PRIVACY POLICY
1. General
This Privacy Policy describes how Mobimus Oy (“Company”), acting as a data controller, processes personal data in connection with the Osuria service in particular: what personal data the Company collects, for what purposes the data is used, to whom the data may be disclosed, and how data subjects can influence the processing. This Privacy Policy also provides information on the obligations that the Company complies with when processing personal data.
In connection with the Osuria service, the Company may also act as a data processor when the Company’s customers act as data controllers while using the Company’s services. In such cases, the Company processes personal data in accordance with the cooperation agreements entered into with its customers.
The Company processes personal data in accordance with the EU General Data Protection Regulation (2016/679) (“GDPR”) and other applicable data protection legislation (together with the GDPR, “data protection legislation”). Data protection is an integral part of all the Company’s business operations.
This Privacy Policy applies to all processing of personal data relating to the Company’s customers, potential customers, or their representatives and contact persons, as well as users, in connection with the Osuria service.
“Personal data” refers to information relating to a natural person (“data subject”) who can be directly or indirectly identified, as defined in the GDPR. Information that does not allow direct or indirect identification of a data subject is not considered personal data.
2. Data Controller
Mobimus Oy
Business ID: 2101984-3
Hankasuontie 8
00390 Helsinki, Finland
Email: asiakaspalvelu@osuria.com
3. Purposes and Legal Bases for Processing Personal Data
Personal data is processed for the following purposes:
- Fulfilment of cooperation and user agreements
- Provision of services and quality assurance
- Compliance with statutory obligations
- Business planning and product development
- Risk management and prevention of misuse
- Personalized customer service related to the services, targeted customer communications, monitoring of service usage, and the Company’s own customer surveys
- Marketing and targeted marketing to customers and potential customers
Legal bases for processing personal data:
- Performance of a contract with the data subject under a cooperation agreement or a user agreement for using the Osuria service, or taking steps prior to entering such a contract at the data subject’s request
- Compliance with legal obligations, such as accounting obligations, customer due diligence obligations, and statutory reporting obligations
- Management of the customer relationship based on the legitimate interest of the Company or its customer
- Development, testing, and similar activities related to services and business, based on the Company’s legitimate interest
- Processing for direct marketing based on the Company’s legitimate interest; electronic direct marketing, subscription to the Company’s newsletter, and storage of personal data collected via the Company’s website for direct marketing purposes are based on consent
4. Categories of Personal Data, Data Content, and Sources
The Company collects only such personal data that is necessary for the purposes described in this Privacy Policy.
The following categories of personal data are processed:
- Identification, contact, and role data: Name, email address, role
- Event data: Communications between the data subject and the Company, participation information
- Contract-related data: Information identifying the contractual relationship
- User data: Username and encrypted password
- Behavioral and technical identification data: Monitoring of online behavior and use of the Company’s services, for example through cookies or similar technologies. Collected data may include IP address, pages visited, browser type, URL, session time and duration
More information about the use of cookies and other tracking technologies can be found in the Company’s Cookie Policy.
Personal data is collected directly from data subjects or from the company represented by the data subject, for example in connection with making an offer, entering into a customer or service agreement, during a customer relationship or user relationship, in marketing activities, or via website forms. The data subject may also have provided information to the Company, for example through website use or by subscribing to an electronic newsletter.
The Company uses external service providers for marketing purposes, who process data subjects’ contact details for marketing.
In addition, data may be collected and updated, where permitted by law, from registers maintained by third parties, such as the Trade Register and commercial decision-maker databases.
If the data subject does not provide certain personal data, this may prevent the Company from providing the Osuria service.
5. Retention of Personal Data
The Company retains personal data for as long as necessary to fulfil the purposes defined in this Privacy Policy, unless the data is required for the preparation, presentation, or defense of legal claims or for resolving similar disputes.
Personal data is processed for the duration of a customer or other contractual relationship and for a necessary period after the termination of such relationship. In the case of organizations, retention of a data subject’s personal data is linked to how long the data subject acts as a representative of the organization in relation to the Company. Personal data is deleted within a reasonable time after the relevant role ends.
