Privacy Policy

We aim to be transparent. We care so much about our business, and you are key to it. That is why we do not hide behind complex wording and fine print.

Read our Privacy Policy below to understand what we use your data for.

Last updated: 27 April 2026.

Six privacy commitments we make to you

We are a Finnish company, GDPR is our default, and we believe a privacy policy should be useful — not a shield. Below are concrete promises, not aspirations. Every one of them is documented in the sections that follow.

  1. Hosted on Google Cloud Finland by default

    Our only mandatory sub-processor is Google Cloud / Firebase in Finland. Every other sub-processor — AI providers, messaging, integrations, analytics — is engaged only when you enable the corresponding feature. EU Customers can be configured so that no Customer data leaves Google Cloud Finland. See /subprocessors.

  2. We redact PII before sending to AI providers

    AI features (chatbots powered by OpenAI or Google Gemini) are optional and enabled only for Customers who specifically request them. When enabled, we automatically strip personal data — names, emails, phones, addresses, birth dates, IPs, customer IDs, SSNs, card numbers, bank accounts, medical information, geolocation — from end-user input before it leaves our system. The underlying providers (OpenAI Ireland Ltd, Google) act as our data processors under signed DPAs and do not use Serviceform API data to train or improve their models.

  3. 30-day response on every privacy request

    Email [email protected] for any access, deletion, correction, portability, restriction or objection request. We respond within 30 days, free of charge, and usually within five business days.

  4. Encryption everywhere, ISO/IEC 27001-aligned controls

    TLS 1.2+ in transit, AES-256 at rest, role-based access, MFA for admins, continuous monitoring, dependency scanning, periodic penetration testing, and a 72-hour breach-notification process aligned with Articles 33–34 GDPR.

  5. Turn off any sub-processor you don't want

    Our full list lives at /subprocessors. Every optional sub-processor (AI, messaging, integrations, analytics, search) is opt-in and can be excluded from your configuration on request. We give Customers at least 30 days' notice before adding any new sub-processor we control and relay upstream-provider changes promptly. Customers have a right to object on reasonable grounds.

  6. Purpose-limited, no profiling that affects you

    We process personal data only for the specific purposes set out in this Policy and our Customers' instructions — never for re-sale, never for data brokerage, never to enrich third parties. We do not run automated decisions with legal or similarly significant effects on individuals (Article 22 GDPR), and we do not engage in profiling for that purpose. For US readers: we do not "sell" or "share" personal information as those terms are defined under the California Consumer Privacy Act.

1. Who we are

This Privacy Policy is issued by Serviceform Oy ("Serviceform", "we", "us", "our"), a private limited company incorporated in Finland and the parent entity of the Serviceform group.

  • Registered office: Linnaistentie 20 B, 01640 Vantaa, Finland
  • Business ID (Y-tunnus): 2713896-6
  • VAT number: FI27138966
  • Company form: Osakeyhtiö (limited company), registered in the Finnish Trade Register on 20 October 2015
  • Operational office (Finland): Yliopistonkatu 23 A, 2A, 20100 Turku
  • Serviceform group personnel locations: Finland, Sweden, Spain and Sri Lanka. A United Kingdom entity is planned for a future date and this Policy will be updated when it is established.
  • Data Protection Officer (DPO): Jarkko Oksanen, reachable at asiakaspalvelu(at)serviceform.com or by post to the registered office above.
  • Privacy queries: asiakaspalvelu(at)serviceform.com
  • General contact: help(at)serviceform.com · +358 45 7836 1590

The Serviceform group

Serviceform Oy is the parent company. The day-to-day delivery of our products is supported by a small number of wholly-owned subsidiaries, each incorporated in its country of operation and acting under a written intra-group data-sharing agreement that incorporates the European Commission's Standard Contractual Clauses where applicable:

  • Serviceform Software Solutions SL (Spain) — operating from Rambla de Catalunya 65, Barcelona. Handles sales, customer success and product engineering for the Iberian and EMEA region.
  • Serviceform Sweden AB — operating from Drottninggatan 32, 111 51 Stockholm. Handles Nordic sales, customer success and partnerships.
  • Serviceform Private Limited (Sri Lanka) — operating from 16 Station Road, Colombo 04. Provides product engineering, customer support and operational services to the group.

All subsidiaries are controlled by Serviceform Oy and bound by the same security, confidentiality and data-protection standards described in this Policy. Personnel in each entity may access personal data on a strict need-to-know basis to deliver the Services and run the business. Transfers of personal data between Serviceform Oy and the Sri Lanka subsidiary — the only group entity outside the EEA — take place under Standard Contractual Clauses (Module 1, controller-to-controller, or Module 3, processor-to-processor, as applicable) supported by a Transfer Impact Assessment. Section 15 explains our international-transfer framework in detail.

2. Our role: controller and processor

Serviceform acts in two distinct capacities depending on the relationship.

Controller. We are the data controller for personal data we process about visitors to our marketing websites, prospects, leads, newsletter subscribers, customer-account administrators, contractors, job applicants, employees and vendor contacts.

