Social-emotional learning programs and training


Customer Data Protection and Register Description

Name of Data Register
The Mighty United – Customer Data Register

Applicable Legislation
General Data Protection Regulation (EU) 2016/679

Last Updated
Nov 14th, 2018

The Mighty United Oy
Lapinlahdenkatu 16

Contact Person
CEO Mervi Pänkäläinen
Tel: +358 400 885 221

The customer of The Mighty United

The Service
Mightifier web application and related services

This Description of Data Protection does not apply to third-party websites, applications or services that may be available through the Mightifier services or website. By opening another website, the customer exits company’s service.


Purpose of Processing Personal Data

The Mighty United processes data with the consent of the customer based on customer agreements. Personal data is processed for providing the Mightifier web application service (“Service”), managing customer relationships, and ensuring that the rights and obligations of the customer and the controller are met.

Personal data is stored and processed to support the customers’ use of Mightifier Service. The controller (e.g. teacher) registers the users (e.g. students) to the Service. Mightifier Service is a digital tool for boosting users’ social-emotional skills. In the Service users give each other positive peer feedback. Personal data is stored and used for improving the service.

Personal data can be processed for the following purposes:

  • Registering the customers and users to the Service
  • Upkeeping the profiles in the Service
  • Producing, offering, developing, improving and protecting the Service
  • Contacting potential or existing customers
  • Sending newsletters and sales materials
  • Creating user surveys
  • Helping customers with their customer service needs and personalizing the Service
  • Ensuring the fluent use of Mightifier Service
  • Analyzes and statistics regarding the use of the Service
  • Preventing and solving cases of misuse of the Service
  • Other similar purposes


Content of Data Register

The following information can be stored on the controller (customers):

  • Name and contact details (phone number and email address)
  • Organization and the position in the organization
  • Customer relationship management data created in customer service
  • Customer’s services and invoicing data
  • Messages from customer service communication
  • Device version
  • Operating system version of the device
  • Browser version
  • Time and length of the visits to the service
  • IP address
  • Location (based on IP address)
  • Other information provided by the customer

The following information can be stored on the users of the Service:

  • User’s first names or nicknames and individual access codes
  • The positive feedback messages sent and received in the Service
  • The answers to the wellbeing questionnaire
  • Device version
  • The operating system version of the device
  • Browser version
  • Time and length of the visits to the service
  • IP address
  • Location (based on IP address)
  • Other information provided by the customer

The following information can be stored of the visitors of company’s website

  • Time and length of the visits to the service
  • Device version
  • Operating system version of the device
  • Browser version
  • IP address
  • Location (based on IP address)
  • Other information provided by the customer e.g. via our customer service chat


Regular Sources of Data

The controller registers to the service and add their own and users’ (data subjects such as students) personal data to the digital Service. Personal data will be collected in compliance with the Terms of Service. In addition, personal data will be collected from the usage of the company’s Mightifier Service.

The data is regularly received after the controller and user submit them to the service during the registration and use of the Service. If the Controller or other data subject uses a third-party service to register or login to the Service, the third-party operator may collect available personal data (such as email address or passwords) according to the Terms of Service of that service.

Information about the devices of the users of The Mighty United’s digital products and online services will be collected automatically, using browser cookies or similar technologies, for the purpose of developing digital products and improving customer service.


Regular Disclosure of Data and Practices Relating to the Disclosure of Data

Data can be disclosed to the necessary members of the controller’s organization, e.g. the principal of the school according to customer agreements.

The Mighty United discloses personal data to the necessary employees or subcontractors of The Mighty United. Data contained in the register can be disclosed to these parties to provide customer support and improve the services of the company. Information about the third parties who company has disclosed personal data can be obtained by the customers or data subjects upon request.

The company may be obliged to disclose personal data if required to do so under applicable law or regulations, or to meet a request by a judicial or administrative authority. If personal data is disclosed to the authorities, the company will inform the data subjects.

