Privacy Policy of Datainsite Oy

General

This document is a combined privacy policy and information notice in accordance with the Data Protection Act and the General Data Protection Regulation of the European Union (2016/679/EU). Datainsite Oy is committed to processing personal data in accordance with this privacy policy and applicable data protection legislation.

This privacy policy describes how Datainsite Oy collects and processes personal data.

Data Controller

Datainsite Oy

Hämeentie 31

00500 Helsinki

Business ID: 3221367-6 (”Datainsite”)

Contact Details

Datainsite Oy

Email address: privacy@datainsite.fi

Scope of this Privacy Policy

This Privacy Policy applies to the processing of personal data by Datainsite Oy in connection with the provision of its services, customer and partner relationships, and the operation and maintenance of the Stella platform.

Basis and Purpose of the Processing of Personal Data

General information on data processing

Datainsite processes personal data in accordance with the EU General Data Protection Regulation (Regulation (EU) 2016/679), the Finnish Data Protection Act, and all other applicable data protection laws, regulations, and official guidelines in force from time to time.

Personal data means any information relating to an identified or identifiable natural person.

Purpose of collecting personal data

• To administer and manage contractual, customer, partner, or equivalent relationships;
• To comply with legal and regulatory obligations;
• To communicate with customers and users regarding the Service, including service-related notices, support communications, and business-to-business communications related to Datainsite’s services.

Legal basis for the processing of personal data

Datainsite collects and processes only such personal data as is necessary for its operations, contractual obligations, and legal responsibilities. Personal data may be processed based on one or more applicable legal grounds.

The legal bases for the processing of personal data may include:

• The performance of a contract or steps taken prior to entering into a contract;
• Compliance with a legal obligation to which Datainsite is subject;
• The consent of the data subject, where required; and
• Datainsite’s legitimate interests, provided that such interests do not override the rights and freedoms of the data subject.

Datainsite’s legitimate interests include, in particular:

• ensuring the security, integrity, and availability of the Service;
• preventing fraud, misuse, and unauthorized access;
• maintaining audit logs and compliance records;
• operating, maintaining, and improving the Service; and
• managing customer relationships and business operations,

provided that such interests do not override the rights and freedoms of the data subject.

Regular Sources of Data

Datainsite collects and processes personal data that is provided directly by its clients or by individuals acting on behalf of its clients in connection with the use of the Service. This includes personal data submitted, uploaded, or otherwise made available by clients when creating user accounts, configuring the Service, managing access rights, or otherwise interacting with the platform.

Datainsite does not actively source personal data from third-party sources or public databases. Personal data may, however, be processed via Datainsite’s service providers or technical infrastructure (such as hosting, email delivery, or billing services) as necessary to provide the Service, comply with legal obligations, or operate the platform. Where clients provide personal data relating to third parties, clients represent and warrant that they have the necessary rights and legal basis to disclose such data to Datainsite.

Datainsite processes only such personal data as is necessary for the specific, pre-defined purposes described in this Privacy Policy. The purpose of processing determines the categories of personal data collected in each case.

What Data Datainsite Processes

Datainsite distinguishes between Customer Content (such as uploaded files, reports, and documents) and account-related personal data required to operate the Service (such as user identifiers, access logs, and billing information). Datainsite does not access or analyse Customer Content except as technically necessary to provide the Service or where required by law.

The categories listed below reflect the personal data Datainsite processes in connection with the Service and may vary depending on the customer’s use of the Service, configured features, and enabled integrations.

Datainsite processes the following data:

• User account data: email address, user identifier, Stella role, account status, and preference settings
• Authentication and security data: password hashes, login timestamps, IP address, user agent, session or device identifiers, MFA events, and error logs
• Access control and audit data: report and partner access grants and changes, comments, and terms acceptance records (including timestamp, version identifier, IP address, and user agent)
• Billing and subscription metadata: subscription status, plan identifiers, and payment-related metadata provided via Datainsite’s payment service provider (excluding full payment card details)
• Support communications: messages sent to customer support, resolution notes, and related metadata
• Content metadata: report and file names, types, partner associations, and storage locations (excluding file contents unless required to provide the Service)

How Long Datainsite Retains Your Data

Datainsite regularly reviews personal data and deletes or anonymizes data that is no longer necessary.

Datainsite retains personal data only for as long as necessary to fulfil the purposes described in this Privacy Policy.

In certain cases, Datainsite is required to retain personal data for a longer period in order to comply with legal obligations or to protect its legal interests, including:

• Data required for accounting or auditing purposes, which is retained for six (6) or ten (10) years in accordance with applicable law;
• Data required to establish, exercise, or defend legal claims, which is retained for at least three (3) years;
• If you close your account with Datainsite or are no longer an active customer, uploaded content and related metadata are retained for up to thirty (30) days after deletion or account termination, and usage and audit log data is retained for up to seven hundred and thirty (730) days, for security, compliance, and auditing purposes.