Processor. When our Customers deploy Serviceform products on their own websites and apps — for example chatbots, lead-capture forms, booking flows, AI assistants and CRM-sync tooling — we act as a data processor on the Customer's behalf. The Customer is the controller of the end-user data collected through those products. Our processing in that role is governed by our Data Processing Agreement ("DPA"), which incorporates the Article 28 GDPR clauses and, where applicable, the EU Standard Contractual Clauses. End-users seeking to exercise rights regarding that data should contact the operator of the website or app on which they used the Serviceform tool. We will assist controllers in responding to such requests as required by law. A current copy of our DPA is available at serviceform.com/dpa or on request.

3. Our products and apps

This Policy applies to the following Serviceform products and surfaces:

  • Mira platform. Our core SaaS, including AI chat, lead capture, forms, booking flows, customer-data platform (CDP), workflows, voice and messaging features. Hosted on Google Cloud Platform in Hamina, Finland (Cloud Run, Firestore, Firebase Realtime Database). Optional analytics features additionally use ClickHouse Cloud (EEA) and Google BigQuery (EU multi-region) as described in this Policy.
  • Embeddable widgets and pixel. The Serviceform pixel (V2 and V3) and embeddable widgets (chat, recommendations, lead forms, booking) that load on Customers' websites. The pixel collects activity events on the Customer's instructions and consent configuration. The Customer is the controller of the resulting end-user data.
  • Serviceform Pixel for WordPress / WooCommerce. A WordPress plugin distributed via the WordPress.org plugin directory and our website that installs the Serviceform pixel on a Customer's WordPress site and provides optional REST APIs for product-catalogue, cart, recommendations and order synchronisation. Order-related endpoints process customer contact and order details, are protected by API-key authentication, and are disabled by default — the merchant opts them on individually.
  • Serviceform Shopify app. An OAuth-based Shopify app installed by merchants from the Shopify App Store. The app reads product, collection and order data via the Shopify Admin API on the merchant's instruction, and provides product feeds, order tracking, recommendations, stock validation and newsletter subscription. Merchant configuration is stored in our EEA-hosted database (see Sub-processors). The app implements all mandatory Shopify privacy compliance webhooks — customers/data_request, customers/redact (within 30 days) and shop/redact (issued 48 hours after uninstall, deleting all shop sessions and configuration). Newsletter subscriptions submitted through the app are recorded with the consent state communicated by the Customer (single or confirmed opt-in).
  • Mobile applications. Native and hybrid apps distributed through the Apple App Store and Google Play Store for Customers' staff to manage their Serviceform tenant.
  • Social Inbox and email / calendar sync (Gmail and Microsoft 365). Customers may connect Google Gmail or Microsoft Outlook accounts (individual or shared, e.g. [email protected]) to sync inbound and outbound email and calendar events into the Serviceform Social Inbox and the "Ourly" calendar feature. Use cases are limited to: customer-support email handling, ticketing, applicant tracking (ATS), and calendar booking management. When you connect such an account we may access your email address, the content and metadata of your messages and calendar bookings, and the permission to read, send and organise them. Access is used solely to deliver the above functionality and is never used for advertising, generic analytics or unrelated profiling. You retain full control over which accounts are connected, what content is visible, and the ability to disconnect at any time.

Google API Services User Data Policy — Limited Use disclosure. Serviceform's use and transfer of information received from Google APIs (including Gmail, Google Calendar, Google Drive and related identity APIs) adhere to the Google API Services User Data Policy, including the Limited Use requirements. We do not transfer this data to third parties except as necessary to provide or improve user-facing features that are prominent in the Serviceform interface, comply with applicable law, or as part of a merger, acquisition, or sale of assets with notice to users. We do not use this data to serve advertisements, and we do not allow humans to read this data unless we have your affirmative agreement, it is necessary for security purposes (e.g. to investigate abuse), to comply with applicable law, or for our internal operations where the data has been aggregated and anonymised. Microsoft 365 / Outlook integrations are governed equivalently under Microsoft's Data Protection Addendum and Microsoft Entra ID standards.

Meta Platform Terms — Limited Use disclosure

When Customers connect Meta business accounts (Facebook Pages, Instagram, WhatsApp Business) to the Serviceform Social Inbox, our use of information received from Meta's APIs adheres to the Meta Platform Terms and, where applicable, the WhatsApp Business Solution Terms and WhatsApp Business Messaging Policy. Information accessed via Meta APIs is used solely to deliver the messaging, lead-routing and audience features the Customer has enabled. We do not use Meta data to train AI models, sell or share data for unrelated purposes, or use it to derive identity-graph profiles. When a Customer's end-user signs in via Facebook Login, Serviceform receives only the public-profile fields and email address scopes the Customer requests in their app configuration; we do not request friend lists, biographical or sensitive scopes by default. Customers connecting Meta accounts must have their own contractual relationship with Meta where required (notably WhatsApp Business).

Apple App Store and iOS disclosures

  • The data categories disclosed in our App Store Connect Privacy Nutrition Labels match the categories described in this Policy.
  • Our iOS app does not use the Identifier for Advertisers (IDFA) and does not perform cross-app or cross-website tracking; we do not present an App Tracking Transparency (ATT) prompt because no tracking takes place.
  • Our iOS app ships a Privacy Manifest file (PrivacyInfo.xcprivacy) consistent with this Policy, declaring data types collected, tracking domains (none) and the approved reasons for any Apple Required Reason API the app uses.
  • We comply with the Apple App Store Review Guidelines and the Apple Developer Program License Agreement, including §5.1 (Privacy) and §5.6 (Code of Conduct).
  • Where Customers' staff use "Sign in with Apple" (if enabled), Apple's hide-my-email relay choice is respected and the relay address is treated as the Customer-staff email of record.

