Vesko Ltd Privacy Policy
1. Introduction / Johdanto
This Privacy Policy describes how Vesko Ltd (“Vesko” or “we”) collects, uses, and protects personal data in compliance with the EU General Data Protection Regulation (GDPR). We are committed to safeguarding your privacy and ensuring transparency in our data practices. Please read this policy carefully to understand what information we collect, how we use it, including our use of cookies, and the rights you have regarding your data. By using our website or services, you acknowledge the practices described in this policy. We will request your consent where required (for example, for optional cookies) and you may withdraw consent at any time as described below. We may update this Privacy Policy from time to time; the latest version will be posted on our website with an updated effective date, and significant changes will be communicated to users.
2. Data Collection and Legal Basis
Personal Data We Collect: We collect personal data that you provide to us directly, as well as some data automatically through your use of our services and website. This may include: (a) Contact and Identity Information – such as your name, email address, telephone number, company/organization, and other details you submit when registering an account, signing up for a trial, or contacting us; (b) Account and Transaction Information – if you become our customer, we may collect information necessary to provide our services (e.g. login credentials, payment information handled via secure third-party processors like Stripe, and records of your subscriptions or orders); (c) Usage Data – such as IP address, browser type, device identifiers, pages or features you access, dates and times of visits, and other technical data collected through cookies or similar technologies when you interact with our website; and (d) Preferences and Communications – such as your language preference, and any preferences for marketing or newsletter communications (with your consent). We do not knowingly collect sensitive personal data (e.g. health, religion) and our services are not intended for children under 16 (we do not knowingly process children’s data).
Lawful Basis for Processing: We only process personal data when we have a lawful basis under GDPR Article 6. The primary bases we rely on are Consent and Legitimate Interest (and in some cases, Contractual Necessity or Legal Obligation):
- Consent (GDPR Art. 6(1)(a)): We will ask for your consent in situations where it is required or appropriate. For example, we rely on consent to send you marketing emails (such as newsletters or promotional offers), and to place non-essential cookies (analytics or marketing cookies) on your device. You have the right to withdraw your consent at any time, which will not affect the lawfulness of processing already carried out. For instance, if you consent to our use of analytics cookies, you can later opt out and we will stop using those cookies (see Cookie Consent Banner section below on how to manage cookies).
- Legitimate Interest (GDPR Art. 6(1)(f)): We may process certain data for purposes that support our business operations in a way that is not overridden by your privacy rights. This includes, for example, using your contact information to respond to your inquiries or demo requests, analyzing and improving our products and services (in aggregated or pseudonymous form), ensuring IT security and fraud prevention, or communicating with our existing customers about product updates and services (where such communications are related to the service you use). When we rely on legitimate interests, we will conduct a balancing test to confirm that our interest is not outweighed by your rights and interests. Direct marketing to existing customers: In limited cases, if you are an existing customer, we may send you product updates or offers about similar services under legitimate interest grounds, but you will always have the right to object to such marketing at any time (see Your Rights below).
- Contractual Necessity (GDPR Art. 6(1)(b)): When you become a customer or sign up for our services, some processing of personal data is done to fulfill our contract with you. For example, we need to process your name and contact details to create your user account and provide you with the services you requested, and if you are purchasing a paid plan, to manage billing (handled via our payment provider). Such processing is necessary for us to perform our agreement with you; if you do not provide this information, we may not be able to offer the service.
- Legal Obligation (GDPR Art. 6(1)(c)): In certain cases, we must process personal data to comply with laws or regulations. For instance, applicable accounting and tax laws may require us to retain transaction records including personal data (e.g. invoices with your name or business details) for a certain period. Also, if authorities lawfully request information or we need to comply with law enforcement or regulatory requirements, we will process data as needed by law.
3. Cookies
Our website uses cookies and similar technologies to ensure functionality and to enhance your user experience. We also use cookies for analytics and marketing, with your consent. A “cookie” is a small text file that is stored on your device when you visit a website, allowing the site to remember your actions and preferences over time. When you first visit our site, you will see a cookie consent banner (pop-up) that allows you to accept or reject different categories of cookies (see Cookie Consent Banner below). We classify the cookies we use into the following categories:
- Strictly Necessary Cookies: These cookies are essential for the basic functionality and security of the website. They enable core features such as page navigation, access to secure areas (e.g. account login), and form submissions. Without these cookies, the website cannot function properly, so they are always active and do not require user consent. (For example, a session cookie that keeps you logged in as you navigate the site is a necessary cookie.) These cookies do not gather personal data for marketing or analytics purposes.
