Privacy Policy

HaVe Living Solutions Oy
Business ID: 3554660-1, 70800 KUOPIO, Finland
Email: info@kamppisfinder.fi

For all questions related to the processing of personal data and for exercising your rights, please contact the data controller in writing by sending an email to customer service at info@kamppisfinder.fi

The legal basis for processing personal data is:

• Consent given by the data subject for the processing of personal data
• A contractual relationship between the data subject and the data controller
• Fulfillment of the data controller's legal obligations
• The data controller's legitimate interest, based on the customer relationship between the data subject and the data controller, use of the service, prevention of misuse and ensuring service security, and business development.

We process personal data at HaVe Living Solutions Oy to provide and deliver the KämppisFinder service, to analyze and develop business operations and customer service, for product development, reporting, profiling, and technical maintenance of the service. Our goal is to improve user understanding and develop the functionality of the service. In product development and reporting, data is primarily processed in aggregated or anonymized form so that individual data subjects cannot be identified.

We process data to prevent and investigate misuse of the service and to ensure information security. When necessary, we may review log data or communications within the service to investigate misuse, security threats, or technical issues related to the service.

Customer service communications and communications between users within the service may be stored to protect the rights of the parties, to develop the service, and to resolve potential disputes. Messages may also be processed on the basis of legitimate interest in situations where no contractual relationship is established.

In addition, we may use data for marketing and user experience research and for direct marketing based on an existing customer relationship in accordance with applicable legislation.

The processing purposes described above are in accordance with the legitimate interest of HaVe Living Solutions Oy to the extent that the processing is not based on a contract, consent, or a legal obligation.

We consider that such processing is in line with the reasonable expectations of the data subject in connection with the use of the service. We do not process sensitive personal data on the basis of legitimate interest. Taking into account the purposes of processing, the nature of the data, the principle of data minimization, and the data subject's right to object to processing, we consider that the processing does not conflict with the fundamental rights or freedoms of the data subject.

The data controller collects only such personal data from data subjects that is relevant and necessary for the purposes described in this privacy policy.

The following data is processed about data subjects:

• Basic information: name, email address, phone number, username
• Age and eligibility information: year of birth or age (minimum age of 18 is required to use the service)
• Profile information: display name, description (bio), city, gender, profile photos
• Lifestyle questions: pets, sleep schedule, cleanliness, sociability, sharing of belongings, family situation
• Housing information: number of rooms, rent, apartment area
• Housing search information: move-in date, budget, preferred areas, preferred city, lease duration
• Occupation/employment status
• Student information: student status, major, study progress
• Most recent activity time in the service
• Phone number verification information
• Communication data: communication between users within the service and customer service communications
• Connection and blocking data: connection requests between users with messages, connection statuses (pending, accepted, declined), and blocks between users
• Account and contractual data: user account creation and login information and data related to the use of the service
• Technical data and log data: IP address, device and browser information, login times, and other technical identifiers generated from the use of the service
• Marketing-related data: direct marketing permissions and opt-outs

Business Users (Landlords and Partners)

• Company basic information: company name, business ID, address
• Contact person information: name, position in the company, email address, phone number
• Contract and billing data: data related to contracts and billing
• Listing and property data: content and contact information of published listings
• Communication data: communication through the service or customer service
• Technical data and log data: IP address and other technical data generated from the use of the service

Personal data is generally not disclosed to third parties.

We use the following data processors in providing the service:

Appwrite (Appwrite Ltd): The technical platform of the service, responsible for user account management, database, file storage, and real-time communications. Data is stored on Appwrite servers in Frankfurt, Germany (EU).

Sightengine (content moderation service): We use an external technical service provider for automatic content review of profile photos to ensure service safety. Only the profile photo being evaluated is transmitted to the service. The service provider processes data in accordance with data protection legislation and with appropriate safeguards. The service provider may process data within or outside the EU/EEA. Any transfers are based on safeguard mechanisms approved by the European Commission.

Data may also be disclosed to authorities as required by law.

Personal data may be transferred outside the EU/EEA in connection with the use of the Sightengine service. Transfers are based on European Commission adequacy decisions or Standard Contractual Clauses (SCC), which ensure an adequate level of data protection.

Contractual agreements have been established with all processors to ensure that personal data is processed in accordance with data protection legislation.

Personal data is not transferred outside the EU/EEA without appropriate safeguards.

The data controller processes personal data in a manner that ensures appropriate security, including protection against unauthorized processing and accidental loss, destruction, or damage.

The data controller uses appropriate technical and organizational safeguards to protect personal data. These include, among others, encryption of data communications, firewalls, access control and restriction of user rights, secure server environments, system logging, and careful management of information system usernames and passwords. Personnel processing personal data are instructed on information security practices and process data only to the extent required by their job duties.