Google Play and Android disclosures

  • The data types disclosed in our Google Play Console Data Safety form match the categories described in this Policy.
  • All data in transit is encrypted using TLS 1.2 or higher between the Android app and our servers (Google Play's "Data is encrypted in transit" declaration is therefore set to "Yes").
  • The Android app does not request sensitive permissions (SMS, Call Log, Accessibility, All Files Access, background location) without a documented, in-app declared use case displayed at runtime.
  • We comply with the Google Play Developer Program Policies and the Google Play Developer Distribution Agreement.

Account and data-deletion request mechanism

You may request deletion of your Serviceform account and the personal data associated with it at any time. This satisfies the deletion-request requirements of Google Play (in-policy deletion mandate, in force from May 2024) and Meta (Facebook Login User Data Deletion):

  • By email: write to asiakaspalvelu(at)serviceform.com with the subject "Delete my account" (or "Delete my data") from the email address registered to your account. We may need to verify your identity. We will action verified deletion requests within 30 days, except where retention is required by Finnish accounting law (Kirjanpitolaki 1336/1997), tax law, AML legislation or to defend legal claims, in which case we isolate the affected records and delete them at the end of the statutory retention period.
  • From a Meta-connected account (Facebook Login): if you signed up via Facebook Login and want us to remove the data Meta provided to us, send the email above. This produces the same effect as a Facebook "App removal" data-deletion callback.

Across all of these surfaces, our role under data-protection law follows the same controller / processor split described in Section 2: we are processor for the end-user data our Customers collect through these tools, and controller for our own administrative records (account, billing, support, security telemetry).

4. Information we collect

The categories of personal data we may process include:

  • Contact Details: real name, email, postal address, telephone, social-media username, title.
  • Financial Data: credit-card last four digits, credit-card expiry date, bank-account number, billing address, transaction reference, VAT number. Full card numbers are processed by Stripe and never stored on our systems.
  • Identifiers and Legal Documents: public health number, passport, proof of residence, right-to-work status, visa status, social-security or national-insurance number, driver's licence, national identification document, signature.
  • Personal Characteristics: sex, nationality, date of birth, gender, academic qualifications, age.
  • Location Data: approximate location derived from IP, tracking data (consent-based).
  • Communications Data: instant-messaging content, social-media posts, postal correspondence.
  • Views and Opinions: survey responses, testimonials, references, non-political/religious/philosophical opinions.
  • Work-related Data: employer, occupation, completed tasks, grievance or disciplinary details, CV.
  • Technical Identifiers: IP address, MAC address, usernames, hashed passwords, browser data, device identifiers, unique identifiers.
  • Activity and Behavioural Data: feature usage, page views, click events, audit-log records of administrative actions.
  • Aggregated Data: statistical or demographic data that does not identify you. If we combine aggregated data with personal data so that it can identify you, we treat the combined set as personal data.

We do not intentionally collect special categories of personal data (racial or ethnic origin, political opinions, religious beliefs, trade-union membership, genetic, biometric, health data, sex life, sexual orientation, or data concerning criminal offences). Please do not submit such data to us through our forms or chats.

When acting as a processor on behalf of a Customer, our handling of any special-category data follows the Customer's lawful instructions, the permissions or exemptions they have established and the conditions of Article 9 GDPR — typically Article 9(2)(a) (explicit consent), Article 9(2)(b) (employment, social-security or social-protection law) for staff data, or Article 9(2)(h) (preventive medicine, occupational medicine) for healthcare-vertical Customers. The Customer must identify the applicable Article 9 ground in our DPA before such data is processed. For staff and contractor data we additionally rely on the Finnish Act on the Protection of Privacy in Working Life (759/2004) and equivalent national laws.

6. How we process personal data of our Customers

Purpose | Data Categories | Legal Basis
Accounts Receivable | Contact Details, Financial Data | Contractual Obligations
Authenticating Users | Contact Details, Technical Identifiers | Contractual Obligations
B2B Email/Text Digital Marketing (existing customers) | Contact Details, Personal Characteristics, Views and Opinions | Soft opt-in under §200 of the Finnish Information Society Code (917/2014) for similar products + Art. 6(1)(f) GDPR. Opt-out provided in every message.
Customer Relationship Management (CRM) | Activity and Behavioural, Contact Details, Personal Characteristics | Legitimate Interest
Customer Support | Contact Details, Personal Characteristics, Views and Opinions, Communications Data | Legitimate Interest
Digitally Signing Documents | Contact Details, Technical Identifiers | Contractual Obligations
Error & Log Management | Technical Identifiers, Activity and Behavioural | Legitimate Interest
Fraud Prevention | Contact Details, Financial Data, Location Data, Technical Identifiers | Legitimate Interest / Legal Obligation
Hosting, Infrastructure, Integrations and File Storage | Contact Details, Personal Characteristics, Content uploaded to the platform | Contractual Obligations
Onboarding & Product Demos | Activity and Behavioural, Contact Details, Views and Opinions | Contractual Obligations / Legitimate Interest
Publishing apps to the Apple App Store | Activity and Behavioural, Technical Identifiers | Contractual Obligations
Publishing apps to the Google Play Store | Activity and Behavioural, Technical Identifiers | Contractual Obligations
Targeted Advertising (excluding Social Inbox Gmail Sync) | Activity and Behavioural, Contact Details, Location Data, Personal Characteristics | Consent (Art. 6(1)(a) GDPR) and §205 of the Finnish Information Society Code (917/2014). No legitimate-interest fallback — non-essential cookies and tracking on terminal devices require prior consent.
Transactional Emails (service notifications, receipts, security alerts) | Contact Details | Contractual Obligations / Legitimate Interest
Website and Web-app Analytics & Tracking | Activity and Behavioural, Technical Identifiers | Consent
AI features in our products (chat, summarisation, classification) | Content of conversations and prompts strictly limited to the configured use | Contractual Obligations (instructed by Customer)

