Skip to content

Privacy policy

In this Privacy Policy, we explain how Vahti Service Oy processes personal data when it acts as a data controller. Separate DPA, Subprocessors and Cookie Policy documents supplement this notice with respect to customer service data, sub-processors and cookie policies.

Privacy policy

Vahti Service Oy / vahti.ai
Updated: 23.4.2026

1.

Vahti Service Oy
Business ID: 3598836-2
Kauppakatu 39, 40100 Jyväskylä, Finland
E-mail: contact@vahti.ai
Website: https://vahti.ai

2. Contact person for data protection issues

For any questions related to data protection, please contact us:

Vahti Service Oy.
Contact person for data protection matters: Teemu Tapper
E-mail: teemu@vahti.ai
General contact address: contact@vahti.ai

3. What this notice applies to

This Privacy Policy applies to Vahti Service Oy's processing of personal data when Vahti Service Oy acts as a controller.

This statement applies in particular to the following situations:

  • visitors to the website
  • Visitors to the website, including leads, demo requests and contacts
  • customer contact persons and users
  • billing contacts
  • support requests and customer communications

This notice does not exhaustively describe all processing of personal data on behalf of customers by the watch.ai service. To the extent that Vahti Service Ltd processes customer service data on behalf of the customer, the processing is described in a separate Data Processing Agreement (DPA).

4. What personal data we process

The data we process depends on the context in which you are dealing with Vahti Service Oy.

Website visitors

  • technical usage and log data of the website, such as IP address, time, browser and device information and page request data
  • Data collected through HubSpot related to website usage, forms and customer care
  • log and event data necessary for the operation and security of the service

Leads, demo requests and contacts

  • name, work email, phone number, company and job title
  • message content, subject, contact history and status of the sales process
  • Customer, sales and marketing management data to be stored in HubSpot

Customer contacts and users

  • Name, work email, company, user role and user account status
  • Call and activation information, language, time zone and notification settings
  • Identification data related to log-in and access management
  • limited information describing the use of the service, such as the view or function opened

Billing contact persons

  • name, e-mail address and company
  • subscription and billing information
  • information related to the service package and billing period
  • payment status information
  • limited summary information related to the payment method, if transmitted from the payment service provider to the service

Support requests and customer communication

  • name and e-mail address of the sender
  • Company
  • content of the message
  • subject, status and processing history of the support request
  • any reference and background information for the handling of the case

5. Where the information is obtained

We receive personal data:

  • Directly from the data subject, for example in connection with a contact, demo request, trial registration or use of the service
  • from the client company, for example when the company assigns contacts or users
  • customer authentication and authorisation schemes used by the customer
  • payment and billing services, such as Stripe
  • the technical logs and usage metrics automatically generated in connection with the use of the website and the service
  • e-mail and support communications

6. Purposes for which the data are processed

We process personal data for the following purposes:

  • to provide the website and the service
  • to respond to contacts, demo requests and trial requests
  • to manage the customer relationship
  • creating, identifying and managing user accounts and access rights
  • providing and maintaining the service
  • billing, payment processing and order management
  • handling support requests and customer communications
  • ensuring the security, control and prevention of misuse of the service
  • limited service usage analytics and service development
  • to fulfil legal obligations, such as accounting

7. Legal grounds for processing

The legal basis for processing varies according to the purpose of the processing.

Contract or preparation of a contract

Processing may be based on a contract or preparation of a contract, for example, when a company registers as a customer, when a user account is created and managed, when a service is provided to a customer, or when a demo or trial request is related to the implementation of a service.

Legitimate interest

Processing may be based on Vahti Service Oy's legitimate interest, for example, when we respond to B2B contacts, manage the customer relationship, handle support requests and customer communications, monitor the use of the service for limited service development, or provide security, logging and abuse prevention for the service.

Legal obligation

Processing may be based on a legal obligation, for example, to comply with accounting and tax law and to respond to requests from public authorities.

Consent

Processing may be based on consent to the extent that we use cookies or similar technologies other than necessary.

8. Who the data is disclosed to or processed by

Personal data are processed only by those persons who have a legitimate interest in doing so by reason of their duties.

