Privacy Policy – Valu Customer Register
Prepared in accordance with Articles 13 and 14 of the GDPR
1. DATA CONTROLLER
| Field | Information |
|---|---|
| Company | Valu Digital Oy |
| Business ID | 1097410-8 |
| Address | Kauppakatu 18 A, 40100 Jyväskylä |
| Email | info@valu.fi |
| Phone | 010 423 5400 |
2. CONTACT PERSON FOR DATA PROTECTION MATTERS
| Field | Information |
|---|---|
| Name | Harri Valkonen |
| Email | harri.valkonen@valu.fi |
| Phone | 050 428 8220 |
3. NAME OF THE REGISTER
Valu Customer Register
4. PURPOSE AND LEGAL BASIS FOR PROCESSING PERSONAL DATA
4.1 Purposes of processing
| Purpose | Legal basis (GDPR art. 6) |
|---|---|
| Managing and maintaining customer relationships | Art. 6(1)(b) – Performance of a contract |
| Customer communication and contact | Art. 6(1)(b) – Performance of a contract |
| Processing of offers and orders | Art. 6(1)(b) – Performance of a contract |
| Invoicing and payment management | Art. 6(1)(c) – Legal obligation (Accounting Act) |
| Customer service and handling of complaints | Art. 6(1)(b) – Performance of a contract |
| Marketing and newsletters (consent) | Art. 6(1)(a) – Consent |
| Marketing to existing customers | Art. 6(1)(f) – Legitimate interest |
| Service development | Art. 6(1)(f) – Legitimate interest |
4.2 Assessment of legitimate interest
To the extent that processing is based on legitimate interest, Valu has assessed that:
- Processing is necessary for business purposes
- The rights of data subjects are not overridden, as the data mainly concerns B2B contact persons in a professional context
- Data subjects have the right to object to processing at any time
5. CONTENT OF THE REGISTER
5.1 Customer company information
- Name of the company or organisation
- Business ID or equivalent company identifier
- Billing and visiting address
- Industry
5.2 Personal data of contact persons
| Data category | Data |
|---|---|
| Basic information | First name, last name |
| Contact details | Email address, phone number |
| Position | Title, job title |
| Communication data | Emails sent and received via the CRM system |
5.3 Customer relationship data
- Start date of the customer relationship
- Contract and order history
- Billing information
- Customer service contacts and their content
- Notes on the customer relationship
5.4 Special categories of data
The register does not contain special categories of data as defined in Article 9 of the GDPR (e.g. health data, political opinions or other sensitive data).
6. REGULAR SOURCES OF DATA
Personal data is primarily obtained from:
- The data subject themselves – when establishing a customer relationship, through requests for proposals, orders or contacts
- The customer company – from contact persons designated by the company
- Public sources – company websites, LinkedIn or other public professional profiles during prospecting
- The Trade Register – company details and contact information
7. RECIPIENTS OF PERSONAL DATA AND DISCLOSURE OF DATA
7.1 Internal use
Valu limits access to personal data to only those employees who need it to perform their duties. All employees are bound by a confidentiality obligation.
7.2 Processors (subcontractors)
Valu uses the following external service providers for processing personal data. A data processing agreement compliant with the GDPR has been concluded with all processors:
| Service provider | Purpose of use | Server location |
|---|---|---|
| CRM system | Customer data management | Finland |
| Google Workspace | Email communication | EU |
| Invoicing system | Invoicing and payment management | Finland |
| Anthropic Ireland, Limited | AI-assisted communication (Claude AI) | Ireland / USA |
| Zendesk, Inc. | Customer support communication and ticket management | EU |
| Basecamp, LLC | Project management and internal communication | USA (see section 8.3) |
See section 8 for more details (Transfer of data outside the EU/EEA).
7.3 Disclosure of data to third parties
Valu does not sell, rent or disclose personal data to third parties for commercial purposes.
