Skip to content

Privacy policy

In this Privacy Policy, we explain how Vahti Service Oy processes personal data when it acts as a data controller. Separate DPA, Subprocessors and Cookie Policy documents supplement this notice with respect to customer service data, sub-processors and cookie policies.

Privacy Policy

Vahti Service Oy / vahti.ai
Updated: 23 April 2026

1. Controller

Vahti Service Oy
Business ID: 3598836-2
Kauppakatu 39, 40100 Jyväskylä, Finland
Email: contact@vahti.ai
Website: https://vahti.ai

2. Privacy Contact

For privacy-related questions, you can contact:

Vahti Service Oy
Privacy contact: Teemu Tapper
Email: teemu@vahti.ai
General contact address: contact@vahti.ai

3. What This Policy Covers

This Privacy Policy applies to Vahti Service Oy’s processing of personal data when Vahti Service Oy acts as controller.

This Policy applies especially to the following situations:

  • website visitors
  • leads, demo requests, and contact requests
  • customer contacts and users
  • billing contacts
  • support requests and customer communications
  • limited B2B sales and customer communications

When Vahti Service Oy processes the customer’s Microsoft 365 tenant data on behalf of the customer to provide the vahti.ai service, the customer acts as controller and Vahti Service Oy acts as processor. This processing is governed by a separate Data Processing Agreement (DPA): Data Processing Agreement (DPA).

This Policy covers Vahti’s own controller role, such as the website, sales, customer relationship, user accounts, billing, support, and Vahti’s own service management.

4. What Personal Data We Process

The data we process depends on the context in which you interact with Vahti Service Oy.

Website visitors

  • technical website usage and log data, such as IP address, timestamp, browser and device information, and page request data
  • website usage, form, and customer relationship data collected through HubSpot
  • log and event data necessary for service operation and security

Leads, demo requests, and contact requests

  • name, work email, phone number, company, and job title
  • message content, topic, contact history, and sales process status
  • customer relationship, sales, and marketing data stored in HubSpot

Customer contacts and users

  • name, work email, company, user role, and user account status
  • invitation and activation data, language, time zone, and notification settings
  • identifiers related to sign-in and access management
  • limited service usage data, such as opened view or action information

Billing contacts

  • name, email, and company
  • subscription and billing data
  • service plan and billing period data
  • payment status data
  • limited payment method summary data if provided to the service by the payment provider

Support requests and customer communications

  • sender name and email
  • company
  • message content
  • support request subject, status, and handling history
  • possible reference and background information needed to handle the matter

5. Where We Obtain Data From

We receive personal data:

  • directly from the data subject, for example in connection with a contact request, demo request, trial registration, or use of the service
  • from the customer company, for example when the company names contacts or users
  • from the authentication and access management arrangements used by the customer
  • from payment and billing services, such as Stripe
  • from technical logs and usage telemetry automatically generated in connection with website and service use
  • from email and support communications
  • from customer relationship, sales, and communications systems, such as HubSpot, when data is processed to manage the customer relationship, contact requests, or B2B communications

6. Purposes of Processing

We process personal data for the following purposes:

  • providing the website and service
  • responding to contact requests, demo requests, and trial requests
  • managing the customer relationship
  • creating user accounts, authentication, and access management
  • delivering and maintaining the service
  • billing, payment processing, and subscription management
  • handling support requests and customer communications
  • limited B2B sales and customer communications
  • ensuring service security, monitoring, and prevention of misuse
  • limited service usage analytics and service development
  • fulfilling legal obligations, such as accounting

7. Legal Bases for Processing

The legal basis for processing depends on the purpose of processing.

Purpose Typical legal basis
Technical website operation, necessary cookies, logging, and security Legitimate interest
Responding to contact requests, demo requests, and trial requests Steps prior to entering into a contract and/or legitimate interest
Managing the customer relationship and providing the service Contract and/or legitimate interest
Creating user accounts, authentication, and access management Contract and/or legitimate interest
Billing, payment processing, and subscription management Contract and legal obligation
Handling support requests and customer communications Contract and/or legitimate interest
B2B sales and customer communications Legitimate interest or consent, depending on the situation
Limited service usage analytics and service development Legitimate interest
Accounting, taxation, and responding to authority requests Legal obligation

Legitimate interest

Processing may be based on Vahti Service Oy’s legitimate interest, for example when we respond to B2B contact requests, manage the customer relationship, handle support requests and customer communications, monitor service use in a limited manner for service development, or ensure service security, logging, and prevention of misuse.

Consent

Processing may be based on consent to the extent we use non-essential cookies or similar technologies, or if a communication or marketing activity requires consent under applicable law.

8. Is Providing Data Mandatory

Some personal data is necessary to enter into a contract, create a user account, provide the service, issue invoices, process payments, or handle support requests. If such data is not provided, we may not be able to provide the service, process an order, respond to a request, or fulfil our legal obligations.

Providing personal data for marketing, voluntary contact requests, and other voluntary information is not mandatory. If you do not provide such data, we may not be able to respond to your contact request or send requested materials.

9. Who Receives or Processes the Data

Personal data is processed only by people who need it based on their duties.

