Privacy and cookies

This notice explains how we process personal data, how we use cookies, and how you can exercise your rights.

Controller and contact

Data controller: Grit company Oy (Business ID 3436415-2), Kurkimoisio 9 A, 00960 Helsinki, Finland. For privacy questions, rights requests, or complaints related to this notice, contact us at hello@gritcompany.fi.

What data we process

Depending on your interaction with our website and app, we may process:

  • Account and profile data you provide (name, email, company, role, profile details).
  • Project and workflow data entered by authorized users in the app.
  • Technical and usage data (device/browser metadata, timestamps, request logs).
  • Limited landing analytics data when analytics consent is granted.

Cookie categories and consent

  • Necessary cookies/storage: required for core functionality such as language preference, security controls, and sign-in/session handling.
  • Analytics cookies/storage: optional and disabled by default. We process analytics only after explicit opt-in.
  • You can withdraw or update analytics consent at any time from cookie settings.

Cookie and browser storage details

Current keys/categories used by our website and app include:

  • grit_consent_v1 (local storage): stores your cookie consent choices (necessary/analytics) and update timestamp. Category: necessary. Retention: until changed or cleared by user/browser.
  • landing_lang (local storage): stores landing page language preference. Category: necessary. Retention: until changed or cleared by user/browser.
  • user_token, admin_token (app storage): authentication/session tokens for signed-in use. Category: necessary. Retention: until logout, token expiry, or manual clearing.
  • user_role, user_name, user_email, user_last_active (app storage): session/profile context for app operation. Category: necessary. Retention: until logout, profile/account changes, or manual clearing.
  • theme_mode, locale (app storage): user interface preferences. Category: necessary. Retention: until changed or cleared by user/browser.
  • No non-essential analytics storage is used before explicit analytics opt-in.

Retention and deletion

  • Landing analytics aggregates: 13 months from event date, then purged or anonymized.
  • Security and access logs: 12 months from creation, then purged via log rotation.
  • Account and profile data: retained during active account use, deleted or anonymized 24 months after account closure (unless a legal hold applies).
  • Project and workflow records: retained during contract lifetime, deleted or anonymized 24 months after contract end or account closure.
  • Authentication/session tokens: until logout, token expiry, or manual clearing.
  • Cookie consent record: until you change your preference or clear browser storage. Consent choices expire and are re-prompted after 6 months.
  • Preference keys (language, theme): until you change a preference or clear browser storage.
  • Backup archives: 35 days from creation, then automatically removed.
  • When retention ends, data is deleted, anonymized, or irreversibly aggregated. Legal holds override scheduled deletion until released.
  • Accounting and invoicing records: retained for the period required by Finnish accounting law (kirjanpitolaki, up to 10 years from the end of the financial year), then deleted.
  • Erasure requests may be refused where retention is required by law, or for the establishment, exercise, or defense of legal claims (Art. 17(3) GDPR).

Data sharing and processors

We use the following trusted service providers (processors) to deliver our services:

  • Tentacle Networks Oy (Finland) — server hosting, DNS, and domain management for our infrastructure.
  • Visma Solutions Oy / Netvisor (Finland) — invoice processing and bookkeeping.

Both processors are Finnish companies operating primarily within the EEA. Under their respective data processing agreements, each processor may engage sub-processors that operate outside the EEA, provided GDPR-compliant safeguards (such as Standard Contractual Clauses) are in place. See the "International transfers" section below for details. We require data processing agreements (DPAs) and contractual safeguards (Art. 28 GDPR) with all processors. Our analytics, notifications, and database services are fully self-hosted.

International transfers

All personal data is processed and stored primarily within the EEA (Finland). Our own infrastructure is hosted exclusively in Finland by Tentacle Networks Oy.

However, both Tentacle Networks Oy and Visma Solutions Oy/Netvisor reserve the right under their DPAs to engage sub-processors that may operate outside the EEA. In all such cases, transfers are governed by GDPR-compliant safeguards, including EU Standard Contractual Clauses (SCCs) and/or adequacy decisions, as well as supplementary technical and organizational measures where required (in line with CJEU Schrems II requirements).

The data categories potentially affected are limited to: (a) infrastructure data processed by Tentacle Networks (all platform data), and (b) invoicing/bookkeeping data processed by Visma/Netvisor (names, contact details, billing information).

Your rights

  • Access, correction, deletion, restriction, portability, and objection rights under GDPR.
  • Right to withdraw consent at any time (for consent-based processing).
  • Right to lodge a complaint with your local supervisory authority. You may contact the data protection authority in the EU/EEA country where you reside or work. For Finland: Tietosuojavaltuutetun toimisto (Office of the Data Protection Ombudsman), tietosuoja.fi.

To exercise rights, contact hello@gritcompany.fi. We may need to verify identity before fulfilling requests. We will respond within one month of receipt; in complex cases this may be extended by up to two additional months, with prior notice.

Security

We apply proportionate technical and organizational measures, including access controls, authentication, transport security, and monitoring to protect personal data from unauthorized access, loss, misuse, or alteration.

Data protection officer

Given the nature and scale of our processing activities, we are not required to appoint a Data Protection Officer under GDPR Art. 37. For all data protection inquiries, please contact us at hello@gritcompany.fi.

Obligation to provide data

The provision of account, profile, and project data is a contractual requirement necessary for us to deliver our services. If you choose not to provide this data, we may be unable to create your account or deliver the requested service. Landing page analytics data is collected only with your voluntary consent and is not required for service use.

Automated decision-making

We do not carry out automated individual decision-making or profiling that produces legal effects concerning you or similarly significantly affects you (GDPR Art. 22).

Manage cookie settings

You can change your analytics preference at any time.

Policy updates

We may update this notice when our services, legal requirements, or processing practices change. Material changes will be reflected on this page.

Version 1.1 — Last updated: 4 March 2026