When acting as a processor. When functioning as a processor, we undertake processing only on documented instructions from our Customers, who serve as the data controllers in this context. For additional insights regarding our data usage as a processor, you can request access to our Data Processing Agreement, or alternatively, refer to the Customer's privacy policy.

7. How we process personal data of our Customers' End-users

When acting as a processor. When functioning as a processor we undertake processing based on explicit directives from our Customers, who serve as the data controllers in this context. In this capacity there might be instances where we handle special-category data pertaining to a Customer's users. While it is infrequent for us to regularly process such specialised data, any such processing strictly adheres to the permissions and exemptions established by the Customer acting as data controller. End-users seeking to exercise rights should contact the Customer directly. For additional insights please refer to our DPA or the Customer's privacy policy.

8. How we process personal data of our Leads

Purpose | Data Categories | Legal Basis
B2B Email/Text Digital Marketing (prospective customers) | Contact Details, Personal Characteristics, Views and Opinions | Consent
Customer Relationship Management (CRM) | Activity and Behavioural, Contact Details, Personal Characteristics | Legitimate Interest
Hosting, Infrastructure, Integrations and File Storage | Contact Details, Personal Characteristics | Legitimate Interest
Onboarding & Product Demos | Activity and Behavioural, Contact Details, Views and Opinions | Legitimate Interest
Prospecting | Contact Details, Work-related Data | Legitimate Interest
Targeted Advertising (excluding Social Inbox Gmail Sync) | Activity and Behavioural, Contact Details, Location Data, Personal Characteristics | Consent (Art. 6(1)(a) GDPR) and §205 of the Finnish Information Society Code (917/2014). No legitimate-interest fallback — non-essential cookies and tracking on terminal devices require prior consent.
Website and Web-app Analytics & Tracking | Activity and Behavioural, Technical Identifiers | Consent

9. How we process personal data of our Newsletter Subscribers

Purpose | Data Categories | Legal Basis
Sending newsletters and product updates | Contact Details | Consent

10. How we process personal data of our Website Visitors

Purpose | Data Categories | Legal Basis
Tag Management | Activity and Behavioural, Technical Identifiers | Consent / Legitimate Interest
Targeted Advertising (excluding Social Inbox Gmail Sync) | Activity and Behavioural, Contact Details, Location Data, Personal Characteristics | Consent (Art. 6(1)(a) GDPR) and §205 of the Finnish Information Society Code (917/2014).
Website Hosting and Delivery | Contact Details, Technical Identifiers | Legitimate Interest
Website Tracking and Analytics | Activity and Behavioural, Technical Identifiers | Consent
Security, Abuse Prevention and Bot Mitigation | Technical Identifiers, IP address | Legitimate Interest

11. How we process personal data of our Contractors

Purpose | Data Categories | Legal Basis
Accounts Payable | Contact Details, Financial Data | Contractual Obligations
Digitally Signing Documents | Contact Details, Technical Identifiers | Contractual Obligations
Communication and Project Coordination | Contact Details, Communications Data | Contractual Obligations

12. How we process personal data of our Staff

Purpose | Data Categories | Legal Basis
Digitally Signing Documents | Contact Details, Technical Identifiers | Contractual Obligations
Hosting, Infrastructure, Integrations and File Storage | Contact Details, Financial Data, Identifiers and Legal Documents, Personal Characteristics, Work-related Data | Legitimate Interest / Contractual Obligations
Internal Communication | Communications Data, Contact Details | Legitimate Interest
Payroll – Finland | Contact Details, Financial Data, Identifiers and Legal Documents | Contractual Obligations / Legal Obligation
Payroll – Spain | Contact Details, Financial Data, Identifiers and Legal Documents | Contractual Obligations / Legal Obligation
Payroll – Sweden | Contact Details, Financial Data, Identifiers and Legal Documents | Contractual Obligations / Legal Obligation
Payroll – Sri Lanka | Contact Details, Financial Data, Identifiers and Legal Documents | Contractual Obligations / Legal Obligation
Social Media Management & Scheduling | Contact Details | Legitimate Interest
Recruitment and HR Records | Contact Details, Identifiers and Legal Documents, Work-related Data, Personal Characteristics | Pre-contract / Legitimate Interest / Consent where required

For staff based in Finland, processing is also governed by the Finnish Act on the Protection of Privacy in Working Life (Laki yksityisyyden suojasta työelämässä, 759/2004), which limits the collection of employee personal data to data directly necessary for the employment relationship. Equivalent national protections apply for staff based in Sweden, Spain and Sri Lanka.

