processed in the United States or any other country in which Drip or its subsidiaries, affiliates or service providers maintain facilities.
- The data collected by Stripe. The entity that provides services in Europe is Stripe Payments Europe, which is located in the Republic of Ireland. However, the collected data may be stored and processed in any country where Stripe or its service providers have operations.
- The data collected by Youtube. Google is a U.S. company and the data that is collected by it is processed in the United States or any other country in which Google or its subsidiaries, affiliates or service providers maintain facilities.
- The data collected by Wistia. Wistia is a U.S. company and the data that is collected by it is processed in the United States or any other country in which Wistia or its subsidiaries, affiliates or service providers maintain facilities.
The Data Stored in Backups
Database Backups
We take periodic backups of the database of the testwithspring.com website. These backups contain all data that is collected by the testwithspring.com website.
We have to take these backups because we have a legitimate interest to recover from accidents that lead to loss of data.
Each database backup is stored for one month. When this period is over, the backup will be deleted.
Other Backups
We take periodic backups of the data we need to fulfill our legal obligations concerning accounting. These other backups contain the following data:
- Sales reports
- The data transferred to Taxamo
- The data transferred to Stripe
- The data transferred to our accountant
We take these backups because this material is the “source material” that is used to do our bookkeeping, and we have a legal obligation to keep it safe.
Relevant Laws:
- Section 5 of chapter 2 of the accounting act (1620/2015). Note that the English translation of this act is also available.
- Chapter 12 a of the value added tax act (30.12.1993/1501). Note that the English translation of this act is also available.
These backups are stored for ten years after the fiscal period in which the backup was made has ended.
The Principles of Protecting the Collected Data
This section describes the principles which we use to protect the data that is collected by us.
The testwithspring.com Website
The data that is collected by the testwithspring.com website is protected by following these rules:
- All communication between a web browser and the testwithspring.com website uses HTTPS.
- Every user (either a student or an administrator) has a username and a password that are used to log in to the course website. This password is hashed with bcrypt.
- A student can access only his/her own information.
- The testwithspring.com website has a firewall that protects it from malicious traffic and blocks brute force attacks.
- The testwithspring.com website uses a malware scanner that performs regular malware scans.
- The testwithspring.com website sends automatic email alerts to the administrator when a WordPress plugin update is available.
- Only the administrator of the Test With Spring Course has the required permissions to access all information stored in the database of the testwithspring.com website.
- The information is saved in a database that is protected with a username and password. Only the administrator of the Test With Spring Course has access to this database.
- The database server and web server are located in Finland at locked and guarded premises. Only authorized personnel are allowed to access these premises and the information stored on these servers.
Manual Processing
When we process the collected data manually, we follow these principles:
- We minimize the number of persons who can access the collected data. At the moment only one person (Petri Kainulainen) can access it.
- We use two-factor authentication whenever it’s supported by the service that collects the data described in this privacy policy.
- All communication between the administrator and a remote system happens by using HTTPS.
- All backups are stored on an encrypted hard drive.
- If a file is transferred to cloud storage, it is encrypted before it is transferred.
Automatic Processing
When the collected data is processed automatically, we follow these principles:
- Sensitive information (such as a password or a credit card number) is never written to a log file.
- All communication between the testwithspring.com website and an external system uses HTTPS.
- All HTTP requests sent to external systems are authenticated by using the authentication mechanism supported by the external system.
Individual Rights
You have the right to access your personal data that has been collected by us. You can obtain a copy of your personal data by sending a signed letter to the person who is in charge of the collected data. This letter must contain the information that allows us to identify you. You can obtain your personal data free of charge once per year. Your request is processed within 30 days of receiving your letter.
You have the right to rectify incorrect data or complete incomplete data. If you want to exercise this right, you have to contact the person who is in charge of the collected data. Your request is processed within 30 days.
You have the right to have your personal data erased. You can have your personal data erased by sending a signed letter to the person who is in charge of the collected data. This letter must contain the information that allows us to identify you. Your request is processed within 30 days of receiving your letter. Note that if you want to erase the data collected by Drip, you don’t have to send us a signed letter. You can simply unsubscribe from our newsletter and your data will be erased.
You have the right to restrict the processing of your personal data. If you want to restrict us from processing your personal data, you have to send a signed letter to the person who is in charge of the collected data. This letter must contain the information that allows us to identify you. Your request is processed within 30 days of receiving your letter.
You have the right to data portability. This means that you can obtain the collected data in a machine readable format. You can obtain a copy of your personal data in a machine readable format by sending a signed letter to the person who is in charge of the collected data. This letter must contain the information that allows us to identify you. Your request is processed within 30 days of receiving your letter.
You have the right to object to data processing based on legitimate interest, direct marketing, and data processing for purposes of scientific/historical research and statistics. If you want to exercise this right, you have to contact the person who is in charge of the collected data. Your request is processed within 30 days.
Also, if you think that we are processing your personal data in a way that breaks the law, you have the right to file a complaint with the office of the data protection ombudsman.