- Functional Cookies: Functional cookies are used to remember your preferences and enhance your experience on our site. While not strictly necessary for the basic operation of the site, they enable convenient features, such as remembering your chosen language or other preferences, so you don’t have to set them each time. For instance, if you select Finnish or English on our site, a functional cookie may store that preference for future visits. Functional cookies generally do not track you across other sites and are used only to provide the services or settings you explicitly request. Because these cookies store potentially identifiable information (like your preferences), our cookie banner will treat them as optional – you can choose to allow or disable functional cookies. If you disable them, some personalized features (like remembering preferences) may not work as intended.
- Analytics Cookies: We use analytics or performance cookies to collect information about how visitors use our website in order to improve its content and functionality. These cookies gather data such as which pages are visited, how long users stay on each page, what links are clicked, and if users encounter errors. This helps us understand web traffic patterns and user behavior on an aggregate level, so we can enhance the user experience and fix issues. Our analytics cookies are primarily provided by third-party services – notably, we use Google Analytics by Google LLC for website analytics. Google Analytics uses cookies (e.g., _ga and others) which are text files placed on your device to help analyze how you use our site. The information generated by these cookies (including truncated IP address and usage data) is transmitted to Google’s servers. We have configured Google Analytics in a privacy-friendly manner: IP anonymization is enabled in our Google Analytics implementation, meaning that Google truncates/anonymizes the IP address within the EU/EEA to prevent it from being directly identifying. We have also disabled data sharing with other Google services and do not use Google Analytics for advertising features. These analytics cookies will not be set unless you give consent via the cookie banner. If you consent, the cookies help us collect useful statistics (for example, number of visitors, popular pages, etc.) to improve the site. If you decline, our site will still function but without the benefit of this analytics insight. (Note: Google Analytics’ data is subject to Google’s privacy policy and Google may process the data on servers outside the EU – see Data Transfers below for how we handle this.)
- Marketing Cookies: Marketing cookies, also known as advertising or tracking cookies, are used to track your online activities and interests in order to show you relevant advertisements on our site or across other websites. These cookies may be set through our site by third-party advertising partners and social media platforms. They create a profile of your interests by collecting information about your browsing behavior, which enables us or our partners to present you with targeted ads that match your interests. For example, if we run advertising campaigns, cookies from providers like Google Ads or Facebook (Meta) Pixel might track which pages or products you viewed on our site so that we can show you ads on other platforms (so-called “retargeting”). Marketing cookies can also limit how many times you see the same ad and help measure the effectiveness of ad campaigns. We only use marketing cookies if you explicitly opt in to them. If you do not consent, you will not receive targeted advertising based on information collected on our site (you will still see generic ads, if any). Enabling these cookies will allow third parties (like Google, Facebook) to collect data via our site and combine it with information from other sites – please note that such third parties have their own privacy policies and responsibilities for the data they collect. We list the relevant third-party cookie providers in our detailed cookie settings interface, and you can learn more about how they process data by visiting their privacy policies (for example, Google’s Privacy Policy is available at Google’s website).
- Third-Party Cookies: As mentioned above, some of our cookies are set by third-party services that we use. For instance, Google Analytics and advertising partners may set their own cookies through our site. We vet these service providers and only integrate those that align with our privacy standards. However, data collected via third-party cookies will be subject to those third parties’ privacy policies. We do not have direct control over these cookies or the data they collect, but we ensure via agreements that any third-party processing of data from our site is compliant with GDPR and that no data is shared with unauthorized parties. A full list of cookies and their purposes is available in our cookie consent management tool on the website.
Cookie Lifespan: Cookies may be either “session cookies” (which are temporary and deleted when you close your browser) or “persistent cookies” (which remain on your device for a set period or until you delete them). For example, a session cookie might keep you logged in during your visit, while a persistent cookie (such as a Google Analytics cookie) can remain for several months or years. We have set our analytics cookies to a reasonable retention period (Google Analytics data is typically retained for up to 14 months by default before being automatically deleted). Marketing cookies from advertising networks often have set expiration dates (for instance, some advertising cookies expire after 3 months, others may last up to 1-2 years). You can see specific expiration details in our cookie settings or by checking your browser’s cookie details. Regardless of their lifespan, you have full control to delete cookies from your browser at any time (see below).