13. How your personal data is collected

We collect personal data through:

  • Direct interactions. You give us Contact Details, Identifiers, Financial Data and other information by filling in forms or by corresponding with us by post, phone, email, via our website, our applications or otherwise. This includes personal data you provide when you apply for our products or services, create an account, subscribe to publications, request marketing, respond to a sales outreach, give us feedback or otherwise contact us.
  • Automated technologies or interactions. As you interact with our website and services we automatically collect Technical, Profile, Usage and Activity Data about your equipment, browsing actions and patterns through cookies, server logs, error reporting and similar technologies.
  • Third parties or publicly available sources. We may receive personal data about you from CRM enrichment providers, online recruitment platforms, professional networks (e.g. LinkedIn), business registries, identity providers (Google, Microsoft) where you sign in via single sign-on, and partners that you have authorised to share data with us.

Sources of third-party data (Article 14(2)(f) GDPR)

The table below identifies the categories of personal data we may receive from third-party sources:

Source | Categories obtained | Publicly accessible?
LinkedIn (public profiles, Sales Navigator) | Identity, contact, employment-history, professional data | Partly — public LinkedIn profiles are publicly accessible
Business registries (PRH, Bolagsverket, AEPD records, etc.) | Company contact details, business identifiers | Yes
B2B enrichment / lead-intelligence providers (Leadfeeder / Dealfront, Reply.io) | Identity, contact, work-related data, technical identifiers | Generally based on publicly available business data
Identity providers (Google, Microsoft, Facebook, Apple) when SSO is used | Name, email, profile photo, identity-provider user ID | No
Customer-authorised integrations (e.g. Customer's own CRM, ecommerce platform) | Categories defined by the integration and the Customer's configuration | No
Advertising and analytics platforms (Meta, Google, LinkedIn, X) | Aggregated and pseudonymised audience data; conversion events (consent-based) | No

Where we obtain personal data about you from a source other than yourself, we provide this notice within one month of obtaining the data, or at the latest at the time of the first communication with you, in line with Article 14(3) GDPR. You have the right to object to processing on the basis of our legitimate interests, including the processing of enrichment data.

14. Third parties and sub-processors

We share personal data only when necessary and only with recipients bound by appropriate confidentiality and data-protection obligations. Our sub-processor model is structured in two parts:

  • Part A — what we provide to our Customers. Sub-processors that may process Customer Data on our Customers' behalf. Within Part A, only one sub-processor is engaged for every Customer (the "core" row, Google Cloud Finland). All other Part A sub-processors are optional — engaged only when the Customer enables a feature, integration or configuration choice that requires them. Customers may request a configuration that excludes any optional sub-processor.
  • Part B — what Serviceform uses for its own operations. Service providers Serviceform engages for its own business — billing, accounting, payroll, sales, marketing, internal productivity. These do not process Customer end-user data; where they process personal data of our website visitors, prospects, employees or vendor contacts, Serviceform Oy is the controller.

The full structured list — with each sub-processor's activation trigger and data residency — is maintained at serviceform.com/subprocessors and is updated with at least 30 days' notice for material additions. All sub-processors handling personal data implement encryption in transit (TLS 1.2+) and encryption at rest for primary stores. We do not sell personal data, and we do not share personal data for cross-context behavioural advertising as those terms are defined under the California Consumer Privacy Act.

Customer-authorised integration destinations

Our Customers can configure Serviceform to forward data to third-party systems they operate, such as their own CRM, marketing automation platform, ecommerce platform, ticketing tool, shipping provider or analytics environment. When a Customer connects such an integration, data flows from Serviceform to that destination using credentials the Customer supplies, and the receiving system becomes a separate controller (or the Customer's own processor) under its own privacy policy. Common destinations include — without limitation — HubSpot, Salesforce, Microsoft Dynamics 365, Pipedrive, Klaviyo, Mailchimp, Brevo, ActiveCampaign, LianaMailer, Linear, Shopify, WooCommerce / WordPress, Shipit, DHL, Matkahuolto, WhatsApp Business and Meta / Google ad platforms. We are not responsible for the privacy practices of those destinations beyond the act of transmission instructed by the Customer.

Shopify Protected Customer Data and compliance webhooks

The Serviceform Shopify app is registered with Shopify's Protected Customer Data programme and processes Level 1 protected customer data (name, email, address) only as needed to provide the merchant with the features they have enabled. We honour Shopify's mandatory privacy compliance webhooks within the required timeframes: customers/data_request (we surface to the merchant any data we hold that relates to the customer), customers/redact (we delete identified customer data within 30 days of a request) and shop/redact (we delete merchant configuration, sessions and any retained data when issued, 48 hours after uninstall).

15. International transfers and EU data residency

EU data residency commitment for European Customers

For Customers based in the European Economic Area, the United Kingdom or Switzerland, we operate the Serviceform platform on the principle that your data should stay in Europe. By default, the only sub-processor engaged in processing Customer Data is Google Cloud / Firebase hosted in Hamina, Finland (Cloud Run with our managed Postgres database, Firestore, Firebase Realtime Database, Firebase Authentication and Cloud Storage), which means EU Customers' primary platform data — chat conversations, contacts, leads, CDP records, tenant configuration and authentication credentials — is stored and processed inside Finland.

Additional EU-hosted sub-processors are engaged only when the Customer enables a feature or configuration that requires them — for example, Elastic Cloud (Finland / Germany) for search and analytics features, ClickHouse Cloud (EEA) and Google BigQuery (EU multi-region) for analytics features, and Typesense (EEA) for search indexing. These remain inside the EEA.

