Suunta.ai Privacy Policy
Effective Date: January 27, 2025 · Version: 1.0
Introduction
Y4 Works Oy (“Suunta.ai”, “we”, “us”, “our”) provides the Suunta.ai platform, an AI-assisted strategic planning service designed for businesses. This Privacy Policy explains how we collect, use, disclose, and protect your personal data when you use our services.
Suunta.ai is a business-to-business (B2B) service. This Privacy Policy applies to representatives of our business customers and their authorized users.
Controller: Y4 Works Oy, Business ID: 2978296-6, Finland
Email: privacy@suunta.ai
1. Information We Collect
1.1 Information You Provide
Account Information
| Data | Required | Purpose |
|---|---|---|
| Email address | Yes | Account login, communication |
| First and last name | No | Personalization |
| Phone number | No | Optional contact |
| Password | Yes* | Authentication |
| Profile picture | No | Personalization |
| Language setting | Yes (default: Finnish) | Localization |
| Time zone | Yes (default: Europe/Helsinki) | Time display |
| Additional profile information | No | Personalization |
SSO users authenticate via Google or Microsoft and do not have a Suunta.ai password.
Organization Information
| Data | Required | Purpose |
|---|---|---|
| Organization name | Yes | Account identification |
| Country | Yes (default: Finland) | Localization, compliance |
| City | No | Localization |
| Industry | No | Service customization |
| Organization size | No | Service customization |
| Website | No | Organization profile |
| Logo | No | Branding |
| Organization profile details | No | Service customization |
Business Information
Strategy documents and plans
OKRs (Objectives and Key Results)
KPIs (Key Performance Indicators) and metrics
Projects and tasks
Documents for AI analysis (RAG sources)
Conversations with our AI assistant
Other business information you provide
This business information is processed to provide our services to you.
1.2 Information Collected Automatically
Technical Data
| Data | Purpose | Retention |
|---|---|---|
| IP address | Security, fraud prevention | Replaced upon new login |
| User agent (browser/device) | Security, session management | Session duration |
| Login timestamps | Security auditing | Replaced upon new login |
| Session data | Authentication status | 14–30 days |
| Failed login attempts | Brute-force protection | Reset upon successful login |
Usage Data
| Data | Purpose | Retention |
|---|---|---|
| AI feature usage (tokens, model, latency) | Billing, analytics | 365 days |
| Activity logs (actions performed) | Audit trail | 12–36 months |
Important: We do not store your AI prompts or AI-generated responses. Only metadata related to AI usage (such as token counts and response times) is logged.
1.3 Information from Third Parties
Single Sign-On (SSO)
If you log in via Google or Microsoft, we receive your name, email address, and profile picture from the SSO provider.
Payment Information
We use Stripe for payment processing. Stripe collects and processes your payment card information directly. We only receive your Stripe customer ID and subscription status — never your card details.
Integrations
If you connect third-party services (e.g., Slack, Google Workspace), we receive the data required for the integration as configured by you.
2. How We Use Your Data
| Purpose | Legal Basis (GDPR) |
|---|---|
| Providing services (account management, AI features, data storage) | Contract performance (Art. 6(1)(b)) |
| Payment processing and subscription management | Contract performance |
| Sending transactional emails (OTP codes, notifications) | Contract performance |
| Ensuring security and fraud prevention | Legitimate interest (Art. 6(1)(f)) |
| Maintaining audit logs for compliance | Legitimate interest / Legal obligation |
| Service improvement (aggregated analytics) | Legitimate interest |
| Responding to support requests | Contract performance |
| Compliance with legal obligations | Legal obligation (Art. 6(1)(c)) |
We do not:
Sell your personal data
Use your data for advertising
Share your data with data brokers
Use your business data to train AI models (without explicit consent)
3. AI Data Processing
3.1 How AI Features Work
Your prompts and context are sent to our AI service providers (Anthropic, OpenAI, Google, Mistral)
The AI provider processes your request and returns a response
We display the response to you
We log only metadata (tokens used, processing time, cost)
3.2 What We Store
| Stored | Not Stored |
|---|---|
| Conversation history (for continuity) | Raw AI prompts sent to providers |
| AI usage metadata (tokens, latency, cost) | AI provider responses |
| Document embeddings (for search) | Original document text after indexing |
3.3 AI Service Provider Processing
OpenAI: store=False flag disables retention
Anthropic: Standard API with no training on inputs
Google Vertex AI: EU region when available
Mistral: EU-based provider
We do not allow our AI providers to use your data for model training.
3.4 RAG (Document Analysis)
Text is extracted from your document
Text is converted into vector embeddings
Original text is deleted within 24 hours
Embeddings and text snippets are stored for search functionality
Deleting a source removes all related data
4. Data Sharing
4.1 Service Providers (Subprocessors)
| Provider | Purpose | Location |
|---|---|---|
| AWS | Infrastructure hosting | EU (Stockholm) |
| Anthropic | AI processing | USA |
| OpenAI | AI processing | USA |
|  | AI processing | EU/USA |
| Mistral | AI processing | EU (France) |
| Stripe | Payment processing | USA/EU |
| Resend | Email delivery | EU |
Full list available at: https://suunta.ai/legal/subprocessors
4.2 Customer-Initiated Integrations
Slack: Messages, notifications as configured
Google Workspace: Calendar events, spreadsheet data as configured
Zapier/Make: Webhook data as configured
You control which integrations are enabled and what data is shared.
