GDPR and privacy
How Smove meets GDPR and where your data lives.
Updated 9 June 2026
Privacy at Smove
Smove is built privacy-first. All personal data is stored and processed in Finland and the EU, and we do not transfer data outside the EU. This page explains how we meet our GDPR obligations and who our sub-processors are.
Controller and processor
When you use Smove to manage your employees' shift and HR data, you (the employer) are the data controller and Smove acts as a data processor on your behalf. We process data only on your instructions. This is agreed in a data processing agreement.
Data location: Finland and the EU
The service, database, files and sign-in run in the Finnish provider UpCloud's data centres in Finland. Emails are sent through a service operating in the EU. Personal data is not transferred outside the EU or EEA.
Sub-processors
We use a limited set of carefully selected sub-processors, with data processing agreements in place. All are located in Finland or elsewhere in the EU. Both website leads and app users are synced to Brevo for customer relationship management and service communication; marketing messages are sent only with consent.
| Sub-processor | Purpose | Location |
|---|---|---|
UpCloud Ltd | Hosting, database, files and sign-in (self-hosted) | Finland |
Sendinblue SAS (Brevo) | Email, CRM and marketing (leads + app users) | France (EU) |
Accountor Finago Oy (Procountor) | Accounting and invoicing | Finland |
Supporting data subject rights
We support data subject rights: access, rectification, erasure, portability and restriction of processing. Because the controller for employee data is the customer, we route such requests to the customer and help fulfil them. The service includes tools to export and delete data.
Data minimisation and anonymisation
We collect only the data necessary for the service to work. In reporting and development we use aggregated or anonymised data wherever possible, from which an individual cannot be identified. When the retention period ends, data is either deleted or irreversibly anonymised.
Security
Data is encrypted in transit and at rest, access is role-based and follows the least-privilege principle, and activity is monitored through logs and change history. We describe security in more detail on our security page.
Retention and deletion
We process data only for the duration of the agreement. When the agreement ends, the customer's data is deleted or anonymised within the agreed period, except for data we are required by law to retain.
Data processing agreement
We offer customers a data processing agreement under GDPR Article 28 as part of the service terms. It covers, among other things, the purpose of processing, sub-processors and security obligations. Request the agreement at [email protected].
Data breaches
If personal data is subject to a breach, we notify the customer acting as controller without undue delay, and within 72 hours of becoming aware of the breach at the latest.