Privacy Policy / Tietosuojaseloste

Data Controller

The data controller for this website and the Struxiva service is Struxiva Oy (business ID / Y-tunnus pending registration), Helsinki, Finland. Contact for all data-protection matters: info@struxiva.com.

Data We Collect

We collect only data that is necessary to operate the service or that you voluntarily provide.

Contact & enquiry data

Email address (provided via contact form or direct email)
Name and organisation name (when provided voluntarily)
Content of messages and scoping-call notes

Building & operational data (pilot customers)

Building documents (drawings, energy certificates, BMS exports) — these relate to buildings, not individuals
Anonymised sensor time-series (energy, temperature, CO₂)
Operator contact details for the customer organisation

Technical & analytics data

Server access logs (IP address, browser type, referring URL) — retained for 30 days, then deleted
Cookie-based analytics (see Section 5)

Legal Basis for Processing

Processing is based on one or more of the following grounds under GDPR Article 6 and the Finnish Data Protection Act (tietosuojalaki 1050/2018):

Consent (Art. 6(1)(a)): for non-essential cookies and marketing communications. You may withdraw consent at any time.
Contract performance (Art. 6(1)(b)): for pilot agreements and service delivery.
Legitimate interest (Art. 6(1)(f)): for security logging and basic analytics to improve the service. We have performed a balancing test; these interests do not override your rights.
Legal obligation (Art. 6(1)(c)): where Finnish law requires us to retain certain records.

Finnish Social Security Numbers (Henkilötunnus)

Current status: Struxiva does not currently collect or process Finnish Social Security numbers (henkilötunnus / HETU) for any purpose, including credit assessment.

If Struxiva were to extend its service to include credit checks or identity verification for property transactions (e.g., tenant screening or buyer verification), the processing of henkilötunnus would be governed by the following framework:

Legal framework

Under Section 29 of the Finnish Data Protection Act (1050/2018), the processing of a henkilötunnus is permitted only when: (a) the data subject has consented; (b) processing is necessary for performing a task assigned by law; (c) the processing is necessary to reliably identify the data subject when it is important for the performance of a contract; or (d) processing is based on another specific legal provision.

Credit assessment basis

If SSN processing is introduced for credit or identity purposes, the legal basis will be contract performance (GDPR Art. 6(1)(b)) and Section 29(1)(3) of the Finnish DPA 1050/2018 — the necessity to reliably identify a party to a transaction.

We will obtain explicit consent before any such processing begins, provide a dedicated privacy notice at point of collection, and limit processing to the minimum necessary for the stated purpose.

Safeguards

SSNs will never be stored in plain text; they will be encrypted at rest using AES-256.
Access will be restricted to a minimum number of authorised personnel with documented need.
SSNs will not be included in log files, analytics data, or any third-party integrations.
Retention will be limited to the duration of the relevant contract plus the statutory limitation period under Finnish law (generally 3 years under the Limitation Act / vanhentumislaki 728/2003).
Any credit-reference bureau query will be logged and disclosed to the data subject on request.

We will update this policy and notify existing users before any SSN processing is introduced.

Cookies & Tracking

We follow Traficom's guidelines on cookie consent, which require that "Reject all" is presented with the same ease and prominence as "Accept all." No pre-ticked boxes, no dark patterns, no additional clicks required to reject.

Strictly necessary (no consent required)

Session continuity (language preference, cookie-consent record) — stored in localStorage, cleared when you clear browser data.

Analytics (consent required)

Basic usage analytics (page views, session duration) — used solely to improve the site. No cross-site tracking. No fingerprinting.

You can withdraw cookie consent at any time by clearing your browser's local storage or by clicking "Reject all" in the cookie banner (reachable by refreshing the page after clearing the struxiva_cookie_consent key).

Data Transfers & Processors

We use a limited number of sub-processors. All processors are bound by GDPR-compliant data processing agreements (DPA).

Google Cloud Platform (GCP) — infrastructure and storage, EU region (europe-north1 / Finland). Subject to Google's data processing addendum.
Google Gemini API — AI document analysis. Building documents are transmitted for processing; no personal data is intentionally included. Data is not used to train Google models under our enterprise agreement.

No personal data is transferred outside the European Economic Area (EEA) without adequate safeguards (Standard Contractual Clauses or adequacy decision).

Retention Periods

Contact & enquiry data: 2 years from last contact, unless a customer relationship is formed.
Customer data: Duration of contract + 3 years (Finnish accounting and limitation period requirements).
Building documents: Duration of pilot or service agreement. Deleted within 30 days of contract end unless the customer requests export.
Server access logs: 30 days, then automatically deleted.
Cookie consent records: 12 months, then a fresh consent request is shown.

Your Rights

Under the GDPR and the Finnish Data Protection Act (1050/2018) you have the following rights. We respond to all requests within 30 days.

Right of access (Art. 15 GDPR): Obtain a copy of personal data we hold about you.
Right to rectification (Art. 16): Correct inaccurate or incomplete data.
Right to erasure / "right to be forgotten" (Art. 17): Request deletion where there is no overriding legal basis.
Right to restriction (Art. 18): Restrict processing while a dispute is resolved.
Right to data portability (Art. 20): Receive your data in a structured, machine-readable format.
Right to object (Art. 21): Object to processing based on legitimate interest.
Right to withdraw consent (Art. 7(3)): Withdraw consent at any time without affecting prior lawful processing.

You also have the right to lodge a complaint with the Finnish Data Protection Ombudsman (Tietosuojavaltuutetun toimisto, tietosuoja.fi).

To exercise any right, email info@struxiva.com with the subject line "Data Subject Request."

Security

All data in transit is encrypted with TLS 1.2 or higher.
Data at rest is encrypted using AES-256 on GCP.
Access to production systems is restricted to named personnel using multi-factor authentication.
We conduct security reviews before major releases.
In the event of a personal data breach, we will notify the Finnish Data Protection Ombudsman within 72 hours and affected individuals without undue delay, as required by GDPR Art. 33–34.

Contact & Data Protection Officer

Struxiva Oy does not currently have a mandatory Data Protection Officer (DPO) under GDPR Art. 37, as we are not a public authority and do not carry out large-scale systematic monitoring of individuals. Data protection responsibilities are held by the co-founding team.

For all data-protection enquiries, requests, or complaints:
Email: info@struxiva.com
Post: Struxiva Oy, Helsinki, Finland

We may update this policy to reflect changes in law or our practices. Material changes will be communicated by posting a notice on this page with an updated date. Continued use of the service after such notice constitutes acceptance.

Privacy & Data Protection