Data may leave Europe only when (i) the Customer enables an optional feature or integration whose provider operates outside the EEA — for example AI inference (OpenAI Ireland Ltd contracting, US compute), Twilio for voice / SMS, Meta-platform messaging, or Zapier-based forwarding; or (ii) the Customer instructs forwarding to an integration destination they own outside Europe. The full mapping of which sub-processor is engaged when, and where each is located, is at /subprocessors.

Transfer safeguards

Whenever we transfer personal data out of the EEA, the United Kingdom or Switzerland we ensure a similar degree of protection by implementing at least one of the following safeguards:

  • The country to which personal data is being transferred has been deemed by the European Commission, the UK ICO or another competent authority to provide an adequate level of protection — for example the United Kingdom (under the EU–UK Adequacy Decision) and Japan, Switzerland, the Republic of Korea and others.
  • We use appropriate transfer mechanisms such as the European Commission's Standard Contractual Clauses (Decision 2021/914), the UK International Data Transfer Agreement or UK Addendum, supplemented by technical and organisational measures (encryption, pseudonymisation, strict access controls).
  • We rely on the EU–US Data Privacy Framework where the recipient is certified.
  • For transfers to third countries without an adequacy decision — most notably to our Sri Lanka subsidiary and to certain US subprocessors — we conduct documented Transfer Impact Assessments before the transfer takes place and apply additional safeguards where the assessment indicates they are needed.

Copies of the safeguards we rely on are available on request from [email protected].

16. Data security

We have put in place appropriate security measures to prevent your personal data from being accidentally lost, used or accessed in an unauthorised way, altered or disclosed. We limit access to your personal data to those employees, agents, contractors and other third parties who have a business need to know; they will only process it on our instructions and they are subject to a duty of confidentiality.

Our information-security programme is aligned with ISO/IEC 27001 principles and includes:

  • TLS 1.2+ encryption in transit and AES-256 encryption at rest for primary data stores.
  • Role-based access control with least-privilege defaults; multi-factor authentication for administrators.
  • Network segmentation, web application firewall, DDoS protection.
  • Continuous logging, monitoring and intrusion detection.
  • Secure software development lifecycle, dependency scanning and periodic penetration testing.
  • Vendor risk assessments and contractual data-protection terms.
  • Incident-response procedures meeting GDPR Articles 33–34, including notification to the Office of the Data Protection Ombudsman of Finland within 72 hours where required, and notification to affected individuals where there is a high risk to their rights and freedoms. When acting as processor on behalf of a Customer, we notify the affected Customer (controller) without undue delay and in any event within 48 hours of becoming aware, in line with Article 33(2) GDPR and our DPA.
  • Confidentiality obligations and security training for personnel.

Where you have chosen a password that enables you to access certain parts of our applications, you are responsible for keeping that password confidential. Please do not share your password with anyone. If you believe your account has been compromised, contact security(at)serviceform.com immediately. No service can be guaranteed to be 100% secure.

Trust documentation. Our DPA, list of subprocessors, security overview, Transfer Impact Assessment summaries and breach-notification procedure are available to Customers on request. Please write to [email protected] with the name of your organisation and the document you would like to receive.

17. Data retention

We retain personal data only for as long as reasonably necessary to fulfil the purposes for which we collected it, including any legal, regulatory, tax, accounting or reporting requirements. We may retain your personal data for a longer period in the event of a complaint or where we reasonably believe there is a prospect of litigation. Where Serviceform acts as a data processor, retention periods are set by the Customer (data controller) in line with their policies and regulatory requirements.

Category | Retention
Lead and live-chat data (processed for Customers) | 2 years from creation (configurable shorter on Customer request); deleted automatically thereafter
Customer account and billing records | Duration of contract + 6 years (Finnish Accounting Act, Kirjanpitolaki 1336/1997)
Personal data after termination of the Service Agreement | Returned or deleted at the Customer's discretion; default retention is 6 months unless otherwise agreed
Anonymised statistical data | Retained for the duration defined by the Customer; no longer associable with any identifiable data subject
Marketing prospect data | Until you unsubscribe or 24 months of inactivity, whichever is sooner
Cookies and online identifiers | Per cookie; max 13 months for analytics cookies
Support tickets and correspondence | 3 years from closure
Recruitment data (unsuccessful applicants) | 12 months from decision (longer with consent)
Employee records | Duration of employment + 10 years (statutory periods under Finnish, Spanish, Swedish and Sri Lankan labour and tax law)
System logs and security telemetry | 12 months
Backups | Up to 35 days, then overwritten

After the retention period we delete or irreversibly anonymise the data unless we are legally required to retain it longer.

18. Automated decision-making and AI

Some of Serviceform's products are AI-powered. We use machine learning and large language models to power chatbots, classify intents, route requests and generate responses. Despite this, we do not use your personal data to make decisions producing legal or similarly significant effects on you without human involvement (Article 22 GDPR), nor do we engage in profiling that produces such effects.

AI features are opt-in per Customer

AI features (e.g. an AI bot answering customer inquiries on a website or via WhatsApp) are only enabled for Customers who specifically contract them. Customers who have not subscribed to AI features have no end-user data forwarded to any AI provider.

