Personal data

What personal data do we save?

  • Name
  • Country
  • Email
  • Phone number
  • LinkedIn profile URLs
  • Job information (e.g., title, company, industry)
  • Other professional information available on LinkedIn profiles
  • IP address: we save your IP address to keep your account safe and to monitor for unusual activities.

How do we process personal data?

It's important to note that we act as a data processor for the personal data uploaded to our platform by our customers or collected through LinkedIn automation. All data processed is in a professional capacity, and we do not collect or store personal (non-professional) contact information.

We process this data for specific purposes related to our service functions, including:

  • Recording and editing videos
  • Facilitating communication about video content
  • Managing teams and sub-users
  • LinkedIn automation and prospect management
  • Handling data subject requests
  • Maintaining audit trails and activity logs

We only process the personal data necessary to provide our services as instructed by our customers in our Data Processing Agreement (DPA).

Where do we process data?

Vaam is a Swedish company. However, like many other SaaS solutions, we use subcontractors who process personal data as our data processors (and your subprocessors) to deliver our service. GDPR compliance is of the utmost importance for us at Vaam, and we choose our subcontractors carefully. See our document about GDPR or contact us for more information.

What is your policy for data retention?

Our data retention policy is as follows:

    1. Active Customer Data: We retain personal data and other information related to our customers' accounts and activities (including video content, LinkedIn automation data, and communication data) for as long as their accounts remain active.
    2. After Account Termination: Upon termination of a customer's account, we provide the following options as per our Data Processing Agreement (DPA):
       a. Within 30 days of account termination, the customer can elect to have us either:
          • Return all personal data to the customer in a commonly used, machine-readable format or
          • Delete all personal data in our possession or control.
    3. Retention for Legal Compliance: We may retain specific personal data to the extent applicable laws or regulations require, even after account termination. Any such retained data remains subject to the terms of our DPA and is kept securely.
    4. Backup and Archived Data: Backups or archived copies of data that are not readily accessible in the ordinary course of business are securely destroyed or overwritten following our normal backup and archival processes.
    5. Anonymized or Aggregated Data: We may retain anonymized or aggregated data derived from personal data indefinitely as long as it cannot be used to identify any individual.

It's important to note that customers can request the deletion of their data at any time, and we will comply with such requests following our DPA and applicable data protection laws.

We regularly review and update our data retention policies to ensure they align with legal requirements, business needs, and our commitment to data minimization.

Do you have routines for deleting data?

Our data cleansing routines are designed to ensure data accuracy, relevance, and compliance with data protection regulations. Here's an overview of our approach:

Proactive routines

    1. Automated Data Validation: Our systems include automated checks to validate data integrity and format, especially for structured data like email addresses, phone numbers, and LinkedIn URLs.
    2. Handling of Outdated LinkedIn Data: For our LinkedIn automation service, we have processes to flag and update information that may have changed on LinkedIn profiles.
    3. Data Minimization: We regularly assess the data we collect and store, ensuring we only retain information necessary for our services. We remove any unnecessary data fields from our systems.
    4. Secure Data Disposal: When data is deleted, whether due to a customer request, account termination, or as part of our regular cleansing process, we ensure it's securely and permanently removed from our active systems.
    5. Backup Data Management: While immediate deletion occurs in active systems, we have processes to ensure that deleted data is also removed from backups as part of our normal backup rotation and overwriting procedures.

Reactive routines

    1. Customer-Initiated Updates: We provide tools for customers to review and update the data they've uploaded or collected through our platform, ensuring the most up-to-date information.
    2. Data Subject Requests: We have procedures in place to promptly handle data subject requests for correction, deletion, or restriction of their personal data, as outlined in our Data Processing Agreement.

How do we work with third-country transfers?

In 2020, the European Court of Justice (ECJ) published its judgment in case C311-18 (commonly referred to as "Schrems II"). We work continuously to manage the ruling's legal consequences, such as the invalidation of the Privacy Shield framework regarding transfers of personal data between the EU and the US.

We have entered into standard contractual clauses (SCC) with all sub-processors where a transfer can occur or where the company is either American or owned by an American company.

Concerning the sub-processors that fall under the rules stated in 50 USC § 1881a (“FISA section 702”) and the legal issues that the ECJ raised in the ruling, we have taken the following actions to implement supplementary safety measures:

    1. Investigated the processing of personal data by our necessary sub-processors to ensure that the personal data is processed and isolated within the EU. Among other things, we received assurances from IT security personnel at Google in Sweden that, because our agreement is with the European subsidiary of Google, Google Cloud EMEA Limited, and the server location is within the EU, our data is processed in isolation within the EU.
    2. Through their agreements, Google undertakes to, e.g., legally challenge any order for information disclosure. Google also releases information about the orders and injunctions they receive regarding data disclosure. For more information, see Google's Transparency Help Center.
    3. About Google Cloud Platform and encryption:
       a. Encryption of data "in transit". The only communication allowed to be sent to the server is transferred via HTTPS protocols. All incoming traffic on HTTP is redirected to HTTPS. When data reaches the server through an HTTPS-encrypted transfer, it is processed within a virtual private network. Within this network, we have security policies to ensure that only necessary communication is allowed between resources, meaning that information transferred between the browsers of users and the server is encrypted and thus unreadable.
       b. Encryption of data "at rest". The database is encrypted with the encryption standard AES-256.
    4. We continuously monitor the constantly evolving legal situation and assess our safety measures against the guidelines and criteria set by, among others, the European Court of Justice, the European Data Protection Board, and the Swedish supervisory authority IMY.
    5. We are happy to assist you with any transfer impact or other risk assessments regarding our sub-processors.

What security measures are implemented to protect data from service administrators, unauthorized users, etc.?

Administrators can only list or access data through our servers. That access level is protected by multiple factors of authentication and is only given to internal users who need it to run and maintain the service.