Privacy policy

Last updated 30.01.2025

Cambri respects your privacy and is dedicated to protecting your personal data in accordance with the General Data Protection Regulation (“GDPR”).

This Privacy Policy (hereinafter "Policy") informs you why Cambri collects, uses, or shares your personal data in connection with our website www.cambri.io and related to the provisioning of the service provided based on the agreement between Cambri and its customers, including the use of the Cambri Tool (“Service”). Please read this Privacy Policy carefully before you start using the Service.

1. Data controller
The data controller in accordance with the applicable data protection law is Cambri Ltd (hereinafter together "Cambri", "we", "us" or "our"). Cambri is responsible for ensuring that your personal data is processed in compliance with this Policy and applicable data protection laws, such as the GDPR.

Contact details of the data controller:

Cambri Ltd
Business ID: 2628434-7
Address: Salomonkatu 17B, 00100 Helsinki. Finland
Email: privacy@cambri.io

This Policy covers only cases where Cambri acts as the data controller. That is the case for data collected on the website, and for the customer relationships including marketing, administration, and billing as well as the use of the Cambri Tool. Those purposes are explained below at 3.

In some cases, Cambri acts on behalf of its customers when providing the Service, e.g. when hosting surveys and aggregating data to research reports. In case Cambri’s customers share personal data with Cambri, e.g. contact data from potential respondents, Cambri acts as a processor for such personal data and acts on behalf of a Cambri customer. In this case, Cambri measures to protect your personal data according to the instruction given by the data controller.

2. Collection of personal data
Personal data means information that is related to you as an identified or identifiable person, either directly or indirectly.
We may collect personal data through different means, which are explained below. There are two main constellations, where Cambri processes personal data as a controller. In both cases, Cambri collects the minimum amount of personal data necessary and uses technical and organizational measures like pseudonymization to protect the data.

2.1. Cambri as a business partner
As a main rule, the personal data processed by us is provided by someone acting for an organization when signing the agreement for the Service, upon registration to the Service, and/or when using the Service. The personal data we collect includes e.g. the following categories of data:

Name and contact details, such as email address, address, and phone number;
Information relating to customer relationship, such as billing information;
Language preferences; and
Customer interaction, customer contacts, and replies.

We may also collect technical data on the use of the Service, which may be associated with you. The technical data we collect includes e.g. the following categories of data:

Timestamps and log data relating to the use of the Service; and
Device ID, device type, operating system used, access network properties, and application settings.

This collection and processing of personal data concern people working for our customers, i.e. those organizations that interact with Cambri to use our Service.

2.2. Cambri processing personal data of Respondents
In this case 2.2., the collection and processing of personal data concern Respondents. Respondents are people that answer surveys that run on the Cambri tool. Cambri does not itself recruit Respondents or store any contact data from Respondents.
RESPONDENT ID: In some cases, Cambri receives a pseudonymized Respondent ID, which is a random number, specific for a particular survey from the so-called panel providers. The Respondent ID connects the survey answers to an individual. Cambri does not know who answered, as the panel providers only share the Respondent ID with the answers; Cambri cannot identify on its own whose personal data it is.
Cambri does not use the Respondent ID to create the report from the survey answers but uses the Respondent ID to

make sure that panel providers fulfil their obligation;
manages IT security
to report back to panel providers that the survey has been answered by a certain Respondent ID.

IP Addresses: Cambri receives also the IP addresses of Respondents. Cambri does not use those for creating reports, but for the purpose of IT security and Quality assurance only.

3. Purpose and legal basis for processing personal data
We process personal data only for the following purposes:

1. Service provision and managing your customer relationship
The primary purpose of collecting personal data is to provide the Service to you and to manage and maintain the customer relationship between us and you/the company you represent. This concerns also the processing of personal data to check if all survey answers have been received in the promised quality. In this case, processing of personal data is needed for example for creating service accounts, user verification, account administration, protecting the integrity of our service and our website (including troubleshooting, testing, and system maintenance), communication, order delivery, invoicing, and payment processing. In this case, our processing of personal data is based on the contract between you/the company you represent and us.

2. Marketing
We may send you emails to inform you about new features of the Service, ask you for feedback, or provide you with other relevant information about our services. In this respect, the processing of personal data is based on our legitimate interest to provide you with relevant information as part of the Service and to promote the Service to you. You may object to marketing communications at any time (please see section 8 of this Policy).