The company may disclose personal information to another entity if it is acquired by or merged with another company, if substantially all company’s assets are transferred to another company, or as part of a bankruptcy proceeding.

The Mighty United does not sell, rent or otherwise disclose personal data to other parties.


Location of Data

Personal data will not be transferred outside the European Union or the European Economic Area, unless requested by the customer in writing. Data transfers outside the EU or the EEA requested by customers will be carried out in compliance with the requirements specified in the EU General Data Protection Regulation.

The Company uses AWS cloud service to store the data related to registering and using Mightifier Service. You can read more about the Data Protection Principles on Amazon website here and here. The terms are in accordance with the General Data Protection Regulation of the European Union.


Storage and Erasure of Data

At the end of customer relationship, or at the request of the customer all personal data of the user, or the organization should no users remain, will be deleted.

The database holding all personal data of service users has backups that predate the current moment by 30 days, after this no personal data of the service users can be reconstructed by any means. The system backups are needed to restore data in case of involuntary data loss, or system failure.

Company’s website visitor data processed in Intercom service will be deleted once a visitor has not been seen for nine months. Of visitors who have not visited the company’s website in 9 months IP, conversation, and location information will be removed. If a visitor returns after 9 months they will be treated as a new visitor. More about the Intercom Data Protection Policy here:


Principles of the Protection of the Data

Data contained in the data register that is processed electronically is protected by technical means: using firewalls and passwords, and using other technical means. The data is stored securely encrypted and is transferred only over encrypted channels. All-access to personal data in electric form is logged, and physical documents are stored securely. Discarding of all physical media is done so that it cannot be reconstructed by any third party. Personal data of the application users is stored in an encrypted database, that forces all connections to be TLS encrypted. This database has backups that predate the current data by 30 days.

Only identified employees of the supplier and the employees of companies operating on behalf of the supplier have access to the data contained in the register, based on access rights granted to them. Customer data is only processed by the employee assigned to that task. Processing personal data on any other grounds is not allowed, even if the employee has technical access to the data based on their role in the company. All the supplier’s employees, and any external parties operating on behalf of the supplier, are bound to secrecy regarding all the customer’s personal data. Employees who process customer data receive regular training.

Materials that are maintained manually are located on-premises that have access control to prevent unauthorized access.


Right to access, rectify and erase data, right to restrict data, and data portability

In accordance with Articles 15 to 22 of the EU General Data Protection Regulation, data subjects have the following rights:

  1. right of access to personal data
  2. right to rectify the data
  3. right to erase the data
  4. right to restrict processing
  5. right to data portability

These rights apply to personal data stored in The Mighty United’s information systems. Should you wish to use one of these rights, you need to contact The Mighty United in writing at the following email address:

If a data subject wishes to access their personal data contained in a personal data register owned by a customer of The Mighty United, the data subject must submit a request to access or change the data to the controller. The request to access, rectify or erase data must specify the personal data that the data subject wants to access.

The company will provide a copy of the information free of charge. However, the company can charge a reasonable fee when a request is manifestly unfounded or excessive, e.g. if it is repetitive. Where the data subject makes the request by electronic means, and unless otherwise requested by the data subject, the information shall be provided in a commonly used electronic form. For any further copies requested by the data subject, the controller may charge a reasonable fee based on administrative costs.

The Mighty United Oy will handle the requests within 30 days.



May 24th, 2018 – The Customer Data Protection and Register Description was updated according to the General Data Protection Regulation of the European Union.

Nov 1st, 2018 – The Purpose of Processing Personal Data has been amended so that it does not provide rights to store personal information for undisclosed marketing purposes

Nov 14th, 2018 – Specification of the information collected of the visitors to the company’s website Updates to the links to Amazon data processing policies.

This Policy is effective from the date below

May 24th, 2018

If you have questions, concerns or other feedback, please contact us.

Please read more about our Privacy Policy here.