You have the right to request erasure of your personal data in accordance with applicable data protection laws. Where Datainsite no longer has a lawful basis to process personal data, or where a valid erasure request applies, Datainsite has processes in place to delete or irreversibly anonymize such data.

With Whom Datainsite Shares Your Data

Datainsite may share personal data with third parties only to the extent necessary to provide, operate, support, and improve the Service, or to comply with legal obligations. Such third parties include:

Service providers acting as data processors on Datainsite’s behalf, used to maintain and operate the Service and Datainsite’s business operations. Personal data may be processed by the following categories of service providers:

• Microsoft Azure, used for cloud infrastructure, hosting, databases, and storage. Azure services are configured to use data center regions within the European Economic Area (EEA).
• Microsoft Power BI / Fabric, used for embedded analytics and report rendering. Microsoft Fabric is configured in accordance with the EU Data Boundary, and Customer Lockbox is enabled where applicable.
• Mailgun, used for transactional and service-related email delivery. Email data may be processed in the European Union or the United States depending on configuration and routing.
• OpenAI API, used to provide support chat and assistance features within the Service. OpenAI processes user-provided chat input solely for the purpose of generating responses and does not have access to Customer Content stored within Stella. Customer files, reports, and documents are not made available to OpenAI as part of normal Service operation.

Payment service providers. Datainsite does not process or store financial information such as bank account details or full payment card numbers. Such information is provided directly to Datainsite’s payment service provider, Stripe. Stripe acts as an independent data controller with respect to payment card data and related financial information. Datainsite may receive and process limited billing and subscription-related metadata from Stripe solely for accounting, subscription management, and customer administration purposes, in accordance with applicable data protection laws. The processing of payment data by Stripe is governed by Stripe’s own privacy policies, which we recommend you review.

Where required under applicable data protection laws, Datainsite maintains information about its sub-processors and their processing locations and makes such information available to customers upon request or via a designated information page.

Where Is Your Data Processed

Customer Content is configured to be stored and processed within the EU/EEA as part of the Service’s core infrastructure. In certain situations, such as when sharing data with an IT service provider operating outside the EU/EEA, your personal data may be processed outside the EU/EEA. In such cases, Datainsite ensures that an adequate level of protection is in place and that appropriate safeguards are implemented (for example, by using the European Commission’s Standard Contractual Clauses).

Your Rights as a Data Subject

As a data subject, you have certain rights in relation to the processing of your personal data. If you wish to exercise any of these rights, please contact Datainsite via email (privacy@datainsite.fi).

• Right of access: You have the right to obtain information about which personal data Datainsite processes about you, including the purposes and legal basis for the processing.
• Right to rectification: If you believe that Datainsite processes incorrect personal data about you, you may request correction.
• Right to restriction of processing: You may request that Datainsite restricts the processing of your personal data, for example if the data is inaccurate and you do not want it processed until it has been corrected.
• Right to erasure (“right to be forgotten”): You may request that Datainsite deletes your personal data. While Datainsite will comply to the extent required by law, please note that Datainsite may continue to process certain data where required to protect Datainsite’s legal interests or to comply with legal obligations.
• Right to object: Where processing is based on legitimate interest, you have the right to object. If your privacy interests outweigh Datainsite’s legitimate interests, Datainsite will cease such processing.
• Right to data portability: You may have the right to receive the personal data you have provided to Datainsite in a structured, commonly used, and machine-readable format and to transfer it to another data controller.

Where the processing of personal data is based on the data subject’s separate consent, the data subject has the right to withdraw the consent at any time.

Cookies

Datainsite uses cookies and similar technical mechanisms that are strictly necessary for the operation, security, and core functionality of the Service.

Such cookies are used, for example, to:

• authenticate users and maintain secure login sessions;
• enable access control and role-based permissions;
• protect the Service against unauthorized access and misuse;
• ensure the integrity, availability, and technical operation of the Service; and
• support error handling and security-related logging.

These cookies are not used for advertising or marketing purposes and are not used to track users across websites or services.

The Service relies on certain cookies that are essential for authentication, security, and core functionality. You can manage cookies through your browser settings; however, disabling or blocking strictly necessary cookies may prevent you from accessing or using the Service.

If the Service uses additional cookies or similar technologies that are not strictly necessary (for example, optional analytics features), Datainsite will provide appropriate information and obtain any required consent in accordance with applicable law.

Profiling and Automated Decision-Making

Datainsite does not perform profiling based on personal data, nor does it use automated decision making.

Amendments to this Privacy Policy

Datainsite constantly develops its business operations, which is why Datainsite reserves the right to amend this Privacy Policy by announcing such amendments on its services. Amendments to this Privacy Policy may also be based on changes in legislation.

If You Are Not Satisfied

If you are not satisfied with how Datainsite processes your personal data, you are welcome to contact Datainsite via email (privacy@datainsite.fi). You may also contact the Finnish data protection authority (the Office of the Data Protection Ombudsman).

Want to Know More?

If you have any questions regarding the processing of your personal data, please do not hesitate to contact Datainsite via email (privacy@datainsite.fi).