WhatSpam Company Privacy Policy

Updated on August 16, 2024

If you reside outside the European Union, European Economic Area and Switzerland (“Europe”), You are entering into the Terms of Service with Whatspam Company Oy and the terms of this Privacy Policy apply to You. This privacy notice applies to personal data which the Whatspam Company Oy later “Controller” or “Whatspam Company”) processes in connection with the applications provided by Whatspam Company Company Oy (including both mobile app and website version, (”Application”)) and other services related to direct marketing prohibitions (” Services”). Whatspam Company is firmly committed to the security and protection of personal information of our Users and their contacts. This Privacy Policy describes how Whatspam Company will collect, use, share and process personal information. Capitalized terms not defined in this Privacy Policy are defined in the Whatspam Company Terms of Service. By accepting the Whatspam Company Privacy Policy and/or using the Services You consent to the collection, use, sharing and processing of personal information as described herein. If You provide us with personal information about someone else, You confirm that they are aware that You have provided their information and that they consent to our use of their information according to our Privacy Policy. You may opt-out at any time to prevent further use of the information shared via the Services.


Contact details

Controller

Whatspam Company Oy, 3372401-3
Punavuorenkatu 15 A 10, 00150 Helsinki, Finland
info@whatspam.com

Controller Representative

Chairman of the Company, Arto Isokoski
Whatspam Company Oy
Punavuorenkatu 15 A 10, 00150 Helsinki, Finland
info@whatspam.com

1. Purpose of Processing and Legal Bases for Processing

1.1 Providing Services

With regard to the Services it offers, the Controller processes the personal data of the users of the Services, its members, third parties provided by potential members, as well as potential members and their representatives. The processing of personal data is based on the express consent of the data subject or the implementation of an agreement or membership between the Controller and the data subject. Personal data is also processed in certain parts to fulfil the legal obligations of the Controller, such as for accounting purposes required by accounting legislation.

1.2 Providing the Application and its Functionalities

In relation to the Application, the Controller processes the personal data of the Application’s users, its members and any third parties it receives from the aforementioned. Regarding the Application, the purpose of processing personal data is to provide the Application to the data subjects and to maintain and develop the Application. The Controller processes personal data specifically for the following purposes:

  • Verification of the data subject’s identity when downloading the Application;

  • Enabling automatic identification of callers and senders of messages (Caller ID function). The Caller ID function includes manual phone number and message searches from the contact list of the data subject’s device and/or community-based spam blocking directory (“Controller's database”). The application retrieves the information of callers and senders of messages from the Controller’s online telephone directory, if the information is not found in the contact list of the data subject’s device and/or the Controller’s database.

  • Displaying the information retrieved by the Caller ID function on the screen of the data subject’s device or in the Application, as well as saving the information retrieved from the online telephone directory in the contact list of the data subject’s device;

  • Displaying the information retrieved by the Caller ID function on the screen of the data subject’s device or in the Application, as well as saving the information retrieved from the online telephone directory in the contact list of the data subject’s device;

  • Maintaining the data subject’s personal spam list (blacklist) on the data subject’s device and gathering a community-based spam blocking directory, i.e. the Controller’s database. The Controller analyses the spam report made by the data subject about the sender of the spam or a nuisance caller (“spammer”) and adds the contact information obtained in this way to the Controller’s database for better spammer identification and spam protection, if the Controller identifies the person as a spammer;

  • Blocking calls and messages from spammers found in the data subject’s spam list or the Controller’s database;

  • Maintaining a data subject’s personal list of permitted contact information (whitelist) for better spammer identification and spam protection;

  • Sending application notifications (so-called push notifications) and reminders to the data subject’s device;

  • Using and sharing personal data in connection with registration and/or logging into the Application or other service provided by a third party (e.g. payment service providers) in order to provide various services to the data subject;

  • Ensuring the functionality of the Application, providing customer support and responding to the data subject’s inquiries and solving problems related to the Application;

  • Development of new functionalities of the Application; and

  • Improving the services and operations of the Controller.

The processing of personal data is mainly based on the implementation of the contract or membership between the data subject and the Controller. The processing of personal data may also be based on the express consent of the data subject or the legitimate interest of the Controller or the data subject. Personal data is also processed in certain parts to fulfill the legal obligations of the Controller, such as for accounting purposes required by accounting legislation. Regarding the directory assistance system provided by the Controller, the processing of personal data is based on the Finnish Act on Electronic Communications Services (917/2014).
Regarding responding to contact requests of data subjects, the processing of personal data is based on the contractual relationship between the data subject and the Controller and the provision of services.

1.3 Direct Marketing

The Controller may send newsletters and other electronic direct marketing about the services of the Controller to the data subject. The processing of personal data for marketing purposes is based on the data subject’s consent or the Controller’s legitimate interest.

1.4 Analytics

To assess and monitor the usage of our website effectively, we process your personal data in relation to the collection of visitor statistics on our platform. The processing carried out for the aforementioned purpose may encompass the utilization of statistical and analytical cookies

2. Categories of Personal Data and Regular Data Resources

This paragraph presents the personal data processed by the Controller.

2.1 Personal data which may be collected when you create a user account on WhatSpam's Application
  • Full name

  • Phone number

  • Email address

Personal data is primarily obtained from the natural persons themselves when they authorise the Controller to deliver direct marketing prohibitions and/or data disclosure prohibitions on their behalf. The Controller may also receive personal data from another party that registers the data subject for the membership offered by the Controller. If a user registers for or signs into Whatspam’s Application using another account (such as their Facebook, Google, Apple or Microsoft account) that service will send their name, email address and profile picture to us. This information helps create the account with Whatspam’s Application. The user can control the personal data they allow us to have access to through the privacy settings on the respective third party service. Please note that we will never store any passwords created for any third party services.