We may disclose or make data available for processing:

  • Vahti Service Oy personnel.
  • to the technical service providers of the service
  • Payment and billing service providers
  • the e-mail delivery service
  • customer relationship management and sales systems
  • at the Customer's request or in accordance with the Customer's preferences, to a support partner designated by the Customer
  • to public authorities where required by law or regulation

We do not sell personal data to third parties.

9. Subcontractors / sub-processors

We use service providers to process personal data who process data on our behalf or support the provision of the service.

To the best of our current knowledge, such service providers include at least:

  • Google Cloud: infrastructure and hosting
  • Stripe: payments and billing
  • Postmark: email delivery
  • HubSpot: website forms, customer relationship management, sales process and customer communication management

An up-to-date list of sub-processors will be published on a separate Subprocessors page.

10. Whether data is transferred outside the EU/EEA

Vahti Service Ltd aims to use the Google Cloud environment located in the EU territory for the service's own production infrastructure.

However, some of the service providers we use, such as Stripe, Postmark and HubSpot, may process personal data or provide access to personal data from outside the EU/EEA for the purpose of providing, maintaining, supporting or protecting their services. In such cases, transfers will be made in accordance with the transfer criteria set out in applicable data protection legislation, such as the European Commission's standard contractual clauses, the EU-U.S. Data Privacy Framework or other applicable safeguards.

More details on service providers and possible international transfers are described on a separate Subprocessors page.

11. How long data is stored

We will retain personal data only for as long as necessary for the purposes described in this notice or as required by law.

  • Website technical log data: as a general rule, up to 12 months, unless longer retention is necessary for data security, to investigate misuse or to comply with a legal obligation.
  • Contacts, demo requests and trial leads: up to 24 months from the last active contact, unless a customer relationship is established or longer retention is justified for B2B sales and customer management purposes.
  • Customer contact and user account data: for the duration of the customer relationship and up to 12 months after the end of the customer relationship, unless longer retention is necessary for billing, complaints, security or legal requirements.
  • Closed user account data: up to 12 months after account closure, unless longer retention is necessary for data security, abuse investigation or legal obligations.
  • Support requests and customer communications: up to 36 months from the end of the case to allow us to deal with follow-up questions, quality assurance and any complaints.
  • Usage metrics: up to 24 months after the occurrence of the event, unless the data has been anonymised or aggregated for statistical information.
  • Security logs: as a general rule, up to 12 months, unless longer retention is necessary to resolve a security incident.
  • E-mail transmission and delivery logs: up to 24 months after sending the message, unless longer retention is necessary to resolve delivery problems, consents, block lists or misuse.
  • Billing and accounting records: for the period required by accounting legislation.

When no longer needed, the data will be deleted or made anonymous within a reasonable period of time.

12. How we protect data

We protect personal data by technical and organisational measures, such as:

  • limiting access rights
  • authentication and access control
  • logging and monitoring
  • system and environmental protection measures
  • staff training
  • contract and provider management

We do not describe all security measures in detail in the public description.

13. Rights of the data subject

In accordance with the applicable data protection legislation, the data subject has the right to:

  • to be informed of the processing of their personal data
  • to have access to his/her personal data
  • request rectification of inaccurate data
  • request the erasure of data, if the conditions for erasure are met
  • request restriction of processing
  • object to processing insofar as it is based on a legitimate interest
  • obtain the transfer of data from one system to another where the right applies
  • withdraw consent where the processing is based on consent

Where Vahti Service Ltd processes personal data on behalf of a customer as a processor, the request for rights should normally be addressed in the first instance to that customer as controller.

Requests for rights can be sent to teemu@vahti.ai.

14. Cookies and similar technologies

We only use cookies and similar technologies on the Website and the Service that are necessary for the operation of the Service, security, logging in, remembering preferences and managing your account.

We do not use cookies other than necessary without a separate decision and, where necessary, consent. For more information on cookies and similar technologies, please refer to the separate Cookie Policy document.

15. Right to lodge a complaint with a supervisory authority

If you consider that your personal data are processed in breach of data protection legislation, you have the right to lodge a complaint with a supervisory authority.

In Finland, the supervisory authority is the Office of the Data Protection Ombudsman: https://tietosuoja.fi

16. Changes to this notice

We may update this Privacy Policy if the service, legislation or processing of personal data changes. We will publish an up-to-date version on our website and update the date of the latest update at the top of this Privacy Statement.