Privacy Notice for Individuals (MaPP7)
(Effective from 25 July 2025)
Data Controller and Contact Information
AarniNet Oy (Business ID FI33244618, “MaPP7 team”), contact person: Producer Juha Kettunen, Onkkalantie 113, 36600 Pälkäne, Finland
Email: info@mapp7.com
Name of the Register
The “Individual Register” of the MaPP7 service, containing data provided by the individual’s responses, basic information (e.g., first and last name, email, phone) and assessment results.
Purpose and Legal Basis for Processing Personal Data
The purpose is to enable the completion of MaPP7 assessments (e.g., psychological profiles and motivation analyses) and to store the individual’s results for their own use and/or for the use of the inviting organization, if that organization invited the individual to complete the assessment.
Processing is based either on the individual’s consent or on a contractual relationship (the invited person may participate voluntarily). The individual may request deletion of their data at any time (see “Right to be Forgotten”).
GDPR Consent and Invitation Content
By completing a MaPP7 assessment, the individual gives explicit consent for the processing of their personal and psychological data within the MaPP7 system for the provision of the service and for access by registered users of the organization that invited them. This consent is also described in the invitation email. If the individual does not agree to this processing, they must not complete the assessment.
Contents of the Register
Basic information about the individual: first name, last name, email, phone (optional), language selection, and any additional profile details.
Assessment data: MaPP7 responses, analyzed results, timestamps, and other calculated values of the results.
Setting: information on whether the results are hidden from the inviting organization or visible to it. If the individual hides their data, the organization has no right to view it.
Data Retention and Deletion
Data is retained as long as the MaPP7 assessment results are needed or until the individual requests deletion.
After such a request, the data is permanently destroyed and cannot be recovered. The individual may also “hide” their results from the organization, in which case only they themselves can see the results via their personal link.
Complete deletion (right to be forgotten) removes both the basic information and all assessment results permanently.
Disclosures and Transfers of Data
Personal data is not disclosed to third parties without a lawful basis (e.g., authority request) or the individual’s explicit consent.
The organization that invited the individual to the assessment will see the data only if the individual has not hidden it. If the individual has hidden their results, the organization will have no access to them.
Data processing may take place on servers authorized by the MaPP7 team (e.g., within the EU/EEA), and we ensure an adequate level of data protection in compliance with the GDPR.
Third‑Party Services
The service utilizes certain third‑party technologies (such as WordPress, Elementor, WooCommerce, Stripe, WP Mail SMTP) primarily for email communication and payment functions. All such processing takes place under GDPR‑compliant agreements and does not extend to marketing or tracking purposes.
Anonymized Results and Statistics
The MaPP7 team may use assessment responses for statistical and development purposes in an anonymized form, so that no individual can be identified from the dataset.
In such cases, all identifiers (e.g., name, email) are removed or separated before analysis.
Data Security and Technical Safeguards
MaPP7 uses two‑factor authentication (2FA) at administrative and developer levels to ensure strong security. Access to the service is protected (HTTPS), and database access is restricted to authorized personnel only.
Databases are regularly backed up. Deletion requests extend to backups as well, at which point the data is either destroyed or rendered non‑identifiable.
Rights of the Data Subject
Right of access: The individual may review their own data and results via their personal link or by contacting the data controller. They may also edit and update their data via their personal results page.
Right to rectification: If data is incorrect or incomplete, the individual may correct it themselves or request the controller to correct it.
Right to erasure (“right to be forgotten”): The individual may request permanent deletion of all their personal data and results.
Right to restrict or object to processing: The individual may hide their results from the inviting organization, after which the organization can no longer see the data.
Other rights under the EU General Data Protection Regulation (GDPR) (such as the right to data portability) are also available upon request.
Further Information and Contact
Legal questions, deletion requests, and other data protection inquiries: info@mapp7.com.
If the individual is dissatisfied with the MaPP7 team’s handling of data protection matters, they may contact the national data protection authority (e.g., in Finland, the Office of the Data Protection Ombudsman).
