1. Controller and Contact Information
The controller of your personal data is Digitoimisto Aave Digital Oy (Business ID: 2627786-8), Kokkola, Finland. For questions about data processing, contact us at: privacy@projekto.fi.
2. What Data We Collect
We collect and process the following personal data:
- Account information: name, email address, language preference
- Authentication data: hashed password, two-factor authentication settings, login timestamps
- Usage data: actions performed within the service (activity log), IP addresses
- Contact form submissions: name, company, email, phone number (optional), message
- Technical data: browser type, session information, cookies necessary for the service to function
3. Legal Basis for Processing
We process personal data on the following legal bases under the EU General Data Protection Regulation (GDPR):
- Contract performance: processing your data is necessary to provide the Projekto service you have subscribed to (Article 6(1)(b))
- Legitimate interest: service security, fraud prevention, and service improvement (Article 6(1)(f))
- Consent: marketing communications, if separately consented to (Article 6(1)(a))
- Legal obligation: tax and accounting requirements under Finnish law (Article 6(1)(c))
4. Purpose of Processing
- Providing and maintaining the Projekto service
- User authentication and access control
- Sending transactional emails (invitations, password resets, notifications)
- Customer support
- Service development and troubleshooting
- Complying with legal obligations
5. Data Sharing and Transfers
We do not sell your personal data. Data may be shared with the following categories of processors:
- Brevo (Sendinblue): transactional email delivery — data processed within the EU
- Server infrastructure: dedicated server hosted in Europe
- Backup storage: encrypted backups stored on EU-based cloud storage
All processors are bound by data processing agreements. We do not transfer personal data outside the European Economic Area (EEA).
6. Data Retention
- Active account data: retained for the duration of the subscription
- After account termination: personal data is deleted within 30 days, except where retention is required by law
- Activity logs: retained for 12 months
- Contact form submissions: retained for 12 months
- Backups: daily backups retained 7 days, weekly 4 weeks, monthly 6 months — personal data in expired backups is automatically removed
7. Your Rights
Under GDPR, you have the following rights:
- Right of access: request a copy of your personal data
- Right to rectification: correct inaccurate data
- Right to erasure: request deletion of your data ("right to be forgotten")
- Right to restrict processing
- Right to data portability: receive your data in a machine-readable format
- Right to object: object to processing based on legitimate interest
- Right to withdraw consent: where processing is based on consent
To exercise your rights, contact us at privacy@projekto.fi. You also have the right to lodge a complaint with the Finnish Data Protection Ombudsman (tietosuoja.fi).
8. Data Security
We implement appropriate technical and organisational measures to protect your personal data, including:
- All connections encrypted with HTTPS/TLS
- Passwords hashed using industry-standard algorithms
- Each customer organisation uses a completely separate database (tenant isolation)
- Files stored outside the public web root and accessible only to authorised users
- Regular automated backups with encryption
- Access logging and audit trails
9. Cookies
Projekto uses only essential cookies required for the service to function (session management, authentication, CSRF protection). We do not use tracking cookies, advertising cookies, or third-party analytics.
10. Changes to This Policy
We may update this privacy policy to reflect changes in our practices or legal requirements. Material changes will be communicated via email or an in-app notification. The latest version is always available on this page.