4.3 Legal Requirements
We may share data:
To comply with applicable law or legal process
To respond to lawful authority requests
To protect our rights, privacy, safety, or property
In connection with a merger, acquisition, or sale of business
4.4 With Your Consent
We may share data with third parties when you have provided explicit consent.
5. International Transfers
5.1 Where We Process Data
Primary processing occurs in the EU (AWS Stockholm, eu-north-1). AI processing may occur in the USA via AI providers.
5.2 Transfer Safeguards
For transfers outside the EEA, we rely on:
European Commission Standard Contractual Clauses (SCCs)
Supplementary measures including encryption and access controls
Provider certifications (e.g., SOC 2, ISO 27001)
6. Data Retention
6.1 Retention Periods
| Data Type | Retention |
|---|---|
| Active user accounts | Duration of use |
| Deleted user accounts | Immediately anonymized |
| Organization data | Until deletion + 90 days (backups) |
| AI usage metadata | 365 days |
| Audit logs (standard) | 24 months |
| Audit logs (critical) | 36 months |
| Billing data | 6 years (Finnish law) |
| Backups | 30 days |
6.2 Account Deletion
Personal data is anonymized
Email is replaced with a placeholder
Organization membership is removed
Sessions are revoked
Audit logs are retained (with anonymized actor ID)
6.3 Organization Deletion
30-day grace period (reversible)
All organization data permanently deleted
User accounts remain but lose organization access
Immutable compliance audit log entry created
7. Your Rights
Under GDPR, you have the following rights, which you may exercise via Settings or by contacting privacy@suunta.ai:
Right of access (Art. 15): Settings → Export Data
Right to rectification (Art. 16): Settings → Profile
Right to erasure (Art. 17): Settings → Delete Account / Delete Organization
Right to restriction (Art. 18): Email privacy@suunta.ai
Right to data portability (Art. 20): Settings → Export Data
Right to object (Art. 21): Email privacy@suunta.ai
Right to withdraw consent: Settings → Marketing Preferences
You also have the right to lodge a complaint with the supervisory authority in Finland:
Office of the Data Protection Ombudsman
Lintulahdenkuja 4, 00530 Helsinki
tietosuoja@om.fi
+358 29 566 6700
8. Cookies and Similar Technologies
8.1 Cookies We Use
| Cookie | Type | Purpose | Duration |
|---|---|---|---|
| session | Essential | Authentication | 14–30 days |
8.2 We Do Not Use
Google Analytics
Facebook Pixel
Marketing cookies
Third-party tracking cookies
8.3 Local Storage
| Key | Purpose |
|---|---|
| sidebarCollapsed | UI preference |
| theme | Display theme |
| userTimezone | Time display |
8.4 Third-Party Scripts
Stripe (js.stripe.com): Payment processing
Google Fonts: Typography
Font Awesome: Icons
These services may set their own cookies. Please refer to their respective privacy policies.
9. Security
9.1 Technical Measures
Encryption: TLS 1.2+ in transit, AES-256 at rest
Password security: PBKDF2-SHA256 hashing
Session security: HttpOnly, Secure, SameSite cookies
Access control: Role-based, organization-isolated
9.2 Organizational Measures
Staff confidentiality obligations
Security training
Incident response procedures
Regular security assessments
9.3 Your Responsibilities
Keep your password secure
Use a strong, unique password
Report suspicious activity immediately
Log out on shared devices
10. Children’s Privacy
Suunta.ai is a business service intended for professionals. It is not directed to individuals under 18. We do not knowingly collect personal data from children.
11. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of material changes via email at least 30 days before they take effect and prominently on our website. Continued use of the services after changes constitutes acceptance.
12. Contact
For privacy-related questions or to exercise your rights:
Y4 Works Oy (Suunta.ai)
Email: privacy@suunta.ai
For general inquiries: team@suunta.ai
13. Additional Information for EEA Users
13.1 Legal Basis Summary
| Processing Activity | Legal Basis |
|---|---|
| Account management | Contract |
| Service delivery | Contract |
| Payment processing | Contract |
| Transactional emails | Contract |
| Security measures | Legitimate interest |
| Audit logging | Legitimate interest / Legal obligation |
| Marketing (if consent given) | Consent |
13.2 Data Protection Officer
As a small company, we have not appointed a formal Data Protection Officer. For data protection inquiries, contact: privacy@suunta.ai.
13.3 Automated Decision-Making
We do not make automated decisions that produce legal effects or similarly significant impacts on you. AI features provide recommendations and analysis, but final decisions are made by you.