Privacy & Cookie policy
1) Who is the controller of your personal data?
iconicchain Oy
Business ID: 2875875-3
Lodenkuja 2 J, 02450 Sundsberg, Finland
For data protection matters, you can contact us via email at dpo@iconicchain.com.
2) From where do we collect your personal data?
To provide our services and fulfill our obligations, we process personal data. We want you to be aware of the types of personal data we collect. When we process personal data on behalf of our customers, the data protection agreement applies.
Information you provide to us
You provide us with personal data when you contact us via email or web form, when you represent a customer or vendor in a business relationship with us, when you sign up to receive marketing communications, when you participate in events we host, sponsor or attend, and when you apply for a position with us.
| Categories | Examples of personal data types |
| Identity and contact data | Name, work email, phone number, employer, job title, and business address |
| Employment and contract data | Contract terms, position, department, and other information needed to perform a service, or commercial contract. |
| Financial data | Invoicing details, bank account, tax identification number, and other information needed to process payments. |
| Communication and inquiry data | The content of messages, emails, web form submissions, customer support exchanges, feedback, and survey responses you send to us. |
| Marketing and engagement data | Marketing preferences, consent status, event participation, contact source, and similar information you provide when signing up to receive communications. |
| Application and assessment data | CV, cover letter, certificates, references, interview notes provided when you apply for a position. Background check data only with explicit consent. |
Information we collect when you use our website and systems
We collect information about how you use our services.
| Categories | Examples of personal data types |
| Online behavioural and tracking data | Browsing behaviour, pages visited, session duration, referral source, IP address, cookie identifiers, and consent status when you visit our website. |
| Marketing and engagement data | Unsubscribe status, campaign responses, and other identifiers generated when you interact with our marketing communications. |
Information we receive from third parties
In certain situations, we receive personal data from third parties.
| Categories | Examples of personal data types |
| From event organizers and business partners | Contact details and event participation data from events, and conferences we host. |
| From advertising, analytics and social media platforms | Campaign performance data, audience and engagement metrics, page interaction data, and audience segments inferred or created by the platform. |
| From public sources and authorities | Trade register data on company representatives and beneficial owners, statutory filings, and other publicly available information. |
| From references and previous employers (recruitment) | Reference statements and information about a candidate provided by referees the candidate has nominated. |
| From our customers (where applicable) | Information necessary to perform a customer contract |
3) Why do we process your personal data?
We process your personal data in accordance with the processing purposes listed below.
| Purpose | Legal basis |
| Managing customer relationships and performing customer contracts. We process customer and their representatives’ contact information, employment and contract data, and invoicing details to manage business relationships, fulfill service contracts, and handle invoicing. | Performance of contract (Art. 6(1)(b)). |
| Developing and improving our products and services. We analyze how our customers use our products, collect their feedback, and use this information to understand their needs, reproduce and fix bugs, and develop a better service. | Legitimate interest (Art. 6(1)(f)). You have the right to object to this processing. |
| Managing vendor and supplier relationships. We collect and process the contact information of vendors’ and suppliers’ representatives in order to purchase goods and services, manage contracts, and process invoices. | Performance of contract (Art. 6(1)(b)). |
| Recruitment. We process application materials and interview notes submitted by or obtained about candidates in order to assess suitability for open positions and make hiring decisions. | Steps taken at the request of the data subject prior to entering into a contract (Art. 6(1)(b)). |
| Responding to inquiries We process the contact details and content of messages of individuals who contact us via email, web form, or other channels in order to respond to their inquiries. | Legitimate interest (Art. 6(1)(f)). You have the right to object to this processing. |
| Managing our presence on social media. We maintain company pages on social media platforms (such as LinkedIn) to share product news, communicate with our professional audience, and build our brand. | Legitimate interest (Art. 6(1)(f)). We maintain a company page on LinkedIn to share news and engage with our professional audience. For the processing of personal data used to generate Page Insights, we act as joint controllers with LinkedIn Ireland Unlimited Company under LinkedIn’s Joint Controllership Addendum. The legal basis for this processing is legitimate interests (Art. 6(1)(f)). You have the right to object to this processing. |
| Website analytics. We analyze how visitors use our website in order to understand which content is useful and improve the user experience. | Consent (Art. 6(1)(a)) You can manage your consent through our cookie banner at any time. |
| Paid digital advertising and audience targeting. We run paid advertising campaigns on media platforms to reach professionals at financial institutions and other organizations who may be interested in our products. | Legitimate interest (Art. 6(1)(f)). You have an absolute right to object to direct marketing. Consent (Art. 6(1)(a)) for pixel- and cookie-based retargeting.[A1] |
| Direct marketing by email. We send marketing emails to professionals at organizations that we believe may be interested in our products. | Legitimate interest (Art. 6(1)(f)). Consent (Art. 6(1)(a)) You have an absolute right to object to direct marketing. |
| Information security and IT infrastructure management. We manage access to our IT systems and monitor those systems for security threats and unauthorized activity in order to protect the data we hold and keep our services running securely. | Legitimate interest (Art. 6(1)(f)). You have the right to object to this processing. |
4) How do we use cookies and similar technologies?
