Privacy Policy / Tietosuojaseloste
Last updated: April 2026
1. Controller
[Company Name]
Y-tunnus: [pending]
[Registered address]
Finland
2. Data Protection Contact
For data protection inquiries: tietosuoja@[domain].fi
A Data Protection Officer (DPO) is not required under GDPR Article 37, as the controller does not carry out large-scale processing of special categories of data or systematic monitoring.
3. Purposes and Legal Bases
We process personal data for the following purposes under the stated legal bases (GDPR Article 6):
| Purpose | Data | Legal Basis |
|---|---|---|
| B2B vehicle brokerage service delivery | Company name, contact person, email, phone, Y-tunnus/USt-IdNr | Art. 6(1)(b) — performance of contract |
| KYC / counterparty verification (DE vendors) | Company name, USt-IdNr, IBAN (masked), Handelsregister data | Art. 6(1)(c) — legal obligation (EU AMLD5, HGB) |
| Financial record-keeping | Invoice data, SEPA references, ledger entries | Art. 6(1)(c) — legal obligation (Kirjanpitolaki, HGB §257) |
| Platform security & binding confirmations | IP address, session data, timestamps | Art. 6(1)(f) — legitimate interest (fraud prevention, B2B contract evidence) |
| Email delivery tracking | Delivery status, bounce data (no content) | Art. 6(1)(f) — legitimate interest (dispute evidence) |
4. Legitimate Interests
Where processing is based on legitimate interest (Art. 6(1)(f)), the specific interests are:
- IP/session logging: fraud prevention and providing evidence for binding B2B purchase confirmations (Finnish OikTL).
- Email delivery tracking: maintaining an audit trail for dispute resolution in cross-border transactions.
5. Recipients and Sub-Processors
| Processor | Purpose | Location |
|---|---|---|
| Vercel Inc. | Application hosting | EU (Frankfurt) |
| Neon Inc. | PostgreSQL database | EU (Frankfurt) |
| Cloudflare Inc. | R2 document storage | EU |
| Resend Inc. | Transactional email | US (SCCs in place) |
6. Third-Country Transfers
Resend Inc. processes email delivery data in the United States under EU Standard Contractual Clauses (SCCs). All other sub-processors operate within the EU/EEA.
7. Retention Periods
| Data Category | Retention | Legal Basis |
|---|---|---|
| Trade documents (Kaufverträge, invoices) | 10 years | HGB §257 / Kirjanpitolaki §10 |
| KYC / vendor verification records | 5 years post-relationship | EU AMLD5 |
| Audit logs | 10 years | HGB §257 (Handelsbuch) |
| Session / auth data | Until session expiry | System security |
| Email delivery metadata | 6 years | Kirjanpitolaki (dispute evidence) |
8. Your Rights
Under the GDPR, you have the following rights regarding your personal data:
- Access (Art. 15) — request a copy of your data
- Rectification (Art. 16) — correct inaccurate data
- Erasure (Art. 17) — request deletion, subject to legal retention obligations
- Restriction (Art. 18) — restrict processing in certain circumstances
- Objection (Art. 21) — object to legitimate-interest processing
- Data portability (Art. 20) — receive your data in a machine-readable format (JSON)
We will respond to valid requests within 30 days (GDPR Art. 12(3)). Contact: tietosuoja@[domain].fi
9. Consent
This platform does not rely on consent as a legal basis for processing. All processing is based on contract performance, legal obligation, or legitimate interest.
10. Supervisory Authority
You have the right to lodge a complaint with the Finnish Data Protection Ombudsman:
Tietosuojavaltuutetun toimisto
Lintulahdenkuja 4, 00530 Helsinki
Phone: +358 29 566 6700
Website: tietosuoja.fi
11. Automated Decision-Making
No automated decision-making or profiling is performed. All material decisions (deal classification, vendor verification, pricing) involve human review.
12. B2B Platform
This platform is strictly B2B. We do not process consumer (B2C) personal data. All data subjects are business representatives acting in their professional capacity.
13. Cookies
See our Cookie Notice for details on cookies used by this platform.