We may disclose or make data available for processing to:

  • Vahti Service Oy personnel
  • technical service providers for the service
  • payment and billing service providers
  • email delivery service providers
  • customer relationship management and sales systems
  • a support partner designated by the customer at the customer’s request or according to the customer’s settings
  • authorities if required by law or authority order

We do not sell personal data to third parties.

10. Subcontractors / Subprocessors

We use service providers that process personal data on our behalf or support the provision of the service.

According to current information, such service providers include at least:

  • Google Cloud: infrastructure, hosting, database, logging, monitoring, and Google Vertex AI / Gemini for explaining findings and producing guidance
  • Stripe: payments, subscriptions, and billing
  • Postmark: email delivery
  • HubSpot: website forms, customer relationship management, sales process, and customer communications management

The current subprocessor list is published on a separate page: Subprocessors.

11. Are Data Transferred Outside the EU/EEA

Vahti Service Oy uses a Google Cloud environment located in the EU for the service’s core production infrastructure.

Some service providers we use, such as Stripe, Postmark, and HubSpot, may process personal data or provide access to personal data from outside the EU/EEA to provide, maintain, support, or protect their services. In such cases, transfers are carried out using transfer mechanisms under applicable data protection law, such as European Commission Standard Contractual Clauses, the EU-U.S. Data Privacy Framework, or another applicable safeguard.

More detailed information about service providers and possible international transfers is described on the separate subprocessor page: Subprocessors.

12. AI and Automated Decision-Making

Vahti Service Oy does not make decisions based solely on automated processing that produce legal effects concerning a data subject or similarly significantly affect them.

The vahti.ai service may use AI to explain findings, produce guidance, answer customer questions, and summarize security content. AI is an advisory layer. It does not create, close, modify, or prioritize risk state and does not make decisions about changing the customer’s Microsoft 365 environment.

Customer identifiable tenant data is not used to train general AI models.

13. How Long We Retain Data

We retain personal data only for as long as necessary for the purposes described in this Policy or for the period required by law.

  • Technical website log data: generally up to 12 months, unless longer retention is necessary for security, misuse investigation, or legal obligations.
  • Contact requests, demo requests, and trial leads: up to 24 months from the last active contact, unless they result in a customer relationship or longer retention is justified for B2B sales and customer relationship management.
  • Customer contact and user account data: for the duration of the customer relationship and up to 12 months after the customer relationship ends, unless longer retention is necessary for billing, complaints, security, or legal claims.
  • Closed user account data: up to 12 months after account closure, unless longer retention is necessary for security, misuse investigation, or legal obligations.
  • Support requests and customer communications: up to 36 months after the matter is closed, so that we can handle follow-up questions, quality assurance, and possible complaints.
  • Usage telemetry: up to 24 months from the event, unless the data has been anonymized or aggregated into statistical information.
  • Security logs: generally up to 12 months, unless longer retention is necessary to investigate a security incident.
  • Email sending and delivery logs: up to 24 months from sending the message, unless longer retention is necessary for delivery issues, consents, suppression lists, or misuse investigation.
  • Billing and accounting material: for the period required by accounting law.

When data is no longer needed, it is deleted or anonymized within a reasonable time.

Deletion and return of service data processed on behalf of the customer are governed by the separate Data Processing Agreement (DPA).

14. How We Protect Data

We protect personal data with technical and organizational measures, such as:

  • access limitation and role-based access control
  • authentication and tenant-scoped authorization
  • encrypted traffic between the browser and the service
  • secrets management in a dedicated secrets management service
  • logging, monitoring, and misuse detection
  • log minimization so that logs are not intentionally used to record, for example, access tokens, full payment card details, or unnecessary sensitive content
  • limited operator and support access
  • system- and environment-level security measures
  • backup and recovery procedures
  • personnel guidance
  • contract and service provider management

We do not describe all security measures in detail in this public Policy.

15. Data Subject Rights

Under applicable data protection law, the data subject has the right to:

  • receive information about the processing of their personal data
  • access personal data concerning them
  • request correction of inaccurate data
  • request deletion of data if the conditions for deletion are met
  • request restriction of processing
  • object to processing where processing is based on legitimate interest
  • object to direct marketing at any time
  • receive data in a portable format if the right applies
  • withdraw consent where processing is based on consent

If Vahti Service Oy processes personal data on behalf of a customer as processor, requests concerning data subject rights should generally be addressed primarily to that customer as controller.

Requests concerning rights may be sent to teemu@vahti.ai.

16. Cookies and Similar Technologies

We use only cookies and similar technologies necessary for website and service operation, security, sign-in, remembering settings, and customer relationship management.

We do not use non-essential cookies without a separate decision and, where required, consent. Cookies and similar technologies are described in more detail in a separate Cookie Policy: Cookie Policy.

17. Right to Lodge a Complaint With a Supervisory Authority

If you believe that the processing of your personal data violates data protection law, you have the right to lodge a complaint with a supervisory authority.

In Finland, the supervisory authority is the Office of the Data Protection Ombudsman: https://tietosuoja.fi

18. Changes to This Policy

We may update this Privacy Policy if the service, legislation, or personal data processing changes. The current version is published on our website, and we update the latest update date at the top of the Policy.