Privacy Policy

Customers on SosseliSOS can browse companies, run searches, and contact service providers entirely without registering or providing personal data. We do not require a name, email or other identifying information to use the service.

For technical operation and security purposes, we collect the following data, which is not linked to any identity:

None of this data is linked to an individual person. We do not use third-party analytics services such as Google Analytics or Meta Pixel.

Service providers who register with SosseliSOS and publish business profiles provide us with personal data to use the service. We collect data in the following situations:

At registration:

• Email address: used for login, subscription confirmations, and important service communications
• Password: stored only as a bcrypt hash; the original password is never stored and cannot be recovered

When creating or editing a business profile:

• Business name
• Business ID / VAT number (optional, helps customers identify the company)
• Phone number
• Address or service area
• Short company description
• Logo or profile image
• Services offered and their pricing
• Service areas (municipalities where the provider operates)

When managing a subscription:

• Chosen subscription plan (Aloitus, Perus, or Pro)
• Subscription validity and billing interval (monthly/yearly)
• Subscription status (active, trial, expired)

During service use:

• Login timestamps and locations (IP address hash) for security purposes
• Change log of updates made to business profile
• Statistics: how many times the profile has been viewed and contact details clicked

Payment data is not stored with us. Subscription payments are processed through Stripe's payment system. SosseliSOS never sees or stores card numbers, CVV codes, or other payment card details; these are handled exclusively by Stripe Payments Europe Ltd.

We do not purchase or receive personal data from third parties for marketing or profiling purposes. Our service providers (Supabase, Vercel, Stripe) act as our processors and handle data only to provide services to us; they do not share data with us for other purposes.

We use trusted technical service providers to run the service. These act as personal data processors under the GDPR and process data solely on our instructions. All have a Data Processing Agreement (DPA) with us.

These providers do not use your data for their own purposes. We have written data processing agreements with all of them.

We may disclose data to competent authorities where there is a statutory obligation to do so, for example, in a criminal investigation or pursuant to a legally binding information request from an authority. We disclose only the specific data requested, nothing more.

If SosseliSOS's business is sold or transferred to another party, personal data may be transferred to the new owner. In that case, registered users will be notified in advance, and the new controller must commit to processing data in accordance with this privacy policy or obtain new consent if the purpose changes.

SosseliSOS does not use:

• Google Analytics or other analytics cookies
• Meta Pixel (Facebook/Instagram tracking)
• Advertising cookies or retargeting cookies
• Third-party tracking technologies
• Browser fingerprinting or other tracking methods

Strictly necessary cookies are essential for the service to function and do not require consent under the Finnish Act on Electronic Communications Services (917/2014, Section 205). You can delete cookies in your browser settings at any time; this will log you out of your provider account.

• All traffic is encrypted with TLS 1.3 (HTTPS), no unencrypted HTTP connections
• Passwords are stored as bcrypt hashes (cost factor 10+); the original password cannot be recovered
• Database access is restricted with Row Level Security (RLS); each user can only access their own data
• There is no direct public access to the production database; connections require authenticated server-side mediation
• Admin operations use a separate service-role key and cannot be performed from user accounts
• Environment variables and secrets are stored securely and not in version control
• The database is automatically updated with security patches (managed by Supabase)

• Only the data controller has access to the production database and admin panels
• Third parties have no access to user data without a written data processing agreement
• Security incidents are handled immediately and notified to users and authorities in accordance with the GDPR

You have the right to obtain confirmation of whether SosseliSOS processes personal data about you, and if so, to receive a copy of that data along with information about the processing purposes, categories of data, recipients, retention periods, and your rights.

Service providers can view most of their own data directly in the dashboard while logged in. A full data access request is made by email.

If data we hold about you is inaccurate or incomplete, you have the right to request its correction. Service providers can update their business profile data directly in the dashboard. Requests to change login details (email) are submitted by email.

You can request deletion of your personal data when:

• The data is no longer necessary for the purpose for which it was collected
• You withdraw consent on which processing was based and there is no other legal basis
• You object to the processing and there are no overriding compelling grounds
• The data has been processed unlawfully

Limitations: The right does not apply where processing is necessary for compliance with a legal obligation. This means billing records cannot be deleted before the end of the 7-year Accounting Act retention period. All other data is deleted within 30 days of the request.

You may request restriction of processing in situations where:

• You contest the accuracy of the data; restriction for the period needed to verify it
• Processing is unlawful but you do not want erasure, only restriction of use
• The controller no longer needs the data but you need it for the establishment, exercise, or defence of legal claims
• You have objected to processing and are awaiting verification of whether the controller's grounds override yours

During restriction, we may only store the data. Any other use requires your consent or a legal basis.

You have the right to receive the personal data you have provided to the controller in a structured, commonly used, and machine-readable format (JSON or CSV). You may also request that the data be transmitted directly to another controller where technically feasible. This right applies to data processed automatically on the basis of a contract or consent. It covers only data you provided, either directly or collected through your use of the service.

You have the right to object to the processing of your personal data where processing is based on legitimate interest (GDPR 6.1.f). At SosseliSOS this applies, for example, to the processing of login logs.

Following an objection, we will cease processing unless we have compelling legitimate grounds that override your interests, rights and freedoms, or unless processing is necessary for the establishment, exercise or defence of legal claims. We do not process data for direct marketing at all without consent.

SosseliSOS does not make automated decisions about you that produce legal or similarly significant effects. The service does not perform credit scoring, individual price differentiation, or any other automated decision-making based on profiling.

You have the right to lodge a complaint with the competent supervisory authority if you believe that the processing of your personal data violates the GDPR or the Finnish Data Protection Act. The supervisory authority in Finland is the Office of the Data Protection Ombudsman.

We encourage you to contact us first, however, so that we can resolve the matter directly and quickly.