4. Cookie Consent Banner
We have implemented a cookie consent management tool (cookie banner) to give you control over non-essential cookies on our website. When you first visit our site, a banner will appear explaining that we use cookies and asking for your preferences. You have the choice to accept or decline different categories of cookies (such as analytics and marketing) except strictly necessary cookies, which are always enabled. The banner typically provides an “Accept All” option, a “Reject” or “Decline” option for non-necessary cookies, and sometimes a “Customize settings” option where you can enable/disable specific categories (e.g. functional, analytics, marketing). For full transparency, the banner or the linked Cookie Policy lists the cookies used and their purposes.
If you select “Accept All Cookies,” the optional analytics and marketing cookies will be set and start functioning. If you choose to decline or only accept certain categories, we will honor your choice – for example, if you click “Decline” for analytics, Google Analytics will not be loaded at all. In practice, our site’s scripts check your consent choice before setting any non-essential cookies. Until you have given consent, those cookies will remain inactive.
You can also change or withdraw your cookie consent at any time after your initial choice. We make it as easy to withdraw consent as it is to give it. For instance, our website provides a “Cookie Settings” link (or a small widget icon) that remains accessible (for example, in the footer of the site). By clicking that link, you can reopen the consent preferences and modify which cookies are allowed or revoke consent entirely. Alternatively, you can manage and delete cookies via your web browser settings. However, using the on-site preferences tool is recommended because it will also inform our site not to set the cookies again in the future unless you re-consent. Please note that if you clear cookies from your browser, this may remove the record of your consent preferences, and you may be prompted with the cookie banner again on your next visit.
Our cookie consent banner is designed to comply with applicable laws and guidance: it does not use pre-ticked boxes (consent is obtained through an explicit opt-in), it provides a clear “Accept” and “Decline” option side by side, and it appears on your first visit (and until a choice is made). We also log your consent decision (and any changes) in a secure manner to have a record of consent, as required by Finnish Traficom and data protection authorities (consents are stored for the legally required period, e.g. up to 5 years for auditing purposes). If you have any issues with the cookie banner or questions about your choices, you can contact us using the information in the Contact section below.
5. Your Data Protection Rights
Under the GDPR, you as a data subject have various rights regarding your personal data. We are committed to honoring your rights and have processes in place to enable you to exercise them. You may exercise these rights by contacting us (see Contact Information below). These rights include:
- Right to Access: You have the right to obtain confirmation of whether we are processing personal data about you, and if so, to request a copy of the personal data we hold about you. This is commonly known as a “data subject access request.” Upon verification of your identity, we will provide you with a copy of your data, as well as information about the purposes of processing, the categories of data, any recipients to whom the data has been disclosed, the envisaged data retention period, and the safeguards for data transfers (if applicable). The first copy of your data will be provided free of charge, but we may charge a reasonable fee for additional copies or manifestly unfounded/repetitive requests as permitted by law.
- Right to Rectification: If you believe that any personal data we hold about you is inaccurate or incomplete, you have the right to request that we correct or update it without undue delay. For example, you can ask us to correct a misspelled name or update a changed email address. We may need to verify the new information you provide, but we will comply with correction requests whenever feasible. If for some reason we cannot fulfill your request (for instance, if we disagree that the data is incorrect), we will explain the reason and inform you about your further options.
- Right to Erasure (“Right to be Forgotten”): You have the right to request the deletion of your personal data in certain circumstances. This right applies, for example, if the data is no longer necessary for the purposes it was collected, if you withdraw consent and no other legal basis exists, or if you object to processing based on legitimate interest and we have no overriding grounds to continue. It also applies if we were processing data unlawfully or if deletion is required to comply with a legal obligation. Please note that this is not an absolute right – sometimes we may have legal or legitimate grounds to retain some data (e.g., we may need to keep certain transaction records for legal compliance, or we may retain suppression information to honor opt-out requests). We will inform you if that is the case. However, if none of these grounds apply, we will honor your request and erase your data. If we have made the data public (e.g. posted on a website), we will also take reasonable steps to inform other controllers who are processing the data to erase links or copies, taking into account available technology and cost of implementation.