Data may be disclosed:
- To authorities to fulfil a statutory obligation (e.g. tax authority)
- To a buyer in a potential business acquisition (data subjects will be notified separately)
8. TRANSFER OF DATA OUTSIDE THE EU/EEA
8.1 Transfer to the United States – Anthropic
Valu uses the Claude AI service provided by Anthropic Ireland, Limited to support customer communication. In connection with the use of the service, personal data of customers’ contact persons (name, email address, phone number and email content) may be transferred to the United States.
| Field | Information |
|---|---|
| Recipient | Anthropic Ireland, Limited / Anthropic, PBC |
| Destination country | United States |
| Legal basis for transfer | EU Standard Contractual Clauses (SCC), Module 2 |
| Applicable law | Irish law |
| More information | trust.anthropic.com |
Safeguards:
- Anthropic does not use customer data to train AI models
- Data is encrypted in transit (TLS 1.2+) and at rest (AES-256)
- Data is deleted from Anthropic’s systems within 30 days of the end of the service agreement
- Anthropic is SOC 2 certified
- Website visitor data is not transmitted unless the visitor fills in forms or otherwise provides data through the site
8.2 Transfer to the United States – Zendesk
Valu uses the customer support system provided by Zendesk, Inc. to manage customer service contacts and support requests. In connection with the use of the service, personal data of customers’ contact persons may be transferred to the United States.
| Field | Information |
|---|---|
| Recipient | Zendesk, Inc. |
| Domicile | San Francisco, California, USA |
| Destination country | United States |
| Legal basis for transfer | EU Standard Contractual Clauses (SCC), Module 2 |
| More information | zendesk.com/company/privacy-and-data-protection |
Data processed:
- Contact person’s name and email address
- Content of support requests and communication history
- Any other data provided by the customer in connection with the support request
Safeguards:
- Servers are located in the EU
- A GDPR-compliant data processing agreement (DPA) has been concluded with Zendesk
- Transfer of data to the United States takes place under EU Standard Contractual Clauses
- Data is encrypted in transit (TLS) and at rest
- Zendesk is ISO 27001 certified and SOC 2 Type II audited
- Zendesk does not use customer data for its own marketing purposes
8.3 Transfer to the United States – Basecamp
Valu uses the project management service provided by Basecamp, LLC to coordinate customer projects and communication. In connection with the use of the service, personal data may be transferred to the United States.
| Field | Information |
|---|---|
| Recipient | Basecamp, LLC (37signals, LLC) |
| Domicile | Chicago, Illinois, USA |
| Destination country | United States |
| Legal basis for transfer | EU Standard Contractual Clauses (SCC), Module 2 |
| More information | basecamp.com/about/policies/privacy |
Data processed:
- Contact person’s name and email address
- Project-related communication and documents
- Any other data shared during project work
Safeguards:
- A GDPR-compliant data processing agreement (DPA) has been concluded with Basecamp
- Transfer of data to the United States takes place under EU Standard Contractual Clauses
- Data is encrypted in transit (TLS) and at rest
- Access to project data is limited to persons participating in the relevant project
9. RETENTION PERIOD FOR PERSONAL DATA
| Data category | Retention period | Basis |
|---|---|---|
| Data relating to an active customer relationship | For the duration of the customer relationship | Performance of a contract |
| Invoicing and accounting data | 6 years from the end of the financial year | Accounting Act |
| Emails | | Legitimate interest / contract |
| Offer and contract documents | | Legitimate interest |
| Marketing consent | Until withdrawal of consent | Consent |
| Data relating to a terminated customer relationship | | Legitimate interest |
After the retention period has expired, data is deleted or anonymised securely.
10. RIGHTS OF THE DATA SUBJECT
The data subject has the following rights. Requests must be sent to the contact person mentioned in section 2.
10.1 Right of access (art. 15)
You have the right to obtain confirmation as to whether personal data concerning you is being processed, and the right to receive a copy of the personal data being processed.
10.2 Right to rectification (art. 16)
You have the right to demand the rectification of inaccurate or incomplete personal data concerning you.
10.3 Right to erasure (art. 17)
In certain circumstances, you have the right to demand the erasure of your personal data. This right does not apply to data whose retention is subject to a statutory obligation.
10.4 Right to restriction of processing (art. 18)
In certain circumstances, you have the right to demand the restriction of processing of your personal data.
10.5 Right to data portability (art. 20)
You have the right to receive the personal data concerning you that you have provided to us in a structured, commonly used and machine-readable format, and the right to transmit that data to another controller, where processing is based on consent or a contract.
10.6 Right to object (art. 21)
You have the right to object to the processing of your personal data where processing is based on legitimate interest, including direct marketing. After objection, we will no longer process your personal data for that purpose unless we have a compelling legitimate reason to do so.
10.7 Right to withdraw consent (art. 7)
Where processing is based on consent, you have the right to withdraw your consent at any time. Withdrawal does not affect the lawfulness of processing carried out before the withdrawal.