2.2 Personal data processed in connection with the implementation and the use of the Application
  • Phone number

  • Email address

When using the Application, the Controller may process the following information: cookies, IP address, device ID, device manufacturer and type, device and hardware settings, SIM card use and information, applications installed on the device, internet browser, time of use, membership start date and validity information, and information regarding the Application characteristics.
In order to enable the use of the Application, the Controller also processes the personal data (name and contact information), keywords and metadata of the data subject’s device incoming and outgoing calls and messages, as well as the content of the messages contained in the contact list of the data subject’s device, the SMS application and the e-mail application. The Controller also processes the information contained in the list of permitted contact information (whitelist) and the spam list (blacklist) of the data subject’s Application. The information processed in connection with the implementation or use of the Application is obtained primarily from the data subject. In addition, in case you use such third party services to create your user profile or log in to our services, the Controller may get personal data from third-party service providers. The Controller processes the data subject’s call/text message/email spam reports. The data subject using the Application can disclose the personal data (name, phone number) of the spammer to the Controller with the spam report, provided that the data subject has informed such a person about the disclosure of personal data to the Controller and that the person has given his/her consent to the processing of their personal data for the purposes of this privacy notice. The Controller analyses the report of a suspected spammer received from the data subject and adds the reported contact information to the Controller’s database for better spam identification and spam protection, if the Controller detects that the contact information in question belongs to a spammer.

2.3 Data Collected by Cookies

The Controller uses cookies and other similar technologies both on its website and in the Application. The Controller requests the data subject’s consent to the use of non-necessary cookies. In connection with requesting consent, it is explained, amongst other things, which cookies are used and for what purposes they are used. The data subject can disable cookies at any time. The data subject can also prevent the use of cookies by changing his/ her browser settings. Disabling cookies may limit the user experience of the website. Further, third party advertising cookies may be used on the website and in the Application in order to present advertisements. The processing of personal data collected through the use of advertising cookies is governed by the privacy notice of the applicable third party and is available at the website of the third party.

2.4 Data Collected for Direct Marketing

The Controller processes personal data collected by cookies for direct marketing purposes, as well as the following personal data of the data subject: name, e-mail address and phone number.
As a rule, personal data is collected from the data subject themselves. The Controller can also collect personal data from public sources.

3. Regular Disclosure of Data

Personal data is disclosed or granted access to service providers that process personal data on behalf of the Controller, for example, related to technical, administration and maintenance, statistic, or marketing purposes under the conditions of the notice applicable legislation, including the processing related to targeting and narrowing down marketing. Such service providers may process the personal data only limiting to what is necessary for providing services to the Controller. The Controller concludes a data processing agreement with the service provider. You may ask for more details about our data processors by using the contact details provided in section 9 of this Privacy Notice. The Application may include cookies or links to third-party websites. STML is not responsible for third-party websites. Such a third party is responsible for the privacy practices and terms of its website.

4. Data Transfers Outside the EU or EEA

As a general rule, personal data is processed within the European Union (EU) and the European Economic Area (EEA). The controller will ensure, by appropriate agreements and in an appropriate manner, an adequate level of data protection and appropriate processing of data as required by law when using service providers. Data may also be transferred outside the EU and EEA. In such cases, the Controller will use data transfer mechanisms approved by the European Commission, such as model contractual clauses approved by the European Commission.

5. Personal Data Protection Principles and Retention Period

The Controller respects the confidentiality of personal data. Personal data is protected by encryption and other appropriate technical and organisational measures. Processing, searching and browsing of data is based on authenticated access rights. Access rights are granted to certain employees and management personnel of the Controller. The Controller will dispose of outdated and unnecessary data in an appropriate manner. The Controller shall keep the Users' personal data for 13 months after the end of the membership period in order to allow the processing of any claims. Otherwise, the Controller will retain personal data only for as long as necessary to fulfil the purposes of the processing of personal data as defined in this Privacy Policy. The Controller may process personal data for longer than the above where the processing is necessary for the establishment, exercise or defences of legal claims.

6. No Automated Decision-Making or Profiling

Whatspam Company does not carry out automated decision-making or profiling.

7. Right of the Data Subject

The data subject has the right, in accordance with the applicable data protection legislation, at any time:

  • to be informed of the processing of personal data;

  • to have access to his or her own data and to inspect the personal data concerning him or her processed by the Controller;

  • to have inaccurate or incorrect personal data rectified and completed;

  • to request the erasure of personal data;

  • to withdraw their consent where the processing of personal data is based on the data subject's consent;

  • to object to the processing of personal data on grounds relating to a particular personal situation, where the processing of the personal data is based on the legitimate interests of the controller;

  • receive the personal data in a machine-readable form and transfer the data in question to another controller, provided that the data subject has provided the personal data in question to the controller, the controller processes the personal data in question on the basis of a contract or the data subject's consent and the processing is carried out automatically; and

  • require the restriction of the processing of personal data.

The controller may ask the data subject to specify his or her request and to verify his or her identity before processing the request. The controller may refuse to execute the request on the grounds provided for by the applicable law. The data subject always has the right to file a complaint to the competent supervisory authority or to the supervisory authority in the EU member state, where the data subject has their place of residence or where their place of work is, if the data subject considers that the Controller has not processed personal data in accordance with the applicable data protection legislation.
The data subject shall send requests regarding their rights by e-mail to info@whatspam.com or by mail with the following contact information: Whatspam Company Company Oy, Arto Isokoski, Punavuorenkatu 15 A 10, 00150 Helsinki, Finland.

8. Amendments to the Privacy Policy

The Controller has a right to amend this privacy notice and the processing practice of personal data in accordance with the applicable legislation.