- Right to Restrict Processing: You have the right to ask us to restrict (i.e. limit) the processing of your personal data in certain situations. This means we would store your data but temporarily refrain from using it for most purposes. You can exercise this right, for instance, if you contest the accuracy of your data (for a period enabling us to verify it), or if you have objected to processing (pending verification of our legitimate grounds). You can also request restriction instead of erasure if processing is unlawful but you prefer we retain the data, or if we no longer need the data but you need us to keep it for the establishment, exercise or defense of legal claims. When processing is restricted, we will mark the data as such and only process it with your consent or for specific lawful reasons (e.g., for legal claims). We will also inform you before lifting any restriction.
- Right to Object: You have the right to object to our processing of your personal data at any time, on grounds relating to your particular situation, when we process your data based on legitimate interests. If you object, we must stop such processing unless we can demonstrate compelling legitimate grounds for the processing that override your interests, rights, and freedoms, or unless we need to continue processing for the establishment, exercise, or defense of legal claims. Direct Marketing Objection: Importantly, if your personal data is processed for direct marketing purposes, you have an absolute right to object at any time. If you object to direct marketing, we will cease to process your data for those purposes immediately. For example, if you no longer wish to receive our newsletters or marketing emails, you can unsubscribe at any time via the unsubscribe link in those emails or by contacting us, and we will stop sending them. This will be done without delay and at no cost to you.
- Right to Data Portability: For data that you have provided to us and that we process by automated means based on your consent or on a contract, you have the right to obtain that data in a structured, commonly used, machine-readable format and the right to transmit it to another controller where technically feasible. In practice, this typically applies to things like account data you have given us. We will provide the data in a commonly used format (such as CSV or JSON) upon request, so that you can reuse it or transfer it. Where possible (and if you request), we may also be able to transfer the data directly to another service provider at your direction, if it is technically feasible and secure to do so.
- Right to Withdraw Consent: As noted above, if we rely on your consent for any processing, you have the right to withdraw that consent at any time. This includes, for example, your consent for optional cookies or for receiving marketing communications. You can withdraw consent by changing your cookie settings (for cookies) or by contacting us (for other consent-based processing). Once you withdraw consent, we will stop the processing that was based on it. Withdrawal of consent will not affect the lawfulness of processing that occurred before the withdrawal.
- Right not to be Subject to Automated Decision-Making: You have the right not to be subject to a decision based solely on automated processing (including profiling) that produces legal effects or similarly significant effects on you. Note: We do not currently carry out any fully automated decision-making processes with legal or significant effects on individuals (such as automated credit decisions or profiling with no human involvement). Should we ever implement such automated decision-making, we will ensure compliance with GDPR Article 22 and inform you, including providing an opportunity to request human intervention or to contest the decision.
- Right to Information (Transparency): You have the right to be informed about how your personal data is being processed, which is the purpose of this Privacy Policy. We aim to provide clear and comprehensive information about our data practices. If anything is unclear or if you have further questions, you can always reach out to us for clarification.
We will do our best to respond to any rights requests within one month, as required by GDPR (this period may be extended by an additional two months for complex requests, but we will inform you if an extension is needed). Exercising your rights is free of charge. However, if requests are manifestly unfounded or excessive (for example, repetitive requests), we may charge a reasonable fee or refuse to act on the request, as permitted by law.
Finally, you also have the right to lodge a complaint with a data protection supervisory authority if you believe our processing of your personal data violates the law. In Finland, the supervisory authority is the Office of the Data Protection Ombudsman (Tietosuojavaltuutetun toimisto). We encourage you to contact us first with any concerns, and we will do our best to address them, but you have the right to seek assistance from the authorities at any time.
6. Data Retention and International Transfers
Data Retention: We retain personal data only for as long as necessary to fulfill the purposes for which it was collected, or to meet legal requirements. We have defined retention periods for different categories of data, considering the nature of the data and the reason for its collection. In general, personal data will be kept for the duration of our relationship with you (for example, while you are using our services or have an active account with us) and for a certain period thereafter as needed. For instance, if you register an account or participate in our free trial, we will retain your account data as long as your account exists or as needed to provide the service. If you become a customer, we may retain your data for the duration of the contract and thereafter as required by law or our legitimate interests (e.g. retaining minimal information to prove the transaction or to re-activate your service at your request).
