Skip to content

Privacy policy

In this Privacy Policy, we explain how Vahti Service Oy processes personal data when it acts as a data controller. Separate DPA, Subprocessors and Cookie Policy documents supplement this notice with respect to customer service data, sub-processors and cookie policies.

Privacy Policy

Vahti Service Oy / vahti.ai
Updated: 23 April 2026

1. Controller

Vahti Service Oy
Business ID: 3598836-2
Kauppakatu 39, 40100 Jyväskylä, Finland
Email: contact@vahti.ai
Website: https://vahti.ai

2. Contact Person for Data Protection Matters

For questions relating to data protection, you can contact:

Vahti Service Oy
Contact person for data protection matters: Teemu Tapper
Email: teemu@vahti.ai
General contact address: contact@vahti.ai

3. What This Policy Covers

This Privacy Policy applies to the processing of personal data by Vahti Service Oy when Vahti Service Oy acts as the controller.

This Policy applies in particular to the following situations:

  • website visitors
  • leads, demo requests and enquiries
  • customer contact persons and users
  • billing contact persons
  • support requests and customer communications

This Policy does not exhaustively describe all processing of personal data carried out on behalf of customers in the vahti.ai service. To the extent Vahti Service Oy processes customer service data on behalf of a customer, that processing is described in a separate Data Processing Agreement (DPA).

4. What Personal Data We Process

The data we process depends on the context in which you interact with Vahti Service Oy.

Website visitors

  • technical website usage and log data, such as IP address, time, browser and device information, and data related to page requests
  • data collected through HubSpot relating to website use, forms and customer relationship management
  • log and event data necessary for the operation and security of the service

Leads, demo requests and enquiries

  • name, work email address, phone number, company and job title
  • message content, topic, contact history and sales process status
  • data stored in HubSpot relating to customer relationship management, sales and marketing

Customer contact persons and users

  • name, work email address, company, user role and account status
  • invitation and activation data, language, time zone and notification settings
  • identifiers related to login and access management
  • limited data describing use of the service, such as opened view or function data

Billing contact persons

  • name, email address and company
  • subscription and billing information
  • data relating to the service package and billing period
  • payment status information
  • limited payment method summary data, if provided to the service by the payment service provider

Support requests and customer communications

  • sender’s name and email address
  • company
  • message content
  • subject, status and handling history of the support request
  • possible reference and background information needed to handle the matter

5. Where We Obtain the Data From

We receive personal data:

  • directly from the data subject, for example in connection with an enquiry, demo request, trial registration or use of the service
  • from the customer company, for example when the company names contact persons or users
  • from authentication and access arrangements used by the customer
  • from payment and billing services, such as Stripe
  • from technical logs and usage telemetry automatically generated when the website and service are used
  • from email and support communications

6. Purposes of Processing

We process personal data for the following purposes:

  • providing the website and service
  • responding to enquiries, demo requests and trial requests
  • managing customer relationships
  • creating user accounts, identifying users and managing access rights
  • delivering and maintaining the service
  • billing, payment processing and subscription management
  • handling support requests and customer communications
  • ensuring service security, monitoring and prevention of misuse
  • limited service usage analytics and service development
  • fulfilling statutory obligations, such as accounting

7. Legal Bases for Processing

The legal basis for processing varies depending on the purpose of processing.

Contract or steps prior to entering into a contract

Processing may be based on a contract or steps prior to entering into a contract, for example when a company registers as a customer, a user account is created and managed, the service is provided to the customer, or a demo request or trial request relates to deployment of the service.

Legitimate interest

Processing may be based on Vahti Service Oy’s legitimate interest, for example when we respond to B2B enquiries, manage customer relationships, process support requests and customer communications, monitor use of the service in a limited manner to develop the service, or ensure service security, logging and prevention of misuse.

Legal obligation

Processing may be based on a legal obligation, for example to comply with accounting and tax legislation and to respond to requests from authorities.

Consent

Processing may be based on consent to the extent we use non-essential cookies or similar technologies.

8. To Whom Data Is Disclosed or Who Processes It

Personal data is processed only by persons who need access to it for their work duties.

