Vaivatta is a digital-operations concierge service for Finnish small businesses, provided by Innovategy Oy. We protect your privacy and process your personal data in accordance with the EU General Data Protection Regulation (GDPR). This page explains, in plain language, what we collect, why, and how we keep it safe.
Data controller
The Vaivatta service is provided and personal data is controlled by:
What we collect
We process the following categories of data so we can deliver the concierge service:
- Identification data: name, email address, phone number, language
- Company data: company name, business ID, address, city
- Usage data: sign-in events, service-usage logs, cookie preferences
- Concierge conversations: messages and attachments you send us via WhatsApp, email, or in the app
- Managed-tool data: tool inventories, vendor details, and credentials (per-customer credentials live in a separate Passbolt vault that we may access only as your contract permits)
- Billing data: invoicing address and order history (card data is handled by Stripe — we don't store cards ourselves)
Legal basis for processing
We process personal data on the following GDPR-recognised bases:
- Contract: to deliver the service to you and your business
- Legitimate interest: to improve the service, prevent abuse, and maintain security
- Legal obligation: to meet accounting, tax, and consumer-protection duties
- Consent: for optional features such as letting us use concierge conversations to improve the service (revocable any time from your Settings)
How we use your data
Your data is used only for the agreed purposes:
- Receiving and resolving concierge requests
- Monitoring and maintaining the tools we manage for you
- Sending you status messages (e.g. incident and maintenance notices)
- Invoicing and accounting
- Improving the service via aggregated, anonymised statistics
Sharing your data
We don't sell your personal data. We share it only in these limited cases:
- With our subprocessors (see our Data Processing Agreement), who handle data on our behalf under strict instruction
- With third parties you direct us to engage on your behalf (e.g. when you ask us to negotiate with a vendor)
- With authorities when required by law
We never share your data with third parties for marketing purposes.
Location and retention
Your data lives primarily in Finland, in Hetzner's Helsinki (Tuusula) data centre. Concierge conversation media is stored in Cloudflare R2 inside the EU region. We don't transfer personal data outside the EU/EEA without the safeguards GDPR requires.
Retention: for the active contract period plus 5 years after termination, as required by Finnish accounting law. Concierge conversations are deleted 24 months after the last message unless you specifically extend the retention.
Your rights as a data subject
Under GDPR you have the right to:
- Access your personal data
- Correct inaccurate or incomplete data
- Request erasure ("right to be forgotten")
- Restrict processing
- Receive your data in a portable format for transfer to another provider
- Object to processing based on legitimate interest
- Withdraw any consent you have given, at any time
Exercise your rights by emailing [email protected]. We respond within one month.
Cookies and analytics
We use only strictly necessary cookies (sign-in and language-preference cookies). We don't use advertising trackers. Site usage is measured only via aggregated, anonymous metrics for product improvement — individual users cannot be identified from this data.
Updates to this page
We may update this privacy policy as the service evolves or the law changes. We'll notify you by email at least 14 days before any material change and record the change in the last-updated date at the top of this page.
Contact
For privacy questions and to exercise your rights:
- Privacy enquiries
- [email protected]
You also have the right to lodge a complaint with the Finnish Data Protection Ombudsman (tietosuoja.fi) if you believe your personal data is being processed unlawfully.