Privacy

Privacy policy

How Smove processes personal data as a data controller.

Updated 9 June 2026

Overview

This policy explains how Smove Oy processes personal data as a data controller. It covers visitors to our website, people who contact us, and the contact persons of our subscribing customers.

When our customer processes their own employees' data in the service (shifts, absences and other HR), the customer is the data controller and Smove acts as a data processor. That processing is governed by a separate data processing agreement, described on the GDPR page.

Data controller

The data controller is Smove Oy (business ID 3596026-3). Postal address: Linnanpellonkatu 52, 70300 Kuopio, Finland.

We have not appointed a separate data protection officer, but for data protection matters you can contact [email protected].

Controller or processor

Smove is the controller for the data it controls itself: website visitors, enquiries and the contact persons of customers.

For the personal data a customer enters about their own employees, the customer is the controller and Smove processes the data on the customer's behalf. This policy does not cover that processing; it is governed by the data processing agreement with the customer.

What we use data for

We process personal data for the following purposes:

  • Providing the service, managing user accounts and sign-in
  • Customer relationship management, support and communication
  • Billing and statutory accounting obligations
  • Improving the service, security and abuse prevention
  • Marketing and contact with business contact persons
  • Meeting legal obligations

What data we process

We mainly process the following data:

  • Contact details: name, work email, phone number, organisation and role
  • Account data: user identifier and account settings
  • Contract and billing data
  • Enquiries and support correspondence
  • Technical data: log data, IP address and session data to keep the service working and secure

Where data comes from

We receive data mainly from the data subject or their employer (the customer organisation) when the service is taken into use or used. Some data is generated through use of the service. Company information may be supplemented from public registers such as the trade register.

Legal bases for processing

Processing is based on the following GDPR legal bases:

  • Contract: providing the service to the subscriber and users
  • Legitimate interest: customer relationship management, service development and security
  • Consent: electronic direct marketing
  • Legal obligation: for example accounting legislation

Where processing is based on legitimate interest, we have assessed that it does not override your interests or rights. Some data is necessary to enter into the agreement or use the service; without it we cannot provide the service.

Recipients and sub-processors

We do not sell personal data. Data is processed on our behalf by carefully selected sub-processors that provide, for example, hosting, email and accounting services. All our sub-processors are located in Finland or elsewhere in the EU, and data processing agreements are in place with them. An up-to-date list is on our GDPR page.

Data may be disclosed to authorities where required by law.

Transfers outside the EU and EEA

Personal data is not transferred outside the EU or EEA. Data is stored in Finland and processed only within the EU/EEA.

How long we keep data

We keep personal data only as long as necessary:

  • Account and customer data: for the duration of the customer relationship and up to 90 days after it ends, after which data is deleted or anonymised
  • Accounting-related data: for the period required by accounting law, generally 6 years
  • Enquiries: up to 12 months
  • Backups: rotated in roughly 30-day cycles

Your rights

You have the right to:

  • Access and review your data
  • Have inaccurate data corrected
  • Request erasure of your data
  • Restrict or object to processing
  • Receive your data in a portable format
  • Withdraw consent you have given

You can exercise your rights by contacting [email protected]. We respond to requests generally within one month.

Automated decision-making

We do not carry out automated decision-making or profiling covered by this policy that produces legal or similarly significant effects on you.

The automated shift planning performed in the service concerns the customer's employees' data, where the customer acts as the controller. That processing is governed by the data processing agreement.

Security

We protect personal data with appropriate technical and organisational measures. Data is encrypted in transit and at rest, access is restricted by role on a least-privilege basis, and use is monitored through logs. Data is stored in Finnish data centres and backed up regularly.

If a personal data breach occurs, we notify the supervisory authority and, where required, you, as required by law.

Right to lodge a complaint

If you consider that the processing of your personal data is unlawful, you can lodge a complaint with the supervisory authority. In Finland this is the Office of the Data Protection Ombudsman (tietosuoja.fi).

Cookies

Our website uses no tracking or analytics cookies and no third-party ad tracking. Fonts and other resources are served from our own server. The service itself uses only essential cookies to maintain sign-in and sessions.

Changes to this policy

We may update this policy as the service or legislation changes. We publish the current version on this page and note the update date at the top.