Effective Date · April 22, 2026 · Version 1.0
Introduction
Y4 Works Oy ("Suunta.ai", "we", "us", "our") provides the Suunta.ai platform, an AI-assisted strategic planning service designed for businesses. This Privacy Policy explains how we collect, use, disclose, and protect your personal data when you use our services.
Suunta.ai is a business-to-business (B2B) service. This Privacy Policy applies to representatives of our business customers and their authorized users.
Controller: Y4 Works Oy, Business ID: 2978296-6, Finland
Email: privacy@suunta.ai
1. Information We Collect
1.1 Information You Provide
Account Information
| Data | Required | Purpose |
|---|---|---|
| Email address | Yes | Account login, communication |
| First and last name | No | Personalization |
| Phone number | No | Optional contact |
| Password | Yes* | Authentication |
| Profile picture | No | Personalization |
| Language setting | Yes (default: Finnish) | Localization |
| Time zone | Yes (default: Europe/Helsinki) | Time display |
| Additional profile information | No | Personalization |
*SSO users authenticate via Google or Microsoft and do not have a Suunta.ai password.
Organization Information
| Data | Required | Purpose |
|---|---|---|
| Organization name | Yes | Account identification |
| Country | Yes (default: Finland) | Localization, compliance |
| City | No | Localization |
| Industry | No | Service customization |
| Organization size | No | Service customization |
| Website | No | Organization profile |
| Logo | No | Branding |
| Organization profile details | No | Service customization |
Business Information
- Strategy documents and plans
- OKRs (Objectives and Key Results)
- KPIs (Key Performance Indicators) and metrics
- Projects and tasks
- Documents for AI analysis (RAG sources)
- Conversations with our AI assistant
- Other business information you provide
This business information is processed to provide our services to you.
1.2 Information Collected Automatically
Technical Data
| Data | Purpose | Retention |
|---|---|---|
| IP address | Security, fraud prevention | Replaced upon new login |
| User agent (browser/device) | Security, session management | Session duration |
| Last login timestamp | Security auditing | Overwritten at next login |
| Session data | Authentication status | 14–30 days |
| Failed login attempts | Brute-force protection | Reset upon successful login |
Usage Data
| Data | Purpose | Retention |
|---|---|---|
| AI feature usage (tokens, model, latency) | Billing, analytics | 365 days |
| Activity logs (actions performed) | Audit trail | 12–36 months |
Important: We do not log the raw prompts sent to our AI providers or the raw responses they return. Only metadata related to AI usage (such as token counts and response times) is logged. Conversation history shown in the product is stored as business information (see Sections 1.1 and 3.2), not as a log of provider traffic.
1.3 Information from Third Parties
Single Sign-On (SSO)
If you log in via Google or Microsoft, we receive your name, email address, and profile picture from the SSO provider.
Payment Information
We use Stripe for payment processing. Stripe collects and processes your payment card information directly. We only receive your Stripe customer ID and subscription status — never your card details.
Integrations
If you connect third-party services (e.g., Slack, Google Workspace), we receive the data required for the integration as configured by you.
2. How We Use Your Data
| Purpose | Legal Basis (GDPR) |
|---|---|
| Providing services (account management, AI features, data storage) | Contract performance (Art. 6(1)(b)) |
| Payment processing and subscription management | Contract performance |
| Sending transactional emails (OTP codes, notifications) | Contract performance |
| Ensuring security and fraud prevention | Legitimate interest (Art. 6(1)(f)) |
| Maintaining audit logs for compliance | Legitimate interest / Legal obligation |
| Service improvement (aggregated analytics) | Legitimate interest |
| Responding to support requests | Contract performance |
| Compliance with legal obligations | Legal obligation (Art. 6(1)(c)) |
We do not:
- Sell your personal data
- Use your data for advertising
- Share your data with data brokers
- Use your business data to train AI models (without explicit consent)
3. AI Data Processing
3.1 How AI Features Work
- Your prompts and context are sent to our AI service providers (Anthropic, OpenAI, Google, Mistral)
- The AI provider processes your request and returns a response
- We display the response to you
- We log only metadata (tokens used, processing time, cost)
3.2 What We Store
| Stored | Not Stored |
|---|---|
| Conversation history (for continuity) | Raw prompt payloads sent to providers (not logged) |
| AI usage metadata (tokens, latency, cost) | Raw provider API responses (not logged) |
| Document embeddings and text snippets (for search) | Full original document text after indexing |
3.3 AI Service Provider Processing
- OpenAI: requests are sent with the store=False parameter, so prompts and responses are not retained by OpenAI for later retrieval
- Anthropic: Standard API with no training on inputs
- Google Vertex AI: EU region when available
- Mistral: EU-based provider
We do not allow our AI providers to use your data for model training.
3.4 RAG (Document Analysis)
- Text is extracted from your document
- Text is converted into vector embeddings
- Original text is deleted within 24 hours
- Embeddings and text snippets are stored for search functionality
- Deleting a source removes all related data
4. Data Sharing
4.1 Service Providers (Subprocessors)
| Provider | Purpose | Location |
|---|---|---|
| AWS | Infrastructure hosting | EU (Stockholm) |
| Anthropic | AI processing | USA |
| OpenAI | AI processing | USA |
| Google (Vertex AI) | AI processing | EU/USA |
| Mistral | AI processing | EU (France) |
| Stripe | Payment processing | USA/EU |
| Resend | Email delivery | EU |
Full list available at: https://suunta.ai/legal/subprocessors
4.2 Customer-Initiated Integrations
- Slack: Messages, notifications as configured
- Google Workspace: Calendar events, spreadsheet data as configured
- Zapier/Make: Webhook data as configured
You control which integrations are enabled and what data is shared.
4.3 Legal Requirements
We may share data:
- To comply with applicable law or legal process
- To respond to lawful authority requests
- To protect our rights, privacy, safety, or property
- In connection with a merger, acquisition, or sale of business
4.4 With Your Consent
We may share data with third parties when you have provided explicit consent.
5. International Transfers
5.1 Where We Process Data
Primary processing occurs in the EU (AWS Stockholm, eu-north-1). AI processing may occur in the USA via AI providers.
5.2 Transfer Safeguards
For transfers outside the EEA, we rely on:
- European Commission Standard Contractual Clauses (SCCs)
- Supplementary measures including encryption and access controls
- Provider certifications (e.g., SOC 2, ISO 27001)
6. Data Retention
6.1 Retention Periods
| Data Type | Retention |
|---|---|
| Active user accounts | Duration of use |
| Deleted user accounts | Immediately anonymized |
| Organization data | Until deletion + 90 days (backups) |
| AI usage metadata | 365 days |
| Audit logs (standard) | 24 months |
| Audit logs (critical) | 36 months |
| Billing data | 6 years (Finnish law) |
| Backups | 30 days |
6.2 Account Deletion
- Personal data is anonymized
- Email is replaced with a placeholder
- Organization membership is removed
- Sessions are revoked
- Audit logs are retained (with anonymized actor ID)
6.3 Organization Deletion
- 30-day grace period (reversible)
- All organization data permanently deleted
- User accounts remain but lose organization access
- Immutable compliance audit log entry created
7. Your Rights
Under GDPR, you have the following rights, which you may exercise via Settings or by contacting privacy@suunta.ai:
- Right of access (Art. 15): Settings → Export Data
- Right to rectification (Art. 16): Settings → Profile
- Right to erasure (Art. 17): Settings → Delete Account / Delete Organization
- Right to restriction (Art. 18): Email privacy@suunta.ai
- Right to data portability (Art. 20): Settings → Export Data
- Right to object (Art. 21): Email privacy@suunta.ai
- Right to withdraw consent: Settings → Marketing Preferences
You also have the right to lodge a complaint with the supervisory authority in Finland:
Office of the Data Protection Ombudsman
Lintulahdenkuja 4, 00530 Helsinki
tietosuoja@om.fi
+358 29 566 6700
8. Cookies and Similar Technologies
8.1 Cookies We Use
| Cookie | Type | Purpose | Duration |
|---|---|---|---|
| session | Essential | Authentication | 14–30 days |
8.2 We Do Not Use
- Google Analytics
- Facebook Pixel
- Marketing cookies
- Third-party tracking cookies
8.3 Local Storage
| Key | Purpose |
|---|---|
| sidebarCollapsed | UI preference |
| theme | Display theme |
| userTimezone | Time display |
8.4 Third-Party Scripts
- Stripe (js.stripe.com): Payment processing
- Google Fonts: Typography
- Font Awesome: Icons
These services may set their own cookies. Please refer to their respective privacy policies.
9. Security
9.1 Technical Measures
- Encryption: TLS 1.2+ in transit, AES-256 at rest
- Password security: PBKDF2-SHA256 hashing
- Session security: HttpOnly, Secure, SameSite cookies
- Access control: Role-based, organization-isolated
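The three mechanisms named above (PBKDF2-SHA256 password hashing, the failed-login counter from Section 1.2 that resets on a successful login, and HttpOnly/Secure/SameSite session cookies) fit together in a small credential store. The following is an added illustration written for this page, not Suunta.ai's own code; the iteration count, lockout threshold, cookie lifetime and the `CredentialStore` / `Account` names are assumptions chosen for the example.

```python
"""
Added example (not Suunta.ai's code): a minimal credential store showing
PBKDF2-SHA256 password hashing with a per-user random salt and
constant-time verification, a failed-login counter that resets on success,
and the Set-Cookie attributes a session cookie should carry.
Iteration count, lockout threshold and cookie lifetime are assumptions.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from datetime import timedelta
from typing import Dict, Optional

PBKDF2_ITERATIONS = 600_000          # assumption: OWASP-scale work factor for PBKDF2-HMAC-SHA256
SALT_BYTES = 16
MAX_FAILED_ATTEMPTS = 5              # assumption: lockout threshold
SESSION_MAX_AGE = timedelta(days=14)  # lower bound of the 14-30 day session lifetime in the policy


def hash_password(password: str, iterations: int = PBKDF2_ITERATIONS) -> str:
    """Return a self-describing record: pbkdf2-sha256$<iterations>$<salt hex>$<digest hex>."""
    salt = secrets.token_bytes(SALT_BYTES)  # fresh salt per password, so equal passwords hash differently
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2-sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count; compare in constant time."""
    try:
        algo, iterations, salt_hex, digest_hex = stored.split("$")
        if algo != "pbkdf2-sha256":
            return False
        salt = bytes.fromhex(salt_hex)
        expected = bytes.fromhex(digest_hex)
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, int(iterations))
    except ValueError:
        return False  # malformed record: never treat as a match
    return hmac.compare_digest(candidate, expected)


# Hash verified for unknown accounts, so "no such user" costs the same time as "wrong password".
DUMMY_HASH = hash_password(secrets.token_hex(16))


@dataclass
class Account:
    email: str
    password_hash: str
    failed_attempts: int = 0


@dataclass
class CredentialStore:
    accounts: Dict[str, Account] = field(default_factory=dict)

    def register(self, email: str, password: str) -> None:
        self.accounts[email] = Account(email, hash_password(password))

    def login(self, email: str, password: str) -> Optional[str]:
        """Return a random session token on success, None otherwise.

        Each failure increments the account's counter; a success resets it
        (the 'reset upon successful login' rule from the technical-data table).
        """
        acct = self.accounts.get(email)
        if acct is None:
            verify_password(password, DUMMY_HASH)  # equalise timing, result discarded
            return None
        if acct.failed_attempts >= MAX_FAILED_ATTEMPTS:
            return None  # locked: do not even check the password
        if not verify_password(password, acct.password_hash):
            acct.failed_attempts += 1
            return None
        acct.failed_attempts = 0
        return secrets.token_urlsafe(32)


def session_cookie_header(token: str, max_age: timedelta = SESSION_MAX_AGE) -> str:
    """Set-Cookie value for the session: not readable by scripts, HTTPS-only, not sent cross-site."""
    return (
        f"session={token}; Path=/; Max-Age={int(max_age.total_seconds())}; "
        "HttpOnly; Secure; SameSite=Lax"
    )


if __name__ == "__main__":
    store = CredentialStore()
    store.register("user@example.com", "correct horse battery staple")  # constructed sample account
    assert store.login("user@example.com", "wrong") is None
    token = store.login("user@example.com", "correct horse battery staple")
    print(session_cookie_header(token))
```

The stored record carries its own iteration count, so the work factor can be raised later and old hashes re-hashed at next successful login without a migration; `hmac.compare_digest` and the dummy verification for unknown accounts keep the comparison and the user-existence check from leaking through timing.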
9.2 Organizational Measures
- Staff confidentiality obligations
- Security training
- Incident response procedures
- Regular security assessments
9.3 Your Responsibilities
- Keep your password secure
- Use a strong, unique password
- Report suspicious activity immediately
- Log out on shared devices
10. Children's Privacy
Suunta.ai is a business service intended for professionals. It is not directed to individuals under 18. We do not knowingly collect personal data from children.
11. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of material changes via email at least 30 days before they take effect and prominently on our website. Continued use of the services after changes constitutes acceptance.
12. Contact
For privacy-related questions or to exercise your rights:
Y4 Works Oy (Suunta.ai)
Email: privacy@suunta.ai
For general inquiries: team@suunta.ai
13. Additional Information for EEA Users
13.1 Legal Basis Summary
| Processing Activity | Legal Basis |
|---|---|
| Account management | Contract |
| Service delivery | Contract |
| Payment processing | Contract |
| Transactional emails | Contract |
| Security measures | Legitimate interest |
| Audit logging | Legitimate interest / Legal obligation |
| Marketing (if consent given) | Consent |
13.2 Data Protection Officer
As a small company, we have not appointed a formal Data Protection Officer. For data protection inquiries, contact: privacy@suunta.ai.
13.3 Automated Decision-Making
We do not make automated decisions that produce legal effects or similarly significant impacts on you. AI features provide recommendations and analysis, but final decisions are made by you.