3. Service development and information security
We also process personal data to ensure the security of the Service, to improve the quality of the Service, and to develop new features to the Service. In these cases, the processing of personal data is our legitimate interest to ensure that our Service has an adequate level of data security, and that we have sufficient and relevant information at hand to develop our Service. When processing of personal data is based on our legitimate interest as mentioned above, we have assessed the processing of personal data by using a so-called balancing test in accordance with data protection laws. You may object to processing based on legitimate interest at any time (please see section 8 of this Policy).

To protect your privacy, we mainly use anonymized data in our service development. That means that data has been rendered down to a general level (aggregated) or converted into statistics so that it is impossible to identify you from the data.

4. Transfers and disclosures of personal data
We may disclose personal data to third parties:

when permitted or required by law, e.g. to comply with requests by competent authorities or related to legal proceedings;
when our trusted services providers provide services to us, on behalf of us and under our instructions, for example, to provide us necessary technical solutions to perform, improve or maintain the Service. We will control and be responsible for the use of your personal data at all times;
if we are involved in a merger, acquisition, or sale of all or a portion of our assets; and
when we believe in good faith that disclosure is necessary to protect our rights, protect your safety or the safety of others, investigate fraud, or respond to a government request.
when we are acting on behalf of a panel provider as a processor. In this case, the panel provider is responsible for the processing.

5. Transfers of personal data outside the EU/EEA
We do not transfer your personal data outside the EU or the European Economic Area.

6. Cookies
6.1 General information about cookies
We also use cookies and other similar techniques on our website at www.cambri.io. A cookie is a string of information or a small text file that a website stores on a visitor’s device, and that the visitor’s browser or operating system provides to “remember” things about your visit. In addition to cookies, Cambri may use other existing or later developed tracking technologies. These tracking technologies may set, change, alter or modify settings or configurations on your device. You will find more information on our cookie types, purposes for collection, and information collected in the following sections 6.2 and 6.3. In section 6.4 we will inform you how your consent is requested and how to withdraw your consent.

Your use of our website may result in some cookies being stored that are not controlled by us. This may occur when the part of the website makes use of a third-party analytics or marketing automation/management tool or includes content displayed from a third-party website. You should review the privacy and cookie policies of these services to find out how these third parties use cookies and whether your cookie data will be transferred to a third country. You will find more information also on third-party cookies in section 6.2.

Each cookie lasts for a different period. “Session cookie” will last only while your browser is open. When you close the browser, the session cookie will be deleted automatically. A “persistent cookie” will survive even after closing the browser. Persistent cookies will for example recognize your device when you browse the Internet by opening the browser again.

6.2 Cookie types and information collected

Strictly necessary cookies let you use all the different parts of the website. Without them, the services that you’ve asked for cannot be provided. Such cookies may be used for function, authentication, performance, or security purposes or may help you to share things on your social media platform. However, the way we use these cookies poses minimal harm to your privacy (e.g. we only keep such cookies for a browser session).
Security cookies let us put in place security measures for certain services or third-party websites.
Functional cookies let us remember your preferences, settings, or authentication credentials when you return to our website. These cookies may help us to provide us with personalized content on our website.
Analytical cookies collect information about how visitors use our websites, for instance, which pages visitors go to most often, and whether they get error messages from web pages. These help us make sure that the website is working properly and fix any errors. We can also improve the way the site works and presents content to you.
Social media cookies allow you to share what you’ve been doing on the website on social media and allow us and third-party providers to offer you a more personalized and engaged web experience, e.g., by offering you advertisements on your social media channels that are more relevant to you while allowing you to share your experiences on our website via social media.
Advertising cookies are used to deliver relevant ads, track email marketing or ad campaign performance and efficiency. For example, we and our ad partners may rely on information acquired through these cookies to serve you ads that may be interesting to you on our website or other websites. Similarly, our business partners may use a cookie to determine whether we’ve served an ad and how it performed or provide us with information about how you interact with them.