We may disclose data to or make data available for processing by:

  • Vahti Service Oy personnel
  • technical service providers of the service
  • payment and billing service providers
  • email delivery service providers
  • customer relationship management and sales systems
  • a support partner designated by the customer at the customer’s request or according to the customer’s settings
  • authorities, if required by law or an authority order

We do not sell personal data to third parties.

9. Subcontractors / Sub-processors

We use service providers in the processing of personal data that process data on our behalf or support the provision of the service.

Based on current information, such service providers include at least:

  • Google Cloud: infrastructure and hosting
  • Stripe: payments and billing
  • Postmark: email delivery
  • HubSpot: website forms, customer relationship management, sales process and customer communication management

An up-to-date sub-processor list is published on a separate Subprocessors page.

10. Are Data Transferred Outside the EU/EEA?

For its own production infrastructure, Vahti Service Oy aims to use a Google Cloud environment located in the EU.

Some of the service providers we use, such as Stripe, Postmark and HubSpot, may nevertheless process personal data or provide access to personal data from outside the EU/EEA for the purpose of providing, maintaining, supporting or protecting their services. In such cases, transfers are carried out using transfer mechanisms under applicable data protection legislation, such as Standard Contractual Clauses approved by the European Commission, the EU-U.S. Data Privacy Framework or another applicable safeguard.

More detailed information about service providers and possible international transfers is described on a separate Subprocessors page.

11. How Long We Retain Data

We retain personal data only for as long as necessary for the purposes described in this Policy or for the period required by law.

  • Website technical logs: generally for no more than 12 months, unless longer retention is necessary for security, investigation of misuse or a statutory obligation.
  • Enquiries, demo requests and trial leads: for no more than 24 months from the last active contact, unless they lead to a customer relationship or longer retention is justified for B2B sales and customer relationship management.
  • Customer contact person and user account data: for the duration of the customer relationship and for no more than 12 months after the customer relationship ends, unless longer retention is necessary for billing, complaints, security or legal claims.
  • Closed user account data: for no more than 12 months after account closure, unless longer retention is necessary for security, investigation of misuse or statutory obligations.
  • Support requests and customer communications: for no more than 36 months after the matter has been closed, so that we can handle follow-up questions, quality assurance and possible complaints.
  • Usage telemetry: for no more than 24 months from the event, unless the data has been anonymised or aggregated into statistical information.
  • Security logs: generally for no more than 12 months, unless longer retention is necessary to investigate a security incident.
  • Email sending and delivery logs: for no more than 24 months from sending the message, unless longer retention is necessary to investigate delivery issues, consents, suppression lists or misuse.
  • Billing and accounting materials: for the period required by accounting legislation.

When data is no longer needed, it is deleted or anonymised within a reasonable time.

12. How We Protect Data

We protect personal data through technical and organisational measures, such as:

  • restricting access rights
  • authentication and access management
  • logging and monitoring
  • system- and environment-level security measures
  • staff instructions and guidance
  • contract and service provider management

We do not describe all security measures in detail in this public Policy.

13. Data Subject Rights

Under applicable data protection legislation, the data subject has the right to:

  • receive information about the processing of their personal data
  • access data concerning them
  • request rectification of inaccurate data
  • request deletion of data where the conditions for deletion are met
  • request restriction of processing
  • object to processing where processing is based on legitimate interest
  • receive data in a portable format where the right applies
  • withdraw consent where processing is based on consent

If Vahti Service Oy processes personal data on behalf of a customer as a processor, requests concerning data subject rights should usually be addressed primarily to that customer as the controller.

Requests concerning these rights may be sent to teemu@vahti.ai.

14. Cookies and Similar Technologies

We use only cookies and similar technologies that are necessary for the operation, security, login, remembering settings and customer relationship management of the website and service.

We do not use non-essential cookies without a separate decision and, where required, consent. Cookies and similar technologies are described in more detail in a separate Cookie Policy.

15. Right to Lodge a Complaint with a Supervisory Authority

If you believe that the processing of your personal data infringes data protection legislation, you have the right to lodge a complaint with a supervisory authority.

In Finland, the supervisory authority is the Office of the Data Protection Ombudsman: https://tietosuoja.fi

16. Changes to This Policy

We may update this Privacy Policy if the service, legislation or processing of personal data changes. The current version is published on our website, and we update the latest update date at the top of the Policy.