10.8 Exercising rights in practice
Requests will be responded to without undue delay and at the latest within one month of receipt of the request. The deadline may be extended by two months where necessary due to the complexity of the matter.
Requests must be submitted in writing by email to: harri.valkonen@valu.fi
We may, where necessary, request verification of identity before fulfilling the request.
11. RIGHT TO LODGE A COMPLAINT WITH A SUPERVISORY AUTHORITY
If you consider that the processing of your personal data infringes data protection legislation, you have the right to lodge a complaint with the competent supervisory authority:
Office of the Data Protection Commissioner
- Website: tietosuoja.fi
- Email: tietosuoja@om.fi
- Phone: 029 566 6700
- Address: P.O. Box 800, 00531 Helsinki
12. AUTOMATED DECISION-MAKING AND PROFILING
Valu does not make automated decisions that have legal or similarly significant effects on data subjects (GDPR art. 22).
Valu does not automatically profile data subjects.
The AI service (Claude) is used solely to support CRM communication, not for automated decision-making.
13. DATA SECURITY
Valu protects personal data with appropriate technical and organisational measures.
13.1 Technical safeguards
| Measure | Description |
|---|---|
| Access control | Access to personal data is limited to only those who need it |
| Password protection | Strong passwords and multi-factor authentication (MFA) |
| Encryption of data connections | TLS encryption for data transfers |
| Data encryption | Personal data is encrypted at rest |
| Backups | Data is backed up regularly |
| Firewalls and security software | Up-to-date security solutions |
| Log data | System usage is monitored via log data |
13.2 Organisational safeguards
| Measure | Description |
|---|---|
| Confidentiality obligation | All employees handling personal data are bound by a confidentiality obligation |
| Training | Staff are regularly trained on data protection matters |
| Access rights | Access rights are granted to the extent required by the duties |
| Data processing agreements | GDPR-compliant agreements have been concluded with all subcontractors |
| Management of data security breaches | A procedure is in place for detecting and handling data security breaches |
13.3 Data security breaches
If a personal data breach occurs that poses a risk to the rights and freedoms of data subjects, Valu will notify the Data Protection Commissioner within 72 hours of becoming aware of the breach. If the breach poses a high risk to data subjects, we will also notify the relevant data subjects without undue delay.
14. USE OF AI SERVICES IN THE PROCESSING OF PERSONAL DATA
14.1 General
Valu uses the Claude AI service provided by Anthropic Ireland, Limited to support customer communication. This section describes in more detail how personal data is processed in connection with the AI service.
14.2 What data is processed in the AI service
The following personal data may be entered into the AI service:
| Data category | Purpose of use |
|---|---|
| Contact person’s name | Personalisation of communication and understanding context |
| Email address | Targeting of communication |
| Phone number | Contact information management |
| Content of emails | Supporting communication and drafting responses |
14.3 Safeguards in the AI service
Valu has ensured that:
- Anthropic does not use customer data to train AI models
- Data is encrypted in transit (TLS 1.2+) and at rest (AES-256)
- A GDPR-compliant data processing agreement (DPA) has been concluded with Anthropic
- Transfer of data to the United States takes place under EU Standard Contractual Clauses
- Data is deleted from Anthropic’s systems within 30 days of the end of the service agreement
- The AI service is not used for automated decision-making
- The AI service is not used to monitor employee performance
14.4 Data minimisation in the AI service
Valu adheres to the principle of data minimisation in the use of the AI service. Only the data that is strictly necessary for carrying out the relevant task is entered into the AI service. Website visits are not entered into the AI.
15. COOKIES AND WEBSITE TRACKING
Valu’s website uses cookies. More detailed information on the use of cookies can be found in our separate cookie policy at www.valu.fi/evasteet.
16. UPDATING THE PRIVACY POLICY
Valu reserves the right to update this privacy policy when operations or legislation change. The updated privacy policy will be published on our website at www.valu.fi/tietosuojaseloste. Data subjects will be notified separately of significant changes by email or another appropriate means.
17. VALIDITY AND VERSION HISTORY
| Version | Effective date | Description of change |
|---|---|---|
| 1.0 | 27.2.2026 | Original version |
This privacy policy has been prepared in accordance with Articles 13 and 14 of the EU General Data Protection Regulation (GDPR) 2016/679.
Last updated: 12.3.2026