Privacy Policy

Prepared for discussion and legal review only. This is a commercial first draft, not legal advice.

Effective date: 01.04.2026

This Privacy Policy explains how Karinja Oy (“Supplier”, “we”, “us”, or “our”) processes personal data relating to our website visitors, business contacts, account administrators, support contacts, and users of our business services.

Where we process customer-submitted service data on behalf of an enterprise customer, that enterprise customer is generally the controller and we act as processor. In those cases, the customer’s privacy notice and our contract with that customer govern that processing.

1. Controller

The controller for the personal data described in this Privacy Policy is:

Karinja Oy, Espoo/Finland, 3613878-1, privacy@karinja.ai

2. Categories of personal data we process

Depending on how you interact with us, we may process:

2.1 Website and sales data

  • Name, company, role, email address, phone number
  • Meeting notes, sales correspondence, and deal history
  • Website usage data, cookies, and analytics data

2.2 Account and service administration data

  • User and administrator account information
  • Authentication and access records
  • Billing and payment contact details
  • Support communications and troubleshooting records

2.3 Operational and security data

  • Logs, device and browser metadata
  • Service usage events
  • Error reports, diagnostic records, monitoring data, and security event data
  • Backup and disaster recovery data where applicable

2.4 Enterprise customer service data

Where enterprise customers use our Services, they may submit or connect personal data through repositories, messaging platforms, data platforms, documents, and other business systems. For that service data, we generally act as processor on behalf of the customer.

We process personal data for the following purposes:

3.1 To provide and operate our Services

We use personal data to create accounts, authenticate users, manage subscriptions, provide support, operate service features, and deliver continuity and recovery functions.

Legal basis: performance of a contract; legitimate interests.

3.2 To secure, maintain, and improve our Services

We use logs, telemetry, diagnostics, and operational data to monitor performance, prevent abuse, detect incidents, fix defects, and improve reliability.

Legal basis: legitimate interests.

3.3 To manage business relationships

We use contact information and correspondence to manage prospects, customers, vendors, partnerships, contracting, invoicing, and related administration.

Legal basis: performance of a contract; legitimate interests.

3.4 To comply with law

We may process personal data where necessary to comply with accounting, tax, sanctions, legal process, recordkeeping, or other legal obligations.

Legal basis: legal obligation.

3.5 To send business communications

We may send product, service, security, and administrative communications to customers and prospects. Where marketing consent is required by law, we will request it.

Legal basis: legitimate interests; consent where required.

4. No training on customer inputs and outputs

We do not use customer Inputs, Outputs, or customer-submitted service data to train our models or third-party models.

For service analytics and improvement, we may use de-identified or aggregated operational telemetry that does not identify individual employees and does not contain customer Inputs or Outputs.

5. Controller / processor split for enterprise services

When an enterprise customer uses our Services and submits or connects personal data to the Services:

  • The enterprise customer generally determines the purposes of that processing and acts as controller; and
  • We process that data on the customer’s behalf as processor or sub-processor.

If you are an end user using our Services through your employer or another organization, you should direct service-data privacy requests to that organization first.

6. Recipients and disclosures

We may disclose personal data to:

  • Service providers and subprocessors who help us provide hosting, support, security, analytics, backups, and related business functions
  • Professional advisers such as lawyers, auditors, and insurers
  • Competent authorities or courts where required by law
  • Counterparties in a corporate transaction, subject to confidentiality protections

We do not sell personal data.

7. International transfers

We aim to store and process personal data for our Services within the EEA.

If we need to transfer personal data outside the EEA, we will do so only where permitted by law and with an appropriate transfer mechanism, such as the European Commission’s Standard Contractual Clauses where required.

8. Retention

We retain personal data for as long as necessary for the purposes described above, including:

  • Identifiable operational logs: generally up to 3 months
  • De-identified or aggregated telemetry: generally up to 12 months or longer where no longer personal data
  • Billing and contractual records: as required by law
  • Support records: for the support lifecycle and reasonable follow-up period
  • Backups: according to our backup and deletion cycles

9. Your rights

Where the GDPR or similar laws apply, you may have rights to:

  • Access your personal data
  • Rectify inaccurate data
  • Erase data in certain cases
  • Restrict processing
  • Object to certain processing
  • Receive data portability where applicable
  • Withdraw consent where processing is based on consent

If we process your data on behalf of an enterprise customer, we may direct your request to that customer.

10. Complaints

If you are in Finland or the EEA, you may lodge a complaint with your local supervisory authority. In Finland, the competent authority is the Office of the Data Protection Ombudsman.

11. Security

We implement technical and organizational measures designed to protect personal data, taking into account the risks involved and the nature of the data.

12. Changes to this Privacy Policy

We may update this Privacy Policy from time to time. If the changes are material, we will provide reasonable notice through our website, service, or direct communication where appropriate.

13. Contact

For privacy questions or requests, contact: privacy@karinja.ai