When external service providers are used in the processing of personal data (such as technical service providers or payment service providers), contractual agreements ensure that they process personal data in accordance with data protection legislation and only according to the data controller's instructions.

All employees processing personal data have a duty of confidentiality regarding matters related to the processing of personal data of data subjects, based on the Employment Contracts Act (55/2001) and supplementary confidentiality agreements.

We retain personal data for at least the duration of the customer relationship or user account and for a reasonable period thereafter to fulfill the purposes described in this privacy policy.

Data related to a user account is generally retained as long as the account is active. If a user has not logged into the service for 24 months, we may consider the user account inactive and delete the associated personal data, unless there is a justified reason for retention. Before deleting an account, we may send the user a notification about the account's inactivity.

After deletion of a user account, personal data may be retained for up to 12 months for investigating potential misuse, for establishing, exercising, or defending legal claims, and for ensuring the security of the service.

Communications between users are generally retained for the duration of the user account. After account deletion, messages are deleted or anonymized within 12 months at the latest, unless their retention is necessary for the reasons mentioned above.

Log data is retained for information security purposes for up to 12 months.

Data related to accounting and billing is retained for the period required by accounting legislation (generally 6 years from the end of the financial year).

Data related to direct marketing is retained as long as the customer relationship is in effect or until the data subject withdraws their consent or objects to marketing. If the data subject opts out of direct marketing, we retain the information about the opt-out to the extent necessary to ensure compliance with the opt-out.

After this period, personal data is deleted or anonymized in accordance with the data controller's deletion processes.

Users may also delete their account directly from the application settings. When an account is deleted, personal data is deleted or anonymized in accordance with the retention periods described in this policy.

Personal data is not used for profiling or automated decision-making that would have legal effects on the data subject or similarly significant effects.

The KämppisFinder website may use cookies to ensure the functioning of the service and to improve the user experience.

The mobile application stores settings-related data locally on the user's device (such as theme selection and language selection). This data is not transmitted to the server.

Right of Access to Personal Data

The data subject has the right to obtain confirmation as to whether personal data concerning them is being processed, and if so, the right to obtain a copy of their personal data.

Right to Rectification

The data subject has the right to request that inaccurate and incorrect personal data concerning them be corrected. The data subject also has the right to have incomplete personal data completed by providing the necessary additional information.

Right to Erasure

The data subject has the right to request the erasure of personal data concerning them if:

• the personal data is no longer necessary for the purposes for which it was collected;
• the data subject withdraws the consent on which the processing was based, and there is no other legal basis for the processing; or
• the personal data has been processed unlawfully.

Right to Restriction of Processing

The data subject has the right to restrict the processing of personal data concerning them if:

• the data subject contests the accuracy of their personal data;
• the processing is unlawful, and the data subject opposes the erasure of personal data and requests the restriction of their use instead; or
• the data controller no longer needs the personal data for the original purposes of processing, but the data subject needs them for establishing, exercising, or defending legal claims.

Right to Object

The data subject has the right to object at any time to the processing of personal data concerning them on grounds relating to their particular situation.

The data controller may no longer process the personal data of the data subject, unless the data controller can demonstrate compelling legitimate grounds for processing that override the interests, rights, and freedoms of the data subject, or for establishing, exercising, or defending legal claims.

If personal data is processed for direct marketing purposes, the data subject has the right to object at any time to the processing of personal data concerning them for such marketing, including profiling to the extent that it relates to such direct marketing.

Right Not to Be Subject to Automated Decisions

The data subject has the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning them or similarly significantly affects them.

The above does not apply if the decision is necessary for entering into or performing a contract between the data subject and the data controller, or is based on the data subject's explicit consent.

Right to Withdraw Consent

The data subject has the right to withdraw their consent to processing at any time without affecting the lawfulness of processing based on consent before its withdrawal.

Right to Data Portability

The data subject has the right to receive personal data concerning them that they have provided, in a structured, commonly used, and machine-readable format, and the right to transmit that data to another data controller.

Right to Lodge a Complaint with a Supervisory Authority

The national supervisory authority for personal data matters is the Office of the Data Protection Ombudsman, operating in connection with the Ministry of Justice. You have the right to lodge a complaint with the supervisory authority if you consider that the processing of your personal data violates applicable legislation.

The data controller continuously develops its operations and may therefore need to change and update its privacy practices as necessary. Changes may also be based on changes in data protection legislation.

If changes include new purposes for the processing of personal data or otherwise change significantly, the data controller will notify of them in advance and request consent if necessary.