We use cookies and similar technologies on our website. Cookies are small text files that are stored on your device when you visit a website. We also use local storage, which works like cookies but stores data directly in your browser.
We use cookies to enable essential website features and analyze visitor activity. Non-essential cookies will only be activated after you give your consent through our cookie banner. You may accept all cookies, reject non-essential cookies, or select your preferences by category. You may change or withdraw your consent at any time by clicking the cookie icon at the bottom of the page.
The table below lists the cookies and local storage items that we use.
| Cookie | Category | Description | Duration |
| cookieyes-* | Necessary | CookieYes sets this cookie for consent solution management. | 1 year |
| zfccn | Necessary | Zoho sets this cookie for website security when a request is sent to campaigns. | Session |
| zalb_* | Necessary | Zoho sets this cookie for load balancing and session stickiness. It ensures that user requests are consistently directed to the same server during a session. | Session |
| _ga | Analytics | The _ga cookie, installed by Google Analytics, calculates visitor, session and campaign data and keeps track of site usage. The cookie stores information anonymously and assigns a randomly generated number to recognise unique visitors. | 400 days |
| _ga_* | Analytics | Google Analytics sets this cookie to store and count page views. | 400 days |
| zabUserId | Analytics | Zoho PageSense sets this cookie to store a unique ID for every user who visits the website. | 1 year |
| zsc* | Analytics | Zoho sets this cookie to uniquely identify the current session and enable comprehensive tracking of user interactions. | 1 hour |
| zft-sdc | Analytics | Zoho PageSense sets this cookie to determine whether a request is the first interaction with the server. It also identifies the entrance page and stores source information for visitor tracking. | 1 day |
| zps-tgr-dts | Analytics | Zoho PageSense sets this cookie to store session-level metadata related to its triggers, supporting website analytics and optimisation. | 1 year |
| zpssr* | Analytics | Zoho PageSense sets these session-level cookies to identify top-level domains during session recording. Multiple instances are created per browsing session. | Session |
| zps-ft-details | Analytics | Zoho PageSense stores visitor tracking details in local storage, including traffic source, session, and page view data. | Does not expire |
| zps-ft-pghitType-details | Analytics | Zoho PageSense stores page hit type details in local storage to support visitor analytics and session tracking. | Does not expire |
Google Analytics data is processed by Google LLC. Zoho PageSense data is processed by Zoho Corporation. Both processors may process data outside the EU/EEA under standard contractual clauses.
5) Do we disclose or transfer your personal data?
We use carefully selected service providers and business partners to help us deliver our services. These partners include providers of technical, administrative, and compliance services. All service providers and business partners are required to protect your personal data and process it only for the specified purposes.
We may be required by law to disclose your personal data to authorities, regulatory bodies, or law enforcement agencies. Such disclosures are made only when required or permitted by applicable law.
In the event of a prospective merger, acquisition, or sale of all or part of our business, we may disclose your personal data to potential buyers.
6) Do we process your personal data outside the EU and the eea area?
7) How long do we retain your personal data?
The retention period of your personal data depends on the purposes for which we process your personal data. We inspect the necessity of the personal data stored regularly and keep records of the inspections.
| Purpose | Retention period |
| Customer relationships and contract performance | For the duration of the customer relationship, and accounting records ten (10) years from the end of the accounting period under the Finnish Accounting Act (1336/1997). |
| Product development and improvement | For as long as necessary for product development purposes. |
| Vendor and supplier management | For the duration of the contractual relationship, and accounting records ten (10) years from the end of the accounting period under the Finnish Accounting Act (1336/1997). |
| Recruitment | 12 months from either the deadline for the job announcement or the receipt of the application. |
| Inbound inquiries | For as long as necessary to respond to and document the inquiry. |
| Social media presence | For the duration of our company page on the relevant platform. |
| Website analytics | User- and event-level data are retained between 2 and 14 months. |
| Paid digital advertising and audience targeting | Pixel and custom audience data per each platform’s retention policy, typically up to 180 days.[A2] |
| Direct marketing by email | Until the contact unsubscribes, requests deletion, or the employer and role can no longer be verified. A suppression list of unsubscribers is maintained indefinitely. |
| Information security and IT infrastructure management | System access and security logs: 12 months. Audit logs: 12–24 months. |
8) What data protection rights do you have?
You may have the right to use the below listed data protection rights under the GDPR:
- Right to inspect (art. 15)
- Right to rectify (art. 16)
- Right to erasure (art. 17)
- Right to restriction of processing (art. 18)
- Right to data portability (art. 20)
- Right to object; especially when processing personal data based on legitimate interests (art. 21)
If you would like to use your rights or inquire something about data protection, please be in touch via email (see contact information from section 1).
9) Can this privacy notice be amended?
We may unilaterally amend this Privacy Notice. We update the Privacy Notice as necessary, for example, when there is a change in legislation. Amendments to this privacy notice will take effect immediately when we post an updated version on our website.
If we make significant changes to the Privacy Notice, or if there is a significant change in the way it is used, we will notify the data subjects.
(Last update 7.6.2026)