Personal data necessary for marketing purposes is retained as long as the data subject is a target of marketing and has not withdrawn consent for electronic direct marketing or objected to the use of their data for marketing purposes. Data is deleted from the register every three years if the data subject is no longer a target of marketing.
When personal data is no longer needed as described above, it will be deleted within a reasonable time, unless the Company is required by law to retain the data for a longer period.
6. Recipients of Personal Data
The Company may use service providers and subcontractors in the processing of personal data. Parties involved in processing personal data include, among others:
- Rebooted Solutions
- Kvan
In special cases, personal data may be disclosed to authorities where required or permitted by law. Personal data is not disclosed for direct marketing purposes, opinion or market research, or similar studies.
The Company may be required to disclose personal data if it is involved in legal proceedings or other dispute resolution processes. In addition, in emergencies or other unforeseen situations, the Company may disclose personal data to protect human life, health, or property.
If the Company is involved in a merger, acquisition, or other corporate arrangement, personal data may be disclosed to third parties. Data protection will be ensured in such arrangements, and data subjects will be informed as appropriate.
7. Transfer of Personal Data Outside the European Union or European Economic Area
The Company uses subcontractors acting on its behalf in the processing of personal data. The Company has ensured the protection of data subjects’ personal data by entering into data processing agreements with its subcontractors.
Personal data may be transferred outside the European Union or the European Economic Area. In such cases, where there is no adequacy decision by the European Commission, the Company uses the standard contractual clauses issued by the European Commission pursuant to Article 46(2) of the GDPR as appropriate safeguards.
8. Principles of Personal Data Protection and Security of Processing
The Company processes personal data in a manner that ensures appropriate security, including protection against unauthorized processing and against accidental loss, destruction, or damage.
The Company uses appropriate technical and organizational measures to ensure security, including firewalls, encryption technologies, secure facilities, appropriate access control and access management, and instructions to personnel and subcontractors involved in personal data processing.
Original document materials are stored in locked facilities with access restricted to authorized persons only. All parties processing personal data are subject to confidentiality obligations based on employment legislation and/or confidentiality clauses in employment contracts.
The Company may outsource the processing of personal data to service providers or subcontractors in accordance with this Privacy Policy and ensures through adequate contractual obligations that personal data is processed appropriately and lawfully.
9. Rights of Data Subjects
Data subjects have the rights granted under data protection legislation.
Right of access and right to inspect data
The data subject has the right to obtain confirmation as to whether personal data concerning them is being processed. The data subject has the right to access and review their personal data and, upon request, to receive the data in written or electronic form.
Right to rectification and erasure
The data subject has the right to request correction of inaccurate or incomplete data and to request deletion of their personal data. The data controller also corrects, supplements, or deletes personal data on its own initiative if it identifies data that is incorrect, unnecessary, incomplete, or outdated for the purposes of processing.
Right to data portability, restriction of processing, and objection
In situations defined by data protection legislation, the data subject has the right to request transfer of their data to another data controller. The data subject also has the right, subject to the conditions set out in data protection legislation, to request restriction of processing. The data subject has the right to object to certain types of processing and to prohibit the disclosure and processing of their data for direct marketing purposes.
Right to withdraw consent
If processing is based on the data subject’s consent, the data subject has the right to withdraw their consent at any time. Withdrawal of consent does not affect the lawfulness of processing carried out prior to the withdrawal.
Exercising rights
Requests concerning data subjects’ rights should be submitted electronically or otherwise in writing using the contact details above. Requests will be responded to within a reasonable time and, where possible, no later than one month after receipt of the request and verification of identity. If a request cannot be fulfilled, the data subject will be informed of the refusal in writing.
10. Right to Lodge a Complaint with a Supervisory Authority
The data subject has the right to lodge a complaint with a data protection authority if they consider that their personal data has been processed in violation of applicable legislation. Within the European Union, a complaint may be lodged with the supervisory authority of the data subject’s habitual residence or place of work, or the place where the alleged infringement occurred.
11. Amendments to This Privacy Policy
The Company continuously develops its services and may therefore update this Privacy Policy. Changes may also be based on amendments to data protection legislation. We recommend reviewing the content of this Privacy Policy regularly.
This Privacy Policy was published on 4th of August, 2025.