Privacy Notice for Registered Users (MaPP7)
(Effective from 25 July 2025)
Data Controller and Contact Information
AarniNet Oy (Business ID FI33244618, “MaPP7 team”), Onkkalantie 113, 36600 Pälkäne, Finland.
Contact person: Producer Juha Kettunen
Email: info@mapp7.com
Name of the Register
The “Registered Users Register” of the MaPP7 service, which contains data about users registered on the MaPP7.com website (e.g., organizational representatives, professionals).
Purpose and Legal Basis for Processing Personal Data
Purpose:
- To enable the creation of a user account and login to the MaPP7.com website.
- To provide role and access management (such as the ability to invite Individuals and view their psychological results).
- To enable the use of paid or advanced features (billing, reports, analytical tools) for the registered user.
Contents of the Register
- Basic user data: first name, last name, email, optional phone number, organization (company/client), role (e.g., HR, team leader, coach).
- User credentials and login data: WordPress username, password hash, user level (e.g., “Master,” “Leader,” “User”) and user role (toolset, such as “Advanced,” “Intermediate,” “Basic”), and any additional fields (e.g., 2FA identifier).
- Usage logs: Log events from logins, invitations sent, and management of assessments. The retention period of logs varies depending on the technical needs of the service.
- Billing and contractual information (if applicable): if the user or organization has a paid license, subscription details, payment reference numbers, and other information required by the contract are stored.
Data Retention and Deletion
- Data is retained as long as the user account is active or until the registered user requests deletion. If the entire organization terminates its MaPP7 agreement, user data is deleted or anonymized within an agreed timeframe (taking into account, for example, statutory accounting requirements).
- Billing‑related data is retained in accordance with accounting law for at least six years after the end of the financial year, even if the user account is deleted earlier.
- The user may request deletion of their account in writing (see Rights of the Data Subject). Upon deletion, the account and related personal data are destroyed permanently.
Disclosures and Transfers of Data
- Personal data will not be disclosed to third parties without a lawful basis (e.g., regulatory order or the user’s explicit consent).
- Data may be processed on servers within the EU/EEA. We ensure GDPR‑compliant data protection and processing agreements (DPAs) with our service providers.
- Log data (who invited whom and when) may be visible internally to authorized users of the same organization at the same hierarchical level (e.g., within a team).
Third‑Party Services
The service utilizes certain third‑party technologies (such as WordPress, Elementor, WooCommerce, Stripe, WP Mail SMTP) particularly for payments, email communication, and access management. These services are GDPR‑compliant and are used only for processing necessary to operate the MaPP7 service.
Anonymized Results and Statistics
- The MaPP7 team may use registered user activity in an anonymized form to develop the service (e.g., number of registered users, most used features).
- No individual user is identified from such data, as personal identifiers are removed prior to analysis.
Data Security and Technical Safeguards
- MaPP7 employs two‑factor authentication (2FA) at administrative and developer levels to ensure security. Registered users may also enable 2FA on their own accounts if desired.
- Traffic is encrypted (HTTPS) and database access is restricted to authorized personnel only.
- Backups are performed regularly. Deletion requests extend to backups, after which the data is destroyed or anonymized accordingly.
Rights of the Data Subject
- Right of access: The user has the right to review their profile information (e.g., name, email) by logging into the service or by contacting the data controller.
- Right to rectification: Incorrect or incomplete data may be corrected by the user themselves or by requesting the administrator to correct it.
- Right to erasure: The user may request permanent deletion of their account and related personal data. Certain statutory data (e.g., billing history) must, however, be retained for a prescribed period.
- Right to restrict or object to processing: The user may prevent their data from being visible to certain teams or groups, which may, however, limit some service features.
- Other rights under the EU General Data Protection Regulation (GDPR) (such as the right to data portability) are also available upon request.
Further Information and Contact
- Legal questions, data deletion requests, or other data protection inquiries: info@mapp7.com.
- If the registered user is dissatisfied with the MaPP7 team’s resolution, they may contact the national data protection authority (e.g., in Finland, the Office of the Data Protection Ombudsman).