6.3 Purposes of cookies and other information
6.3.1 Strictly necessary cookies

Cookie type	Provider	Purpose	Duration
Strictly necessary cookies	HubSpot: __hs_opt_out	This cookie is used by the opt-in privacy policy to remember not to ask the visitor to accept cookies again. This cookie is set when you give visitors the choice to opt out of cookies. It contains the string "yes" or "no".	It expires in 13 months.
Strictly necessary cookies	HubSpot: __hs_do_not_track	This cookie can be set to prevent the tracking code from sending any information to HubSpot. It contains the string "yes".	It expires in 13 months.
Strictly necessary cookies	HubSpot: __hs_initial_opt_in	This cookie is used to prevent the banner from always displaying when visitors are browsing in strict mode. It contains the string "yes" or "no".	It expires in seven days.
Strictly necessary cookies	HubSpot: __hs_cookie_cat_pref	This cookie is used to record the categories a visitor consented to. It contains data on the consented categories.	It expires in 13 months.
Strictly necessary cookies	HubSpot: hs_ab_test	This cookie is used to consistently serve visitors the same version of an A/B test page they’ve seen before. It contains the id of the A/B test page and the id of the variation that was chosen for the visitor.	It expires at the end of the session.
Strictly necessary cookies	HubSpot: <id>_key	When visiting a password-protected page, this cookie is set so future visits to the page from the same browser do not require login again. The cookie name is unique for each password-protected page. It contains an encrypted version of the password so future visits to the page will not require the password again.	It expires in 14 days.
Strictly necessary cookies	HubSpot: hs_langswitcher_choice	This cookie is used to save the visitor’s selected language choice when viewing pages in multiple languages. It gets set when an end user selects a language from the language switcher and is used as a language preference to redirect them to sites in their chosen language in the future, if they are available. It contains a colon delimited string with the ISO639 language code choice on the left and the top level private domain it applies to on the right. An example will be "EN-US:hubspot.com".	It expires in two years.

6.3.2 Other cookies used only with your consent

Cookie type	Provider	Purpose	Duration
Analytics cookies	HubSpot: __hstc	The main cookie for tracking visitors. It contains the domain, utk, initial timestamp (first visit), last timestamp (last visit), current timestamp (this visit), and session number (increments for each subsequent session).	It expires in 13 months.
Analytics cookies	HubSpot: hubspotutk	This cookie keeps track of a visitor's identity. It is passed to HubSpot on form submission and used when deduplicating contacts. It contains an opaque GUID to represent the current visitor.	It expires in 13 months.
Analytics cookies	HubSpot: __hssc	This cookie keeps track of sessions. This is used to determine if HubSpot should increment the session number and timestamps in the __hstc cookie. It contains the domain, viewCount (increments each pageView in a session), and session start timestamp.	It expires in 30 minutes.
Analytics cookies	HubSpot: __hssrc	Whenever HubSpot changes the session cookie, this cookie is also set to determine if the visitor has restarted their browser. If this cookie does not exist when HubSpot manages cookies, it is considered a new session. It contains the value "1" when present.	It expires at the end of the session.
Functionality cookies	HubSpot: Pre-populated form fields	This cookie is used to recognize visitors. If the visitor leaves your site before they're added as a contact, they will have this cookie associated with their browser. This cookie will be specific to a subdomain and will not carry over to other subdomains. For example, the cookie dropped for info.example.com will not apply to the visitor when they visit www.example.com, and vice versa. HubSpot will only pre-populate data previously submitted to a HubSpot form on the same device. For example, if you submit your phone number to a form on your desktop, but the number is updated from a contact record in HubSpot or another form submission from your mobile device, the updated property will not pre-populate in any forms on your desktop. Only the phone number from the earlier submission will be displayed.	It expires in 13 months.
Advertisement cookies	HubSpot LinkedIn Google Ads Google Analytics Facebook and Instagram	LinkedIn via pixel: We use LinkedIn pixels to learn more about your interactions with our web or email content, such as whether you interacted with ads or posts. Pixels can also enable us and third parties to place cookies on your browser. LinkedIn maintains an Information Security Program to ensure the confidentiality, integrity, and availability of all computer and data communication systems while meeting the necessary legislative, industry, and contractual requirements. Google Ads via pixel: When you interact with our ads by clicking a text ad or viewing a video ad, Google Ads stores cookies that contain information about the interaction, and a unique identifier for you or the ad click that brought you to our site. Google's security standards are strict. Google Ads only collects data on pages where you have deployed the associated tags. Google Analytics: This is a web analytics service. With this service we can measure the users behavior when they visits our website, and the advertising ROI as well as track Flash, video, and social networking sites and applications. Facebook and Instagram via pixel: Facebook and Instagram's tracking technology is used to collect data. It's also used by other services such as Facebook Custom Audiences.

