Skip to content
Varaa

Privacy Policy

Last updated: 3 June 2026 · Version 1.0

1. Data controller

The controller responsible for your personal data is:

  • Kasvuvoima Oy
  • Business ID (Y-tunnus): 3623793-1
  • Registered address: Iltatähdentie 39, 00740 Helsinki, Finland
  • Email: info@kasvuvoimaoy.fi

2. What data we collect

If you create an account (host):

  • Name, email address, username
  • Password (stored only as a salted bcrypt hash — never in plain text)
  • Time zone and language preference
  • Your availability rules and event types
  • If you connect a calendar: an encrypted access token and your calendar email

If you book a meeting (invitee):

  • Your name and email address
  • Your time zone
  • Any answers you provide in the booking form
  • The date, time and details of the booking

We do not use advertising or third-party tracking cookies. The only data stored in your browser is a strictly-necessary authentication token (used to keep you signed in). No analytics or marketing trackers are loaded.

3. Why we process it and our legal basis

PurposeLegal basis (GDPR Art. 6)
Creating and operating your accountPerformance of a contract (6(1)(b))
Processing a booking and notifying both partiesPerformance of a contract (6(1)(b))
Sending booking confirmations, reminders and cancellationsPerformance of a contract (6(1)(b))
Securing the service and preventing abuseLegitimate interests (6(1)(f))
Connecting an external calendar (optional)Consent (6(1)(a)), withdrawable anytime

4. Who we share data with (processors)

We use a small number of carefully chosen processors. We do not sell personal data.

  • Hosting: Hetzner Online GmbH — servers located in the EU (Finland/Germany).
  • Email delivery: our transactional email provider (used only to send booking emails). [Confirm provider before launch.]
  • Calendar sync (optional): Google / Microsoft, only if you connect that calendar.

5. International transfers

Your data is hosted within the EU. Where an optional integration you enable (e.g. Google Calendar) involves a transfer outside the EU, that transfer relies on the provider's Standard Contractual Clauses and is only triggered by your own choice to connect it.

6. How long we keep it

  • Account data: for as long as your account is active, then deleted within 90 days of closure.
  • Booking records: retained while relevant to the host, then deleted on request or account closure.
  • Security logs: a short rolling period, then automatically purged.

7. Your rights

Under the GDPR you have the right to: access, rectification, erasure, restriction, data portability, and to object to processing. You may also withdraw consent at any time where processing is based on consent. To exercise any right, email info@kasvuvoimaoy.fi.

You also have the right to lodge a complaint with the Finnish Data Protection Ombudsman (Tietosuojavaltuutetun toimisto, tietosuoja.fi).

8. Security

Passwords are hashed with bcrypt, calendar tokens are encrypted at rest (AES-256-GCM), all traffic is served over HTTPS, and access to personal data is restricted. No system is perfectly secure, but we take appropriate technical and organisational measures.

9. Changes

We will update this policy as the service evolves and post the new version here with a revised date.