Struxiva Oy · Last updated: 18 June 2026 · Finnish Data Protection Act 1050/2018 · GDPR (EU) 2016/679
01Data controller
The data controller for this website and the Struxiva service is Struxiva Oy (business ID / Y-tunnus pending registration), Helsinki, Finland. For all data-protection matters, contact info@struxiva.com.
02Data we collect
We collect only data that is necessary to operate the service or that you provide voluntarily.
Contact & enquiry data
Email address (provided via the contact form or by direct email)
Name and organisation name (when provided voluntarily)
Content of messages and scoping-call notes
Building & operational data (pilot customers)
Building documents (drawings, energy certificates, BMS exports) — these relate to buildings, not individuals
Operator contact details for the customer organisation
Technical & analytics data
Server access logs (IP address, browser type, referring URL), retained for 30 days then deleted
Cookie-based analytics (see section 5)
03Legal basis for processing
Processing is based on one or more of the following grounds under GDPR Article 6 and the Finnish Data Protection Act (tietosuojalaki 1050/2018):
Consent (Art. 6(1)(a)): for non-essential cookies and marketing communications. You may withdraw consent at any time.
Contract performance (Art. 6(1)(b)): for pilot agreements and service delivery.
Legitimate interest (Art. 6(1)(f)): for security logging and basic analytics to improve the service. We have performed a balancing test; these interests do not override your rights.
Legal obligation (Art. 6(1)(c)): where Finnish law requires us to retain certain records.
04Finnish social security numbers (henkilotunnus)
Current status: Struxiva does not currently collect or process Finnish social security numbers (henkilotunnus / HETU) for any purpose, including credit assessment.
If Struxiva were to extend its service to include credit checks or identity verification for property transactions (for example tenant screening or buyer verification), the processing of a henkilotunnus would be governed by the framework below.
Legal framework
Under Section 29 of the Finnish Data Protection Act (1050/2018), processing of a henkilotunnus is permitted only when: (a) the data subject has consented; (b) processing is necessary for performing a task assigned by law; (c) processing is necessary to reliably identify the data subject when it is important for the performance of a contract; or (d) processing is based on another specific legal provision.
If SSN processing is introduced for credit or identity purposes, the legal basis will be contract performance (GDPR Art. 6(1)(b)) and Section 29(1)(3) of the Finnish DPA 1050/2018 — the necessity to reliably identify a party to a transaction. We will obtain explicit consent first, provide a dedicated privacy notice at the point of collection, and limit processing to the minimum necessary.
Safeguards
SSNs will never be stored in plain text; they will be encrypted at rest using AES-256.
Access will be restricted to a minimum number of authorised personnel with a documented need.
SSNs will not appear in log files, analytics data, or any third-party integrations.
Retention will be limited to the relevant contract plus the statutory limitation period under Finnish law (generally 3 years under the Limitation Act / vanhentumislaki 728/2003).
We will update this policy and notify existing users before any SSN processing is introduced.
05Cookies & tracking
We follow Traficom's guidelines on cookie consent, which require that "Reject all" is presented with the same ease and prominence as "Accept all". No pre-ticked boxes, no dark patterns.
Strictly necessary (no consent required)
Session continuity such as language preference and the cookie-consent record, stored locally and cleared when you clear your browser data.
Analytics (consent required)
Basic usage analytics (page views, session duration), used solely to improve the site. No cross-site tracking, no fingerprinting.
06Data transfers & processors
We use a limited number of sub-processors. All processors are bound by GDPR-compliant data processing agreements.
Google Cloud Platform (GCP) — infrastructure and storage, EU region (europe-north1 / Finland).
Google Gemini API — AI document analysis. Building documents are transmitted for processing; no personal data is intentionally included, and data is not used to train Google models under our agreement.
Website contact and newsletter form submissions are delivered to info@struxiva.com through FormSubmit, a third-party form-delivery service. Only the information you enter is sent, and this provider may process it outside the EEA. We intend to move this to EU-based handling.
No personal data is transferred outside the European Economic Area (EEA) without adequate safeguards, such as Standard Contractual Clauses or an adequacy decision.
07Retention periods
Contact & enquiry data: 2 years from last contact, unless a customer relationship is formed.
Customer data: duration of contract plus 3 years (Finnish accounting and limitation requirements).
Building documents: duration of the pilot or service agreement; deleted within 30 days of contract end unless export is requested.
Server access logs: 30 days, then automatically deleted.
Cookie-consent records: 12 months, then a fresh consent request is shown.
08Your rights
Under the GDPR and the Finnish Data Protection Act (1050/2018) you have the rights below. We respond to all requests within 30 days.
Access (Art. 15): obtain a copy of the personal data we hold about you.
Rectification (Art. 16): correct inaccurate or incomplete data.
Erasure (Art. 17): request deletion where there is no overriding legal basis.
Restriction (Art. 18): restrict processing while a dispute is resolved.
Portability (Art. 20): receive your data in a structured, machine-readable format.
Objection (Art. 21): object to processing based on legitimate interest.
Withdraw consent (Art. 7(3)): withdraw consent at any time without affecting prior lawful processing.
You also have the right to lodge a complaint with the Finnish Data Protection Ombudsman (Tietosuojavaltuutetun toimisto, tietosuoja.fi). To exercise any right, email info@struxiva.com with the subject line "Data Subject Request".
09Security
All data in transit is encrypted with TLS 1.2 or higher.
Data at rest is encrypted using AES-256 on GCP.
Access to production systems is restricted to named personnel using multi-factor authentication.
We conduct security reviews before major releases.
In the event of a personal data breach, we will notify the Finnish Data Protection Ombudsman within 72 hours and affected individuals without undue delay (GDPR Art. 33-34).
10Contact & data protection officer
Struxiva Oy does not currently have a mandatory Data Protection Officer under GDPR Art. 37, as we are not a public authority and do not carry out large-scale systematic monitoring of individuals. Data-protection responsibilities are held by the co-founding team.
For all data-protection enquiries, requests or complaints: Email:info@struxiva.com Phone:+358 44 982 2227 Post: Struxiva Oy, Helsinki, Finland
We may update this policy to reflect changes in law or our practices. Material changes will be communicated by posting a notice on this page with an updated date.