Automatic PII redaction before AI processing

When a Customer enables AI services, our system automatically removes personal data from end-user input before forwarding it to OpenAI Ireland Ltd or Google AI / Gemini for inference. Categories of data redacted by default include:

  • Names (first and last)
  • Email addresses
  • Phone numbers
  • Postal addresses
  • Birth dates
  • IPv4 / IPv6 addresses
  • Customer IDs and order numbers
  • Social-security and national-insurance numbers
  • Credit-card numbers
  • Bank-account numbers
  • Medical information
  • Geolocation (lat/long) data

This redaction process is regularly reviewed and pattern-matching is continuously updated as new data types and privacy regulations emerge. Customers may request additional redaction categories. The result is that even though an AI provider participates in answering the end-user's question, the underlying model never receives identifiable personal data.

No training on your data

We do not use Customer end-user conversations to train Serviceform models, and we contractually require our AI providers to do the same on the API plans we use:

  • OpenAI. The contracting entity for our EEA processing is OpenAI Ireland Ltd, which acts as our data processor under a signed Data Processing Addendum dated 11 November 2024 incorporating Module 2 and Module 3 of the EU Standard Contractual Clauses and the UK Addendum. OpenAI does not use API request or response data to train or improve its models, retains API Customer Data for a maximum of 30 days for abuse-monitoring before deletion, and notifies us at least 15 days in advance of any changes to its sub-processor list (which we then relay to our Customers).
  • Google (Gemini API / Vertex AI). Operates under enterprise API terms that bar the use of Customer Data for model training, with regional EEA processing where available.

When you use a Serviceform-powered chatbot or AI assistant on a Customer's website, the Customer determines the configuration of that AI feature; we provide the underlying technology as a processor under our DPA.

19. Your legal rights

You have the right to:

  • Request access (a "data subject access request") to receive a copy of the personal data we hold about you and check that we are lawfully processing it.
  • Request correction of incomplete or inaccurate data we hold about you. We may need to verify the accuracy of the new data you provide.
  • Request erasure of your personal data where there is no good reason for us to continue to process it. We may not always be able to comply for specific legal reasons, which we will explain at the time of your request.
  • Object to processing based on our legitimate interests where something about your particular situation makes you want to object on this ground. You also have the right to object at any time to processing for direct marketing, which we will always honour.
  • Request restriction of processing where you contest accuracy, where our use is unlawful but you do not want erasure, where you need us to keep the data to establish, exercise or defend legal claims, or while we verify whether overriding legitimate grounds apply.
  • Request data portability — receive certain data in a structured, commonly used, machine-readable format and have it transmitted to another controller. This applies only to information you initially provided consent for us to use or where we used the information to perform a contract with you.
  • Withdraw consent at any time where we are relying on consent. Withdrawal does not affect the lawfulness of processing carried out before withdrawal.
  • Not be subject to solely automated decisions producing legal or similarly significant effects.
  • Lodge a complaint with a supervisory authority (see below).

You will not have to pay a fee to access your personal data or to exercise any of the other rights. We may charge a reasonable fee, or refuse to comply, if your request is clearly unfounded, repetitive or excessive. We may need to request specific information from you to confirm your identity.

Our service-level commitment. We respond to every legitimate data-subject request within 30 days as required by Article 12(3) GDPR, and most requests are answered within five business days. The 30-day clock can be extended by up to two further months for genuinely complex requests, in which case we will tell you within the first month why and keep you updated.

Supervisory authorities

Our lead supervisory authority is the Office of the Data Protection Ombudsman of Finland (Tietosuojavaltuutetun toimisto), Lintulahdenkuja 4, 00530 Helsinki, tietosuoja.fi. You may also lodge a complaint with the authority where you live or where the alleged breach occurred — for example AEPD (Spain), IMY (Sweden), CNPD (Portugal), Garante (Italy) or the ICO (United Kingdom, ico.org.uk).

Sri Lanka residents

Under the Sri Lanka Personal Data Protection Act No. 9 of 2022 you have analogous rights of access, rectification, erasure, withdrawal of consent, objection to processing for direct marketing, and review of decisions made solely by automated means. You may lodge a complaint with the Data Protection Authority of Sri Lanka.

Notice for California residents (CCPA / CPRA)

The following Notice at Collection is provided in addition to the rights described above to comply with the California Consumer Privacy Act, as amended by the California Privacy Rights Act (collectively "CCPA").

Categories of personal information we collect (CCPA §1798.140 categories): identifiers (name, email, IP, device identifiers); commercial information (purchase history, billing); internet or other electronic network activity (browsing, interactions with our tools); geolocation (approximate, derived from IP); audio, electronic, visual or similar information (when Customers connect voice or chat features); professional or employment-related information (for B2B leads and Customer staff); inferences (segments derived from interactions). For staff and applicants only: Sensitive PI (Cal. Civ. Code §1798.140(ae)) — government identifiers, account login credentials, precise geolocation only where strictly necessary, contents of mail/email/text messages, and limited categories of health information may be processed where the Customer has instructed it as controller and a lawful basis exists.

Sources of personal information: directly from you (forms, chats, account creation); automatically (cookies, server logs); from your employer or organisation (when you are added to a Customer's tenant); from third parties (LinkedIn, business registries, enrichment providers, identity providers, advertising platforms, your connected integrations).

