Supplementary Privacy Notice for Cloud Service Users
Last updated May 7th 2026
GENERAL INFORMATION ON DATA PROCESSING
In this Supplementary Privacy Notice for Cloud Service Users, M Room Oy (“M Room”, “we”) describes how it processes personal data in connection with making available a cloud-based software service (the “Service”) offered to wellness businesses for managing day-to-day operations, resources, and customer relationships. M Room acts as the data controller in respect of personal data processed for its own purposes in connection with the Service.
This Supplementary Privacy Notice complements the M Room Privacy Policy and may be updated to reflect changing business needs, legal requirements, or changes to the Service. The latest version of the notice is always available on our website and in connection with logging in to the Service.
PERSONAL DATA PROCESSED AND SOURCES
In connection with the provision and use of the Service, we may collect and process the following categories of personal data:
Contact person data: Name, contact information (email, phone number, address), job title, role, and user credentials of individuals managing the use of the Service.
Usage analytics and service improvement-related data: IP address, device information, browser settings, login timestamps, usage logs, usage information, and data collected via cookies or similar technologies.
The type of data collected depends on the data subject and the nature of the interaction and is always guided by the principle of data minimisation.
Sources of data:
From users of the Service directly (e.g., during registration, service use, or user interactions recorded in the Service).
Generated automatically through the use of the Service (e.g., usage logs, technical data, and cookies).
From reliable third-party sources where applicable (e.g., public authority registers).
PURPOSES AND LEGAL BASES FOR DATA PROCESSING
Purposes of processing:
Providing, maintaining, and operating the Service, including user account management and support services.
Development and improvement of the Service, including understanding customer and user behaviour, needs, and preferences, improving existing functionalities, developing new features, and providing a more personalised and effective user experience, including through the use of anonymised and aggregated data.
Statistical analysis and reporting.
Fulfilling legal and regulatory obligations.
Legal bases for processing:
Performance of a contract: Processing is necessary for the performance of the Cloud Service Agreement and the provision of the Service.
Legitimate interest: M Room’s legitimate interest in developing and improving the Service, ensuring its security, and conducting business operations. Whenever processing relies on legitimate interest, we conduct a balancing test to ensure that the data subject’s rights and freedoms are not overridden. You may object to such processing at any time.
Consent: Where required, processing is based on the consent of the data subject, for example, for direct marketing purposes or the use of non-essential cookies.
Legal obligation: Processing is necessary for compliance with applicable legal obligations, such as accounting and reporting requirements.
DATA RETENTION
We retain personal data only as long as necessary for the purposes outlined in this Supplementary Privacy Notice, for the performance of the Cloud Service Agreement, or to fulfil legal obligations. The retention period may vary based on:
The duration of the customer relationship and the term of the applicable Cloud Service Agreement.
Legal requirements, such as accounting, tax, and reporting obligations.
The nature of the data and the purposes for which it is processed.
When data is no longer needed, it is deleted or anonymised within a reasonable timeframe.
DATA TRANSFER AND DISCLOSURE
Personal data may be shared with:
Service providers: Third parties engaged by M Room, including cloud infrastructure providers, IT service providers, and other subcontractors.
Within the group: Data may be processed by companies belonging to the same group as M Room for business purposes.
For legal reasons: Authorities or other entities as required by applicable law.
Transfer outside the EU/EEA:
If personal data is transferred outside the EU/EEA, we ensure an adequate level of data protection by applying appropriate safeguards in accordance with applicable data protection legislation, such as standard contractual clauses approved by the European Commission, adequacy decisions, or other recognised transfer mechanisms.
DATA SECURITY
We protect personal data processed in connection with the Service with appropriate technical and organisational security measures. Our security measures include, but are not limited to:
Encryption of data in transit and at rest.
Access control systems and role-based access management.
Regular security testing and vulnerability assessments.
Confidentiality obligations for all staff with access to personal data.
In the event of a personal data breach, affected data subjects and the competent supervisory authority will be notified in accordance with applicable data protection legislation.
DATA SUBJECT RIGHTS
Data subjects have the following rights under applicable data protection legislation:
Right of access: The right to obtain confirmation as to whether personal data is being processed and, where that is the case, access to such data.
Right to rectification: The right to have inaccurate or incomplete personal data corrected.
Right to erasure: The right to have personal data deleted where there is no legal basis for its continued retention.
Right to restriction of processing: The right to restrict the processing of personal data in specific situations.
Right to data portability: The right to receive personal data in a structured, commonly used, and machine-readable format and to transmit such data to another controller.
Right to object: The right to object to the processing of personal data, for example, for direct marketing purposes.
Right to withdraw consent: Where processing is based on consent, the right to withdraw such consent at any time without affecting the lawfulness of processing carried out prior to the withdrawal.
We do not perform automated decision-making or profiling that produces legal or similarly significant effects on data subjects in connection with the Service.
THE RIGHT TO FILE A COMPLAINT WITH THE SUPERVISORY AUTHORITY
The data subject has the right to file a complaint with the competent data protection supervisory authority if the data subject considers that his or her personal data has been processed in violation of applicable data protection legislation. In Finland, the competent authority is the Office of the Data Protection Ombudsman (tietosuojavaltuutetun toimisto).