6.4 Cookie consent
In case we collected (personal) information via our strictly necessary cookies listed in section 6.3.1, we will process such information on the basis of our legitimate interest to provide the requested services on our website. Without these cookies the functionalities of our website would not work properly.

We use other types of cookies listed in section 6.3.2 only if you have given your consent to do so via a cookie banner that appears when entering our website. You can withdraw your consent from our cookies here. You can also at any time delete the cookies that have been set and change your browser settings and/or block all or some of any other cookies that are set on your device in the future through your browser settings.

7. Retention of personal data
Your personal data will be retained only for as long as necessary to fulfil the purposes defined in this Policy.
Most of your personal data will be retained during the course of you customer relationship with Cambri. This concerns for example marketing related information and information needed to communicate with you and send you bills. Some personal data might be retained after your customer relationship with us has ended, if required or allowed by applicable laws. For example, Cambri is obliged to keep accounting related records for 6 years.
When your personal data is no longer required by law or rights or obligations by either party, we will delete your personal data. Respondent IDs will be deleted after service completion.

8. Your rights
Please note that there might be cases, where Cambri cannot technically identify you, and you might need to turn to the panel provider to ask for more information. In cases, where Cambri can identify you, you have all rights granted under European data protection law.

You have a right to access personal data we process about you. You may access, correct, update, change or remove your personal data at any time. However, please note that certain information is strictly necessary in order to fulfil the purposes defined in this Policy and may also be required by law. Thus, you may not remove such personal data.

You have a right to object for certain processing. To the extent required by applicable data protection law, you have a right to restrict data processing.

You have a right to data portability, i.e. right to receive your personal data in a structured, commonly used machine-readable format and transmit your personal data to another data controller, to the extent required by applicable law.

You may opt-out of receiving marketing communications by following the instructions in the marketing message or by sending a request to us.

Please send above-mentioned requests to us at privacy@cambri.io
If you think there is a problem with the way we are handling your personal data, you have a right to file in a complaint to your national data protection authority in the EU. In Finland, that is the Data Protection Ombudsman (Tietosuojavaltuutettu): https://tietosuoja.fi/en/contact-information. Data protection authorities in other EU member states can be found at https://edpb.europa.eu/about-edpb/about-edpb/members_en

9. Security
We maintain reasonable security measures (including physical, electronic, administrative, and organizational) to protect personal data from loss, destruction, misuse, and unauthorized access or disclosure. In addition, we limit access to personal data to authorized employees, contractors and agents who need to know the information in the course of their work tasks, in any such case, based on our explicit instructions and being bound by strict confidentiality obligations.

Please be aware that, although we endeavour to provide reasonable security measures for personal data, no security system can prevent all potential security breaches. We have put in place appropriate procedures to respond to any suspected personal data breach and will notify you and any applicable regulator of such breach where we are required to do so.

AI Data security

Cambri trains and hosts most of its AI models in its own cloud within its own data science architecture. The only 3rd-party models that are in use are GPT and AWS translation. Both OpenAI (owner of GPT) and AWS are GDPR compliant and SOC2 certified. We maintain an enterprise account with OpenAI in which:

1. We communicate securely via OpenAI API

2. OpenAI is not using data from Cambri for any model trainings

Note: Cambri is only using OpenAI API in its production, not ChatGPT. Cambri data is private and is not used for any training models outside Cambri.

LLMs are not trained with user data. All of Cambri’s NLP labeling models are trained with anonymous respondent data, which are open-ended responses from the surveys. This training takes place in our own cloud infrastructure. NLP labeling models are available for all Cambri users.

10. Trusted partners
We work with several trusted partners who interact with our data at different stages. The majority of our partners are based in the European Economic Area (EEA). For partners who reside outside the EEA, the transfer of data is governed by the standard contractual clauses as defined by the European Commission.

We use AWS EMEA Sarl for data hosting, and Amazon Bedrock for AI tools and services. Our key panel provider partners are Cint and Norstat. We co-operate with Veracell whose technology consultants who are subject to the same confidentiality and data security terms as our own employees. Our main partners for sales, communication and invoicing are Zendesk, PostHog, Salesforce, Jiminny, Procountor, Hubspot, Outreach, Xappex.

11. Changes to this Policy
We may change this Policy from time to time. If we make any changes to this Policy, we will let you know it on our website at www.cambri.io where you will also find the latest version of this Policy.

12. Contact us
If you have any questions regarding this Policy or the personal data we process about you, please contact us at privacy@cambri.io.