Specifically, contact information and account details are kept while you remain a user of our service. If you decide to terminate your account or withdraw from the service, we will either delete or anonymize your personal data within a reasonable time after closure, unless we are required to keep it longer. Marketing communications data (such as your email for newsletters) is kept until you unsubscribe or withdraw consent, or if we discontinue our marketing program. If you opt out of marketing, we will keep your email on a suppression list to ensure we respect your opt-out in the future. Support or inquiry data (like emails you send us) is retained as long as needed to address your inquiry and for a short period thereafter in case of follow-up questions, and to improve our customer service.
Analytics data collected via cookies (e.g., Google Analytics) is retained according to the settings we have configured with our analytics provider. Currently, our Google Analytics data retention is set to 14 months for user-level and event-level data, after which Google automatically deletes the older data on a rolling basis. We use aggregated analytics reports for business planning, but those reports do not contain personal identifiers. Web server logs (which include IP addresses) are generally kept for a short duration (typically a few weeks up to a few months) for security monitoring and to investigate any technical issues, after which they are deleted or anonymized.
Legal retention requirements: In some cases, we need to retain data for a specific period to comply with laws. For example, financial and transaction records are kept for the period required by accounting and taxation laws (in Finland, typically 6 years after the end of the financial year). If there is an ongoing dispute or legal proceeding, relevant data may be retained until the issue is resolved and the time limit for appeals has passed. We also periodically review the data we hold and erase or anonymize any personal data that is no longer needed for any legitimate purpose.
Data Transfers Outside EU/EEA: Primarily, we process and store personal data within the European Union/European Economic Area. Our own servers and infrastructure are located in Finland or other EU countries. However, some of our service providers are international companies which might process data outside the EU/EEA. Notably, we use Google Analytics, and Google LLC is based in the United States. Using Google Analytics may involve transferring some data (such as truncated IP addresses and analytics data) to Google’s servers in the U.S. or other countries.
The GDPR requires that when personal data is transferred outside the EEA, it must be protected by appropriate safeguards. We do not transfer your personal data outside the EU/EEA unless certain conditions are met. For any transfers to a third country (a country outside EU/EEA) where the European Commission has not granted an “adequacy decision” (meaning the country’s data protection laws are not deemed equivalent to EU standards), we rely on one or more of the following safeguards:
- Standard Contractual Clauses (SCCs): We have agreements in place incorporating the European Commission’s approved Standard Contractual Clauses with service providers like Google (to the extent data is accessed outside EEA). These clauses contractually oblige the recipient to protect personal data according to EU privacy standards. Google, for example, is party to SCCs for European data transfers and has committed to comply with EU data protection requirements for data transferred to the U.S.
- Data Privacy Framework or Other Certifications: We monitor developments such as the EU–U.S. Data Privacy Framework. If a service provider is certified under an approved framework recognized by the EU (for instance, if Google or another provider attains an EU-U.S. adequacy certification or similar), we will rely on that as appropriate. We will update our practices in line with the latest regulations and guidance.
- Additional Technical Measures: Where possible, we employ technical measures to supplement transfer safeguards. For example, as mentioned, we use IP anonymization for Google Analytics so that full IP addresses (which are personal data) are not transmitted. We also ensure data is encrypted in transit and at rest. For other service providers, we may opt to use EU data centers or other configurations to minimize extra-EEA transfers.
In all cases, we evaluate our third-party processors and only transfer data to them if we are satisfied that appropriate data protection measures are in place. If you have questions about our data transfer practices or want more information about the safeguards for a specific transfer, please contact us.
It’s also worth noting that we will not share or transfer your personal data to any third parties for their own use (such as selling your data) without your consent. Any sharing of data is limited to what is described in this Policy (e.g., using service providers under contract, or if you request us to do so). Should we in the future need to use new service providers that involve cross-border data transfers or significantly change our transfer practices, we will update this Policy and inform users as required, obtaining consent if necessary.
7. Contact Information / Yhteystiedot
English: The data controller responsible for your personal data is Vesko Ltd. If you have any questions, requests, or concerns regarding this Privacy Policy or your personal data, please contact us:
- Data Controller: Vesko Ltd
- Business ID: 3472131-6
- Registered Address: Joensuu, Finland
- Email: hello@vesko.fi
You can direct any inquiries about privacy or data protection to us via email. We will respond as soon as possible, generally within a few business days. If you prefer to contact us by mail, please send correspondence to our address with attention to “Privacy”. In matters regarding exercising your rights (as detailed above), please provide sufficient information for us to verify your identity and locate your data (for example, the email address associated with your account or communications).