Business or commercial purposes: providing and securing the Services; fulfilling our contract with you; customer support; quality assurance; preventing fraud and abuse; analytics; advertising and remarketing (consent-based); legal compliance and defence of claims.

Categories disclosed for a business purpose, in the past 12 months: identifiers, commercial information, internet activity, geolocation, professional information — disclosed only to the sub-processors listed at /subprocessors, each bound by data-protection terms.

We do not "sell" personal information and we do not "share" personal information for cross-context behavioural advertising as those terms are defined under the CCPA. We have not sold or shared personal information of consumers (including minors under 16) in the past 12 months.

Retention of each category: in line with the retention table in Section 17. We retain each category for the period reasonably necessary to fulfil the disclosed purpose, plus any statutory retention period.

Your CCPA rights: right to know, access, correct, delete, port, opt out of sale/sharing, limit use of sensitive PI, opt out of certain profiling, and not to be discriminated against for exercising your rights. Authorised agents may submit requests on your behalf with proof of authority (signed permission, power of attorney) and verification of your identity.

How to exercise your CCPA rights: email asiakaspalvelu(at)serviceform.com with the subject "California privacy request" or write to our registered office. We honour Global Privacy Control (GPC) browser signals as a valid request to opt out of sale and sharing where applicable. We will respond within 45 days, extendable by an additional 45 days for complex requests.

Shine the Light (Cal. Civ. Code §1798.83): California residents may request information about our disclosures of personal information to third parties for their direct-marketing purposes. We do not currently make such disclosures, but will respond to a written Shine the Light request sent to the address above.

Other US states

Residents of states with comprehensive privacy laws — including Virginia (VCDPA), Colorado (CPA), Connecticut (CTDPA), Utah (UCPA), Oregon (OCPA), Texas (TDPSA), Delaware (DPDPA), Montana (MTCDPA), New Hampshire (NHPA), New Jersey (NJDPA), Iowa (IADPA), Maryland (MDPA) — and the Washington My Health My Data Act and Florida Digital Bill of Rights where applicable, have analogous rights to access, correct, delete, port and opt out of sale, targeted advertising and profiling. To exercise these rights, use the email address above; we honour GPC signals where applicable and respond within the timeframe required by the relevant state law.

Other jurisdictions

For residents of jurisdictions not listed above — including Canada (PIPEDA and the Quebec Act respecting the protection of personal information in the private sector / Law 25), Brazil (LGPD), Australia (Privacy Act), India (DPDP Act 2023), Japan (APPI), South Korea (PIPA) and Switzerland (revFADP) — we honour the substantive rights of access, rectification, deletion, withdrawal of consent, objection to direct marketing and complaint to the local authority on the same email channel. A Quebec Person in Charge of Personal Information can be reached at the same email; for now this role is held by our Privacy Lead, Jarkko Oksanen.

To exercise any right, email asiakaspalvelu(at)serviceform.com or write to our registered office.

20. Children

Our website and services are not directed to children under 16, the digital-consent age set in §5 of the Finnish Data Protection Act (Tietosuojalaki 1050/2018), and we do not knowingly collect personal data from children. Where a Customer deploys our products in a context where users under 16 may interact with them (for example, a chatbot embedded on a youth-services website), the Customer remains the controller and is responsible for obtaining verifiable parental consent under Article 8 GDPR. On request, Serviceform offers a minor-blocking configuration that flags input that appears to originate from a minor and immediately deletes it without forwarding to AI providers or storing it as a lead. Contact the privacy email above to enable it.

For US Customers subject to the Children's Online Privacy Protection Act (COPPA), parental notice and verifiable consent obligations sit with the Customer-controller; Serviceform supports Customers in meeting them.

If you believe a child has provided us with personal data, please contact asiakaspalvelu(at)serviceform.com and we will delete it.

22. Changes to this policy

We may update this Privacy Policy from time to time. Material changes will be communicated by email — where we have your address and the change affects you — or by a prominent notice on our website at least 30 days before the change takes effect. The "Last updated" date at the top reflects the latest revision.

Version history

Date | What changed
27 April 2026 | Full rewrite. Replaced hosted iframe with inline policy. Added Y-tunnus, group structure with wholly-owned subsidiaries, Finnish-law citations (Tietosuojalaki, ECS Act §200/§205, Kirjanpitolaki, Working Life Act). Added Mira platform, WP/WooCommerce plugin, Shopify app, Social Inbox / Gmail-Outlook sync (Google Limited Use), Meta Platform Limited Use, Apple App Store and iOS disclosures, Google Play and Android disclosures, account-deletion mechanism. Restructured sub-processors into core / optional / internal. Added California (CCPA / CPRA) Notice at Collection, other US-state rights, Sri Lanka PDPA, Quebec Law 25 representative, PIPEDA / LGPD / DPDPA / APPI / revFADP. Added Article 13(2)(e) statutory/contractual disclosure, Article 14(2)(f) source mapping, Article 9 grounds, 48-hour processor breach SLA, version log.
Earlier | Prior versions were maintained via Privasee at app.privasee.io (now retired). Available on request from the privacy email above.

23. Contact us

24. Cookies

Our use of cookies and similar technologies, the four cookie categories we operate (strictly necessary, functionality, analytical and targeting), the specific third-party cookies in use, and the controls available to you are set out in our Cookie Notice. You can change or withdraw your consent at any time using the "Cookie settings" control in our footer (powered by Usercentrics).