Privacy policy
How Puida Oy collects, uses and protects personal data when you use the Toiste service or visit our website. This notice fulfils the transparency obligation under the EU General Data Protection Regulation (GDPR) and the Finnish Data Protection Act (1050/2018).
Updated: 23 April 2026
Puida Oy ("Puida", "we", "us") operates the website www.toiste.com and the Toiste service (the "Service"). This policy explains what personal data we process, for what purposes and on which legal bases. We try to keep this in plain language — if anything is unclear, contact our Data Protection Officer Pauli Suuraho (pauli.suuraho@puida.com) or privacy@toiste.com.
Controller and Data Protection Officer
Controller: Puida Oy, business ID 2918901-1, Lahti, Finland.
Data Protection Officer (DPO): Pauli Suuraho, pauli.suuraho@puida.com.
General privacy enquiries may also be sent to privacy@toiste.com.
What personal data we process
We process the following categories of personal data:
- Account information when you sign up for the Service: email address, name, password (stored hashed) and organisation.
- Payment information if you are a paying customer: payment-transaction history and limited card or invoicing details. We do not store payment-card numbers; the payment provider handles them under its own policies.
- Log and device data: IP address, browser type and version, pages visited, visit time and duration, and other technical identifiers.
- Sales and support data: messages and attachments you share with us when interacting with customer support or sales.
- Usage data: how you use the Service and its features.
- Cookies and similar identifiers: see the separate cookie notice.
- Other information you provide directly: for example responses to surveys or feedback forms.
Purposes and legal bases
We process personal data only for the following purposes:
- Providing and operating the Service — performance of a contract (GDPR Art. 6(1)(b)).
- Payment processing and bookkeeping — contract and legal obligation (Art. 6(1)(b) and 6(1)(c); Finnish Accounting Act).
- Service development and information security — legitimate interest (Art. 6(1)(f)).
- Customer communication and support — contract or legitimate interest (Art. 6(1)(b) and 6(1)(f)).
- Marketing and newsletter — consent (Art. 6(1)(a)) or legitimate interest in an existing customer relationship (Art. 6(1)(f)). You can unsubscribe at any time via the link in every message.
- Compliance with legal obligations (Art. 6(1)(c)).
Retention periods
We retain personal data only for as long as necessary for the purposes above or as required by law.
- Customer account data: for the duration of the customer relationship and 12 months after.
- Invoicing and accounting data: six (6) years from the end of the accounting period, as required by the Finnish Accounting Act.
- Enquiries and support conversations: up to 24 months.
- Newsletter subscriber data: until you unsubscribe; unsubscribe records kept up to 12 months.
- Technical log data: up to 12 months.
Disclosure and recipients
We do not sell personal data. We disclose it only for the following purposes:
- To processors (subprocessors): IT infrastructure, payment processing, email and analytics providers. Processors act under a documented Data Processing Agreement (DPA).
- To authorities, where required by law, a court order or a reasoned request by law-enforcement authorities.
- In a corporate transaction: if Puida Oy is involved in a merger, acquisition or business transfer, personal data may be transferred as part of the transaction. We will use reasonable efforts to notify you in advance.
We do not share personal data with third parties for their own marketing without your explicit consent.
Transfers outside the EU/EEA
We primarily process personal data within the EU/EEA. If we use a subprocessor outside the EU/EEA, the transfer relies on the European Commission's Standard Contractual Clauses (SCCs, GDPR Art. 46) together with any additional safeguards required. On request we can provide a list of the transfer mechanisms in use.
Security
We use technical and organisational safeguards including encryption in transit and at rest, role-based access control (RBAC), audit logs, restricted employee access and periodic security reviews. Product-environment details are described on the Security & trust page.
Your rights
EU law grants you the following rights over your personal data:
- Right of access (GDPR Art. 15)
- Right to rectification of inaccurate data (Art. 16)
- Right to erasure in certain circumstances (Art. 17)
- Right to restriction of processing (Art. 18)
- Right to data portability (Art. 20)
- Right to object to processing based on legitimate interest and to direct marketing (Art. 21)
- Right to withdraw consent at any time where processing is based on consent (Art. 7)
- Right to lodge a complaint with a supervisory authority
To exercise your rights, email privacy@toiste.com. We will verify your identity before acting on the request and will respond, as a rule, within 30 days.
Supervisory authority
If you believe we process your personal data unlawfully, you may lodge a complaint with the Finnish Data Protection Ombudsman:
Office of the Data Protection Ombudsman, PL 800, 00531 Helsinki, Finland (tietosuoja.fi)
You may also file a complaint with the supervisory authority in your country of residence or in the country of the alleged infringement.
Links to third-party services
Our website and Service may contain links to third-party websites and services. We are not responsible for their privacy practices. Please review their own privacy notices before use.
Minors
The Service is not directed at persons under 16 years of age. We do not knowingly collect or process personal data from minors. If you are a guardian and notice that your child has provided us with data, contact privacy@toiste.com — we will remove the data without undue delay.
Changes to this policy
We may update this policy from time to time. The latest update date is shown at the top of this page. For material changes we will notify you separately, for example by email or a clearly visible notice on the site.
Contact
Privacy enquiries and data-subject requests may be addressed to our Data Protection Officer Pauli Suuraho (pauli.suuraho@puida.com) or the general address privacy@toiste.com. Other enquiries: info@toiste.com.