This Privacy Notice explains how Sates Oy ("Vuuli", "we", "us") processes personal data on the Vuuli website and service. Our contact details are provided at the end of this notice.
1. Vuuli's roles in processing personal data
Vuuli acts as a controller when we determine the purposes and means of processing. This includes data about website visitors, user accounts, billing, sales, marketing, and support requests.
Vuuli acts as a processor when a customer stores information in the CRM about its customers, prospects, contacts, or other persons ("Customer Data"). In that case, the Vuuli customer is the controller and decides why the data is processed. Binding terms for Customer Data are set out in sections 3-9 of the Terms of Service.
To exercise rights concerning personal data contained in Customer Data, first contact the organization that entered the information into Vuuli.
2. What personal data do we process as a controller?
We process the following categories as needed:
- Account and user data: name, email address, organization, role, user identifiers, login and authentication information, and user role.
- Contract and billing data: subscription, billing address, payment status, billing history, and information required for accounting. Payment-card data is processed by Stripe, and we do not store full card details.
- Support and communications data: messages, support requests, feedback, and information needed to resolve them.
- Technical and usage data: IP address, browser, device, operating system, timestamps, page views, error and security logs, and actions taken in the Service.
- Sales and marketing data: contact details, organization, role, contact history, marketing choices, and campaign interactions.
- Public and third-party business information: company and professional contact details obtained from public registers, company websites, search services, or contracted data providers for Vuuli's company search, service delivery, or lawful B2B sales.
The Service is not intended for special-category data, health data, payment-card data, passwords, or similarly high-risk data as Customer Data without a separate written agreement.
3. Why and on what legal bases do we process data?
We process personal data for the following purposes:
- Entering into and performing a contract: creating accounts, providing the Service, authentication, billing, subscription management, and support.
- Legitimate interests: securing the Service, preventing misuse, troubleshooting, B2B sales, managing customer relationships, and improving Service usage and functionality. We assess that these interests do not override the rights of data subjects.
- Consent: optional analytics, electronic direct marketing where consent is required, and other activities expressly based on consent. Consent may be withdrawn at any time.
- Legal obligations: accounting, taxation, authority requests, and other obligations we must comply with.
- Legal claims: establishing, exercising, or defending contractual or legal claims where necessary.
We do not make decisions based solely on automated processing that produce legal or similarly significant effects on a person.
4. How do we process Customer Data?
We process Customer Data only to provide, maintain, secure, and support the Service, carry out the customer's documented instructions, or comply with law.
We do not sell Customer Data. We do not use identifiable Customer Data for advertising, marketing, demonstrations, general product research, or training artificial intelligence models. General Service improvement may use only aggregated or anonymized information that cannot reasonably identify a customer or person.
We do not routinely inspect Customer Data. Authorized personnel may access it only when necessary to provide requested support, maintain or secure the Service, investigate misuse, or comply with a legal obligation. Access is limited according to work duties, and personnel with access are bound by confidentiality obligations.
5. With whom do we disclose or share data?
We do not sell personal data. We may provide data to the following recipients only as necessary:
- European hosting, database, infrastructure, communications, monitoring, and support providers used to operate the Service;
- Stripe for payment processing;
- PostHog for consent-based website analytics;
- email and marketing providers, such as Mailchimp, where there is an applicable legal basis;
- Google where a user enables a Google integration, within the permissions disclosed for that integration;
- advisers, auditors, insurers, or authorities where necessary for a legal obligation or claim; or
- a buyer or transaction party in a corporate transaction, subject to appropriate confidentiality and data-protection arrangements.
Service providers may process data only under contract and our instructions. A current list of material subprocessors that process Customer Data is available by request from help@vuuli.com.
6. Data location and international transfers
Primary production storage of Customer Data is located in the European Economic Area, including service environments used in Finland and Germany.
Some limited support, analytics, communications, or payment data may be processed by a provider outside the EEA, including in the United States. In that case, we use an applicable transfer mechanism, such as a European Commission adequacy decision or Standard Contractual Clauses, and supplementary safeguards where required.
7. How long do we retain data?
We retain personal data processed as a controller only for as long as needed for the purposes in this notice:
- account data for the customer relationship and a reasonable period afterward;
- billing and accounting data for the legally required period;
- support data for resolving the matter and assuring service quality;
- security and technical logs for a limited period required for security and troubleshooting; and
- marketing data until you object, withdraw consent, or the data is no longer necessary.
When a customer account is terminated, Customer Data is deleted from active production systems immediately unless applicable law requires retention. Backup copies expire through the normal rotation process within 90 days and are not used for ordinary processing.
8. How do we protect data?
We use technical and organizational measures appropriate to the risk to protect the confidentiality, integrity, and availability of data. As applicable, these include access restrictions, authentication and access management, protection of data in transit, backups, update and vulnerability management, and security-incident handling.
If we identify a personal-data breach affecting Customer Data, we notify the customer acting as controller without undue delay and assist with applicable notification obligations.
No electronic service is entirely risk-free. Customers must also manage user access, protect credentials, and secure their devices.
9. Cookies and analytics
We use necessary technologies to operate the Service and remember your choices. PostHog analytics is enabled only with your consent. We do not use advertising or marketing cookies.
You can give, refuse, or withdraw analytics consent through the cookie banner or cookie settings at the bottom of the page. See our Cookie Policy for more information.
10. Your rights
Under applicable data-protection law, you may have the right to:
- confirm whether we process your personal data and obtain a copy;
- correct inaccurate or incomplete data;
- request deletion or restriction of processing;
- object to legitimate-interest processing and direct marketing;
- withdraw consent at any time;
- receive data you provided in a portable format where the conditions apply; and
- complain to a supervisory authority.
In Finland, the supervisory authority is the Office of the Data Protection Ombudsman.
We may request reasonable information to verify your identity. If a request concerns Customer Data, we may refer it to the customer acting as controller or direct you to contact that customer.
11. Children
The Service is intended for business use and not for persons under 18. We do not knowingly collect children's personal data. If you learn that a child's data has been provided without an appropriate basis, contact us so we can investigate and delete it.
12. Changes and contact details
We update this notice when our processing or applicable law changes. Material changes will be communicated on the website or directly to users where appropriate.
Privacy questions and requests to exercise rights:
- Sates Oy, Kuivastie 21 as 47, 90500 Oulu, Finland
- help@vuuli.com